Category: Homeland Security

Source: US Department of Homeland Security

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA, to disseminate known TTPs and IOCs associated with the Phobos ransomware variants observed as recently as February 2024, according to open source reporting. Phobos is structured as a ransomware-as-a-service (RaaS) model. Since May 2019, Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. These incidents targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars.[1],[2]

The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of Phobos ransomware and other ransomware incidents.

Download the PDF version of this report:

For a downloadable copy of indicators of compromise (IOCs), see:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview

According to open source reporting, Phobos ransomware is likely connected to numerous variants (including Elking, Eight, Devos, Backmydata, and Faust ransomware) due to similar TTPs observed in Phobos intrusions. Phobos ransomware operates in conjunction with various open source tools such as Smokeloader, Cobalt Strike, and Bloodhound. These tools are all widely accessible and easy to use in various operating environments, making it (and associated variants) a popular choice for many threat actors.[3],[4]

Reconnaissance and Initial Access

Phobos actors typically gain initial access to vulnerable networks by leveraging phishing campaigns [T1598] to drop hidden payloads or using internet protocol (IP) scanning tools, such as Angry IP Scanner, to search for vulnerable Remote Desktop Protocol (RDP) ports [T1595.001] or by leveraging RDP on Microsoft Windows environments.[5],[6]

Once they discover an exposed RDP service, the actors use open source brute force tools to gain access [T1110]. If Phobos actors gain successful RDP authentication [T1133][T1078] in the targeted environment, they perform open source research to create a victim profile and connect the targeted IP addresses to their associated companies [T1593]. Threat actors leveraging Phobos have notably deployed remote access tools to establish a remote connection within the compromised network [T1219].[7]

Alternatively, threat actors send spoofed email attachments [T1566.001] that are embedded with hidden payloads [T1204.002] such as SmokeLoader, a backdoor trojan that is often used in conjunction with Phobos. After SmokeLoader’s hidden payload is downloaded onto the victim’s system, threat actors use the malware’s functionality to download the Phobos payload and exfiltrate data from the compromised system.

Execution and Privilege Escalation

Phobos actors run executables like 1saas.exe or cmd.exe to deploy additional Phobos payloads that have elevated privileges enabled [TA0004]. Additionally, Phobos actors can use the previous commands to perform various windows shell functions. The Windows command shell enables threat actors to control various aspects of a system, with multiple permission levels required for different subsets of commands [T1059.003][T1105].[8]

Smokeloader Deployment

Phobos operations feature a standard three phase process to decrypt a payload that allows the threat actors to deploy additional destructive malware.[9]

For the first phase, Smokeloader manipulates either VirtualAlloc or VirtualProtect API functions—which opens an entry point, enabling code to be injected into running processes and allowing the malware to evade network defense tools [T1055.002]. In the second phase, a stealth process is used to obfuscate command and control (C2) activity by producing requests to legitimate websites [T1001.003].[10]

Within this phase, the shellcode also sends a call from the entry point to a memory container [T1055.004] and prepares a portable executable for deployment in the final stage [T1027.002][T1105][T1140].

Finally, once Smokeloader reaches its third stage, it unpacks a program-erase cycle from stored memory, which is then sent to be extracted from a SHA 256 hash as a payload.[7] Following successful payload decryption, the threat actors can begin downloading additional malware.

Additional Phobos Defense Evasion Capabilities

Phobos ransomware actors have been observed bypassing organizational network defense protocols by modifying system firewall configurations using commands like netsh firewall set opmode mode=disable [T1562.004]. Additionally, Phobos actors can evade detection by using the following tools: Universal Virus Sniffer, Process Hacker, and PowerTool [T1562].

Persistence and Privilege Escalation

According to open source reporting, Phobos ransomware uses commands such as Exec.exe or the bcdedit[.]exe control mechanism. Phobos has also been observed using Windows Startup folders and Run Registry Keys such as C:/UsersAdminAppDataLocaldirectory [T1490][T1547.001] to maintain persistence within compromised environments.[5]

Additionally, Phobos actors have been observed using built-in Windows API functions [T1106] to steal tokens [T1134.001], bypass access controls, and create new processes to escalate privileges by leveraging the SeDebugPrivilege process [T1134.002]. Phobos actors attempt to authenticate using cached password hashes on victim machines until they reach domain administrator access [T1003.005].

Discovery and Credential Access

Phobos actors additionally use open source tools [T1588.002] such as Bloodhound and Sharphound to enumerate the active directory [T1087.002]. Mimikatz and NirSoft, as well as Remote Desktop Passview to export browser client credentials [T1003.001][T1555.003], have also been used. Furthermore, Phobos ransomware is able to enumerate connected storage devices [T1082], running processes [T1057], and encrypt user files [T1083].

Exfiltration

Phobos actors have been observed using WinSCP and Mega.io for file exfiltration.[11] They use WinSCP to connect directly from a victim network to an FTP server [T1071.002] they control [TA0010]. Phobos actors install Mega.io [T1048] and use it to export victim files directly to a cloud storage provider [T1567.002]. Data is typically archived as either a .rar or .zip file [T1560] to be later exfiltrated. They target legal documentation, financial records, technical documents (including network architecture), and databases for commonly used password management software [T1555.005].

Impact

After the exfiltration phase, Phobos actors then hunt for backups. They use vssadmin.exe and Windows Management Instrumentation command-line utility (WMIC) to discover and delete volume shadow copies in Windows environments. This prevents victims from recovering files after encryption has taken place [T1047][T1490].

Phobos.exe contains functionality to encrypt all connected logical drives on the target host [T1486]. Each Phobos ransomware executable has unique build identifiers (IDs), affiliate IDs, as well as a unique ransom note which is embedded in the executable. After the ransom note has populated on infected workstations, Phobos ransomware continues to search for and encrypt additional files.

Most extortion [T1657] occurs via email; however, some affiliate groups have used voice calls to contact victims. In some cases, Phobos actors have used onion sites to list victims and host stolen victim data. Phobos actors use various instant messaging applications such as ICQ, Jabber, and QQ to communicate [T1585]. See Figure 2 for a list of email providers used by the following Phobos affiliates: Devos, Eight, Elbie, Eking, and Faust.[6]

INDICATORS OF COMPROMISE (IOCs)

See Table 1 through 6 for IOCs obtained from CISA and the FBI investigations from September through November 2023.

Table 1: Associated Phobos Domains

Associated Phobos Domains
adstat477d[.]xyz
demstat577d[.]xyz [12]
serverxlogs21[.]xyz

Table 2: Observed Phobos Shell Commands

Shell Commands
vssadmin delete shadows /all /quiet [T1490]
netsh advfirewall set currentprofile state off
wmic shadowcopy delete
netsh firewall set opmode mode=disable [T1562.004]
bcdedit /set {default} bootstatuspolicy ignoreallfailures [T1547.001]
bcdedit /set {default} recoveryenabled no [T1490]
wbadmin delete catalog -quiet
mshta C:%USERPROFILE%Desktopinfo.hta [T1218.005]
mshta C:%PUBLIC%Desktopinfo.hta
mshta C:info.hta

The commands above are observed during the execution of a Phobos encryption executable. A Phobos encryption executable spawns a cmd.exe process, which then executes the commands listed in Table 1 with their respective Windows system executables. When the commands above are executed on a Windows system, volume shadow copies are deleted and Windows Firewall is disabled. Additionally, the system’s boot status policy is set to boot even when there are errors during the boot process, and automatic recovery options, like Windows Recovery Environment (WinRE), are disabled for the given boot entry. The system’s backup catalog is also deleted. Finally, the Phobos ransom note is displayed to the end user using mshta.exe.

Table 3: Observed Phobos Registry Keys

Registry Keys
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
C:/UsersAdminAppDataLocaldirectory

Table 4: Observed Phobos Actor Email Addresses

Email Addresses
AlbetPattisson1981@protonmail[.]com	henryk@onionmail[.]org
atomicday@tuta[.]io	info@fobos[.]one
axdus@tuta[.]io	it.issues.solving@outlook[.]com
barenuckles@tutanota[.]com	JohnWilliams1887@gmx[.]com
Bernard.bunyan@aol[.]com	jonson_eight@gmx[.]us
bill.g@gmx[.]com	joshuabernandead@gmx[.]com
bill.g@msgsafe[.]io	LettoIntago@onionmail[.]com
bill.g@onionmail[.]org	Luiza.li@tutanota[.]com
bill.gTeam@gmx[.]com	MatheusCosta0194@gmx[.]com
blair_lockyer@aol[.]com	mccreight.ellery@tutanota[.]com
CarlJohnson1948@gmx[.]com	megaport@tuta[.]io
cashonlycash@gmx[.]com	miadowson@tuta[.]io
chocolate_muffin@tutanota[.]com	MichaelWayne1973@tutanota[.]com
claredrinkall@aol[.]com	normanbaker1929@gmx[.]com
clausmeyer070@cock[.]li	nud_satanakia@keemail[.]me
colexpro@keemail[.]me	please@countermail[.]com
cox.barthel@aol[.]com	precorpman@onionmail[.]org
crashonlycash@gmx[.]com	recovery2021@inboxhub[.]net
everymoment@tuta[.]io	recovery2021@onionmail[.]org
expertbox@tuta[.]io	SamuelWhite1821@tutanota[.]com
fastway@tuta[.]io	SaraConor@gmx[.]com
fquatela@techie[.]com	secdatltd@gmx[.]com
fredmoneco@tutanota[.]com	skymix@tuta[.]io
getdata@gmx[.]com	sory@countermail[.]com
greenbookBTC@gmx[.]com	spacegroup@tuta[.]io
greenbookBTC@protonmail[.]com	stafordpalin@protonmail[.]com
helperfiles@gmx[.]com	starcomp@keemail[.]me
helpermail@onionmail[.]org	xdone@tutamail[.]com
helpfiles@onionmail[.]org	xgen@tuta[.]io
helpfiles102030@inboxhub[.]net	xspacegroup@protonmail[.]com
helpforyou@gmx[.]com	zgen@tuta[.]io
helpforyou@onionmail[.]org	zodiacx@tuta[.]io

Table 5: Observed Phobos Actor Telegram Username

Telegram Username
@phobos_support

Table 6: Observed Phobos Actor Wickr Address

Wickr Address

Disclaimer: Organizations are encouraged to investigate the use of the IOCs in Table 7 for related signs of compromise prior to performing remediation actions.

Table 7: Phobos IOCs from September through December 2023

Associated IP Address	File Type	File Name	SHA 256 Hash
194.165.16[.]4 (October 2023)	Win32.exe	Ahpdate.exe [13]	0000599cbc6e5b0633c5a6261c79e4d3d81005c77845c6b0679d854884a8e02f
45.9.74[.]14 (December 2023) 147.78.47[.]224 (December 2023)	Executable and Linkable Format (ELF) [14]	1570442295 (Trojan Linux Mirai)	7451be9b65b956ee667081e1141531514b1ec348e7081b5a9cd1308a98eec8f0
185.202.0[.]111 (September 2023)	Win32.exe [15]	cobaltstrike_shellcode[.]exe (C2 activity)
185.202.0[.]111 (December 2023)	.txt [16]	f1425cff3d28afe5245459afa6d7985081bc6a62f86dce64c63daeb2136d7d2c.bin (Trojan)

Disclaimer: Organizations are encouraged to investigate the use of the file hashes in Tables 8 and 9 for related signs of compromise prior to performing remediation actions.

Table 8: Phobos Actor File Hashes Observed in October 2023

Phobos Ransomware SHA 256 Malicious Trojan Executable File Hashes
518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
9215550ce3b164972413a329ab697012e909d543e8ac05d9901095016dd3fc6c
482754d66d01aa3579f007c2b3c3d0591865eb60ba60b9c28c66fe6f4ac53c52
c0539fd02ca0184925a932a9e926c681dc9c81b5de4624250f2dd885ca5c4763

Table 9: Phobos Actor File Hashes from Open Source from November 2023 [17]

Phobos Ransomware SHA 256 File Hashes
58626a9bfb48cd30acd0d95debcaefd188ae794e1e0072c5bde8adae9bccafa6
f3be35f8b8301e39dd3dffc9325553516a085c12dc15494a5e2fce73c77069ed
518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
32a674b59c3f9a45efde48368b4de7e0e76c19e06b2f18afb6638d1a080b2eb3
2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66
fc4b14250db7f66107820ecc56026e6be3e8e0eb2d428719156cf1c53ae139c6
a91491f45b851a07f91ba5a200967921bf796d38677786de51a4a8fe5ddeafd2

MITRE ATT&CK TECHNIQUES

See Table 10 through 22 for all threat actor tactics and techniques referenced in this advisory.

Table 10: Phobos Threat Actors ATT&CK Techniques for Enterprise – Reconnaissance

Technique Title	ID	Use
Search Open Websites/Domains	T1593	Phobos actors perform open source research to find information about victims that can be used during targeting to create a victim profile.
Scanning IP Blocks	T1595.001	Phobos actors used IP scanning tools to include Angry IP Scanner to search for vulnerable RDP ports.
Phishing for Information	T1598	Phobos actors use phishing campaigns to social engineer information from users and gain access to vulnerable RDP ports.

Table 11: Phobos Threat Actors ATT&CK Techniques for Enterprise – Resource Development

Technique Title	ID	Use
Establish Accounts	T1585	Phobos actors establish accounts to communicate.
Obtain Capabilities: Tool	T1588.002	Phobos actors used open source tools in their attack.

Table 12: Phobos Threat Actors ATT&CK Techniques for Enterprise – Initial Access

Technique Title	ID	Use
Valid Accounts	T1078	Following successful RDP authentication, Phobos actors search for IP addresses and pair them with their associated computer to create a victim profile.
External Remote Services	T1133	Phobos actors may leverage external-facing remote services to initially access and/or persist within a network.
Phishing: Spearphishing Attachment	T1566.001	Phobos actors used a spoofed email attachment to execute attack.

Table 13: Phobos Threat Actors ATT&CK Techniques for Enterprise – Execution

Technique Title	ID	Use
Windows Management Instrumentation	T1047	Phobos actors used Windows Management Instrumentation command-line utility (WMIC) to prevent victims from recovering files.
Windows Command Shell	T1059.003	Phobos actors can use the previous commands to perform commands with windows shell functions.
Native API	T1106	Phobos actors used open source tools to enumerate the active directory.
Malicious File	T1204.002	Phobos actors attached a malicious email attachment to deliver ransomware.

Table 14: Phobos Threat Actors ATT&CK Techniques for Enterprise – Persistence

Technique Title	ID	Use
Registry Run Keys / Startup Folder	T1547.001	Phobos ransomware operates using the Exec.exe control mechanism and has been observed using Windows Startup folders and Run Registry Keys.

Table 15: Phobos Threat Actors ATT&CK Techniques for Enterprise – Privilege Escalation

Technique Title	ID	Use
Privilege Escalation	TA0004	Phobos actors use run commands like 1saas.exe, or cmd.exe to deploy additional Phobos payloads with escalated privileges.
Portable Executable Injection	T1055.002	Phobos actors use Smokeloader to inject code into running processes to identify an entry point through enabling a VirtualAlloc or VirtualProtect process.
Asynchronous Procedure Call	T1055.004	During phase two of execution, Phobos ransomware sends a call back from an identified entry point.
Access Token Manipulation: Token Impersonation/Theft	T1134.001	Phobos actors can use Windows API functions to steal tokens.
Create Process with Token	T1134.002	Phobos actors used Windows API functions to steal tokens, bypass access controls and create new processes.

Table 16: Phobos Threat Actors ATT&CK Techniques for Enterprise – Defense Evasion

Technique Title	ID	Use
Software Packing	T1027.002	Phobos actors deployed a portable executable (PE) to conceal code.
Embedded Payloads	T1027.009	Phobos actors embedded the ransomware as a hidden payload by using Smokeloader.
Deobfuscate/Decode Files or Information	T1140	During phase two of execution, Phobos actors’ malware stores and decrypts information.
System Binary Proxy Execution: Mshta	T1218.005	Phobos actors used Mshta to execute malicious files.
Impair Defenses	T1562	Phobos actors can use Universal Virus Sniffer, Process Hacker, and PowerTool to evade detection.
Disable or Modify System Firewall	T1562.004	Phobos ransomware has been observed bypassing organizational network defense protocols through modifying system firewall configurations.

Table 17: Phobos Threat Actors ATT&CK Techniques for Enterprise – Credential Access

Technique Title	ID	Use
OS Credential Dumping: LSASS Memory	T1003.001	Phobos actors used Mimikatz to export credentials.
OS Credential Dumping: Cached Domain Credentials	T1003.005	Phobos actors use cached domain credentials to authenticate as the domain administrator in the event a domain controller is unavailable.
Brute Force	T1110	Phobos actors may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Credentials from Password Stores	T1555	Phobos actors may search for common password storage locations to obtain user credentials.
Credentials from Password Stores: Credentials from Web Browsers	T1555.003	Phobos actors use Nirsoft or Passview to export client credentials from web browsers. Phobos actors search for stored credentials in browser clients once they gain initial network access.
Credentials from Password Stores: Password Managers	T1555.005	Phobos actors targeted victim’s databases for password management software.

Table 18: Phobos Threat Actors ATT&CK Techniques for Enterprise – Discovery

Technique Title	ID	Use
Process Discovery	T1057	Phobos ransomware is able to run processes.
System Information Discovery	T1082	Phobos ransomware is able to enumerate connected storage devices.
File and Directory Discovery	T1083	Phobos ransomware can encrypt user files.
Domain Account	T1087.002	Phobos threat actor used Bloodhound and Sharphound to enumerate the active directory.

Table 19: Phobos Threat Actors ATT&CK Techniques for Enterprise – Collection

Technique Title	ID	Use
Archive Collected Data	T1560	Phobos threat actors archive data as either a .rar or .zip file to be later exfiltrated.

Table 20: Phobos Threat Actors ATT&CK Techniques for Enterprise – Command and Control

Technique Title	ID	Use
Data Obfuscation: Protocol Impersonation	T1001.003	Phobos actors used a stealth process to obfuscate C2 activity.
File Transfer Protocols	T1071.002	Phobos threat actors used WinSCP to connect the victim’s network to an FTP server.
Ingress Tool Transfer	T1105	Phobos ransomware extracts its final payload from the hashed file.
Remote Access Software	T1219	Phobos threat actors used remote access tools to establish a remote connection within victim’s network.

Table 21: Phobos Threat Actors ATT&CK Techniques for Enterprise – Exfiltration

Technique Title	ID	Use
Exfiltration	TA0010	Phobos threat actors may use exfiltration techniques to steal data from your network.
Exfiltration Over Alternative Protocol	T1048	Phobos threat actors use software to export files to a cloud.
Exfiltration to Cloud Storage	T1567.002	Phobos threat actors use Mega.io to exfiltrate data to a cloud storage service rather than over their primary command and control channel.

Table 22: Phobos Threat Actors ATT&CK Techniques for Enterprise – Impact

Technique Title	ID	Use
Data Encrypted for Impact	T1486	Phobos threat actors use the Phobos.exe command to encrypt data on all logical drives connected to the network.
Inhibit System Recovery	T1490	Phobos threat actors may delete or remove backups to include volume shadow copies from Windows environments to prevent victim data recovery response efforts.
Financial Theft	T1657	Phobos threat actor’s extort victims for financial gain.

MITIGATIONS

Secure by Design and Default Mitigations:

These mitigations apply to all critical infrastructure organizations and network defenders. The FBI, CISA, and MS-ISAC recommend that software manufacturers incorporate secure by design and default principles and tactics into their software development practices limiting the impact of ransomware techniques, thus, strengthening the secure posture for their customers.

For more information on secure by design, see CISA’s Secure by Design webpage and joint guide.

The FBI, CISA, and MS-ISAC recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture against actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

• Secure remote access software by applying recommendations from the joint Guide to Securing Remote Access Software.
• Implement application controls to manage and control execution of software, including allowlisting remote access programs.
  • Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlist solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
• Implement log collection best practices and use intrusion detection systems to defend against threat actors manipulating firewall configurations through early detection [CPG 2.T].
  • Implement EDR solutions to disrupt threat actor memory allocation techniques.
• Strictly limit the use of RDP and other remote desktop services. If RDP is necessary, rigorously apply best practices, for example [CPG 2.W]:
• Disable command-line and scripting activities and permissions [CPG 2.N].
• Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 4.C].
• Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP) [CPG 2.E].
• Reduce the threat of credential compromise via the following:
  • Place domain admin accounts in the protected users’ group to prevent caching of password hashes locally.
  • Refrain from storing plaintext credentials in scripts.
• Implement time-based access for accounts at the admin level and higher [CPG 2.A, 2.E].

In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, or the cloud).
• Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices [CPG 2.R].
• Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST’s standards for developing and managing password policies.
  • Use longer passwords consisting of at least 15 characters and no more than 64 characters in length [CPG 2.B].
  • Store passwords in hashed format using industry-recognized password managers.
  • Add password user “salts” to shared login credentials.
  • Avoid reusing passwords [CPG 2.C].
  • Implement multiple failed login attempt account lockouts [CPG 2.G].
  • Disable password “hints.”
  • Refrain from requiring password changes more frequently than once per year.
    Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
  • Require administrator credentials to install software.
• Require phishing-resistant multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems [CPG 2.H].
• Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
• Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic and activity, including lateral movement, on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
• Install, regularly update, and enable real time detection for antivirus software on all hosts.
• Disable unused ports and protocols [CPG 2.V].
• Consider adding an email banner to emails received from outside your organization [CPG 2.M].
• Disable hyperlinks in received emails.
• Ensure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and MS-ISAC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see Tables 4-16).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The FBI, CISA, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

REFERENCES

[1] Privacy Affairs: “Moral” 8Base Ransomware Targets 2 New Victims
[2] VMware: 8base ransomware: A Heavy Hitting Player
[3] Infosecurity Magazine: Phobos Ransomware Family Expands With New FAUST Variant
[4] The Record: Hospitals offline across Romania following ransomware attack on IT platform
[5] Comparitech: What is Phobos Ransomware & How to Protect Against It?
[6] Cisco Talos: Understanding the Phobos affiliate structure and activity
[7] Cisco Talos: A deep dive into Phobos ransomware, recently deployed by 8Base group
[8] Malwarebytes Labs: A deep dive into Phobos ransomware
[9] Any Run: Smokeloader
[10] Malpedia: Smokeloader
[11] Truesec: A case of the FAUST Ransomware
[12] VirusTotal: Phobos Domain #1
[13] VirusTotal: Phobos executable: Ahpdate.exe
[14] VirusTotal: Phobos GUI extension: ELF File
[15] VirusTotal: Phobos IP address: 185.202.0[.]111
[16] VirusTotal: Phobos GUI extension: Binary File
[17] Cisco Talos GitHub: IOCs/2023/11/deep-dive-into-phobos-ransomware.txt at main

REPORTING

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom-note, communications with Phobos actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details requested include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host and network-based indicators.

The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3), a local FBI Field Office, or to CISA at report@cisa.gov or (888) 282-0870.

DISCLAIMER

The FBI does not conduct its investigative activities or base attribution solely on activities protected by the First Amendment. Your company has no obligation to respond or provide information back to the FBI in response to this engagement. If, after reviewing the information, your company decides to provide referral information to the FBI, it must do so in a manner consistent with federal law. The FBI does not request or expect your company to take any particular action regarding this information other than holding it in confidence due to its sensitive nature.

The information in this report is being provided “as is” for informational purposes only. The FBI and CISA not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, and the MS-ISAC.

ACKNOWLEDGEMENTS

The California Joint Regional Intelligence Center (JRIC, CA) and Israel National Cyber Directorate (INCD) contributed to this CSA.

VERSION HISTORY

February 29, 2024: Initial version.

Source: US Department of Homeland Security

The text of the following statement was released by the Governments of the United States of America, Mexico, and Guatemala on the occasion of a Trilateral Ministerial Meeting in Washington, D.C.

Senior officials from the United States, Guatemala, and Mexico met today at the State Department for a trilateral ministerial meeting to enhance cooperation on hemispheric migration management and regional development. Led by Secretary of State Antony Blinken, Secretary of Homeland Security Alejandro Mayorkas, and White House Homeland Security Advisor Liz Sherwood Randall of the United States, Foreign Minister Carlos Ramiro Martinez and Minister of the Interior Francisco José Jiménez Irungaray of Guatemala, and Foreign Secretary Alicia Bárcena Ibarra of Mexico, the meeting solidified key areas of collaboration between the three partners, including on issues related toa root causes and development, border enforcement, labor mobility pathways and orderly, humane, and regular migration in the region. During the meeting, Foreign Minister Martinez announced Guatemala will host the next Los Angeles Declaration on Migration and Protection ministerial meeting in the near future.

The U.S. and Mexican delegations congratulated the Guatemalan delegation on a successful democratic transition and pledged to work closely with President Bernardo Arévalo’s administration to help strengthen institutions and democratic values in Guatemala.

The three delegations agreed on the urgency of addressing the root causes of irregular migration and displacement. To that end, participants discussed the importance of encouraging investments in Guatemala that develop infrastructure and expand access to health, education, electricity and housing. Participants also emphasized the need to foster economic productivity, foster supply chains between our countries, and create jobs in the region.

The delegations committed to expand access to labor mobility pathways as a strategic response to migration challenges in the region. All three countries emphasized the importance of upholding international human rights and protection standards, ensuring the dignity and well-being of migrants and refugees, and maintaining consular cooperation as a means of defending labor rights.

The three countries discussed efforts to combat human trafficking and the importance of trafficking prevention programs. The participants committed to strengthen joint law enforcement efforts, including by enhancing information sharing and working collectively to investigative and prosecute human trafficking and migrant smuggling networks.

Discussion also focused on the need to increase coordinated joint efforts on humane border management and enforcement, including at the U.S. – Mexico and Mexico – Guatemala borders. The three delegations committed to share data about migration flows by launching a new dashboard, which will enhance data-driven decision-making and coordination.

The three delegations also committed to establish an operationally focused trilateral working group which will work to improve security, law enforcement, processes, and infrastructure along their international borders. Law enforcement authorities from the three countries will work together to identify security gaps, share information, and develop coordinated operational plans. This effort will build on and expand existing partnerships to address shared challenges at our borders.

The participants reaffirmed their commitment to other regional cooperation initiatives, including the Summit on Labor Migration Pathways, which will be co-hosted by Mexico, Colombia and the International Organization for Migration in May. This forum will help foster regional cooperation to address migration challenges in an effective manner that upholds the rights and dignity of all migrants.

Source: US Department of Homeland Security

How SVR-Attributed Actors are Adapting to the Move of Government and Corporations to Cloud Infrastructure

OVERVIEW

This advisory details recent tactics, techniques, and procedures (TTPs) of the group commonly known as APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear.

The UK National Cyber Security Centre (NCSC) and international partners assess that APT29 is a cyber espionage group, almost certainly part of the SVR, an element of the Russian intelligence services. The US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Cyber National Mission Force (CNMF), the Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and New Zealand Government Communications Security Bureau (GCSB) agree with this attribution and the details provided in this advisory.

This advisory provides an overview of TTPs deployed by the actor to gain initial access into the cloud environment and includes advice to detect and mitigate this activity.

To download the PDF version of this report, click here.

PREVIOUS ACTOR ACTIVITY

The NCSC has previously detailed how Russian Foreign Intelligence Service (SVR) cyber actors have targeted governmental, think tank, healthcare, and energy targets for intelligence gain. It has now observed SVR actors expanding their targeting to include aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.

SVR actors are also known for:

EVOLVING TTPs

As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment.

They have to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premises network, and instead target the cloud services themselves.

To access the majority of the victims’ cloud hosted network, actors must first successfully authenticate to the cloud provider. Denying initial access to the cloud environment can prohibit SVR from successfully compromising their target. In contrast, in an on-premises system, more of the network is typically exposed to threat actors.

Below describes in more detail how SVR actors are adapting to continue their cyber operations for intelligence gain. These TTPs have been observed in the last 12 months.

ACCESS VIA SERVICE AND DORMANT ACCOUNTS

Previous SVR campaigns reveal the actors have successfully used brute forcing [T1110] and password spraying to access service accounts. This type of account is typically used to run and manage applications and services. There is no human user behind them so they cannot be easily protected with multi-factor authentication (MFA), making these accounts more susceptible to a successful compromise. Service accounts are often also highly privileged depending on which applications and services they’re responsible for managing. Gaining access to these accounts provides threat actors with privileged initial access to a network, to launch further operations.

SVR campaigns have also targeted dormant accounts belonging to users who no longer work at a victim organization but whose accounts remain on the system [T1078.004].

Following an enforced password reset for all users during an incident, SVR actors have also been observed logging into inactive accounts and following instructions to reset the password. This has allowed the actor to regain access following incident response eviction activities.

CLOUD-BASED TOKEN AUTHENTICATION

Account access is typically authenticated by either username and password credentials or system-issued access tokens. The NCSC and partners have observed SVR actors using tokens to access their victims’ accounts, without needing a password [T1528].

The default validity time of system-issued tokens varies dependent on the system; however, cloud platforms should allow administrators to adjust the validity time as appropriate for their users. More information can be found on this in the mitigations section of this advisory.

ENROLLING NEW DEVICES TO THE CLOUD

On multiple occasions, the SVR have successfully bypassed password authentication on personal accounts using password spraying and credential reuse. SVR actors have also then bypassed MFA through a technique known as “MFA bombing” or “MFA fatigue,” in which the actors repeatedly push MFA requests to a victim’s device until the victim accepts the notification [T1621].

Once an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own device as a new device on the cloud tenant [T1098.005]. If device validation rules are not set up, SVR actors can successfully register their own device and gain access to the network.

By configuring the network with device enrollment policies, there have been instances where these measures have defended against SVR actors and denied them access to the cloud tenant.

RESIDENTIAL PROXIES

As network-level defenses improve detection of suspicious activity, SVR actors have looked at other ways to stay covert on the internet. A TTP associated with this actor is the use of residential proxies [T1090.002]. Residential proxies typically make traffic appear to originate from IP addresses within internet service provider (ISP) ranges used for residential broadband customers and hide the true source. This can make it harder to distinguish malicious connections from typical users. This reduces the effectiveness of network defenses that use IP addresses as indicators of compromise, and so it is important to consider a variety of information sources such as application and host-based logging for detecting suspicious activity.

CONCLUSION

The SVR is a sophisticated actor capable of carrying out a global supply chain compromise such as the 2020 SolarWinds, however the guidance in this advisory shows that a strong baseline of cyber security fundamentals can help defend from such actors.

For organizations that have moved to cloud infrastructure, a first line of defense against an actor such as SVR should be to protect against SVR’s TTPs for initial access. By following the mitigations outlined in this advisory, organizations will be in a stronger position to defend against this threat.

Once the SVR gain initial access, the actor is capable of deploying highly sophisticated post compromise capabilities such as MagicWeb, as reported in 2022. Therefore, mitigating against the SVR’s initial access vectors is particularly important for network defenders.

CISA have also produced guidance through their Secure Cloud Business Applications (SCuBA) Project which is designed to protect assets stored in cloud environments.

Some of the TTPs listed in this report, such as residential proxies and exploitation of system accounts, are similar to those reported as recently as January 2024 by Microsoft.

MITRE ATT&CK®

This report has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

Tactic	ID	Technique	Procedure
Credential Access	T1110	Brute Force	The SVR use password spraying and brute forcing as an initial infection vector.
Initial Access	T1078.004	Valid Accounts: Cloud Accounts	The SVR use compromised credentials to gain access to accounts for cloud services, including system and dormant accounts.
Credential Access	T1528	Steal Application Access Token	The SVR use stolen access tokens to login to accounts without the need for passwords.
Credential Access	T1621	Multi-Factor Authentication Request Generation	The SVR repeatedly push MFA requests to a victim’s device until the victim accepts the notification, providing SVR access to the account.
Command and Control	T1090.002	Proxy: External Proxy	The SVR use open proxies in residential IP ranges to blend in with expected IP address pools in access logs.
Persistence	T1098.005	Account Manipulation: Device Registration	The SVR attempt to register their own device on the cloud tenant after acquiring access to accounts.

MITIGATION AND DETECTION

A number of mitigations will be useful in defending against the activity described in this advisory: 

• Use multi-factor authentication (/2-factor authentication/two-step verification) to reduce the impact of password compromises. See NCSC guidance: Multifactor Authentication for Online Services and Setting up 2-Step Verification (2SV).
• Accounts that cannot use 2SV should have strong, unique passwords. User and system accounts should be disabled when no longer required with a “joiners, movers, and leavers” process in place and regular reviews to identify and disable inactive/dormant accounts. See NCSC guidance: 10 Steps to Cyber Security.
• System and service accounts should implement the principle of least privilege, providing tightly scoped access to resources required for the service to function.
• Canary service accounts should be created which appear to be valid service accounts but are never used by legitimate services. Monitoring and alerting on the use of these account provides a high confidence signal that they are being used illegitimately and should be investigated urgently.
• Session lifetimes should be kept as short as practical to reduce the window of opportunity for an adversary to use stolen session tokens. This should be paired with a suitable authentication method that strikes a balance between regular user authentication and user experience.
• Ensure device enrollment policies are configured to only permit authorized devices to enroll. Use zero-touch enrollment where possible, or if self-enrollment is required then use a strong form of 2SV that is resistant to phishing and prompt bombing. Old devices should be prevented from (re)enrolling when no longer required. See NCSC guidance: Device Security Guidance.
• Consider a variety of information sources such as application events and host-based logs to help prevent, detect and investigate potential malicious behavior. Focus on the information sources and indicators of compromise that have a better rate of false positives. For example, looking for changes to user agent strings that could indicate session hijacking may be more effective than trying to identify connections from suspicious IP addresses. See NCSC guidance: Introduction to Logging for Security Purposes.

DISCLAIMER

This report draws on information derived from NCSC and industry sources. Any NCSC findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation.

Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk.

All material is UK Crown Copyright.

Source: US Department of Homeland Security

 New logging increases security by default and enhances cyber defense 

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), Office of Management and Budget (OMB), Office of the National Cyber Director (ONCD) and Microsoft announce today further progress in ensuring that Federal Civilian Executive Branch (FCEB) agencies have access to necessary logging capabilities. Over the past six months, Microsoft has worked closely with CISA, OMB, and ONCD to roll out expanded logs to a pilot group of agencies. Beginning this month, expanded logging will be available to all agencies using Microsoft Purview Audit regardless of license tier.

As described in CISA’s Secure by Design guidance, all technology providers should provide “high-quality audit logs to customers at no extra charge or additional configuration.” Today’s announcement is a further step in this direction. Microsoft will automatically enable the logs in customer accounts and increase the default log retention period from 90 days to 180 days. Also, this data will provide new telemetry to help more federal agencies meet logging requirements mandated by OMB Memorandum M-21-31.

To help agencies more effectively use available logs to detect and remediate cyber threats, CISA has developed a new Expanded Cloud Log Implementation Playbook in close coordination with Microsoft, which provides further detail on each newly available log and how these logs can be used to support threat hunting and incident-response operations. 

“Last summer, we were glad to see Microsoft’s commitment to make necessary logging available to federal agencies and the broader cybersecurity community. I am pleased that we have made real progress toward this goal,” said CISA Executive Assistant Director for Cybersecurity Eric Goldstein. “We look forward to continued progress with our partners to ensure that every organization has access to necessary security logs– a core tenet of our Secure by Design guidance in support of the National Cybersecurity Strategy. Every organization has the right to safe and secure technology, and we continue to make progress toward this goal.”

“As the federal government continues our transition to cloud environments, we must ensure we are following secure-by-design and secure-by-default principles,” said Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director. “The upgraded logging features now available to Microsoft’s government community cloud customers will provide greater visibility, and enable our network defenders to enhance their threat detection capabilities.”

“We recognize the vital importance that advanced logging plays in enabling federal agencies to detect, respond to, and prevent even the most sophisticated cyberattacks from well-resourced, state-sponsored actors. For this reason, we have been collaborating across the federal government to provide access to advanced audit logs,” said Candice Ling, Senior Vice President, Microsoft Federal. “Microsoft will continue to play a critical role in partnering with the federal government to reinforce our commitment to secure by design and further enhance the security baseline of our nation.”

In July 2023, a federal agency observed suspicious, unexpected activity in unclassified Microsoft 365 audit logs and reported it to Microsoft and CISA. The agency detected the activity using one of the logs Microsoft is expanding access to with this announcement. The importance of having critical cybersecurity logs that provided timely information was clearly demonstrated by this incident. CISA continues our work to ensure every organization has access to key security data by default so they can better defend their networks from malicious cyber actors.

For more details on this announcement, read Microsoft’s blog and visit CISA’s Secure by Design webpage for more information.

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram. 

Source: US Department of Homeland Security

VIENNA – On February 18, Secretary of Homeland Security Alejandro N. Mayorkas met with People’s Republic of China (PRC) State Councilor and Minister of Public Security Wang Xiaohong in Vienna, Austria to advance cooperation with the PRC in the fight against the scourge of fentanyl, its precursor chemicals, and associated equipment. 

This meeting builds upon the commitments made at the Woodside Summit between President Biden and President Xi last November, the January 10 virtual meeting between Secretary Mayorkas and State Councilor Wang, and the January 30 inaugural meeting of the U.S.-PRC Counternarcotics Working Group. 

The two sides had a candid and constructive discussion on the steps needed to combat the spread of precursor chemicals and the transnational criminal organizations that profit off the production, distribution, and sale of illicit synthetic drugs. The two sides also made commitments with respect to continued law enforcement cooperation, technical bilateral exchanges between scientists and other experts, scheduling of precursor chemicals, and furthering multilateral cooperation. 

Secretary Mayorkas and State Councilor Wang discussed areas of concern within the bilateral relationship and committed to ongoing discussion on those and other issues.  

The two sides also discussed expanding their law enforcement cooperation in the fight to protect children from online child sexual exploitation and abuse. This heinous crime is global in scope and predators do not draw geographic boundaries that limit the reach of this cruelty. 

The Secretary reiterated that the United States will stand up for our interests and values and those of our allies and partners. 

Secretary Mayorkas was joined in the meeting by senior officials from the Department of Homeland Security, Department of State, Department of Justice, Department of the Treasury, National Security Council, Office of National Drug Control Policy, the Drug Enforcement Administration, Customs and Border Protection (CBP), and Immigration and Customs Enforcement (ICE). 

###

Source: US Department of Homeland Security

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) conducted an incident response assessment of a state government organization’s network environment after documents containing host and user information, including metadata, were posted on a dark web brokerage site. Analysis confirmed that an unidentified threat actor compromised network administrator credentials through the account of a former employee—a technique commonly leveraged by threat actors—to successfully authenticate to an internal virtual private network (VPN) access point, further navigate the victim’s on-premises environment, and execute various lightweight directory access protocol (LDAP) queries against a domain controller.[1] Analysis also focused on the victim’s Azure environment, which hosts sensitive systems and data, as well as the compromised on-premises environment. Analysis determined there were no indications the threat actor further compromised the organization by moving laterally from the on-premises environment to the Azure environment.

CISA and MS-ISAC are releasing this Cybersecurity Advisory (CSA) to provide network defenders with the tactics, techniques, and procedures (TTPs) used by the threat actor and methods to protect against similar exploitation of both unnecessary and privileged accounts.

Download the PDF version of this report:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actor’s activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview

A state government organization was notified that documents containing host and user information, including metadata, were posted on a dark web brokerage site. After further investigation, the victim organization determined that the documents were accessed via the compromised account of a former employee. Threat actors commonly leverage valid accounts, including accounts of former employees that have not been properly removed from the Active Directory (AD), to gain access to organizations.[1] CISA and MS-ISAC assessed that an unidentified threat actor likely accessed documents containing host and user information to post on the dark web for profit after gaining access through the account of a former employee.

The scope of this investigation included the victim organization’s on-premises environment, as well as their Azure environment, which hosts sensitive systems and data. Analysis determined the threat actor did not move laterally from the compromised on-premises network to the Azure environment and did not compromise sensitive systems.

Untitled Goose Tool

Incident responders collected Azure and Microsoft Defender for Endpoint (MDE) logs using CISA’s Untitled Goose Tool—a free tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments. CISA developed the Untitled Goose Tool to export and review AAD sign-in and audit logs, M365 unified audit logs (UAL), Azure activity logs, and MDE data. By exporting cloud artifacts, Untitled Goose Tool supports incident response teams with environments that do not ingest logs into a security information and event management (SIEM) tool.

Threat Actor Activity

The logs revealed the threat actor first connected from an unknown virtual machine (VM) to the victim’s on-premises environment via internet protocol (IP) addresses within their internal VPN range. CISA and MS-ISAC assessed that the threat actor connected to the VM through the victim’s VPN [T1133] with the intent to blend in with legitimate traffic to evade detection.

Initial Access: Compromised Domain Accounts

USER1: The threat actor gained initial access through the compromised account of a former employee with administrative privileges (USER1) [T1078.002] to conduct reconnaissance and discovery activities. The victim organization confirmed that this account was not disabled immediately following the employee’s departure.

• The threat actor likely obtained the USER1 account credentials in a separate data breach due to the credentials appearing in publicly available channels containing leaked account information [T1589.001].
• USER1 had access to two virtualized servers including SharePoint and the workstation of the former employee. The workstation was virtualized from a physical workstation using the Veeam Physical to Virtual (P2V) function within the backup software.

USER2: The threat actor likely obtained the USER2 account credentials from the virtualized SharePoint server managed by USER1 [T1213.002]. The victim confirmed that the administrator credentials for USER2 were stored locally on this server [T1552.001].

• Through connection from the VM, the threat actor authenticated to multiple services [T1021] via the USER1 account, as well as from an additional compromised global domain administrator account (USER2) [T1078.002].

• The threat actor’s use of the USER2 account was impactful due to the access it granted to both the on-premises AD and Azure AD [T1021.007], thus enabling administrative privileges [T1078.004].

Following notification of the dark web posting, the victim organization immediately disabled the USER1 account and took the two virtualized servers associated with the former employee offline. The victim also changed the password for the USER2 account and removed administrator privileges. Neither of the administrative accounts had multifactor authentication (MFA) enabled.

LDAP Queries

Through connection from the VM, the threat actor conducted LDAP queries of the AD, likely using the open source tool AdFind.exe, based on the format of the output. CISA and MS-ISAC assess the threat actor executed the LDAP queries [T1087.002] to collect user, host [T1018], and trust relationship information [T1482]. It is also believed the LDAP queries generated the text files the threat actor posted for sale on the dark web brokerage site: ad_users.txt, ad_computers.txt, and trustdmp.txt.

Table 1 lists all queries that were conducted between 08:39:43-08:40:56 Coordinated Universal Time (UTC).

Table 1: LDAP Queries Conducted by the Threat Actor

Query	Description
LDAP Search Scope: WholeSubtree, Base Object: dc=[REDACTED],dc=local, Search Filter: (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=[REDACTED],DC=local)	Collects names and metadata of users in the domain.
LDAP Search Scope: WholeSubtree, Base Object: dc=[REDACTED],dc=local, Search Filter: (objectCategory=CN=Computer,CN=Schema,CN=Configuration,DC=[REDACTED],DC=local)	Collects names and metadata of hosts in the domain.
LDAP Search Scope: WholeSubtree, Base Object: dc=[REDACTED],dc=local, Search Filter: (objectCategory=CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=[REDACTED],DC=local)	Collects trust information in the domain.
LDAP Search Scope: WholeSubtree, Base Object: DC=[REDACTED],DC=local, Search Filter: ( &  ( &  (sAMAccountType=805306368)  (servicePrincipalName=*) ( ! (sAMAccountName=krbtgt) ) ( !  (userAccountControl&2) ) )  (adminCount=1) )	Collects Domain Administrators and Service Principals in the domain.

Service Authentication

Through the VM connection, the threat actor was observed authenticating to various services on the victim organization’s network from the USER1 and USER2 administrative accounts. In all instances, the threat actor authenticated to the Common Internet File Service (CIFS) on various endpoints [T1078.002],[T1021.002]—a protocol used for providing shared access to files and printers between machines on the network. This was likely used for file, folder, and directory discovery [T1083], and assessed to be executed in an automated manner.

• USER1 authenticated to four services, presumably for the purpose of network and service discovery [T1046].
• USER2 authenticated to twelve services. Note: This account had administrative privileges to both the on-premises network and Azure tenant.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 2-9 for all referenced threat actor’s tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 2: Reconnaissance

Technique Title	ID	Use
Gather Victim Identity Information: Credentials	T1589.001	The actor likely gathered USER1 account credentials in a data breach where account information appeared in publicly available channels.

Table 3: Initial Access

Technique Title	ID	Use
Valid Accounts: Domain Accounts	T1078.002	The actor gained initial access through the compromised account of a former employee with administrative privileges (USER1). The employee’s account was not immediately disabled after their departure.

Table 4: Persistence

Technique Title	ID	Use
External Remote Services	T1133	The actor connected a VM via the victim’s VPN to blend in with legitimate traffic to evade detection.

Table 5: Privilege Escalation

Technique Title	ID	Use
Valid Accounts: Domain Accounts	T1078.002	The actor authenticated to multiple services from a compromised Global Domain Administrator account (USER2). The actor also authenticated to the Common Internet File Service (CIFS) on various endpoints.
Valid Accounts: Cloud Accounts	T1078.004	The actor used a compromised account (USER2) which was synced to both the on-premises AD and Azure AD, thus enabling administrative privileges to both the on-premises network and Azure tenant.

Table 6: Credential Access

Technique Title	ID	Use
Unsecured Credentials: Credentials in Files	T1552.001	The actor likely obtained USER2 account credentials from the virtualized SharePoint server where they were locally stored.

Table 7: Discovery

Technique Title	ID	Use
Account Discovery: Domain Account	T1087.002	Through the VM connection, the actor executed LDAP queries of the AD.
Remote System Discovery	T1018	Through the VM connection, the actor executed LDAP queries to collect user and host information.
Domain Trust Discovery	T1482	Through the VM connection, the actor executed LDAP queries to collect trust relationship information.
File and Directory Discovery	T1083	The actor authenticated to the CIFS on various endpoints likely for the purpose of file, folder, and directory discovery.
Network Service Discovery	T1046	The actor used the compromised USER1 account to authenticate to four services, presumably for the purpose of network and service discovery.

Table 8: Lateral Movement

Technique Title	ID	Use
Remote Services	T1021	The actor connected from an unknown VM and authenticated to multiple services via the USER1 account.
Remote Services: Cloud Services	T1021.007	The actor used the USER2 account, which granted access to the Azure AD, as well as the on-premises AD.
Remote Services: SMB/Windows Admin Shares	T1021.002	The actor used compromised accounts to interact with a remote network share using Server Message Block.

Table 9: Collection

Technique Title	ID	Use
Data from Information Repositories: SharePoint	T1213.002	The actor likely obtained the USER2 account credentials from the virtualized SharePoint server managed by USER1.

MITIGATIONS

Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST), which apply to all critical infrastructure organizations and network defenders. The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Secure and Monitor Administrator Accounts

The threat actor gained access to the network via compromised administrator accounts that did not have MFA enabled. The compromised USER2 Global Domain Administrator account could have enabled the threat actor to move laterally from the on-premises environment to the Azure tenant. In response to the incident, the victim organization removed administrator privileges for USER2. Additionally, the victim organization disabled unnecessary administrator accounts and enabled MFA for all administrator accounts. To prevent similar compromises, CISA and MS-ISAC recommend the following:

• Review current administrator accounts to determine their necessity and only maintain administrator accounts that are essential for network management. This will reduce the attack surface and focus efforts on the security and monitoring of necessary accounts.
• Restrict the use of multiple administrator accounts for one user.
• Create separate administrator accounts for on-premises and Azure environments to segment access.
• Implement the principle of least privilege to decrease threat actor’s ability to access key network resources. Enable just-in-time and just enough access for administrator accounts to elevate the minimum necessary privileges for a limited time to complete tasks.
• Use phishing-resistant multifactor authentication (MFA) [CPG 2.H] (e.g., security tokens) for remote access and access to any sensitive data repositories. Implement phishing-resistant MFA for as many services as possible—particularly for webmail and VPNs—for accounts that access critical systems and privileged accounts that manage backups. MFA should also be used for remote logins [M1032]. For additional guidance on secure MFA configurations, visit CISA’s More than a Password webpage and read CISA’s Implementing Phishing-Resistant MFA fact sheet.

Reduce Attack Surface

Unnecessary accounts, software, and services in the network create additional vectors for a threat actor to compromise. CISA and MS-ISAC recommend the following:

• Establish policy and procedure for the prompt removal of unnecessary accounts and groups from the enterprise, especially privileged accounts. Organizations should implement a robust and continuous user management process to ensure accounts of offboarded employees are removed and can no longer access the network.
• Maintain a robust asset management policy through comprehensive documentation of assets, tracking current version information to maintain awareness of outdated software, and mapping assets to business and critical functions.
  • Determine the need and functionality of assets that require public internet exposure [CPG 1.A].
• Follow a routine patching cycle for all operating systems, applications, and software (including all third-party software) to mitigate the potential for exploitation.
• Restrict personal devices from connecting to the network. Personal devices are not subject to the same group policies and security measures as domain joined devices.

Evaluate Tenant Settings

By default, in Azure AD all users can register and manage all aspects of applications they create. Users can also determine and approve what organizational data and services the application can access. These default settings can enable a threat actor to access sensitive information and move laterally in the network. In addition, users who create an Azure AD automatically become the Global Administrator for that tenant. This could allow a threat actor to escalate privileges to execute malicious actions. CISA and MS-ISAC recommend the following:

• Evaluate current user permissions in the Azure tenant to restrict potentially harmful permissions including:
  • Restrict users’ ability to register applications. By default, all users in Azure AD can register and manage the applications they create and approve the data and services the application can access. If this is exploited, a threat actor can access sensitive information and move laterally in the network.
  • Restrict non-administrators from creating tenants. Any user who creates an Azure AD automatically becomes the Global Administrator for that tenant. This creates an opportunity for a threat actor to escalate privileges to the highest privileged account.
  • Restrict access to the Azure AD portal to administrators only. Users without administrative privileges cannot change settings, however, they can view user info, group info, device details, and user privileges. This would allow a threat actor to gather valuable information for malicious activities.

Create a Forensically Ready Organization

• Collect access- and security-focused logs (e.g., intrusion detection systems/intrusion prevention systems, firewall, data loss prevention, and virtual private network) for use in both detection and incident response activities [CPG 2.T].
• Enable complete coverage of tools, including Endpoint Detection and Response (EDR), across the environment for thorough analysis of anomalous activity and remediation of potential vulnerabilities.

Assess Security Configuration of Azure Environment

CISA created the Secure Cloud and Business Applications (SCuBA) assessment tool to help Federal Civilian Executive Branch (FCEB) agencies to verify that a M365 tenant configuration conforms to a minimal viable secure configuration baseline. Although the SCuBA assessment tool was developed for FCEB, other organizations can benefit from its output. CISA and MS-ISAC recommend the following:

• Use tools that identify attack paths. This will enable defenders to identify common attack paths used by threat actors and shut them down before they are exploited.
• Review the security recommendations list provided by Microsoft 365 Defender. Focus remediation on critical vulnerabilities on endpoints that are essential to mission execution and contain sensitive data.

Evaluate Conditional Access Policies

Conditional access policies require users who want to access a resource to complete an action. Conditional access policies also account for common signals, such as user or group memberships, IP location information, device, application, and risky sign-in behavior identified through integration with Azure AD Identity Protection.

• Review current conditional access policies to determine if changes are necessary.

Reset All Passwords and Establish Secure Password Policies

In response to the incident, the victim organization reset passwords for all users.

• Employ strong password management alongside other attribute-based information, such as device information, time of access, user history, and geolocation data. Set a password policy to require complex passwords for all users (minimum of 16 characters) and enforce this new requirement as user passwords expire [CPG 2.A],[CPG 2.B],[CPG 2.C].
• Store credentials in a secure manner, such as with a credential manager, vault, or other privileged account management solution [CPG 2.L].
• For products that come with default passwords, ask vendors how they plan to eliminate default passwords, as highlighted in CISA’s Secure by Design Alert: How Manufacturers Can Protect Customers by Eliminating Default Passwords.

Mitigations for Vendors

CISA recommends that vendors incorporate secure by design principles and tactics into their practices, limiting the impact of threat actor techniques and strengthening the secure posture for their customers.

• Prioritize secure by default configurations, such as eliminating default passwords and providing high-quality audit logs to customers with no additional configuration, at no extra charge. Secure by default configurations should be prioritized to eliminate the need for customer implementation of hardening guidance.
• Immediately identify, mitigate, and update affected products that are not patched in accordance with CISA’s Known Exploited Vulnerabilities (KEV) catalog.
• Implement multifactor authentication (MFA), ideally phishing-resistant MFA, as a default (rather than opt-in) feature for all products.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see table 2-9).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

REFERENCES

[1] CISA Analysis: Fiscal Year 2022 Risk and Vulnerability Assessments

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or MS-ISAC.

VERSION HISTORY

February 15, 2024: Initial version.

Source: US Department of Homeland Security

Department Strengthens Commitment to Advancing Equity in its Policies, Programs, and Operations 

WASHINGTON – Today, the U.S. Department of Homeland Security (DHS) announced the release of the 2023 Update to the DHS Equity Action Plan, which builds on the progress made in the 2022 inaugural plan to further embed equity at the center of the Department’s mission. The 2023 Update highlights DHS’s accomplishments over the past three years and identifies nine focus areas to comprehensively advance equity across the Department’s policies, programs, and operations.  

DHS selected the nine focus areas in the 2023 Update based on feedback from external stakeholders representing underserved communities. These nine areas include the following strategies and initiatives: 
 

1. Advance equity through the planned updates to the FEMA Individual Assistance Program, which will create opportunities for underserved communities by increasing accessibility and eligibility for post-disaster support.   

2. Reduce barriers to citizenship and naturalization through continued evaluation of programs, policies, and outreach opportunities.  

3. Promote equitable use of AI technology across the Department through the development and application of new guidance as well as intra-agency coordination.   

4. Counter Domestic Violent Extremism and targeted violence through a public health-informed approach. 

5. Advance equity for persons who are Limited English Proficient (LEP) by strengthening language access programs. 

6. Advance equity in DHS’s screening activities at airport checkpoints and ports of entry through updates to training and enhanced technologies. 

7. Advance equity for the 574 federally recognized Tribal Nations and their citizens by ensuring appropriate Tribal consideration and representation in the Department’s work.  

8. Advance equity for persons seeking humanitarian protection during immigration processing by strengthening programs available to assist them. 

9. Advance equity through Community Disaster Resilience Zones. 

The 2023 Update also notes the following accomplishments, among many others: 

• Exceeded all small business prime and socioeconomic goals as negotiated with the Small Business Administration in FY 2023. This equates to $9.94 billion awarded to small businesses, including $4.69 billion to small disadvantaged businesses. DHS is the largest spending agency to have achieved this goal. 

• Deployed TSA’s new software to over 1,000 Advanced Imaging Technology (AIT) screening systems at airports across the country: Updates to the software algorithm eliminate the need for security officers to determine a passenger’s gender prior to AIT screening, enhance accuracy, and significantly reduce false alarms and pat downs for all passengers. It is projected to reduce instances of enhanced screening for members of underserved communities. 

• Updated medical certification for disability exceptions and related policy guidance: Applicants for naturalization with a physical or developmental disability or mental impairment may request an exception to the English and civics testing requirements for naturalization. This form and policy update streamlines the process for applicants to claim and substantiate a disability by eliminating unnecessary and duplicative questions. 

DHS released the 2023 Update to the DHS Equity Action Plan pursuant to Executive Order 14091, Further Advancing Racial Equity and Support for Underserved Communities Through the Federal Government. The Executive Order called on federal agencies to strengthen their efforts to deliver more equitable outcomes for members of underserved communities.  

Read more about advancing equity at DHS.  

Source: US Department of Homeland Security

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the U.S. Election Assistance Commission (EAC), and the United States Postal Inspection Service (USPIS) published Election Mail Handling Procedures to Protect Against Hazardous Materials. This resource helps officials understand safe mail handling procedures and provides guidance on responding to potential hazardous materials exposure.  

Over the past two decades, U.S. government offices and employees have been the target of multiple incidents using letters containing hazardous materials, including suspicious letters mailed to election offices in California, Georgia, Nevada, Oregon, and Washington in 2023. Since mail is a key component of both standard office operations and mail balloting across the country, this guidance document provides information for election offices on how to identify and handle potentially suspicious mail and respond to potential hazardous materials exposure while handling suspicious mail. The guide also provides specific information on how to protect against the three hazardous powders of greatest concern, fentanyl, anthrax, and ricin, in addition to more routine mail hazards. 

“CISA is proud to stand shoulder to shoulder with state and local election officials who face a complex threat environment,” said CISA Director Jen Easterly. “Today’s guidance on safe mail handling procedures will help election officials and others on the frontlines of our democracy take steps to protect themselves and their personnel from hazards sent through the mail.  We will continue to work with our partners to ensure election officials have the information and resources they need to run a safe, secure and resilient election.” 

“It is essential for the FBI to leverage force multipliers, through strong partnerships and informational campaigns, like this one, which focus on election mail handling procedures,” said Susan Ferensic, Assistant Director of the Weapons of Mass Destruction Directorate. “This guidance will further strengthen the ability of those on the frontlines to be better prepared to identify and handle suspicious mail. The FBI will continue to reinforce proactive partnerships in an effort to protect election workers.”

EAC Chairwoman Christy McCormick, Vice Chair Ben Hovland, Commissioner Donald Palmer, and Commissioner Thomas Hicks said in the following joint statement: “The safety of election workers is a top priority for the EAC, as it should be for all Americans. To ensure our elections run smoothly, election officials must be able to carry out essential tasks such as opening and receiving mail without risking their health. Due to the multiple incidents involving election offices being sent hazardous materials, we urge election workers to exercise caution when handling mail by following the guidance in this resource. We will continue to work with federal partners to support officials as they conduct fair, safe, and secure elections in 2024 and beyond.”

“The U.S. Postal Inspection Service is committed to ensuring the safe and secure delivery of Election Mail, the integrity of our elections and the protection of election offices and election officials from threatening and dangerous mail,” said Gary Barksdale, Chief Postal Inspector.  “This guidance is part of our collaborative efforts with our federal partners to raise awareness with the election community of suspicious, threatening, and dangerous mail and steps that can be taken to prepare for, and respond to, these incidents should they arise.  We encourage all election offices to implement the recommendations that are part of this guidance.”

To learn more, visit Election Mail Handling Procedures to Protect Against Hazardous Materials on CISA.gov.  

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram. 

Source: US Department of Homeland Security

Continuing a 20+ Year Partnership, More Than 385 DHS Personnel on the Ground Working to Protect Estimated 65,000 Fans Attending the Big Game at Allegiant Stadium

NFL Announces it Will Join Secure Our World Cybersecurity Awareness Effort During Super Bowl and Throughout Upcoming Season

DHS Working with Lyft to Equip Drivers in Las Vegas with the Tools to Detect and Report Human Trafficking

WASHINGTON – Secretary of Homeland Security Alejandro N. Mayorkas traveled this week to Las Vegas, Nevada to review Department of Homeland Security (DHS) operations for Super Bowl LVIII with state and local law enforcement and the National Football League (NFL). For the past 18 months, DHS employees worked with local officials to assess potential risks and developed plans to address them. The Department, as the lead federal agency providing Super Bowl security, has not identified specific, credible threats related to this Super Bowl, but DHS continues to bring federal resources to bear.

Over 385 DHS personnel are deployed in Las Vegas to provide extensive air security resources; venue, cyber, and infrastructure security assessments; chemical, biological, radiological, nuclear, and explosives detection technologies; intelligence analysis and threat assessments; intellectual property enforcement; and real-time situational awareness reporting for our partners.

U.S. Secret Service Special Agent in Charge Karon Ransom is serving as the lead Federal Coordinator for Super Bowl LVIII with support from various DHS component agencies and offices and other federal partners. Federal Security Director Karen Burke from the Transportation Security Administration (TSA) is the Deputy Federal Coordinator, and Cybersecurity and Infrastructure Security Agency (CISA) Supervisory Protective Security Advisor Gonzalo Cordova is the Alternate Deputy Federal Coordinator. DHS leads federal efforts to ensure the safety and security of employees, players, and fans at the Super Bowl for the last two decades.

“The Department of Homeland Security, alongside our federal, state, and local partners, is working to ensure that the 65,000 people attending Super Bowl LVIII and the millions of people gathering together and enjoying the game across the country are all safe,” said Secretary of Homeland Security Alejandro N. Mayorkas. “There are no known, credible, specific threats to the Super Bowl or to Las Vegas at this time – but we are vigilant, and we are prepared.”

As part of these efforts, the NFL also announced today they are joining the Secure Our World cybersecurity awareness campaign. Led by CISA, Secure Our World encourages individuals, families, and small to medium-sized businesses to take simple steps such as using strong passwords, enabling multi-factor authentication, identifying and reporting phishing, and updating software to stay safe and secure online. The cyber safety tips will be seen at the NFL Experience during Super Bowl Week and during the game on Sunday. The league is also committing to working with their teams to advance cybersecurity awareness throughout the 2024-2025 season.

In a historic partnership, the DHS Blue Campaign, part of the DHS Center for Combating Human Trafficking, and Lyft announced a new effort today to educate drivers in the Las Vegas area during Super Bowl week to ensure they have the tools and campaign resources to recognize the signs of human trafficking. Crimes like human trafficking can be more prevalent during events like the Super Bowl due to the mass volume of people and anonymity that large gatherings provide.

“Securing the Super Bowl requires the combined expertise and resources of local, state, and federal law enforcement and public safety agencies,” said U.S. Secret Service Special Agent in Charge and Federal Coordinator Karon Ransom. “Together we are working to ensure a safe event for fans, teams, event staff, and the public.”

Personnel from 12 DHS component agencies and offices are in Las Vegas conducting the following activities to protect fans and attendees:

Identifying, Assessing, and Mitigating Potential Risks: DHS constantly evaluates a range of potential risks, from acts of terrorism to cyber security vulnerabilities, and takes steps to mitigate them. 

• CISA conducted physical and cybersecurity vulnerability assessments, planning exercises, and bomb safety workshops with state and local partners ahead of the event. 
• The Office of Intelligence &Analysis is working with the Federal Bureau of Investigation to assess the threat landscape leading up to the Super Bowl; this includes sharing timely and actionable information and intelligence with their state and local partners.  
• The Countering Weapons of Mass Destruction Office (CWMD) is providing surge support from its Mobile Detection Deployment Program and its BioWatch program in coordination with the City of Las Vegas. The U.S. Coast Guard’s (USCG) Pacific Strike Team is also supporting the Mobile Detection Deployment Program to bolster the Department’s ability to detect and interdict chemical, biological, radiological, and nuclear threats. 
• The TSA will have a Supervisory Federal Air Marshal staffing the Fusion Watch Center, the primary command center for the Las Vegas Metropolitan Police Department, during the event.  
• U.S. Customs and Border Protection’s (CBP) Air and Marine Operations (AMO) will support Super Bowl security operations enforcing temporary flight restrictions around Allegiant Stadium during Super Bowl LVIII. AMO will provide “eye in the sky” intelligence, surveillance and reconnaissance flight operations in and around the various NFL venues to provide situational awareness and enhance overall security operations. 
• The NFL received a SAFETY Act Designation from DHS, allowing the Allegiant Stadium to invest in the most current security technologies, procedures, services, controls and systems contributing to structural and physical security during the Super Bowl. These measures grant providers of those technologies’ liability protections in the event of a terrorist attack. 
• For the first time at a Super Bowl, the Science & Technology Directorate (S&T) will deploy easy-to assemble, expandable security barriers that can be installed quickly to provide critical asset protection and intrusion prevention to fill coverage gaps in security at the stadium. 
• DHS is also continuing our partnership with the NFL on the “If You See Something, Say Something®” public awareness campaign during the Super Bowl. DHS is working with the Southern Nevada Counterterrorism Center and Las Vegas Police Department using social media and digital displays within the stadium and outreach throughout the Las Vegas area to raise public awareness of the importance of reporting terrorism-related suspicious activity. In partnership with TSA, the campaign also launched its general awareness video at Harry Reid International Airport (LAS) for residents and visitors traveling to and from Las Vegas. 
• On Super Bowl Sunday, the Southern Nevada Counter Terrorism Center will partner with the NFL and DHS to host a tip line where the public and game attendees can report suspicious activity. For attendees within Allegiant Stadium, they may call (702) 828-7777 or text (725) 780-2345. Outside of the stadium, the public may call (702) 828-7777 or local authorities.   

Actively screening and monitoring people, goods, and vehicles for a range of threats: DHS is leveraging its significant technology assets and dedicated personnel to protect the Super Bowl stadium, Super Bowl week events, and city of Las Vegas against potential threats. 

• TSA is utilizing its National Deployment Force to increase the number of transportation security officers who will be working at LAS to screen the increased number of departing passengers following the Super Bowl. TSA explosive detection canines and their handlers will be working during Super Bowl week events at key venues including the Mandalay Bay South Convention Center, Allegiant Stadium, and LAS. TSA will also have four Visible Intermodal Prevention and Response (VIPR) teams on the ground to conduct increased counter-terrorism patrols. 
• The USCG is providing five Canine Explosive Detection teams to ensure the safety and security of the event. 
• CBP is providing assets including aviation security, video surveillance capabilities, and non-intrusive inspection of vehicles and cargo. CBP officers are also scanning the cargo entering the stadium for contraband such as narcotics, weapons, and explosives. 

Protecting fans from counterfeit goods and services: The Department is surging resources to identify and target the vendors of counterfeit merchandise and tickets.  

• CBP will be on the frontline in detecting and intercepting these illicit goods before they enter the United States. As in many Super Bowls in the past, criminal organizations will escalate their efforts to make a quick profit defrauding consumers by smuggling counterfeit NFL merchandise. The most commonly seized products are counterfeit NFL jerseys, championship rings, T-shirts, caps and all sorts of souvenirs and memorabilia. Counterfeit merchandise has economic impacts, legal implications, and health and safety risks. 
• Homeland Security Investigations (HSI) will deploy special agents to Las Vegas to support CBP, local law enforcement agencies, and other private partners to identify and open investigations against any flea markets, retail outlets, street vendors and online marketplaces selling counterfeit goods during the week leading up to Super Bowl. This work ensures the secure transaction of the over $16.5 billion consumers are expected to spend nationwide, supporting the sale of official – and safe – memorabilia.  

Leading emergency response efforts, if they should occur: DHS is taking steps to mitigate risk, align resources, and coordinate communication between security personnel at all levels of government. 

• The Federal Emergency Management Agency (FEMA) supports state and local governments by providing communication tools to help keep fans safe by ensuring state and local responders have the ability to communicate with each other and the public.  
• An HSI Special Response Team is standing by to provide interior stadium tactical support if needed.  
• On Super Bowl Sunday, CISA will also deploy Advisors and Emergency Communications Coordinators to support local law enforcement, emergency responders, and private partners in Las Vegas.  

Preventing human trafficking: In addition to the groundbreaking partnership with Lyft, the Department is partnering with law enforcement and other industry partners to educate the public on the indicators of human trafficking and how to appropriately respond to possible cases. 

• DHS Blue Campaign is also disseminating digital and out-of-home advertising in the Las Vegas area to raise awareness of human trafficking among visitors, local residents, and those working in industries, such as hotels, hospitality, and transportation, where front line employees are more likely to be in a position to identify and report human trafficking.  
• The Campaign’s Blue Lightning Initiative is also partnering with Harry Reid International Airport to raise awareness and train staff to recognize and report human trafficking.  

For the past 20 years, DHS has provided security assistance to the NFL Super Bowl because of the event’s significant national and/or international importance, which requires extensive federal interagency support to resolve any resource gaps in security planning. DHS assessed the Super Bowl this year as a Special Event Assessment Rating (SEAR) Level 1 event. The extensive security measures implemented for this Super Bowl build on success protecting large-scale events in the last year, where DHS helped secure 18 Special Event Assessment Rating (SEAR) events – including the first ever designations for the Chicago NASCAR Street Race, the NFL Draft, and the Boston Marathon – and three National Special Security Events (NSSE).

For more information visit: www.dhs.gov/publication/special-event-assessment-rating-sear-events-fact-sheet  

Source: US Department of Homeland Security

Advisory provides details on the PRC’s efforts to conceal its hacking activity, discovery and mitigation guidance to potential victims, and encourage reporting of any suspected incident  

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), along with key U.S. and international government agencies published a Joint Cybersecurity Advisory today on malicious activity by a People’s Republic of China (PRC) state-sponsored cyber actor, known as Volt Typhoon, to compromise critical infrastructure and associated actions that should be urgently undertaken by all organizations.

CISA and its U.S. Government partners have confirmed that this group of PRC state-sponsored cyber actors has compromised entities across multiple critical infrastructure sectors in cyberspace, including communications, energy, transportation, and water and wastewater, in the United States and its territories. The data and information CISA and its U.S. Government partners have gathered strongly suggest the PRC is positioning itself to launch destructive cyber-attacks that would jeopardize the physical safety of Americans and impede military readiness in the event of a major crisis or conflict with the United States.

In addition to the joint Cybersecurity Advisory, CISA and our partners also released complementary Joint Guidance to help all organizations effectively hunt for and detect the sophisticated types of techniques used by actors such as Volt Typhoon, known as “living off the land.” In recent years, the U.S. has seen a strategic shift in PRC cyber threat activity from a focus on espionage to pre-positioning for possible disruptive cyber-attacks against U.S. critical infrastructure. By using “living off the land” techniques, PRC cyber actors blend in with normal system and network activities, avoid identification by network defenses, and limit the amount of activity that is captured in common logging configurations.

Detecting and mitigating “living off the land” malicious cyber activity requires a multi-faceted and comprehensive approach to discern legitimate behavior from malicious behavior and conduct behavior analytics, anomaly detection, and proactive hunting. This advisory and complementary guidance provide organizations with details on how Volt Typhoon cyber threat actors use “living off the land” techniques to abuse legitimate, native tools and processes on systems, and identifies specific details on the actors’ tactics, techniques, and procedures (TTPs) using certain adversarial behavior patterns.

“The PRC cyber threat is not theoretical: leveraging information from our government and industry partners, CISA teams have found and eradicated Volt Typhoon intrusions into critical infrastructure across multiple sectors. And what we’ve found to date is likely the tip of the iceberg,” said CISA Director Jen Easterly. “Today’s joint advisory and guide are the result of effective, persistent operational collaboration with our industry, federal, and international partners and reflect our continued commitment to providing timely, actionable guidance to all of our stakeholders. We are at a critical juncture for our national security. We strongly encourage all critical infrastructure organizations to review and implement the actions in these advisories and report any suspected Volt Typhoon or living off the land activity to CISA or FBI.”

Today’s joint advisory is based primarily on technical insights gleaned from CISA and industry response activities at victim organizations within the United States, primarily in communications, energy, transportation, and water and wastewater sectors. Our complementary joint guide is derived from those insights as well as previously published products, red team assessments, and industry partners.

The new advisory and guide have been jointly issued by CISA, National Security Agency (NSA), Federal Bureau of Investigation (FBI), Department of Energy (DOE), Environmental Protection Agency (EPA), Transportation Security Administration (TSA), Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), a part of the Communications Security Establishment (CSE), United Kingdom National Cyber Security Centre (NCSC-UK), and New Zealand National Cyber Security Centre (NCSC-NZ).

For more information, visit People’s Republic of China Cyber Threat.

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram.