Category: NCTC Resources

Source: US Department of Homeland Security

Canadian and U.S. officials deepen strong and collaborative partnership on issues of mutual concern, including law enforcement information sharing, malign foreign interference, combating gun and drug trafficking, and online and hate crimes

The United States (U.S.) and Canada have a longstanding and enduring security, law enforcement, and intelligence partnership that is centered on protecting public safety, consistent with rights protected by law. Yesterday, to advance our shared goals, U.S. Attorney General Merrick B. Garland and U.S. Secretary of Homeland Security Alejandro N. Mayorkas hosted Canada’s Minister of Justice and Attorney General, Arif Virani, and Canada’s Minister of Public Safety, Dominic LeBlanc, in Washington, DC for the U.S.–Canada Cross Border Crime Forum (CBCF). This meeting is the third CBCF since it was reestablished by President Biden’s and Prime Minister Trudeau’s 2021 Roadmap for a Renewed U.S.-Canada Partnership.

Building on the success of previous CBCF meetings, including the Statement of Partnership to Prevent, Investigate, Prosecute, and Disrupt Cross-Border Crime, which was signed at last year’s meeting, the four U.S. and Canadian Officials (hereinafter “the Ministers”) discussed ways to enhance collaboration in the following areas:

Foreign Interference/National Security

The Ministers acknowledged the threat from hostile foreign actors, including in the context of electoral interference. Malign actors may seek to influence outcomes and undermine public confidence in elections in many ways. They may deploy efforts to subvert democratic processes, such as engaging in cyber-attacks and other interference activities against election campaigns and election infrastructure to disrupt election processes. They may seek to influence elections, including by covertly exploiting and fueling divisions within society; and this, in turn, may also help fuel coercive activity and harassment, and threats of violence toward voters, candidates, and election personnel. Both Canada and the U.S. agreed that fair and secure elections are cornerstones of democracy and emphasized the need to work together to combat any threats that seek to undermine it.

Malign foreign actors also have demonstrated an intent and willingness to use insiders, computer intrusion, or other means to steal trade secrets and sensitive technologies. This global problem requires a global response and Canada and the U.S. will continue to investigate and, where appropriate, prosecute espionage that threatens our economies and export control violations. In this vein, the Ministers agreed on the need to preserve the cross-border flow of data between allies and partners that is critical to our economic well-being, while maintaining the security of sensitive personal data.

The Ministers similarly reaffirmed their united front in protecting our democracies and the democratic process. A key tool in combating the threat of transnational repression, as well as malign foreign influence and interference generally, is transparency through foreign agent registries; the U.S. discussed the use of its Foreign Agents Registration Act and related statutes, while Canada highlighted its newly passed legislation in this area, Bill C-70, An Act respecting countering foreign interference, which will establish a Foreign Influence Transparency Registry and update criminal law tools to better safeguard democracy. These efforts, along with investigations and prosecutions of transnational repression-related cases, will further enhance the ability of the U.S. and Canada to protect those living within our borders.

Law Enforcement Cooperation and Information Sharing

Canada and the U.S. continue to combat the devastation caused by fentanyl and synthetic opioids, by working together at disrupting the illicit supply chain, to include production and distribution and the importation of illicit precursor chemicals from China and elsewhere. Similarly, the violence wrought by firearms smuggled across the U.S.-Canada border requires continued efforts to target those responsible, including shippers and receivers, by seizing illicit firearms and tracing their origins.

Key in all these counter opioid and firearm efforts is enhanced information sharing between Canadian and U.S. law enforcement agencies, which has already led to successful operations. The Ministers applauded the advances in cooperation between U.S. and Canadian law enforcement since the last CBCF and underscored the need to build on and further operationalize prior Memoranda of Understanding (MOUs). The Ministers reaffirmed their commitment to provide clear policy direction and training to ensure that institutional policies and practices maximize information sharing within the context of each other’s laws and regulations, and in accordance with recent MOUs. They plan to continue to work together to improve the operationalization and systemization of intelligence and law enforcement sharing at the border, with the goals of supporting interdictions and investigations, countering transnational organized crime, continuing to build the global coalition against synthetic drug threats, and disrupting the synthetic opioid and firearm supply chains.

In the context of enhancing information sharing, the Ministers also discussed the challenges associated with cross-border human smuggling that is occurring in both directions, and challenges in related investigations. Accordingly, the Ministers called on their officials to continue strengthening ways to gather and share information for the detection and investigation of organized crime groups and networks that target vulnerable people and engage in human smuggling. They also tasked officials to review information sharing case studies of border incidents and identify opportunities to further improve intelligence sharing, detection, and interdiction, in order to disrupt cross-border smuggling and investigate and hold accountable those involved.

With respect to law enforcement cooperation and information sharing at the border, the Ministers also considered their respective country’s approach to providing advance notification of sex offender travel, which remains a key tool in making informed admission decisions. Both countries will seek to maximize the sharing of sex offender travel notifications, in the interest of ensuring public safety.

Online Crime and Hate Crimes

The Ministers began their discussion of online crime by acknowledging the need to maintain tightly-controlled lawful access to communications content that is vital to the investigation and prosecution of serious crimes, including terrorism and online child sexual exploitation and abuse. 

The Ministers then turned to collective efforts to address the increasing prevalence of online child sexual abuse material (CSAM). The Ministers noted the increase in both countries of artificial intelligence (AI)-generated CSAM and the need for international engagement to combat this threat, to include law enforcement, non-governmental organizations, the technology industry, and others.

With respect to AI more generally, the Ministers acknowledged the benefits and risks posed by AI technology. Moreover, the Ministers recognized that AI crosses over multiple government equities, including criminal law, civil rights, and antitrust law, and recommended that this continue to be a focus of study by the CBCF.

The need for strategic and coordinated engagement between and among international partners was also discussed in the context of elder fraud and romance scams. The Ministers discussed avenues available to collectively identify and disrupt such schemes to prevent further victimization.

Canada and the U.S. also acknowledged the ways in which hate crimes erode communities. The Ministers noted with concern the increased number of attacks motivated by anti-Semitism, Islamophobia, and other forms of bias on both sides of the border and pledged to work together to address this issue.

The Ministers also welcomed the outcomes of the strengthened collaboration between their respective Access to Justice Offices over the past year, including on strategies to overcome systemic inequality and discrimination, as part of efforts to increase access to – and strengthen confidence in – the justice system. 

Conclusion

The Ministers plan to continue their close contact on all these critical issues, both in the context of the CBCF, and in other bilateral exchanges. They reiterated the strength, success, and depth of the security and law enforcement relationships along the Canada-U.S. border and the need to remain aligned.

###

Source: US Department of Homeland Security

EXECUTIVE SUMMARY

In early 2023, the Cybersecurity and Infrastructure Security Agency (CISA) conducted a SILENTSHIELD red team assessment against a Federal Civilian Executive Branch (FCEB) organization. During SILENTSHIELD assessments, the red team first performs a no-notice, long-term simulation of nation-state cyber operations. The team mimics the techniques, tradecraft, and behaviors of sophisticated threat actors and measures the potential dwell time actors have on a network, providing a realistic assessment of the organization’s security posture. Then, the team works directly with the organization’s network defenders, system administrators, and other technical staff to address strengths and weaknesses found during the assessment. The team’s goal is to assist the organization with refining their detection, response, and hunt capabilities—particularly hunting unknown threats.

In coordination with the assessed organization, CISA is releasing this Cybersecurity Advisory (CSA) detailing the red team’s activity and tactics, techniques, and procedures (TTPs); associated network defense activity; and lessons learned to provide network defenders with recommendations for improving their organization’s detection capabilities and cyber posture.

During the first phase, the SILENTSHIELD team gained initial access by exploiting a known vulnerability in an unpatched web server in the victim’s Solaris enclave. Although the team fully compromised the enclave, they were unable to move into the Windows portion of the network due to a lack of credentials. In a parallel effort, the team gained access to the Windows network through phishing. They then discovered unsecured administrator credentials, allowing them to pivot freely throughout the Windows environment, which resulted in full domain compromise and access to tier zero assets. The team then identified that the organization had trust relationships with multiple external partner organizations and was able to exploit and pivot to an external organization. The red team remained undetected by network defenders throughout the first phase.

The red team’s findings underscored the importance of defense-in-depth and using diversified layers of protection. The organization was only able to fully understand the extent of the red team’s compromise by running full diagnostics from all data sources. This involved analyzing host-based logs, internal network logs, external (egress) network logs, and authentication logs.

The red team’s findings also demonstrated the value of using tool-agnostic and behavior-based indicators of compromise (IOCs) and of applying an “allowlist” approach to network behavior and systems, rather than a “denylist” approach, which predominantly results in an unmanageable amount of noise. The red team’s findings illuminated the following lessons learned for network defenders about how to reduce and respond to risk:

• Lesson learned: The assessed organization had insufficient controls to prevent and detect malicious activity.
• Lesson learned: The organization did not effectively or efficiently collect, retain, and analyze logs.
• Lesson learned: Bureaucratic processes and decentralized teams hindered the organization’s network defenders.
• Lesson learned: A “known-bad” detection approach hampered detection of alternate TTPs.

To reduce risk of similar malicious cyber activity, CISA encourages organizations to apply the recommendations in the Mitigations section of this advisory, including those listed below:

• Apply defense-in-depth principles by using multiple layers of security to ensure comprehensive analysis and detection of possible intrusions.
• Use robust network segmentation to impede lateral movement across the network.
• Establish baselines of network traffic, application execution, and account authentication. Use these baselines to enforce an “allowlist” philosophy rather than denying known-bad IOCs. Ensure monitoring and detection tools and procedures are primarily behavior-based, rather than IOC-centric.

CISA recognizes that insecure software contributes to these identified issues and urges software manufacturers to embrace Secure by Design principles and implement the recommendations in the Mitigations section of this CSA, including those listed below, to harden customer networks against malicious activity and reduce the likelihood of domain compromise:

• Eliminate default passwords.
• Provide logging at no additional charge.
• Work with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers—in conjunction with customers—to understand how response teams use logs to investigate incidents.

Download the PDF version of this report:

INTRODUCTION

CISA has authority to hunt for and identify, with or without advance notice to or authorization from agencies, threats and vulnerabilities within federal information systems (see generally 44 U.S.C. § 3553[b][7]). The target organization for this assessment was a large U.S. FCEB organization. CISA conducted the SILENTSHIELD assessment over an approximately eight-month period in 2023, with three of the months consisting of a technical collaboration phase:

• Adversary Emulation Phase: The team started by emulating a sophisticated nation-state actor by simulating known initial access and post-exploitation TTPs. The team’s goal was to compromise the assessed organization’s domain and identify attack paths to other networks. After completion of their initial objectives, the team diversified its deployed tools and tradecraft to mimic a wider and often less sophisticated set of threat actors to elicit network defender attention. CISA red team members did not clean up or delete system logs, allowing defenders to investigate all artifacts and identify the full scope of a breach.
• Collaboration Phase: The SILENTSHIELD team met regularly with senior staff and technical personnel to discuss issues with the organization’s cyber defensive capabilities. During this phase, the team:

This advisory, drafted in coordination with the assessed organization, details the red team’s activity and TTPs, associated network defense activity, and lessons learned to provide network defenders recommendations for improving their organization’s defensive cyber posture. The advisory also provides recommendations to software manufacturers to harden their customer networks against malicious activity and reduce the likelihood of domain compromise.

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. 

During the Adversary Emulation phase, the red team gained initial access to the organization’s Solaris enclave by exploiting a known vulnerability in an unpatched web server. They gained separate access to the Windows environment by phishing and were able to compromise the full domain and its parent domain. See Figure 1 for a timeline of this assessment and the sections below for details on the team’s activity and TTPs.

Figure 1: SILENTSHIELD assessment timeline

Adversary Emulation Phase

Exploitation of the Solaris Enclave

Reconnaissance, Initial Access, and Command and Control

CISA’s red team used open source tools and third-party services to probe the organization’s internet-facing surface [T1594]. This included non-intrusive port scans for common ports and Domain Name System (DNS) enumeration [T1590.002]. These efforts revealed the organization’s web server was unpatched for CVE-2022-21587, an unauthenticated remote code execution (RCE) vulnerability in Oracle Web Applications Desktop Integrator. For three months the assessed organization failed to patch this vulnerability, and the team exploited it for initial access.

The exploit provided code execution on a backend application server (SERVER 1) that handled incoming requests from the public-facing web server. The red team used this exploit to upload and run a secure Python remote access tool (RAT). Because the application server had full external internet egress via Transmission Control Protocol (TCP) ports 80 and 443, the RAT enabled consistent command and control (C2) traffic [T1071.001].

Note: After gaining access, the team promptly informed the organization’s trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch. Additionally, the organization did not perform a thorough investigation of the affected servers, which would have turned up IOCs and should have led to a full incident response. About two weeks after the team obtained access, exploit code was released publicly into a popular open source exploitation framework. CISA identified that the vulnerability was exploited by an unknown third party. CISA added this CVE to its Known Exploited Vulnerabilities Catalog on Feb. 2, 2023.

Credential Access, Command and Control, and Privilege Escalation

Once on SERVER 1, the red team probed the host’s files and folder structure [T1005] and identified several old and globally accessible .tar backup files, which included a readable copy of an /etc/shadow file containing the hash for a privileged service account (ACCOUNT 1). The team quickly cracked the account’s weak password using a common wordlist [T1110.002]. They then established an outbound Secure Shell Protocol (SSH) connection over TCP port 80 and used a reverse tunnel to SSH back into SERVER 1, where they were prompted to reset ACCOUNT 1’s expired password [T1571] (see Figure 2). The team identified the account was enabled on a subset of containers, but it had not been actively used in a significant amount of time; the team changed this account’s password to a strong password.

Figure 2: Exploitation of the Solaris Enclave

The team discovered ACCOUNT 1 was a local administrator with sudo/root access and used it to move laterally (see the next section).

Lateral Movement and Persistence

Servers in the Solaris enclave did not use centralized authentication but had a mostly uniform set of local accounts and permissions [T1078.002]. This allowed the red team to use ACCOUNT 1 to move through much of the network segment via SSH [T1021.004].

Some servers allowed external internet access and the team deployed RATs on a few of these hosts for C2. They deployed several different RATs to diversify network traffic signatures and obfuscate the on-disk and in-memory footprints. These tools communicated to a red team redirector over TCP/443, through valid HTTPS messages, and over SSH through non-standard ports (80 and 443) [T1571]. Much of the traffic was not blocked by a firewall, and the organization lacked application layer firewalls capable of detecting protocol mismatches on common ports. 

The team then moved laterally to multiple servers, including high value assets, that did not allow internet access. Using reverse SSH tunnels, the team moved into the environment and used a SOCKS proxy [T1090] to progress forward through the network. They configured implants with TCP bind listeners bound to random high ports to connect directly with some of these hosts without creating new SSH login events (see Figure 3).

Figure 3: Example of Lateral Movement in the Solaris Enclave

Once on other internal hosts, the team data mined each for sensitive information and credentials. They obtained personally identifiable information (PII), shadow files, a crackable pass-phrase protected administrator SSH key, and a plaintext password [T1552.003] in a user’s .bash_history. These data mined credentials provided further avenues for unprivileged access through the network. The team also used SSH tunnels to remotely mount Network File System (NFS) file shares, spoofing uid and gid values to access all files and folders.

To protect against reboots or other disruptions, the team primarily persisted on hosts using the cron utility [T1053.003], as well as the at utility [T1053.002], to run scheduled tasks and blend into the environment. Additionally, SSH private keys provided persistent access to internal pivot hosts and would have continued to enable access even if passwords were rotated.

Full Enclave Compromise

Although ACCOUNT 1 allowed the team to move laterally to much of the Solaris enclave, the account did not provide privileged access to all hosts in the network because a subset of hosts had changed the password (which denied privileged access via that account). However, the team analyzed recent user logins using the last command and identified a network security appliance scanning service account (ACCOUNT 2) that logged in regularly to an internal host using password-based authentication. As part of its periodic vulnerability scanning, ACCOUNT 2 would connect to each host via SSH and run sudo with a relative path instead of the absolute path /usr/local/bin/sudo. The local path created a path hijack vulnerability, which allowed the red team to hijack the execution flow and capture the account’s password [T1574.007].

The harvested password granted unrestricted privileged access to the entire Solaris enclave.

Exploitation of the Windows Domain

While the compromise of the Solaris enclave facilitated months of persistent access to sensitive systems, including web applications and databases, it did not lead to the immediate compromise of the corporate Windows environment. Once in the Windows domain, the red team identified several service accounts with weak passwords. It is likely that an adversary could have continued the Solaris attack path through prolonged password spraying attacks, or by leveraging credentials obtained externally (e.g., dark web credential dumps) (see Figure 4).

Figure 4: Exploitation of Solaris enclave

The team exploited the Windows domain through other access vectors and eventually proved the undetected pivot between the domains could be made after they obtained Windows credentials.

Reconnaissance and Initial Access

While attempting to pivot into Windows from Solaris, the red team conducted open source information gathering about the organization. They harvested employee names [T1589.003] and used the information to derive email addresses based on the target’s email naming scheme. After identifying names, emails, and job titles, the team selected several phishing targets who regularly interacted with the public [T1591.004]. One user triggered a phishing payload that provided initial access to a workstation.

The team then placed a simple initial access RAT on the workstation in a user-writable folder and obtained user-level persistence through an added registry run key, which called back to a red team redirector via HTTPS. The team assessed what was running on the host in terms of antivirus (AV) and Endpoint Detection and Response (EDR) and used the implant to inject a more capable, full-fledged RAT directly into memory, which pointed to a separate redirector. The assessed organization’s tools failed to categorize C2 traffic as anomalous even when a bug in one of the implants caused 8 GB of continuous network traffic to flow in one afternoon.

Credentialed Access and Privilege Escalation

Internal network information was freely available to unprivileged, domain-joined users, and the team queried hundreds of megabytes of Active Directory (AD) data using a custom rewrite of dsquery.exe in .NET and Beacon Object File (BOF) ldapsearch from the phished user’s workstation. The team then data mined numerous internal file servers for accessible shares [T1083]. The team found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts. With the harvested Lightweight Directory Access Protocol (LDAP) information, the team identified one of the accounts (ACCOUNT 3) had system center operations manager (SCOM) administrator privileges and domain administrator privileges for the parent domain. They identified another account (ACCOUNT 4) that also had administrative permissions for most servers in the domain. The passwords for both accounts had not been updated in over eight years and were not enrolled in the organization’s identity management (IDM).

Lateral Movement and Persistence

The team used valid accounts and/or tokens with varied techniques for lateral movement. Techniques included scheduled task manipulation, service creation, and application domain hijacking [T1574.014]. For credential usage, the implemented IDM in the organization’s network hampered the red team’s ability to pivot as it blocked common credential manipulation techniques like pass-the-hash [T1550.002] and pass-the-ticket [T1550.003]. The red team found ways to circumvent the IDM, including using plaintext passwords to create genuine network logon sessions [T1134.003] for certain accounts not registered with the IDM, as well as impersonating the tokens of currently logged-in users to piggyback off valid sessions [T1134.001].

The red team tailored payloads to blend with the network’s environment and did not reuse IOCs like filenames or file hashes, especially for persisted implants. Remote queries for directory listings, scheduled tasks, services, and running processes provided the information for the red team to masquerade as legitimate activity [T1036.004].

The team emulated normal network activity by installing HTTPS beaconing agents on workstations where normal users browse the web, establishing internal network pivots with TCP bind and SMB listeners. They primarily relied on creating Windows services as their persistence mechanism.

The red team used the data mined credentials for ACCOUNT 3 to move laterally from the workstation to a SCOM server. Once there, using ACCOUNT 4, the team targeted a Systems Center Configurations Manager (SCCM) server, as it was an advantageous network vantage point. The SCCM server had existing logged-in server administrators whose usernames followed a predictable naming pattern (correlating administrative roles and privilege levels), allowing them to determine which account to use to pivot to other hosts. 

The team targeted the organization’s jump servers frequented by highly privileged administrative accounts. Red team operators used stolen SCCM server administrator credentials to compromise one of the organization’s server-administrator jump hosts. They learned that the organization separated some, but not all, accounts onto separate jump servers by role (e.g., workstation administrators and server administrators had separate jump points, but server and domain administrators occasionally shared the same jump hosts). Once a domain administrator logged in, the red team stole the administrator’s session token and laterally moved to a domain controller where they pulled credentials for the entire domain via DCSync [T1003.006], obtaining full domain compromise (see Figure 5).

Figure 5: Exploitation of the Windows Domain

After compromising the domain, the team confirmed access to sensitive servers, including multiple high value assets (HVAs) and tier zero assets. None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network. Remote administration and access of these critical systems should be restricted to designated, role-based accounts coming from specific network enclaves and/or workstations. Isolation with these access vector limitations protects them from compromise and sharply reduces the associated noise, allowing defenders to more easily identify abnormal behavior.

Pivoting Into External Trusted Partners

The team inspected the organization’s trust relationships with other organizational domains through LDAP [T1482] and identified connections to multiple external FCEB partner organizations, one of which they subsequently used to move laterally.

The team pulled LDAP information from PARTNER DC 1 and kerberoasted the domain, yielding one valid service account with a weak password they quickly cracked, but the team was unable to move laterally with this account because it lacked appropriate privileges. However, PARTNER 1 had trusted relationships with a second partner’s domain controller (PARTNER DC 2). Using the acquired PARTNER 1 credentials, the red team discovered PARTNER 2 also had a kerberoastable, highly privileged administrative service account whose password cracked, allowing the team to laterally move to a PARTNER 2 host from the original victim network (see Figure 6).

figure 6: path of exploitation into external fceb organizations

These cross-organizational attack paths are rarely identified or tested in regular assessments or audits due to network ownership, legal agreements, and/or vendor opacity. However, they remain a valuable access vector for advanced persistent threat (APT) actors.

Experimentation with access into trusted partner domains included the modification of local system firewall rules on the source domain controller to allow specific source and destination IPs. The organization’s host-based monitoring systems failed to identify the addition and removal of the red team’s firewall exceptions.

Defense Evasion Techniques

Solaris Enclave Figure 5: Exploitation of the Windows Domain

Due to the lack of application allowlisting, the red team regularly masqueraded as legitimate software to remain undetected by the organization’s network defenders [T1036]. Additionally, by default, command auditing in Solaris via the lastcomm command only captures the program being run—full file path and any command line arguments are not recorded. For example:

• A real file: /opt/splunkforwarder/bin/splunkd
• A malicious copy: /opt/splunkforwarder/splunkd
• Command auditing logs: splunkd

The team also hid common artifacts to obfuscate their operational activity, including modifying file timestamps [T1070.006] and permissions with the touch and chmod/chown commands [T1222.002] to blend with other files in the environment.

Windows Domain

The team used a diverse range of accounts, backdoors, and C2 channels with different network footprints to obfuscate activity [T1027].

Diversification of account usage, backdoors, and C2 channels further obfuscated red team activity in the domain. Lateral movement to new hosts featured a variety of accounts to reduce the risk of detection. When harvesting credentials, the team selected several backup accounts for each role (e.g., server admin, workstation admin, domain admin, service accounts) in case the intended account was locked, disabled, or flagged as compromised.

To emphasize the value of tool-agnostic/behavior-based detections, the red team deployed over seven different implants to mimic real-world adversaries’ diverse use of open source, commercial off-the-shelf (COTS), and custom RATs. Each featured different host and network signatures to evade out-of-the-box EDR detections and every implant had unique artifacts both on-disk and in-memory. The team also evaded EDR/AV by using proprietary loaders and beacon object files (BOFs) to make direct API calls and allow self-injection of .NET executables to run additional capabilities.

All the deployed tools had different network C2 channel footprints. Some beaconing agents connected via HTTPS to legitimate domains owned by the red team. Others used domain fronting [T1090.004] to leverage common content delivery network (CDN) functionality. Outbound traffic sent to public websites not owned by the red team had a Host header that told the CDN provider it should redirect traffic to red-team-controlled IP addresses. Internal pivots used SMB on port 445 and TCP bind listeners on ephemeral high ports. The team tailored both to mimic named pipes and network connections already seen in the domain and evade detection.

Collaborative Phase

Five months into the assessment, the red team officially notified the organization’s security operations center (SOC) of the ongoing activity and began engaging directly with SOC leadership. At this point, the organization had not submitted deconflictions and did not appear to be actively investigating CISA SILENTSHIELD assessment activity.

During this phase, CISA refrained from providing TTPs or IOCs (such as concrete hosts, filenames, or C2 domains) to allow the organization to develop and test its own detection metrics. The team held weekly discussions with the organization’s senior technical staff, SOC, and system administrators, which led to measurable improvements in response times for known techniques and behavior-based detections that uncovered previously unknown tradecraft. Specifically, the red team worked with the organization to assist them with synthesizing the following data sources to identify the extent of the red team’s compromise:

• EDR alerts;
• YARA scans;
• C2 domains and techniques;
• Internal pivot hosts;
• Admin accounts used to pivot;
• Memory dumps, revealing attempts to pass credentials; and
• Email logs documenting the initial breach via phishing.

Every cyber threat actor has a unique set of TTPs. Nevertheless, nearly all adversaries perform the same basic steps:

• Command execution (initial access and lateral movement);
• Establish C2 channels and exfiltrate data;
• Establish persistence;
• Escalate privileges; and
• Use and abuse credentials.

All TTPs have corresponding artifacts, but not all IOCs are created equal. Fixating on a hyper-focused set of IOCs can catch known threats but impedes efforts to identify unknown adversaries employing different TTPs.

Major themes discussed during this phase that improved the organization’s behavior-based detection capabilities included log collection, forensic analysis, relying on IOCs for detection, monitoring and investigation management, and Sysmon misconfigurations.

Log Collection

The assessed organizations had ineffective and insufficient logs, and network defenders were not using logs to proactively detect anomalous behavior. With the red team’s assistance, the organization identified logging issues caused by hardware failures, limited backups, network bandwidth, and limited log collection and retention policies (only 60–90 days). In other cases, critical data was captured but not analyzed because artifacts were moved to cold storage.

The organization’s network defenders identified procedural and other roadblocks when attempting to acquire new forensic data. For example, affected servers could not be taken offline for imaging because there was no process in place to do so without impacting the organization’s operations. Additionally, attempts to capture forensic data via packet captures occurred directly on the compromised Solaris and Windows hosts, where the red team observed the data being collected and therefore had the opportunity to disrupt collection, tamper with evidence files, and better adapt and evade their defenses.

Forensic Analysis

Defenders did not monitor C2 egress via DNS. They believed their parent entity was monitoring their DNS traffic, absolving them of a need to collect and monitor logs for their analyses.

Forensic analysts blindly trusted the timestamps for files and persistence mechanisms without realizing they had been tampered with. Bogus times added to persistence mechanisms (such as scheduled tasks) led defenders to misjudge the timeline of the breach. Red team operators regularly adjusted the last-modified timestamp of files and folders—using either the native touch -r command or implants’ timestomp command to disguise the last-modified timestamp captured in the output of ls –la. Secondary file timestamps identified with ls -lu or ls -lc would have revealed abnormal file attributes, in addition to more reliable anomalies found during proper forensic investigation.

Reliance on Known IOCs

The red team used diversified TTPs in the Adversary Emulation phase to reflect the ability of cyber threat actors to bypass conventional, known-bad detection strategies. The network defenders did not detect much of the team’s activity. For example:

• After identifying a red team payload, network defenders wrote tailored YARA rules that signatured specific behavior of the red team’s loader, which uncovered several similar payloads but failed to catch any of the other six C2 frameworks.
• Organization network defenders used a combination of custom and open source detection rules (such as CommandLine=kerberoast* or files called bloodhound.zip) and did not detect the team’s kerberoasting activity.

Regular Monitoring and Investigation Management

Conversations with SOC leadership revealed several procedural issues that led to slow or incomplete analysis of the red team’s intrusion and activity. For example:

• While EDR products detected and quarantined several of the red team’s tools, including the initial phishing payload, the organization’s daily procedures did not always include review of EDR alerts. The red team worked with the organization to ensure rapid response to EDR alerts became a fundamental part of network defenders’ daily workflows. This allowed SOC personnel to identify new attempts at lateral movement.
• Solaris network owners discovered that several firewalls had inadvertently been misconfigured or disabled. The organization’s technical teams worked directly with the red team to fix errors and to reorganize and revalidate the network topology.
• Network defenders had poor operational security and alerted the red team of investigations. For example:
  • In one instance, after receiving incoming beacons from what was evidently a sandboxed environment, the payload was not renamed from its original file, allowing the red team to immediately identify how much of their access was under scrutiny. Organizations must ensure sandboxed environments are safe, secure, and thoroughly sandboxed.
  • The red team observed system administrators reviewing forensic artifacts tied to the team’s Solaris payload—searching for files, running packet captures for outbound C2 traffic, and port scanning the C2 redirector. Team members simply reinstalled their persistence with a new redirector and file path, sidestepping the informal investigation.
• IT teams were siloed from the SOC, who had no knowledge of the system administrator’s weeks long investigation into the anomalous network behavior.
• While the organization compartmented most of its threat hunting and incident response in a separate domain, staff still used the compromised corporate domain accounts to communicate the details of active investigations and assessments.

Sysmon Misconfigurations

The red team had a productive exchange with the organization on their Sysmon configuration, which the team abused throughout the assessment. The red team identified several misconfigurations:

• Deployment teams pushed the ruleset (stored as a .xml file) to a globally readable C:Windows directory. There were no rules in place to catch adversaries reading the configurations from disk or the registry. As a result, CISA’s red team was provided explicit file paths to safely place their payloads.
• Rules targeted a single, tool-specific IOC rather than a technique (e.g., sc.exe rather than service creation events).
• Exceptions were overly permissive (for example, excluding all Image entries anywhere in C:Program Files (x86)GoogleUpdate*).

LESSONS LEARNED AND KEY FINDINGS

The red team noted the following lessons learned and key findings relevant to the security of the assessed organization’s network. These specific findings contributed to the team’s ability to gain persistent access across the organization’s network. See the Mitigations section for recommendations on how to address these findings.

Lesson Learned: The assessed organization had insufficient controls to prevent and detect malicious activity.

• Finding #1: The organization’s perimeter network was not adequately firewalled from its internal network, which failed to restrict outbound traffic. A majority of the organization’s hosts, including domain controllers, had internet connectivity to broad AWS EC2 ranges, allowing the red team to make outbound web requests without triggering IDS/IPS responses. These successful connections revealed the lack of an application layer firewall capable of detecting protocol mismatches on common ports.
• Finding #2: The assessed organization had insufficient network segmentation. The lack of network segmentation allowed the red team to move into, within, and out of both the Solaris and Windows domain. This also enabled them to gather a massive amount of data about the organization and its systems. Internal servers could reach almost any other domain host, regardless of type (server vs. workstation), purpose (user laptop, file server, IDM server, etc.), or physical location. Use of network address translation (NAT) between different parts of the network further obfuscated data streams, hindering incident response.
• Finding #3: The organization had trust relationships with multiple partner organizations, which—when combined with weak credentials and network connectivity—allowed the red team to exploit and move laterally to a partner domain controller. This highlights the risk of blindly allowing third party network connectivity and the importance of regularly monitoring both privileged access and transitive trusted credential material.
• Finding #4: The organization’s defensive staff did not sufficiently isolate their defensive investigative activity. Organizations should always communicate information pertaining to suspected incidents out-of-band, rather than from within a domain that they know to be compromised. While the defensive systems were shunted to another domain with correct (one-way) trusts, the red team identified a likely attack vector to that domain via the same, previously compromised IDM server. Some analysts also performed dynamic analysis of suspected implants from an internet-connected sandbox, tipping the red team to the specific files and hosts that were under investigation.
• Finding #5: Network defenders were not familiar with the intricacies of their IDM solution. The CISA red team identified accounts not enrolled in the IDM and successfully used those and already existing user access tokens to bypass IDM. The appliance, in its active configuration, was not exhaustively tested against common credential manipulation techniques nor were any alerts on anomalous behavior being monitored.
• Finding #6: The organization had some role-based host segmentation, but it was not granular enough. The organization used clearly defined roles (server administrator and domain administrator) but did not sufficiently segregate the accounts to their own servers or systems, enabling privilege escalation.

Lesson Learned: The organization did not effectively or efficiently collect, retain, and analyze logs.

• Finding #7: Defensive analysts did not have the information they needed due to a combination of issues with collecting, storing, and processing logs. Other policies collected too much useless data, generating noise and slowing investigation.
• Finding #8: Network defenders’ daily procedures did not always include analysis of EDR alerts, and the tools that were installed only provided a 30-day retention for quarantined files. Consequently, investigators were unable to access timely information that may have led to earlier detection of the red team’s activity.
• Finding #9: Forensic analysts trusted host artifacts that could have been modified by an adversary. In particular, file timestamps and packet captures were scrutinized without considering the possibility of malicious tampering.

Lesson Learned: Bureaucratic communication and decentralized teams hindered the organization’s network defenders.

• Finding #10: The organization’s technical staff were spread across decentralized teams. Siloed team structure meant that IT, security, and other technical teams lacked consistency with their tools, creating too much noise for defenders to sift through.
• Finding #11: The SOC team lacked the agency to rapidly update or deploy rulesets through the fractured IT teams. The organization diffused responsibility for individual tools, such as Sysmon, across multiple groups, hampering timeliness and maintenance of a defensive posture.
• Finding #12: The organization’s forensics team produced an incident response report which documented the red team’s initial exploitation of the Solaris enclave. However, the report was limited in scope and did not adequately document the red team’s ability to expand and persist. The success of the red team’s first phase, using publicly known TTPs, illustrated the business risk to all Solaris hosts and, by extension, the Windows environment. Moreover, the organization’s internal report only focused on vulnerable servers and did not account for a cyber threat actor’s ability to expand and persist in the Solaris enclave.
  • The Solaris administrator’s investigations of the red team failed to appear in either the report or in SOC deconflictions. An admin’s inquiry into unusual and probably malicious activity, particularly in the middle of an investigation of confirmed breaches of adjacent hosts, should have been considered in the report as evidence of lateral movement.

Lesson Learned: A “known-bad” detection approach hampered detection of alternate TTPs.

• Finding #13: Defenders hyper-focused on specific IOCs, such as file attributes, particular C2 frameworks, or C2 domains. The organization’s network defenders did not initially employ tool-agnostic detections, causing them to positively identify some red team tools, but remain blind to the full extent of the compromise. They were accustomed to catching internal red teams that used specific TTPs; introducing a new “threat actor” with new TTPs sidestepped nearly all detections.
• Finding #14: Detection rules were visible from compromised systems, allowing the red team to sidestep detections based on hardcoded rules and exceptions.
• Finding #15: There was insufficient restriction of administrative tools. The technical staff lacked a standardized set of administrative tools, leaving all remote administration protocols available for use by admins, CISA red team, or adversaries. This also created excessive noise for defenders to effectively sift through to determine expected versus anomalous activity.
• Finding #16: There was insufficient tracking of software. There was no apparent approval or tracking process for software installation across the domain, preventing defensive analysts from identifying abnormal software placed by the red team. A comprehensive inventory of approved software would help defenders identify abnormal behavior and facilitate the deployment of application allow-listing.

NOTED STRENGTHS

The assessed organization promptly planned for and resolved multiple identified issues, including with:

• Windows service accounts: The organization eliminated over 30 percent of service accounts which were deemed unnecessary. There is an on-going effort to change service account passwords and apply DoD recommended STIG compliance (over 85 percent have been changed since the publication of this report).
• IDM: The organization is looking into how to improve their IDM implementation and apply additional security alerts and preventions for possible misuse of credentials. They plan to implement additional identity-based monitoring capabilities in front of tier zero assets.
• Egress: The organization implemented new processes to detect and prevent servers from anomalously egressing outside of the network to the internet.
• Host-based solutions: The organization used additional features of their antivirus software, such as reputation scores, to look for all executable file type outliers of to identify anomalous instances.
• Hosts: The organization decommissioned clusters of servers and completely rebuilt them from scratch after identifying numerous irreparable issues and misconfigurations.
• Solaris credentials: The organization changed passwords, removed SSH keys, restricted permissions, and removed unnecessary accounts.

MITIGATIONS

Network Defenders

CISA recommends organizations implement the recommendations in Table 1 to mitigate the findings listed in the Lessons Learned and Key Findings section of this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. See CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

CISA recommends organizations implement the recommendations in Table 2 to mitigate other identified issues that can be uncovered through traditional penetration tests or red team assessments.

Note: The above mitigations apply to critical infrastructure organizations with on-premises or hybrid environments. CISA encourage all organizations to prioritize purchasing products from manufacturers who demonstrate secure by design principles, such as evidenced by follow-on publications from companies who have signed the Secure by Design Pledge.

Software Manufacturers

CISA recognizes that insecure software is the root cause of many flaws; the responsibility should not rest on the end user. CISA urges software manufacturers to implement the following:

• Eliminate default passwords and determine what password practices should be required (such as minimum password length and disallowing known breached passwords). Configure software to use more secure authentication schemes by default.
• Provide logging at no additional charge. Cloud services and on-premises products should commit to generating and storing security related logs at no additional cost.
• Work with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers—in conjunction with customers—to understand how response teams use logs to investigate incidents. The goal is to develop logs that yield a comprehensive story of the event.
• Remove unnecessary software dependencies. Unnecessary software increases the attack surface available to adversaries and may introduce additional vulnerabilities. Mitigating these additional vulnerabilities requires significant investment, consuming resources like time, technical personnel, and adding to the level of security effort.

These mitigations align with tactics provided in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software. CISA urges software manufacturers to take ownership of improving the security outcomes of their customers by applying these and other secure by design tactics. By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates. 

For more information on secure by design, see CISA’s Secure by Design webpage. For more information on common misconfigurations and guidance on reducing their prevalence, see joint advisory NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see Tables 3–11).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

VERSION HISTORY

July 11, 2024: Initial version.

APPENDIX: MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 3–11 for all referenced threat actor tactics and techniques in this advisory.

Source: US Department of Homeland Security

FEMA’s final rule implementing the Federal Flood Risk Management Standard will reduce risk of flood impacts, protect people and infrastructure

Final rule follows additional actions from President Biden to protect workers and communities from extreme weather

WASHINGTON — The Department of Homeland Security’s (DHS) Federal Emergency Management Agency (FEMA) today published a Final Rule to implement the Federal Flood Risk Management Standard (FFRMS). The standard is a flexible framework to increase resilience against flooding and help protect communities.

In recent years, communities have seen repeated flooding that threatens both lives and property. Previous approaches, based on historical data, have become outdated. By using the best available science, FFRMS strengthens FEMA’s standards to incorporate both current and future flood risk, making taxpayer-funded projects far more resilient to flooding, protecting federal investments and reducing the risk of damage and loss from floods. Additionally, FEMA will pay for the applicable federal cost share to implement the FFRMS which is often 75% or more.

“The human and economic cost of flooding is devastating and will only grow in the years ahead as the impacts of climate change grow more intense and reach more communities,” said Secretary of Homeland Security Alejandro N. Mayorkas. “Taking forward-looking, effective steps to increase resilience before disaster strikes will save lives, property, critical infrastructure, and taxpayer money. The Federal Flood Risk Management Standard ensures that FEMA-funded projects meet that mandate. We cannot be passive as climate change threatens the safety and security of the American people and our homeland.”

“Climate change has exacerbated flood risk across the country, especially when it comes to sea-level rise. The Biden-Harris Administration is taking action to address these heightened risks by getting this new standard over the finish line,” said FEMA Administrator Deanne Criswell. “FFRMS will allow us to enhance resilience in flood-prone communities by taking future flood risk into consideration when we rebuild structures post-disaster. This is a huge win that will also allow us to end the repeat loss cycles that stem from flooding and increase the safety of families and save taxpayer dollars.”

“As climate change increases the frequency and severity extreme weather events, President Biden is taking bold action – mobilizing historic investments to protect communities before the storm strikes, upgrade critical infrastructure to reduce vulnerability and risk, and boost our collective capacity to recover quickly after disasters,” said National Climate Advisor Ali Zaidi. “By using common-sense solutions like elevating or floodproofing critical infrastructure, today’s rule will help local communities harness the best in science and engineering to better prepare for flood risks from rising sea levels and damaging storms. This important step will help protect taxpayer-funded projects, including fire and police stations and hospitals, from flood risks and is an integral part of the Biden-Harris administration’s broader efforts to enhance climate resilience across the country.”

This rule allows FEMA to consider the best available science in making projects and communities more resilient to increased flood conditions. The standard applies to FEMA-funded actions involving new construction, substantial improvement, or repairs to substantial damage.

FFRMS also applies to Hazard Mitigation Assistance projects involving structure elevation, dry floodproofing and mitigation reconstruction. This advances the National Climate Resilience Framework’s goal of building a climate-resilient nation. This higher standard considers both current and future flood risks associated with climate change and other threats.

Finalization of the rule supplements additional actions President Biden announced last week to protect workers and communities from extreme weather. After receiving an operational briefing on extreme weather from Department of Homeland Security Secretary Alejandro Mayorkas and FEMA Administrator Deanne Criswell, President Biden announced $1 billion for 656 projects across the country to help communities protect against disasters and natural hazards, including extreme heat, storms, and flooding.

This action is the latest in an all-of-government approach to minimize flood risks and implement the FFRMS. These efforts have included the issuance of a Federal Flood Standard Support Tool (Beta), a FFRMS Standard Floodplain Determination Job Aid, a State of the Science Report on Climate-Informed Science Approach for flood hazards, and implementation of the FFRMS by the Departments of Agriculture, Defense, Health and Human Services, Housing and Urban Development, Interior, and General Services Administration.

Expansion of the Floodplain

As climate change and other threats have increased flood risk across much of the United States, the FFRMS allows FEMA to consider the best available and actionable climate science in making projects and communities more resilient to increases in flood conditions due to sea level rise and other environmental changes.

Prior to the FFRMS, FEMA required non-critical projects to be protected to the 1% annual chance (100-year) flood to minimize flood risk. Critical projects, like the construction of fire and police stations, hospitals and facilities that store hazardous materials, had to be protected to the 0.2% annual chance (500-year) flood. This standard reflected only current flood risk.

The FFRMS will increase the flood elevation — how high — and floodplain — how wide — to reflect future, as well as current, flood risk for actions subject to the standard.

Implementing the FFRMS is an important step toward mitigating future flood risk that will benefit communities by allowing them to avoid or recover from future disasters more efficiently and effectively. Communities can protect against future flood risk by building outside of the floodplain, elevating, floodproofing, or using nature-based solutions.

Minimal Estimated Implementation Costs of Less than 2% for FEMA and Applicants

This standard requires incorporating flood resilience measures into project designs that could marginally increase the project cost. However, this minimal cost increase is expected to result in far greater savings over time due to avoided flood damage.

FEMA pays for the costs to implement the FFRMS at the applicable cost share for the project, often 75% or more. FEMA has found that incorporating 2-feet of elevation into a new building design on average adds only 1.91% to the total project cost.

As an example, on a $1 million dollar project with a federal cost share of 75%, the estimated increased project cost to the applicant is $4,775. These improvements can help reduce the chances of repetitive property losses to flooding, lowering costs for taxpayers and communities.

Full Implementation of the Federal Flood Risk Management Standard

Since August 2021, FEMA has partially implemented the FFRMS. Partial implementation relied on existing regulations to reduce flood risk, increasing minimum flood elevation requirements for structures in areas already subject to flood risk minimization requirements, but not horizontally expanding those areas.

The key distinctions between partial and full implementation are the expansion of the floodplain to reflect both current and future flood risk and the requirement to consider natural features and nature-based solutions. Using natural features and nature-based solutions can help preserve the benefits of floodplains across the nation, such as the ability to store and move floodwaters and create rich soils.

The Final Rule amends Title 44, Part 9 of the Code of Federal Regulations and will be effective on Sept. 9, 2024. For disasters declared on or after this date and notices of funding opportunity published on or after this date, the Federal Flood Risk Management Standard will apply to FEMA-funded actions involving new construction, substantial improvement or repairs to substantial damage.

Source: US Department of Homeland Security

WASHINGTON – Today, the Department of Homeland Security (DHS), as chair of the Forced Labor Enforcement Task Force (FLETF), released an updated Uyghur Forced Labor Prevention Act (UFLPA) Strategy to Prevent the Importation of Goods Mined, Produced, or Manufactured with Forced Labor in the People’s Republic of China (PRC). This strategy builds on two years of the Administration’s enforcement of the UFLPA in addition to DHS’s longstanding efforts to remove forced labor from U.S. supply chains and support responsible businesses and industries that uphold human rights protections and support fair competition.  

Notably in this year’s strategy, the FLETF has identified new high priority sectors for enforcement – aluminum, polyvinyl chloride (PVC), and seafood – for the first time since 2022. These industries were identified due to higher risk of forced labor or state labor transfer of Uyghurs and other ethnic minorities from the Xinjiang Uyghur Autonomous Region (XUAR). The FLETF continues to designate apparel, cotton and cotton products, silica-based products including polysilicon, and tomatoes and downstream products as high priority sectors.   

“Forced labor is a form of modern slavery, and the Department of Homeland Security is committed to eradicating it from our supply chains,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The updated Uyghur Forced Labor Prevention Act Strategy and new high-priority sectors for enforcement announced today reflect the evolving and expanding scope of those who seek to circumvent the law and profit off the exploitation of abused people. Our Department will continue to work closely with our partners in government, and with stakeholders across industry and civil society, to lead U.S. efforts to end forced labor by enforcing customs laws, supporting economic fairness, and safeguarding the human rights of all.” 

Originally published in June 2022, the UFLPA Strategy outlines a multi-pronged approach to combating forced labor in global supply chains. This year’s updates outline how the FLETF has significantly advanced our objectives through several initiatives, including strong enforcement by U.S. Customs and Border Protection (CBP); expansion of the UFLPA Entity List; new high priority sectors for enforcement; and greater collaboration with stakeholders. The updated Strategy comes after DHS recently added three new entities to the UFLPA Entity List, bringing the total number of PRC-based companies whose goods are restricted from entering the United States to 68. The DHS fact sheet released today details the impact of our forced labor enforcement efforts and highlights updates in the latest UFLPA Strategy. 

With the designation of new high priority sectors for enforcement, entities in these sectors will be prioritized for review by the FLETF for a variety of enforcement actions: inclusion on the UFLPA Entity List, export limitations, economic sanctions, and visa restrictions. The FLETF will undertake these enforcement actions to curtail the economic incentives to participate in or facilitate human rights abuses, including forced labor. Identifying high priority sectors also allows importers to focus their due diligence efforts on supply chains that intersect with these sectors, supporting compliance and keeping goods from forced labor out of U.S. markets.   

“We are committed to expanding our enforcement of the UFLPA to keep goods made with forced labor out of U.S. markets,” said Robert Silvers, Under Secretary for Policy and Chair of the Forced Labor Enforcement Task Force. “This will happen through designation of more companies to the UFLPA Entity List, enforcement by CBP at our ports, focus on additional industry sectors, and continued engagement with industry and civil society.”   

“Two years into the implementation of UFLPA, CBP and DHS efforts are making an impact against the scourge of forced labor. Businesses are shifting behavior to ensure their supply chains are free of goods made with forced labor, which protects workers and strengthens our nation’s economic security,” said Troy A. Miller, CBP Senior Official Performing the Duties of the Commissioner. “Thus far, CBP has denied entry to nearly 3,500 such shipments valued at over $695 million. Our enforcement efforts will continue, as will our engagement with our key stakeholders to reinforce the shared imperative of this work.” 

The Strategy furthers the memorandum President Biden signed in November 2023 on advancing worker empowerment, rights, and high labor standards globally. The memorandum represents the first whole-of-government approach to advance workers’ rights by directing departments and agencies to elevate labor rights in their work abroad, which includes DHS’ work implementing the UFLPA. 

Forced labor undermines the global trading system and our national security. DHS and the FLETF remain dedicated to ensuring the United States is doing its part in upholding fair labor standards and supporting American workers and manufacturers with a fair and equal playing field in the global marketplace. The United States will remain diligent in standing up against these human rights abuses. The FLETF will continue to collaborate with stakeholders from the trade community, civil society, labor organizations and our international partners to ensure the use of forced labor is eradicated from U.S. and international supply chains.  

###

Source: US Department of Homeland Security

This advisory, authored by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV), the Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center, and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Policy Agency (NPA)—hereafter referred to as the “authoring agencies”—outlines a People’s Republic of China (PRC) state-sponsored cyber group and their current threat to Australian networks. The advisory draws on the authoring agencies’ shared understanding of the threat as well as ASD’s ACSC incident response investigations.

The PRC state-sponsored cyber group has previously targeted organizations in various countries, including Australia and the United States, and the techniques highlighted below are regularly used by other PRC state-sponsored actors globally. Therefore, the authoring agencies believe the group, and similar techniques remain a threat to their countries’ networks as well.

The authoring agencies assess that this group conduct malicious cyber operations for the PRC Ministry of State Security (MSS). The activity and techniques overlap with the groups tracked as Advanced Persistent Threat (APT) 40 (also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk in industry reporting). This group has previously been reported as being based in Haikou, Hainan Province, PRC and receiving tasking from the PRC MSS, Hainan State Security Department.[1]

The following Advisory provides a sample of significant case studies of this adversary’s techniques in action against two victim networks. The case studies are consequential for cybersecurity practitioners to identify, prevent and remediate APT40 intrusions against their own networks. The selected case studies are those where appropriate remediation has been undertaken reducing the risk of re-exploitation by this threat actor, or others. As such, the case studies are naturally older in nature, to ensure organizations were given the necessary time to remediate.

APT40 has repeatedly targeted Australian networks as well as government and private sector networks in the region, and the threat they pose to our networks is ongoing. The tradecraft described in this advisory is regularly observed against Australian networks.

Notably, APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability. APT40 regularly conducts reconnaissance against networks of interest, including networks in the authoring agencies’ countries, looking for opportunities to compromise its targets. This regular reconnaissance postures the group to identify vulnerable, end-of-life or no longer maintained devices on networks of interest, and to rapidly deploy exploits. APT40 continues to find success exploiting vulnerabilities from as early as 2017.

APT40 rapidly exploits newly public vulnerabilities in widely used software such as Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473). ASD’s ACSC and the authoring agencies expect the group to continue using POCs for new high-profile vulnerabilities within hours or days of public release.

This group appears to prefer exploiting vulnerable, public-facing infrastructure over techniques that require user interaction, such as phishing campaigns, and places a high priority on obtaining valid credentials to enable a range of follow-on activities. APT40 regularly uses web shells [T1505.003] for persistence, particularly early in the life cycle of an intrusion. Typically, after successful initial access APT40 focuses on establishing persistence to maintain access on the victim’s environment. However, as persistence occurs early in an intrusion, it is more likely to be observed in all intrusions—regardless of the extent of compromise or further actions taken.

Although APT40 has previously used compromised Australian websites as command and control (C2) hosts for its operations, the group have evolved this technique [T1594].

APT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors [T1584.008] for its operations in Australia. This has enabled the authoring agencies to better characterize and track this group’s movements.

Many of these SOHO devices are end-of-life or unpatched and offer a soft target for N-day exploitation. Once compromised, SOHO devices offer a launching point for attacks that is designed to blend in with legitimate traffic and challenge network defenders [T1001.003].

APT40 does occasionally use procured or leased infrastructure as victim-facing C2 infrastructure in its operations; however, this tradecraft appears to be in relative decline.

ASD’s ACSC are sharing some of the malicious files identified during the investigations outlined below. These files have been uploaded to VirusTotal to enable the wider network defense and cyber security communities to better understand the threats they need to defend against.

ASD’s ACSC are sharing two anonymized investigative reports to provide awareness of how the actors employ their tools and tradecraft.

Source: US Department of Homeland Security

Instead of interacting directly with CISA, you can also share and receive AIS cyber threat indicators and defensive measures through a participating ISAC or ISAO or via an AIS-integrated commercial product or service. (Customers are only required to sign an AIS Terms of Use Agreement if they want to receive data designated with distribution limitation “TLP: Amber.” Visit the Traffic Light Protocol (TLP) page for further information.

CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.

Commercial providers offer AIS data to existing subscribers at no extra cost:

ISACS/ISAOs also offer AIS data to existing members via ISAC/ISAO provided automated data connections**:

**Other ISACS do receive AIS data but might not offer a member CTI feed connection and therefore do not distribute AIS data.

Source: US Department of Homeland Security

Secretary of Homeland Security Alejandro N. Mayorkas released the following statement following yesterday’s record three million passenger screenings by the Transportation Security Administration.

“Yesterday, for the first time since its founding in November 2001, Transportation Security Administration officers screened more than three million travelers on a single day at airports across the country.  It was an extraordinary achievement: TSA fully, unerringly, and efficiently checked 35 passengers every second, along with all their luggage and carry-on baggage, while demonstrating unwavering professionalism and respect for travelers during the intensely busy holiday weekend.  Congratulations to the entire TSA workforce and Administrator David Pekoske.

“Every day, the men and women of TSA enable millions of travelers to reach their destinations safely and securely.  Yet, for decades, TSA officers received less pay for their service than their government counterparts did.  One year ago, our Department, together with our partners in Congress, finally ended this injustice and secured long-overdue pay fairness.  Its impact is already evident: In just the last year, TSA workforce attrition has been cut in half, recruitment rates are rising, and surveys report improved morale and job satisfaction across the agency.

“Now, with record-breaking travel spurred by our nation’s strong economy expected to continue in the months ahead, it is imperative that Congress ensure pay fairness for TSA permanently.  It is the smart thing to do for everyone who depends on TSA to keep our skies and our country safe, and it is the right thing to do for these great public servants.”

###

Source: US Department of Homeland Security

During emergency events, the Department of Homeland Security (DHS) works with its federal, state, local, and non-governmental partners to support the needs of the people in the areas that may be impacted. 

In such circumstances, U.S. Immigration and Customs Enforcement (ICE) and U.S. Customs and Border Protection (CBP) remind the public that sites that provide emergency response and relief are considered protected areas. To the fullest extent possible, ICE and CBP do not conduct immigration enforcement activities at protected areas such as along evacuation routes, sites used for sheltering or the distribution of emergency supplies, food or water, or registration sites for disaster-related assistance or the reunification of families and loved ones. 

At the request of FEMA or local and state authorities, ICE and CBP may help conduct search and rescue, air traffic de-confliction and public safety missions. ICE and CBP provide emergency assistance to individuals regardless of their immigration status. DHS officials do not and will not pose as individuals providing emergency-related information as part of any enforcement activities. 

DHS is committed to ensuring that every individual who seeks shelter, aid, or other assistance as a result of a natural disaster or emergency event is able to do so regardless of their immigration status.  

DHS carries out its mission without discrimination on the basis of race, religion, gender, sexual orientation or gender identity, ethnicity, disability or political associations, and in compliance with law and policy. 

For information about filing a complaint with the DHS Office for Civil Rights and Civil Liberties about these matters, please visit https://www.dhs.gov/file-civil-rights-complaint. 

Source: US Department of Homeland Security

Redesignation Allows Additional Newly Eligible Yemeni Nationals to Apply for TPS and Employment Authorization Documents 

WASHINGTON – Secretary of Homeland Security Alejandro N. Mayorkas today announced the extension and redesignation of Yemen for Temporary Protected Status for 18 months, from September 4, 2024, to March 3, 2026, due to country conditions in Yemen that prevent individuals from safely returning.

After consultation with interagency partners, Secretary Mayorkas determined that an 18-month extension and redesignation of Yemen for TPS is warranted because ongoing armed conflict and extraordinary and temporary conditions continue to support Yemen’s TPS designation, and that the extension and redesignation are not contrary to the national interest of the United States.

“Yemen has been in a state of protracted conflict for the past decade, severely limiting civilians’ access to water, food, and medical care, pushing the country to the brink of economic collapse, and preventing Yemeni nationals living abroad from safely returning home,” said Secretary Mayorkas. “The steps the Department of Homeland Security has taken today will allow certain Yemenis currently residing in the United States to remain and work here until conditions in their home country improve.”

The redesignation of Yemen for TPS allows an estimated 1,700 Yemeni nationals (and individuals having no nationality who last habitually resided in Yemen) who have been continuously residing in the United States since July 2, 2024 to file initial applications for TPS, if they are otherwise eligible.

The extension of TPS for Yemen allows approximately 2,300 current beneficiaries to retain TPS through March 3, 2026, if they continue to meet TPS eligibility requirements. This extension and redesignation does not apply for anyone who was not already in the United States on July 3, 2024.

The corresponding Federal Register notice provides information about registering for TPS as a new or current beneficiary under Yemen’s extension and redesignation. The Federal Register notice explains eligibility criteria, timelines, and procedures necessary for current beneficiaries to re-register and renew EADs, and for new applicants to submit an initial application under the redesignation and apply for an EAD.

Accompanying this announcement is a Special Student Relief notice for F-1 nonimmigrant students whose country of citizenship is Yemen, or individuals having no nationality who last habitually resided in Yemen, so that eligible students may request employment authorization, work an increased number of hours while school is in session, and reduce their course load while continuing to maintain F-1 status through the TPS designation period.

Current TPS beneficiaries who wish to extend their status through March 3, 2026, must re-register during the 60-day re-registration period from July 10, 2024, through September 9, 2024, to ensure they keep their TPS and employment authorization. DHS recognizes that not all re-registrants may receive a new Employment Authorization Document before their current EAD expires and is automatically extending through September 3, 2025, the validity of EADs previously issued under Yemen’s TPS designation.

U.S. Citizenship and Immigration Services will continue to process pending applications filed under previous TPS designations for Yemen. Individuals with a pending Form I-821, Application for Temporary Protected Status, or a related Form I-765, Application for Employment Authorization, as of July 10, 2024 do not need to file either application again. If USCIS approves a pending Form I-821 or Form I-765 filed under the previous designation of TPS for Yemen, USCIS will grant the individual TPS through March 3, 2026, and issue an EAD valid through the same date.

Under the redesignation of Yemen, eligible individuals who do not have TPS may submit an initial Form I-821, Application for Temporary Protected Status, during the initial registration period that runs from July 10, 2024 through March 3, 2026. Applicants also may apply for TPS-related EADs and for travel authorization. Applicants can request an EAD by submitting a completed Form I-765, Application for Employment Authorization, with their Form I-821, or separately later.

Since the Securing the Border Presidential Proclamation and Interim Final Rule was issued in early June, over 24,000 noncitizens have been removed or returned to more than 20 countries. All irregular migration journeys are extremely dangerous, unforgiving, and often result in loss of life. DHS will continue to enforce U.S. laws and will return noncitizens who do not establish a legal basis to remain in the United States.

Source: US Department of Homeland Security

WASHINGTON –Today, the Cybersecurity and Infrastructure Security Agency (CISA) released its “Guide to Operational Security for Election Officials.” This essential guide aims to enhance the security of election infrastructure by providing a thorough overview of operational security (OPSEC) within the election context, highlighting potential risks and offering practical mitigation measures.

Operational security is a systematic approach to identifying and protecting sensitive information, data, or capabilities within an organization.  Without robust safeguards, sensitive information can be inadvertently or deliberately exposed and exploited by threat actors, potentially impacting the ability of election workers to fulfill their duties, exposing voters’ personally identifiable information (PII) and enabling unauthorized access to internal systems and facilities.

By incorporating OPSEC principles into daily election operations and fostering a culture of security awareness, election workers can significantly reduce the risk of unauthorized disclosures while maintaining a transparent elections process and responding to public inquiries.  The guide emphases the importance of viewing data from an adversary’s perspective to holistically assess and mitigate potential threats.

“CISA provides various training programs for election workers, including secure practices, incident response planning, and de-escalation techniques.” said CISA Special Advisor to the Director for Election Security Cait Conley. “This guide is another excellent resource CISA provides the public with to keep our elections safe and secure.”

Key points from the Guide:

• OPSEC is critical for protecting election infrastructure from exposure to potential threat actors.
• Embedding OPSEC principles in daily operations helps prevent unauthorized access to sensitive information.
• Training and awareness of OPSEC principles enable election workers to understand and manage aggregated risks effectively.
• The guide provides real-world examples and mitigation activities to strengthen operational security. 

To learn more, visit #Protect2024 on CISA.gov.