Feed aggregator

Cisco Nexus 9000 Series Switches Bidirectional Forwarding Detection Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-02-23 16:00

A vulnerability in the rate limiter for Bidirectional Forwarding Detection (BFD) traffic of Cisco NX-OS Software for Cisco Nexus 9000 Series Switches could allow an unauthenticated, remote attacker to cause BFD traffic to be dropped on an affected device.

This vulnerability is due to a logic error in the BFD rate limiter functionality. An attacker could exploit this vulnerability by sending a crafted stream of traffic through the device. A successful exploit could allow the attacker to cause BFD traffic to be dropped, resulting in BFD session flaps. BFD session flaps can cause route instability and dropped traffic, resulting in a denial of service (DoS) condition. This vulnerability applies to both IPv4 and IPv6 traffic.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-bfd-dos-wGQXrzxn

This advisory is part of the February 2022 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: February 2022 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.


Security Impact Rating: High
CVE: CVE-2022-20623
Categories: Security Alerts

Cisco NX-OS Software Cisco Fabric Services Over IP Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-02-23 16:00

A vulnerability in the Cisco Fabric Services over IP (CFSoIP) feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability is due to insufficient validation of incoming CFSoIP packets. An attacker could exploit this vulnerability by sending crafted CFSoIP packets to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cfsoip-dos-tpykyDr

This advisory is part of the February 2022 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: February 2022 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.


Security Impact Rating: High
CVE: CVE-2022-20624
Categories: Security Alerts

Cisco Nexus 9000 Series Fabric Switches ACI Mode Multi-Pod and Multi-Site TCP Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-02-23 15:56

February 23, 2022 Update: After further investigation, Cisco determined that an additional fix was necessary to completely address this vulnerability. The initial fix allowed an attacker to cause high CPU utilization on an affected device, which could impact user traffic. See the Fixed Software section of this advisory for updated information about the fixed releases.

A vulnerability in the Multi-Pod or Multi-Site network configurations for Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode could allow an unauthenticated, remote attacker to unexpectedly restart the device, resulting in a denial of service (DoS) condition.

This vulnerability exists because TCP traffic sent to a specific port on an affected device is not properly sanitized. An attacker could exploit this vulnerability by sending crafted TCP data to a specific port that is listening on a public-facing IP address for the Multi-Pod or Multi-Site configuration. A successful exploit could allow the attacker to cause the device to restart unexpectedly, resulting in a DoS condition. 

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-n9kaci-tcp-dos-YXukt6gM

This advisory is part of the August 2021 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: August 2021 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.


Security Impact Rating: High
CVE: CVE-2021-1586
Categories: Security Alerts

AA22-054A: New Sandworm Malware Cyclops Blink Replaces VPNFilter

US-CERT - Wed, 2022-02-23 07:00
Original release date: February 23, 2022
Summary

The Sandworm actor, which the United Kingdom and the United States have previously attributed to the Russian GRU, has replaced the exposed VPNFilter malware with a new more advanced framework.

The United Kingdom's (UK) National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) in the U.S. have identified that the actor known as Sandworm or Voodoo Bear is using a new malware, referred to here as Cyclops Blink. The NCSC, CISA, and the FBI have previously attributed the Sandworm actor to the Russian General Staff Main Intelligence Directorate’s Russian (GRU’s) Main Centre for Special Technologies (GTsST). The malicious cyber activity below has previously been attributed to Sandworm:

Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, and which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices.

This advisory summarizes the VPNFilter malware it replaces, and provides more detail on Cyclops Blink, as well as the associated tactics, techniques and procedures (TTPs) used by Sandworm. An NCSC malware analysis report on Cyclops Blink is also available.

It also provides mitigation measures to help organizations defend against malware.

Click here for a PDF version of this report.

Technical DetailsVPNFilter The malware was first exposed in 2018

A series of articles published by Cisco Talos in 2018 describes VPNFilter and its modules in detail. VPNFilter was deployed in stages, with most functionality in the third-stage modules. These modules enabled traffic manipulation, destruction of the infected host device, and likely enabled downstream devices to be exploited. They also allowed monitoring of Modbus SCADA protocols, which appears to be an ongoing requirement for Sandworm, as also seen in their previous attacks against ICS networks.

VPNFilter targeting was widespread and appeared indiscriminate, with some exceptions: Cisco Talos reported an increase of victims in Ukraine in May 2018. Sandworm also deployed VPNFilter against targets in the Republic of Korea before the 2018 Winter Olympics. 

In May 2018, Cisco Talos published the blog that exposed VPNFilter and the U.S. Department of Justice linked the activity to Sandworm and announced efforts to disrupt the botnet.

Activity since its exposure 

A Trendmicro blog in January 2021 detailed residual VPNFilter infections and provided data which showed that although there had been a reduction in requests to a known C2 domain, there was still more than a third of the original number of first-stage infections.

Sandworm has since shown limited interest in existing VPNFilter footholds, instead preferring to retool.

Cyclops Blink Active since 2019

The NCSC, CISA, the FBI, and NSA, along with industry partners, have now identified a large-scale modular malware framework (T1129) which is targeting network devices. The new malware is referred to here as Cyclops Blink and has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted. In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread.

The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.

Note: Note that only WatchGuard devices that were reconfigured from the manufacturer default settings to open remote management interfaces to external access could be infected

Malware overview 

The malware itself is sophisticated and modular with basic core functionality to beacon (T1132.002) device information back to a server and enable files to be downloaded and executed. There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as required.

The NCSC has published a malware analysis report on Cyclops Blink which provides more detail about the malware.

Post exploitation 

Post exploitation, Cyclops Blink is generally deployed as part of a firmware ‘update’ (T1542.001). This achieves persistence when the device is rebooted and makes remediation harder.

Victim devices are organized into clusters and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports that it uses (T1008). All the known C2 IP addresses to date have been used by compromised WatchGuard firewall devices. Communications between Cyclops Blink clients and servers are protected under Transport Layer Security (TLS) (T1071.001), using individually generated keys and certificates. Sandworm manages Cyclops Blink by connecting to the C2 layer through the Tor network.

Mitigations

Cyclops Blink persists on reboot and throughout the legitimate firmware update process. Affected organizations should therefore take steps to remove the malware. 

WatchGuard has worked closely with the FBI, CISA, NSA and the NCSC, and has provided tooling and guidance to enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade process. Device owners should follow each step in these instructions to ensure that devices are patched to the latest version and that any infection is removed.

The tooling and guidance from WatchGuard can be found at: https://detection.watchguard.com/.

In addition:

  • If your device is identified as infected with Cyclops Blink, you should assume that any passwords present on the device have been compromised and replace them (see NCSC password guidance for organizations.
  • You should ensure that the management interface of network devices is not exposed to the internet.
Indicators of Compromise

Please refer to the accompanying Cyclops Blink malware analysis report for indicators of compromise which may help detect this activity. 

MITRE ATT&CK®

This advisory has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

Tactic

Technique

Procedure

Initial Access

T1133

External Remote Services

The actors most likely deploy modified device firmware images by exploiting an externally available service

Execution

T1059.004

Command and Scripting Interpreter: Unix Shell

Cyclops Blink executes downloaded files using the Linux API

Persistence

T1542.001

Pre-OS Boot: System Firmware

Cyclops Blink is deployed within a modified device firmware image

T1037.004

Boot or Logon Initialization Scripts: RC Scripts

Cyclops Blink is executed on device startup, using a modified RC script

Defense Evasion

 

T1562.004

Impair Defenses: Disable or Modify System Firewall

Cyclops Blink modifies the Linux system firewall to enable C2 communication

 

 

T1036.005

Masquerading: Match Legitimate Name or Location

Cyclops Blink masquerades as a Linux kernel thread process

Discovery

T1082

System Information Discovery

Cyclops Blink regularly queries device information

Command and Control

T1090

Proxy

T1132.002

Data Encoding: Non-Standard Encoding

Cyclops Blink command messages use a custom binary scheme to encode data

T1008

Fallback Channels

Cyclops Blink randomly selects a C2 server from contained lists of IPv4 addresses and port numbers

T1071.001

Application Layer Protocol: Web Protocols

Cyclops Blink can download files via HTTP or HTTPS

T1573.002

Encrypted Channel: Asymmetric Cryptography

Cyclops Blink C2 messages are individually encrypted using AES-256-CBC and sent underneath TLS

T1571

Non-Standard Port

The list of port numbers used by Cyclops Blink includes non-standard ports not typically associated with HTTP or HTTPS traffic

Exfiltration

T1041

Exfiltration Over C2 Channel

Cyclops Blink can upload files to a C2 server

A Cyclops Blink infection does not mean that an organization is the primary target, but it may be selected to be, or its machines could be used to conduct attacks.

Organizations are advised to follow the mitigation advice in this advisory to defend against this activity, and to refer to indicators of compromise (not exhaustive) in the Cyclops Blink malware analysis report to detect possible activity on networks. 

UK organizations affected by the activity outlined in should report any suspected compromises to the NCSC at https://report.ncsc.gov.uk/.

Further Guidance

A variety of mitigations will be of use in defending against the malware featured in this advisory:

About This Document

This advisory is the result of a collaborative effort by United Kingdom’s National Cyber Security Centre (NCSC), the United States’ National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). 

CISA, FBI, and NSA agree with this attribution and the details provided in the report.

This advisory has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. 

Disclaimers

This report draws on information derived from NCSC and industry sources. Any NCSC findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.

DISCLAIMER OF ENDORSEMENT: The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

For NSA client requirements or general cybersecurity inquiries, contact the Cybersecurity Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov.

Contact Information

To report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory:

U.S. organizations contact your local FBI field office at fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov.

Australian organizations should report incidents to the Australian Signals Directorate’s (ASD’s) ACSC via cyber.gov.au or call 1300 292 371 (1300 CYBER 1).

U.K. organizations should report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hrs) or for urgent assistance, call 03000 200 973.

Revisions
  • February 23, 2022: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

Cisco IOS XR Software Arbitrary File Read and Write Vulnerability

Cisco Security Advisories - Fri, 2022-02-18 14:38

A vulnerability in the SSH Server process of Cisco IOS XR Software could allow an authenticated, remote attacker to overwrite and read arbitrary files on the local device.

This vulnerability is due to insufficient input validation of arguments that are supplied by the user for a specific file transfer method. An attacker with lower-level privileges could exploit this vulnerability by specifying Secure Copy Protocol (SCP) parameters when authenticating to a device. A successful exploit could allow the attacker to elevate their privileges and retrieve and upload files on a device that they should not have access to.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-scp-inject-QwZOCv2

This advisory is part of the September 2021 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: September 2021 Cisco IOS XR Software Security Advisory Bundled Publication.


Security Impact Rating: High
CVE: CVE-2021-34718
Categories: Security Alerts

Cisco IOS XE SD-WAN Software Command Injection Vulnerability

Cisco Security Advisories - Thu, 2022-02-17 18:13

A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to execute arbitrary commands with root privileges. 

The vulnerability is due to insufficient input validation by the system CLI. An attacker could exploit this vulnerability by authenticating to an affected device and submitting crafted input to the system CLI. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-rhpbE34A


Security Impact Rating: High
CVE: CVE-2021-1529
Categories: Security Alerts

Cisco Email Security Appliance DNS Verification Denial of Service Vulnerability

Cisco Security Advisories - Thu, 2022-02-17 00:00

A vulnerability in the DNS-based Authentication of Named Entities (DANE) email verification component of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability is due to insufficient error handling in DNS name resolution by the affected software. An attacker could exploit this vulnerability by sending specially formatted email messages that are processed by an affected device. A successful exploit could allow the attacker to cause the device to become unreachable from management interfaces or to process additional email messages for a period of time until the device recovers, resulting in a DoS condition. Continued attacks could cause the device to become completely unavailable, resulting in a persistent DoS condition.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-dos-MxZvGtgU


Security Impact Rating: High
CVE: CVE-2022-20653
Categories: Security Alerts

Cisco Redundancy Configuration Manager for Cisco StarOS Software TCP Denial of Service Vulnerability

Cisco Security Advisories - Thu, 2022-02-17 00:00

A vulnerability in the checkpoint manager implementation of Cisco Redundancy Configuration Manager (RCM) for Cisco StarOS Software could allow an unauthenticated, remote attacker to cause the checkpoint manager process to restart upon receipt of malformed TCP data.

This vulnerability is due to improper input validation of an ingress TCP packet. An attacker could exploit this vulnerability by sending crafted TCP data to the affected application. A successful exploit could allow the attacker to cause a denial of service (DoS) condition due to the checkpoint manager process restarting.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. 

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rcm-tcp-dos-2Wh8XjAQ


Security Impact Rating: Medium
CVE: CVE-2022-20750
Categories: Security Alerts

Cisco Prime Infrastructure and Evolved Programmable Network Manager Cross-Site Scripting Vulnerability

Cisco Security Advisories - Thu, 2022-02-17 00:00

A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network (EPN) Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device.

This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-epnm-xss-P8fBz2FW


Security Impact Rating: Medium
CVE: CVE-2022-20659
Categories: Security Alerts

AA22-047A: Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology

US-CERT - Wed, 2022-02-16 07:00
Original release date: February 16, 2022
Summary

Actions to Help Protect Against Russian State-Sponsored Malicious Cyber Activity:
• Enforce multifactor authentication.
• Enforce strong, unique passwords.
• Enable M365 Unified Audit Logs.
• Implement endpoint detection and response tools.

From at least January 2020, through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors. The actors have targeted both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources. These CDCs support contracts for the U.S. Department of Defense (DoD) and Intelligence Community in the following areas:

  • Command, control, communications, and combat systems;
  • Intelligence, surveillance, reconnaissance, and targeting;
  • Weapons and missile development;
  • Vehicle and aircraft design; and
  • Software development, data analytics, computers, and logistics. 

Historically, Russian state-sponsored cyber actors have used common but effective tactics to gain access to target networks, including spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security. These actors take advantage of simple passwords, unpatched systems, and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data. 

In many attempted compromises, these actors have employed similar tactics to gain access to enterprise and cloud networks, prioritizing their efforts against the widely used Microsoft 365 (M365) environment. The actors often maintain persistence by using legitimate credentials and a variety of malware when exfiltrating emails and data.

These continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology. The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology. By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment. Given the sensitivity of information widely available on unclassified CDC networks, the FBI, NSA, and CISA anticipate that Russian state-sponsored cyber actors will continue to target CDCs for U.S. defense information in the near future. These agencies encourage all CDCs to apply the recommended mitigations in this advisory, regardless of evidence of compromise.

For additional information on Russian state-sponsored cyber activity, see CISA's webpage, Russia Cyber Threat Overview and Advisories.

Click here for a PDF version of this report.

Threat Details Targeted Industries and Assessed Motive

Russian state-sponsored cyber actors have targeted U.S. CDCs from at least January 2020, through February 2022. The actors leverage access to CDC networks to obtain sensitive data about U.S. defense and intelligence programs and capabilities. Compromised entities have included CDCs supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and DoD and Intelligence programs.

During this two-year period, these actors have maintained persistent access to multiple CDC networks, in some cases for at least six months. In instances when the actors have successfully obtained access, the FBI, NSA, and CISA have noted regular and recurring exfiltration of emails and data. For example, during a compromise in 2021, threat actors exfiltrated hundreds of documents related to the company’s products, relationships with other countries, and internal personnel and legal matters.

Through these intrusions, the threat actors have acquired unclassified CDC-proprietary and export-controlled information. This theft has granted the actors significant insight into U.S. weapons platforms development and deployment timelines, plans for communications infrastructure, and specific technologies employed by the U.S. government and military. Although many contract awards and descriptions are publicly accessible, program developments and internal company communications remain sensitive. Unclassified emails among employees or with government customers often contain proprietary details about technological and scientific research, in addition to program updates and funding statuses. See figures 1 and 2 for information on targeted customers, industries, and information.

 

Figure 1. Targeted Industries

 

Figure 2. Exfiltrated Information

  Threat Actor Activity

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 10. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques. See the Tactics, Techniques, and Procedures (TTPs) section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Initial Access 

Russian state-sponsored cyber actors use brute force methods, spearphishing, harvested credentials, and known vulnerabilities to gain initial access to CDC networks.

  • Threat actors use brute force techniques [T1110] to identify valid account credentials [T1589.001] for domain and M365 accounts. After obtaining domain credentials, the actors use them to gain initial access to the networks. Note: For more information, see joint NSA-FBI-CISA Cybersecurity Advisory: Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.
  • Threat actors send spearphishing emails with links to malicious domains [T1566.002] and use publicly available URL shortening services to mask the link [T1027]. Embedding shortened URLs instead of actor-controlled malicious domains is an obfuscation technique meant to bypass virus and spam scanning tools. The technique often promotes a false legitimacy to the email recipient, increasing the probability of a victim’s clicking on the link. 
  • The threat actors use harvested credentials in conjunction with known vulnerabilities—for example, CVE-2020-0688 and CVE-2020-17144—on public-facing applications [T1078, T1190], such as virtual private networks (VPNs), to escalate privileges and gain remote code execution (RCE) on the exposed applications.[1] In addition, threat actors have exploited CVE-2018-13379 on FortiClient to obtain credentials to access networks. 
  • As CDCs find and patch known vulnerabilities on their networks, the actors alter their tradecraft to seek new means of access. This activity necessitates CDCs maintain constant vigilance for software vulnerabilities and out-of-date security configurations, especially in internet-facing systems.
Credential Access 

After gaining access to networks, the threat actors map the Active Directory (AD) and connect to domain controllers, from which they exfiltrate credentials and export copies of the AD database ntds.dit [T1003.003]. In multiple instances, the threat actors have used Mimikatz to dump admin credentials from the domain controllers. 

Collection

Using compromised M365 credentials, including global admin accounts, the threat actors can gain access to M365 resources, including SharePoint pages [T1213.002], user profiles, and user emails [T1114.002].

Command and Control

The threat actors routinely use virtual private servers (VPSs) as an encrypted proxy. The actors use VPSs, as well as small office and home office (SOHO) devices, as operational nodes to evade detection [T1090.003].

Persistence

In multiple instances, the threat actors maintained persistent access for at least six months. Although the actors have used a variety of malware to maintain persistence, the FBI, NSA, and CISA have also observed intrusions that did not rely on malware or other persistence mechanisms. In these cases, it is likely the threat actors relied on possession of legitimate credentials for persistence [T1078], enabling them to pivot to other accounts, as needed, to maintain access to the compromised environments.

Tactics, Techniques, and Procedures

The following table maps observed Russian state-sponsored cyber activity to the MITRE ATT&CK for Enterprise framework. Several of the techniques listed in the table are based on observed procedures in contextual order. Therefore, some of the tactics and techniques listed in their respective columns appear more than once. See Appendix A for a functional breakdown of TTPs. Note: for specific countermeasures related to each ATT&CK technique, see the Enterprise Mitigations section and MITRE D3FEND™.
 

Table 1: Observed Tactics, Techniques, and Procedures (TTPs)

Tactic Technique Procedure

Reconnaissance [TA0043]

Credential Access [TA0006]

Gather Victim Identity Information: Credentials [T1589.001

Brute Force [T1110]

Threat actors used brute force to identify valid account credentials for domain and M365 accounts. After obtaining domain credentials, the actors used them to gain initial access.  Initial Access [TA0001] External Remote Services [T1133] Threat actors continue to research vulnerabilities in Fortinet’s FortiGate VPN devices, conducting brute force attacks and leveraging CVE-2018-13379 to gain credentials to access victim networks. [2]

Initial Access [TA0001]

Privilege Escalation [TA0004]

Valid Accounts [T1078]

Exploit Public-Facing Application [T1190]

Threat actors used credentials in conjunction with known vulnerabilities on public-facing applications, such as virtual private networks (VPNs)—CVE-2020-0688 and CVE-2020-17144—to escalate privileges and gain remote code execution (RCE) on the exposed applications. [3]

Initial Access [TA0001]


Defense Evasion [TA0005]

Phishing: Spearphishing Link [T1566.002]

Obfuscated Files or Information [T1027]

Threat actors sent spearphishing emails using publicly available URL shortening services. Embedding shortened URLs instead of the actor-controlled malicious domain is an obfuscation technique meant to bypass virus and spam scanning tools. The technique often promotes a false legitimacy to the email recipient and thereby increases the possibility that a victim clicks on the link. 

Initial Access [TA0001]


Credential Access [TA0006]

OS Credential Dumping: NTDS [T1003.003]

Valid Accounts: Domain Accounts [T1078.002]

Threat actors logged into a victim’s VPN server and connected to the domain controllers, from which they exfiltrated credentials and exported copies of the AD database ntds.dit.

Initial Access [TA0001]

Privilege Escalation [TA0004]

Collection [TA0009]

Valid Accounts: Cloud Accounts [T1078.004]

Data from Information Repositories: SharePoint [T1213.002]

In one case, the actors used valid credentials of a global admin account within the M365 tenant to log into the administrative portal and change permissions of an existing enterprise application to give read access to all SharePoint pages in the environment, as well as tenant user profiles and email inboxes.

Initial Access [TA0001]

Collection [TA0009]

Valid Accounts: Domain Accounts [T1078.002]

Email Collection [T1114]

In one case, the threat actors used legitimate credentials to exfiltrate emails from the victim's enterprise email system.

Persistence [TA0003]

Lateral Movement [TA0008]

Valid Accounts [T1078] Threat actors used valid accounts for persistence. After some victims reset passwords for individually compromised accounts, the actors pivoted to other accounts, as needed, to maintain access. Discovery [TA0007] File and Network Discovery [T1083] After gaining access to networks, the threat actors used BloodHound to map the Active Directory.  Discovery [TA0007] Domain Trust Discovery [T1482] Threat actors gathered information on domain trust relationships that were used to identify lateral movement opportunities. Command and Control [TA0011] Proxy: Multi-hop Proxy [T1090.003] Threat actors used multiple disparate nodes, such as VPSs, to route traffic to the target.   Detection

The FBI, NSA, and CISA urge all CDCs to investigate suspicious activity in their enterprise and cloud environments. Note: for additional approaches on uncovering malicious cyber activity, see joint advisory Technical Approaches to Uncovering and Remediating Malicious Activity, authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

Detect Unusual Activity

Implement robust log collection and retention. Robust logging is critical for detecting unusual activity. Without a centralized log collection and monitoring capability, organizations have limited ability to investigate incidents or detect the threat actor behavior described in this advisory. Depending on the environment, tools and solutions include:

  • Cloud native solutions, such as cloud-native security incident and event management (SIEM) tools.
  • Third-party tools, such as Sparrow, to review Microsoft cloud environments and to detect unusual activity, service principals, and application activity. Note: for guidance on using these and other detection tools, refer to CISA Cybersecurity Advisory Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments.
Look for Evidence of Known TTPs
  • Look for behavioral evidence or network and host-based artifacts from known TTPs associated with this activity. To detect password spray activity, review authentication logs for system and application login failures of valid accounts. Look for frequent, failed authentication attempts across multiple accounts. 
  • To detect use of compromised credentials in combination with a VPS, follow the steps below:
    • Review logs for suspicious “impossible logins,” such as logins with changing usernames, user agent strings, and IP address combinations or logins where IP addresses do not align to the expected user’s geographic location.
    • Look for one IP used for multiple accounts, excluding expected logins.
    • Search for “impossible travel,” which occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses in the time between logins). Note: this detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting to networks.
    • Evaluate processes and program execution command-line arguments that may indicate credential dumping, especially attempts to access or copy the ntds.dit file from a domain controller. 
    • Identify suspicious privileged account use after resetting passwords or applying user account mitigations. 
    • Review logs for unusual activity in typically dormant accounts.
    • Look for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity.
Incident Response and Remediation

Organizations with evidence of compromise should assume full identity compromise and initiate a full identity reset.

  • Reset passwords for all local accounts. These accounts should include Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. It is essential to reset the password for the krbtgt account, as this account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. Note: reset the krbtgt account twice and consecutively with a 10-hour waiting period between resets (i.e., perform the first krbtgt password reset, wait 10 hours, and then follow with a second krbtgt password reset). The krbtgt password resets may take a long time to propagate fully on large AD environments. Refer to Microsoft’s AD Forest Recovery - Resetting the krbtgt password guidance and automation script for additional information. [4][5]
  • Reset all domain user, admin, and service account passwords. 

Note: for guidance on evicting advanced persistent threat (APT) actors from cloud and enterprise environments, refer to CISA Analysis Report Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/Microsoft 365 (M365) Compromise. Although this guidance was drafted for federal agencies compromised by the Russian Foreign Intelligence Service (SVR) via the SolarWinds Orion supply chain compromise, the steps provided in the Eviction Phase are applicable for all organizations crafting eviction plans for suspected APT actors.

Mitigations

The FBI, NSA, and CISA encourage all CDCs, with or without evidence of compromise, to apply the following mitigations to reduce the risk of compromise by this threat actor. While these mitigations are not intended to be all-encompassing, they address common TTPs observed in these intrusions and will help to mitigate against common malicious activity. 

Implement Credential Hardening Enable Multifactor Authentication
  • Enable multifactor authentication (MFA) for all users, without exception. Subsequent authentication may not require MFA, enabling the possibility to bypass MFA by reusing single factor authentication assertions (e.g., Kerberos authentication). Reducing the lifetime of assertions will cause account re-validation of their MFA requirements.[6] Service accounts should not use MFA. Automation and platform features (e.g., Group Managed Service Accounts, gMSA) can provide automatic and periodic complex password management for service accounts, reducing the threat surface against single factor authentication assertions.[7
Enforce Strong, Unique Passwords
  • Require accounts to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
  • Enable password management functions, such as Local Administrator Password Solution (LAPS), for local administrative accounts. This will reduce the burden of users managing passwords and encourage them to have strong passwords.
Introduce Account Lockout and Time-Based Access Features
  • Implement time-out and lock-out features in response to repeated failed login attempts.
  • Configure time-based access for accounts set at the admin level and higher. For example, the Just-In-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable administrator accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system but only for a set timeframe to support task completion.
Reduce Credential Exposure
  • Use virtualization solutions on modern hardware and software to ensure credentials are securely stored, and protect credentials via capabilities, such as Windows Defender Credential Guard (CredGuard) and Trusted Platform Module (TPM).[8] Protecting domain credentials with CredGuard requires configuration and has limitations in protecting other types of credentials (e.g., WDigest and local accounts).[9][10] CredGuard uses TPMs to protect stored credentials. TPMs function as a system integrity observer and trust anchor ensuring the integrity of the boot sequence and mechanisms (e.g., UEFI Secure Boot). Installation of Windows 11 requires TPM v2.0.[11] Disabling WDigest and rolling expiring NTLM secrets in smartcards will further protect other credentials not protected by CredGuard.[12][13]
Establish Centralized Log Management
  • Create a centralized log management system. Centralized logging applications allow network defenders to look for anomalous activity, such as out-of-place communications between devices or unaccountable login failures, in the network environment. 
    • Forward all logs to a SIEM tool.
    • Ensure logs are searchable.
    • Retain critical and historic network activity logs for a minimum of 180 days. 
  • If using M365, enable Unified Audit Log (UAL)—M365’s logging capability—which contains events from Exchange Online, SharePoint online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other M365 services. 
  • Correlate logs, including M365 logs, from network and host security devices. This correlation will help with detecting anomalous activity in the network environment and connecting it with potential anomalous activity in M365. 

In addition to setting up centralized logging, organizations should:

  • Ensure PowerShell logging is turned on. Threat actors often use PowerShell to hide their malicious activities.[14] 
  • Update PowerShell instances to version 5.0 or later and uninstall all earlier versions of PowerShell. Logs from prior versions are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities. 
  • Confirm PowerShell 5.0 instances have module, script block, and transcription logging enabled.
  • Monitor remote access/Remote Desktop Protocol (RDP) logs and disable unused remote access/RDP ports.
Initiate a Software and Patch Management Program 
  • Consider using a centralized patch management system. Failure to deploy software patches in a timely manner makes an organization a target of opportunity, increasing its risk of compromise. Organizations can ensure timely patching of software vulnerabilities by implementing an enterprise-wide software and patch management program.[15
    • If an organization is unable to update all software shortly after a patch is released, prioritize patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential adversaries (such as internet-facing systems). 
    • Subscribe to CISA cybersecurity notifications and advisories to keep up with known exploited vulnerabilities, security updates, and threats. This will assist organizations in maintaining situational awareness of critical software vulnerabilities and, if applicable, associated exploitation. 
  • Sign up for CISA’s cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats. CISA’s vulnerability scanning service evaluates external network presence by executing continuous scans of public, static IPs for accessible services and vulnerabilities.
Employ Antivirus Programs 
  • Ensure that antivirus applications are installed on all organizations’ computers and are configured to prevent spyware, adware, and malware as part of the operating system security baseline. 
  • Keep virus definitions up to date.
  • Regularly monitor antivirus scans. 
Use Endpoint Detection and Response Tools 
  • Utilize endpoint detection and response (EDR) tools. These tools allow a high degree of visibility into the security status of endpoints and can be an effective defense against threat actors. EDR tools are particularly useful for detecting lateral movement, as they have insight into common and uncommon network connections for each host. 
Maintain Rigorous Configuration Management Programs 
  • Audit configuration management programs to ensure they can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses. Having a robust configuration program hinders sophisticated threat operations by limiting the effectiveness of opportunistic attacks.[16
Enforce the Principle of Least Privilege
  • Apply the principle of least privilege. Administrator accounts should have the minimum permissions they need to do their tasks. This can reduce the impact if an administrator account is compromised.  
  • For M365, assign administrator roles to role-based access control (RBAC) to implement the principle of least privilege. Given its high level of default privilege, you should only use the Global Administrator account when absolutely necessary. Using Azure AD’s numerous other built-in administrator roles instead of the Global Administrator account can limit assigning unnecessary privileges. Note: refer to the Microsoft documentation, Azure AD built-in roles, for more information about Azure AD. 
  • Remove privileges not expressly required by an account’s function or role. 
  • Ensure there are unique and distinct administrative accounts for each set of administrative tasks. 
  • Create non-privileged accounts for privileged users, and ensure they use the non- privileged accounts for all non-privileged access (e.g., web browsing, email access).
  • Reduce the number of domain and enterprise administrator accounts, and remove all accounts that are unnecessary.
  • Regularly audit administrative user accounts.
  • Regularly audit logs to ensure new accounts are legitimate users.
  • Institute a group policy that disables remote interactive logins, and use Domain Protected Users Group.

To assist with identifying suspicious behavior with administrative accounts:

  • Create privileged role tracking.
  • Create a change control process for all privilege escalations and role changes on user accounts.
  • Enable alerts on privilege escalations and role changes.
  • Log privileged user changes in the network environment, and create an alert for unusual events.
Review Trust Relationships
  • Review existing trust relationships with IT service providers, such as managed service providers (MSPs) and cloud service providers (CSPs). Threat actors are known to exploit trust relationships between providers and their customers to gain access to customer networks and data.  
  • Remove unnecessary trust relationships.  
  • Review contractual relationships with all service providers, and ensure contracts include: 
    • Security controls the customer deems appropriate. 
    • Appropriate monitoring and logging of provider-managed customer systems.
    • Appropriate monitoring of the service provider’s presence, activities, and connections to the customer network.
    • Notification of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks.

Note: review CISA’s page on APTs Targeting IT Service Provider Customers and CISA Insights: Mitigations and Hardening Guidance for MSPs and Small and Mid-sized Businesses for additional recommendations for MSP and CSP customers.

Encourage Remote Work Environment Best Practices

With the increase in remote work and use of VPN services due to COVID-19, the FBI, NSA, and CISA encourage regularly monitoring remote network traffic, along with employing the following best practices. Note: for additional information, see joint NSA-CISA Cybersecurity Information Sheet: Selecting and Hardening Remote Access VPN Solutions.

  • Regularly update VPNs, network infrastructure devices, and devices used for remote work environments with the latest software patches and security configurations.
  • When possible, require MFA on all VPN connections. Physical security tokens are the most secure form of MFA, followed by authenticator applications. When MFA is unavailable, mandate that employees engaging in remote work use strong passwords.
  • Monitor network traffic for unapproved and unexpected protocols.
  • Reduce potential attack surfaces by discontinuing unused VPN servers that may be used as a point of entry by adversaries.
Establish User Awareness Best Practices

Cyber actors frequently use unsophisticated methods to gain initial access, which can often be mitigated by stronger employee awareness of indicators of malicious activity. The FBI, NSA, and CISA recommend the following best practices to improve employee operational security when conducting business:

  • Provide end user awareness and training. To help prevent targeted social engineering and spearphishing scams, ensure that employees and stakeholders are aware of potential cyber threats and how they are delivered. Also, provide users with training on information security principles and techniques.
  • Inform employees of the risks of social engineering attacks, e.g., risks associated with posting detailed career information to social or professional networking sites.
  • Ensure that employees are aware of what to do and whom to contact when they see suspicious activity or suspect a cyber intrusion to help quickly and efficiently identify threats and employ mitigation strategies.
Apply Additional Best Practice Mitigations
  • Deny atypical inbound activity from known anonymization services, including commercial VPN services and The Onion Router (TOR).
  • Impose listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
  • Identify and create offline backups for critical assets.
  • Implement network segmentation.
  • Review CISA Alert AA20-120A: Microsoft Office 365 Security Recommendations for additional recommendations on hardening M365 cloud environments.
Rewards for Justice Program

If you have information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure, contact the Department of State’s Rewards for Justice Program. You may be eligible for a reward of up to $10 million, which the Department is offering for information leading to the identification or location of any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activity against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). Contact (202) 702-7843 on WhatsApp, Signal, or Telegram, or send information via the Rewards for Justice secure Tor-based tips line located on the Dark Web. For more details, refer to rewardsforjustice.net.

Caveats

The information you have accessed or received is being provided “as is” for informational purposes only. The FBI, NSA, and CISA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the FBI, NSA, or CISA. 

Contact Information

To report suspicious activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field-offices or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov. For NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at (410) 854-4200 or Cybersecurity_Requests@nsa.gov. Defense Industrial Base companies may additionally sign up for NSA’s free cybersecurity services, including Protective DNS, vulnerability scanning, and threat intelligence collaboration at dib_defense@cyber.nsa.gov

Appendix: Detailed Tactics, Techniques, and Procedures Reconnaissance [TA0043]

Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. The adversary is known for harvesting login credentials  [T1589.001].[17]

 

ID Name Description T1589.001 Gather Victim Identity Information: Credentials Adversaries may gather credentials that can be used during targeting.

 

Initial Access [TA0001]

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. For example, the adversary may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [T1078].[18] These specific actors obtained and abused credentials of domain [T1078.002] and cloud accounts [T1078.004].[19] The actors also used external remote services to gain access to systems [T1133].[20] The adversary took advantage of weaknesses in internet-facing servers and conducted SQL injection attacks against organizations' external websites [T1190].[21] Finally, they sent spearphishing emails with a malicious link in an attempt to gain access [T1566.002].[22] 
 

 

ID Name Description T1078 Valid Accounts  Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access. T1078.002 Valid Accounts: Domain Accounts Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. T1078.004 Valid Accounts: Cloud Accounts Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. T1133 External Remote Services Adversaries may leverage external-facing remote services to initially access and/or persist within a network. T1190 Exploit Public-Facing Application Adversaries may attempt to take advantage of a weakness in an internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. T1566.002 Phishing: Spearphishing Link Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. 

 

Persistence [TA0003]

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. The adversary obtains and abuses credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [T1078].[23

 

ID Name  Description T1078 Valid Accounts Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Privilege Escalation [TA0004]

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. The adversary obtains and abuses credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [T1078].[24]  Specifically in this case, credentials of cloud accounts [T1078.004] were obtained and abused.[25]   

 

ID Name Description T1078 Valid Accounts Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access. T1078.004 Valid Accounts: Cloud Accounts Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Defense Evasion [TA0005]

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. The adversary made its executables and files difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit [T1027].[26
 

ID Name Description T1027 Obfuscated Files or Information Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

 

Credential Access [TA0006]

Credential Access consists of techniques for stealing credentials like account names and passwords. The adversary attempted to access or create a copy of the Active Directory (AD) domain database to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights [T1003.003].[27] The adversary also used a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials [T1110.003].[28

ID Name Description T1003.003 OS Credential Dumping: NTDS Adversaries may attempt to access or create a copy of the Active Directory domain database to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights.  T1110.003 Brute Force: Password Spraying Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials.  Discovery [TA0007]

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. The adversary enumerated files and directories or searched in specific locations of a host or network share for certain information within a file system [T1083].[29]  In addition, the adversary attempted to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain or forest environments [T1482].[30] 

ID Name Description T1083 File and Directory Discovery Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.  T1482 Domain Trust Discovery Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.

 

Collection [TA0009]

Collection consists of both the techniques adversaries may use to gather information and the sources that information is collected from that are relevant to the adversary's objectives. The adversary leverages information repositories, such as SharePoint, to mine valuable information [T1213.002].[31]   

ID Name Description T1213.002 Data from Information Repositories: SharePoint Adversaries may leverage the SharePoint repository as a source to mine valuable information. 

 

Command and Control [TA0011]

Command and Control (C2) consists of techniques that adversaries may use to communicate with systems under their control within a victim network. The adversary chained together multiple proxies to disguise the source of malicious traffic. In this case, TOR and VPN servers are used as multi-hop proxies to route C2 traffic and obfuscate their activities [T1090.003].[32
 

ID Name Description T1090.003 Proxy: Multi-hop Proxy To disguise the source of malicious traffic, adversaries may chain together multiple proxies. 

 

Additional Resources

[1] NSA, CISA, FBI, NCSC Cybersecurity Advisory: Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments, 1 July 2021.
[2] NSA Cybersecurity Advisory: Mitigating Recent VPN Vulnerabilities, 7 October 2019.
[3] NSA, CISA, FBI, NCSC Cybersecurity Advisory: Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments, 1 July 2021.
[4] Microsoft Article: AD Forest Recovery – Resetting the krbtgt password, 29 July 2021. 
[5] Microsoft GitHub: New-KrbtgtKeys.ps1, 14 May 2020.
[6] NSA Cybersecurity Information: Defend Privileges and Accounts, August 2019.
[7] Microsoft Article: Group Managed Service Accounts Overview, 29 July 2021.
[8] NSA Cybersecurity Information: Leverage Modern Hardware Security Features, August 2019.
[9] Microsoft Article: Protect derived domain credentials with Windows Defender Credential Guard, 3 December 2021.
[10] Microsoft Article: Windows Defender Credential Guard protection limits, 3 December 2021.
[11] Microsoft Article: Windows 11 requirements, 30 November 2021.
[12] Microsoft Blog Post: The Importance of KB2871997 and KB2928120 for Credential Protection, 20 September 2021.
[13] Microsoft Article: What’s New in Credential Protection, 7 January 2022.
[14] NSA Cybersecurity Factsheet: PowerShell: Security Risks and Defenses, 1 December 2016.
[15] NSA Cybersecurity Information: Update and Upgrade Software Immediately, August 2019.
[16] NSA Cybersecurity Information: Actively Manage Systems and Configurations, August 2019.
[17] MITRE Groups: APT28, 18 October 2021.
[18] MITRE Groups: APT28, 18 October 2021.
[19] MITRE Software: Cobalt Strike, 18 October 2021.
[20] Based on technical information shared by Mandiant.
[21] MITRE Groups: APT28, 18 October 2021.
[22] Based on technical information shared by Mandiant.
[23] MITRE Groups: APT28, 18 October 2021.
[24] MITRE Groups: APT28, 18 October 2021.
[25] MITRE Software: Cobalt Strike, 18 October 2021.
[26] MITRE Software: Fysbis, 6 November 2020. 
[27] MITRE Software: Koadic, 30 March 2020. 
[28] MITRE Groups: APT28, 18 October 2021.
[29] Based on technical information shared by Mandiant.
[30] Based on technical information shared by Mandiant.
[31] MITRE Groups: APT28, 18 October 2021.
[32] MITRE Groups: APT28, 18 October 2021.

Revisions
  • February 16, 2022: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

AA22-040A: 2021 Trends Show Increased Globalized Threat of Ransomware

US-CERT - Wed, 2022-02-09 06:00
Original release date: February 9, 2022
Summary

Immediate Actions You Can Take Now to Protect Against Ransomware: • Update your operating system and software.
• Implement user training and phishing exercises to raise awareness about the risk of suspicious links and attachments.
• If you use Remote Desktop Protocol (RDP), secure and monitor it.
• Make an offline backup of your data.
• Use multifactor authentication (MFA).

In 2021, cybersecurity authorities in the United States,[1][2][3] Australia,[4] and the United Kingdom[5] observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) observed incidents involving ransomware against 14 of the 16 U.S. critical infrastructure sectors, including the Defense Industrial Base, Emergency Services, Food and Agriculture, Government Facilities, and Information Technology Sectors. The Australian Cyber Security Centre (ACSC) observed continued ransomware targeting of Australian critical infrastructure entities, including in the Healthcare and Medical, Financial Services and Markets, Higher Education and Research, and Energy Sectors. The United Kingdom’s National Cyber Security Centre (NCSC-UK) recognizes ransomware as the biggest cyber threat facing the United Kingdom. Education is one of the top UK sectors targeted by ransomware actors, but the NCSC-UK has also seen attacks targeting businesses, charities, the legal profession, and public services in the Local Government and Health Sectors.

Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.

This joint Cybersecurity Advisory—authored by cybersecurity authorities in the United States, Australia, and the United Kingdom—provides observed behaviors and trends as well as mitigation recommendations to help network defenders reduce their risk of compromise by ransomware.

Click here for a PDF version of this report.

Technical Details

Cybersecurity authorities in the United States, Australia, and the United Kingdom observed the following behaviors and trends among cyber criminals in 2021:

  • Gaining access to networks via phishing, stolen Remote Desktop Protocols (RDP) credentials or brute force, and exploiting vulnerabilities. Phishing emails, RDP exploitation, and exploitation of software vulnerabilities remained the top three initial infection vectors for ransomware incidents in 2021. Once a ransomware threat actor has gained code execution on a device or network access, they can deploy ransomware. Note: these infection vectors likely remain popular because of the increased use of remote work and schooling starting in 2020 and continuing through 2021. This increase expanded the remote attack surface and left network defenders struggling to keep pace with routine software patching.
  • Using cybercriminal services-for-hire. The market for ransomware became increasingly “professional” in 2021, and the criminal business model of ransomware is now well established. In addition to their increased use of ransomware-as-a-service (RaaS), ransomware threat actors employed independent services to negotiate payments, assist victims with making payments, and arbitrate payment disputes between themselves and other cyber criminals. NCSC-UK observed that some ransomware threat actors offered their victims the services of a 24/7 help center to expedite ransom payment and restoration of encrypted systems or data.

Note: cybersecurity authorities in the United States, Australia, and the United Kingdom assess that if the ransomware criminal business model continues to yield financial returns for ransomware actors, ransomware incidents will become more frequent. Every time a ransom is paid, it confirms the viability and financial attractiveness of the ransomware criminal business model. Additionally, cybersecurity authorities in the United States, Australia, and the United Kingdom note that the criminal business model often complicates attribution because there are complex networks of developers, affiliates, and freelancers; it is often difficult to identify conclusively the actors behind a ransomware incident.

  • Sharing victim information. Eurasian ransomware groups have shared victim information with each other, diversifying the threat to targeted organizations. For example, after announcing its shutdown, the BlackMatter ransomware group transferred its existing victims to infrastructure owned by another group, known as Lockbit 2.0. In October 2021, Conti ransomware actors began selling access to victims’ networks, enabling follow-on attacks by other cyber threat actors.
  • Shifting away from “big-game” hunting in the United States. 
    • In the first half of 2021, cybersecurity authorities in the United States and Australia observed ransomware threat actors targeting “big game” organizations—i.e., perceived high-value organizations and/or those that provide critical services—in several high-profile incidents. These victims included Colonial Pipeline Company, JBS Foods, and Kaseya Limited. However, ransomware groups suffered disruptions from U.S. authorities in mid-2021. Subsequently, the FBI observed some ransomware threat actors redirecting ransomware efforts away from “big-game” and toward mid-sized victims to reduce scrutiny. 
    • The ACSC observed ransomware continuing to target Australian organizations of all sizes, including critical services and “big game,” throughout 2021. 
    • NCSC-UK observed targeting of UK organizations of all sizes throughout the year, with some “big game” victims. Overall victims included businesses, charities, the legal profession, and public services in the Education, Local Government, and Health Sectors.
  • Diversifying approaches to extorting money. After encrypting victim networks, ransomware threat actors increasingly used “triple extortion” by threatening to (1) publicly release stolen sensitive information, (2) disrupt the victim’s internet access, and/or (3) inform the victim’s partners, shareholders, or suppliers about the incident. The ACSC continued to observe “double extortion” incidents in which a threat actor uses a combination of encryption and data theft to pressure victims to pay ransom demands. 

Ransomware groups have increased their impact by:

  • Targeting the cloud. Ransomware developers targeted cloud infrastructures to exploit known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software. Ransomware threat actors also targeted cloud accounts, cloud application programming interfaces (APIs), and data backup and storage systems to deny access to cloud resources and encrypt data. In addition to exploiting weaknesses to gain direct access, threat actors sometimes reach cloud storage systems by compromising local (on-premises) devices and moving laterally to the cloud systems. Ransomware threat actors have also targeted cloud service providers to encrypt large amounts of customer data.
  • Targeting managed service providers. Ransomware threat actors have targeted managed service providers (MSPs). MSPs have widespread and trusted accesses into client organizations. By compromising an MSP, a ransomware threat actor could access multiple victims through one initial compromise. Cybersecurity authorities in the United States, Australia, and the United Kingdom assess there will be an increase in ransomware incidents where threat actors target MSPs to reach their clients.
  • Attacking industrial processes. Although most ransomware incidents against critical infrastructure affect business information and technology systems, the FBI observed that several ransomware groups have developed code designed to stop critical infrastructure or industrial processes.
  • Attacking the software supply chain. Globally, in 2021, ransomware threat actors targeted software supply chain entities to subsequently compromise and extort their customers. Targeting software supply chains allows ransomware threat actors to increase the scale of their attacks by accessing multiple victims through a single initial compromise. 
  • Targeting organizations on holidays and weekends. The FBI and CISA observed cybercriminals conducting increasingly impactful attacks against U.S. entities on holidays and weekends throughout 2021. Ransomware threat actors may view holidays and weekends—when offices are normally closed—as attractive timeframes, as there are fewer network defenders and IT support personnel at victim organizations. For more information, see joint FBI-CISA Cybersecurity Advisory, Ransomware Awareness for Holidays and Weekends.
Mitigations

Cybersecurity authorities in the United States, Australia, and the United Kingdom recommend network defenders apply the following mitigations to reduce the likelihood and impact of ransomware incidents:

  • Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Regularly check for software updates and end of life (EOL) notifications, and prioritize patching known exploited vulnerabilities. In cloud environments, ensure that virtual machines, serverless applications, and third-party libraries are also patched regularly, as doing so is usually the customer’s responsibility. Automate software security scanning and testing when possible. Consider upgrading hardware and software, as necessary, to take advantage of vendor-provided virtualization and security capabilities.
  • If you use RDP or other potentially risky services, secure and monitor them closely.
    • Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a virtual private network (VPN), virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.
    • Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389). 
    • Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary, and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
    • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
    • Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established.
    • Open document readers in protected viewing modes to help prevent active content from running.
  • Implement a user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails. 
  • Require MFA for as many services as possible—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups. 
  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access. Note: devices with local admin accounts should implement a password policy, possibly using a password management solution (e.g., Local Administrator Password Solution [LAPS]), that requires strong, unique passwords for each admin account.
  • If using Linux, use a Linux security module (such as SELinux, AppArmor, or SecComp) for defense in depth. The security modules may prevent the operating system from making arbitrary connections, which is an effective mitigation strategy against ransomware, as well as against remote code execution (RCE).
  • Protect cloud storage by backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud. If using cloud-based key management for encryption, ensure that storage and key administration roles are separated.

Malicious cyber actors use system and network discovery techniques for network and system visibility and mapping. To limit an adversary’s ability to learn an organization’s enterprise environment and to move laterally, take the following actions: 

  • Segment networks. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement. Organizations with an international footprint should be aware that connectivity between their overseas arms can expand their threat surface; these organizations should implement network segmentation between international divisions where appropriate. For example, the ACSC has observed ransomware and data theft incidents in which Australian divisions of multinational companies were impacted by ransomware incidents affecting assets maintained and hosted by offshore divisions (outside their control).
  • Implement end-to-end encryption. Deploying mutual Transport Layer Security (mTLS) can prevent eavesdropping on communications, which, in turn, can prevent cyber threat actors from gaining insights needed to advance a ransomware attack.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network-monitoring tool. To aid in detecting the ransomware, leverage a tool that logs and reports all network traffic, including lateral movement on a network. Endpoint detection and response tools are particularly useful for detecting lateral connections as they have insight into unusual network connections for each host. Artificial intelligence (AI)-enabled network intrusion detection systems (NIDS) are also able to detect and block many anomalous behaviors associated with early stages of ransomware deployment.
  • Document external remote connections. Organizations should document approved solutions for remote management and maintenance. If an unapproved solution is installed on a workstation, the organization should investigate it immediately. These solutions have legitimate purposes, so they will not be flagged by antivirus vendors.
  • Implement time-based access for privileged accounts. For example, the just-in-time access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the zero trust model) by setting network-wide policy to automatically disable admin accounts at the Active Directory level. As needed, individual users can submit requests through an automated process that enables access to a system for a set timeframe. In cloud environments, just-in-time elevation is also appropriate and may be implemented using per-session federated claims or privileged access management tools.
  • Enforce principle of least privilege through authorization policies. Minimize unnecessary privileges for identities. Consider privileges assigned to human identities as well as non-person (e.g., software) identities. In cloud environments, non-person identities (service accounts or roles) with excessive privileges are a key vector for lateral movement and data access. Account privileges should be clearly defined, narrowly scoped, and regularly audited against usage patterns.
  • Reduce credential exposure. Accounts and their credentials present on hosts can enable further compromise of a network. Enforcing credential protection—by restricting where accounts and credentials can be used and by using local device credential protection features—reduces opportunities for threat actors to collect credentials for lateral movement and privilege escalation.
  • Disable unneeded command-line utilities; constrain scripting activities and permissions, and monitor their usage. Privilege escalation and lateral movement often depend on software utilities that run from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally. Organizations should also disable macros sent from external sources via Group Policy.
  • Maintain offline (i.e., physically disconnected) backups of data, and regularly test backup and restoration. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from an attack as well as protect against data losses. In cloud environments, consider leveraging native cloud service provider backup and restoration capabilities. To further secure cloud backups, consider separation of account roles to prevent an account that manages the backups from being used to deny or degrade the backups should the account become compromised. 
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure. Consider storing encryption keys outside the cloud. Cloud backups that are encrypted using a cloud key management service (KMS) could be affected should the cloud environment become compromised. 
  • Collect telemetry from cloud environments. Ensure that telemetry from cloud environments—including network telemetry (e.g., virtual private cloud [VPC] flow logs), identity telemetry (e.g., account sign-on, token usage, federation configuration changes), and application telemetry (e.g., file downloads, cross-organization sharing)—is retained and visible to the security team.

Note: critical infrastructure organizations with industrial control systems/operational technology networks should review joint CISA-FBI Cybersecurity Advisory DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks for more recommendations, including mitigations to reduce the risk of severe business or functional degradation should their entity fall victim to ransomware. 

Responding to Ransomware Attacks

If a ransomware incident occurs at your organization, cybersecurity authorities in the United States, Australia, and the United Kingdom recommend organizations:

Note: cybersecurity authorities in the United States, Australia, and the United Kingdom strongly discourage paying a ransom to criminal actors. Criminal activity is motivated by financial gain, so paying a ransom may embolden adversaries to target additional organizations (or re-target the same organization) or encourage cyber criminals to engage in the distribution of ransomware. Paying the ransom also does not guarantee that a victim’s files will be recovered. Additionally, reducing the financial gain of ransomware threat actors will help disrupt the ransomware criminal business model.

Additionally, NCSC-UK reminds UK organizations that paying criminals is not condoned by the UK Government. In instances where a ransom paid, victim organizations often cease engagement with authorities, who then lose visibility of the payments made. While it continues to prove challenging, the NCSC-UK has supported UK Government efforts by identifying needed policy changes—including measures about the cyber insurance industry and ransom payments—that could reduce the threat of ransomware. 

Resources
  • For more information and resources on protecting against and responding to ransomware, refer to StopRansomware.gov, a centralized, U.S. whole-of-government webpage providing ransomware resources and alerts.
  • CISA’s Ransomware Readiness Assessment is a no-cost self-assessment based on a tiered set of practices to help organizations better assess how well they are equipped to defend and recover from a ransomware incident.
  • CISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.
  • The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.
  • The ACSC recommends organizations implement eight essential mitigation strategies from the ACSC’s Strategies to Mitigate Cyber Security Incidents as a cybersecurity baseline. These strategies, known as the “Essential Eight,” make it much harder for adversaries to compromise systems.
  • Refer to the ACSC’s practical guides on how to protect yourself against ransomware attacks and what to do if you are held to ransom at cyber.gov.au.
  • Refer to NCSC-UK’s guides on how to protect yourself against ransomware attacks and how to respond to and recover from them at ncsc.gov.uk/ransomware/home
Disclaimer

The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, NSA, ACSC, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation.

References Revisions
  • February 9, 2022: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

Pages

Subscribe to Willing Minds aggregator