Category: United States Director of National Intelligence

Source: US Department of Homeland Security

Summary

Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) (hereafter referred to as the authoring organizations) are releasing this joint advisory to disseminate known RansomHub ransomware IOCs and TTPs. These have been identified through FBI threat response activities and third-party reporting as recently as August 2024. RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV).

Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors.

The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims. It should be noted that data exfiltration methods are dependent on the affiliate conducting the network compromise. The ransom note dropped during encryption does not generally include an initial ransom demand or payment instructions. Instead, the note provides victims with a client ID and instructs them to contact the ransomware group via a unique .onion URL (reachable through the Tor browser). The ransom note typically gives victims between three and 90 days to pay the ransom (depending on the affiliate) before the ransomware group publishes their data on the RansomHub Tor data leak site.

The authoring organizations encourage network defenders to implement the recommendations in the Mitigations section of this cybersecurity advisory to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

Technical Details

Note: This advisory uses the MITRE ATT&CK^® Matrix for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Initial Access

RansomHub affiliates typically compromise internet facing systems and user endpoints by using methods such as phishing emails [T1566], exploitation of known vulnerabilities [T1190], and password spraying [T1110.003]. Password spraying targets accounts compromised through data breaches. Proof-of-concept exploits are obtained from sources such as ExploitDB and GitHub [T1588.005]. Exploits based on the following CVEs have been observed:

• CVE-2023-3519 (CWE-94)
  • Citrix ADC (NetScaler) Remote Code Execution. A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer overflow of the NSPPE (NetScaler Packet Processing Engine) process by making a specially crafted HTTP GET request. Successful exploitation results in remote code execution as root.
• CVE-2023-27997 (CWE-787 | CWE-122)
  • A heap-based buffer overflow vulnerability in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.
• CVE-2023-46604 (CWE-502)
  • The Java OpenWire protocol marshaller, such as in Apache ActiveMQ, is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to open either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Upgrading both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 fixes this issue.
• CVE-2023-22515
  • A vulnerability in publicly accessible Confluence Data Center and Server instances that allows the creation of unauthorized Confluence administrator accounts and access to Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
• CVE-2023-46747 (CWE-306 | CWE-288)
  • Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
• CVE-2023-48788 (CWE-89)
  • An improper neutralization of special elements used in an SQL command (SQL injection’) in Fortinet FortiClientEMS version 7.2.0 through 7.2.2 and FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.
• CVE-2017-0144
  • The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, also known as “Windows SMB Remote Code Execution Vulnerability” [T1210].
• CVE-2020-1472
  • An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).
• CVE-2020-0787
  • This vulnerability was also potentially exploited along with the Zerologon privilege escalation vulnerability.

Discovery

RansomHub affiliates conduct network scanning with tools such as AngryIPScanner, Nmap, and PowerShell-based living off the land methods with PowerShell to conduct network scanning [T1018][T1046][T1059.001].

Defense Evasion

Cybersecurity researchers have observed affiliates renaming the ransomware executable with innocuous file names, such as Windows.exe, left on the user’s desktop (C:Users%USERNAME%Desktop) or downloads (C:Users%USERNAME%Downloads) [T1036]. The affiliates have also cleared Windows and Linux system logs to inhibit any potential incident response [T1070]. Affiliates used Windows Management Instrumentation [T1047] to disable antivirus products. In some instances, RansomHub-specific tools were deployed to disable endpoint detection and response (EDR) tooling [T1562.001].

Privilege Escalation and Lateral Movement

Following initial access, RansomHub affiliates created user accounts for persistence [T1136], reenabled disabled accounts [T1098], and used Mimikatz [S0002] on Windows systems to gather credentials [T1003] and escalate privileges to SYSTEM [T1068]. Affiliates then moved laterally inside the network through methods including Remote Desktop Protocol (RDP) [T1021.001], PsExec [S0029], Anydesk [T1219], Connectwise, N-Able, Cobalt Strike [S0154], Metasploit, or other widely used command-and-control (C2) methods.

Data Exfiltration

Data exfiltration methods depend heavily on the affiliate conducting the network compromise. The ransomware binary does not normally include any mechanism for data exfiltration. Data exfiltration has been observed through the usage of tools such as PuTTY [T1048.002], Amazon AWS S3 buckets/tools [T1537], HTTP POST requests [T1048.003], WinSCP, Rclone, Cobalt Strike, Metasploit, and other methods.

Encryption

RansomHub ransomware has typically leveraged an Elliptic Curve Encryption algorithm called Curve 25519 to encrypt user accessible files on the system [T1486]. Curve 25519 uses a public/private key that is unique to each victim organization. To successfully encrypt files that are currently in use, the ransomware binary will typically attempt to stop the following processes:

• “vmms.exe”
• “msaccess.exe”
• “mspub.exe”
• “svchost.exe”
• “vmcompute.exe”
• “notepad.exe”
• “ocautoupds.exe”
• “ocomm.exe”
• “ocssd.exe”
• “oracle.exe”
• “onenote.exe”
• “outlook.exe”
• “powerpnt.exe”
• “explorer.exe”
• “sql.exe”
• “steam.exe”
• “synctime.exe”
• “vmwp.exe”
• “thebat.exe”
• “thunderbird.exe”
• “visio.exe”
• “winword.exe”
• “wordpad.exe”
• “xfssvccon.exe”
• “TeamViewer.exe”
• “agntsvc.exe”
• “dbsnmp.exe”
• “dbeng50.exe”
• “encsvc.exe”

The ransomware binary will attempt to encrypt any files that the user has access to, including user files and networked shares.

RansomHub implements intermittent encryption, encrypting files in 0x100000 byte chunks and skipping every 0x200000 bytes of data in between encrypted chunks. Files smaller than 0x100000 bytes in size are completely encrypted. Files are appended with 58 (0x3A) bytes of data at the end. This data contains a value which is likely part of an encryption/decryption key. The structure of the appended 0x3A bytes is listed below with images from three different encrypted files.

The next eight bytes are the size of encrypted blocks. If the entire file is encrypted, this section is all zeros. In this example, each encrypted section is 0x100000 bytes long, with 0x100000 bytes between each encrypted block. This number was observed changing based on the size of the encrypted file.

The next two bytes were always seen to be 0x0001.

The next 32 bytes are the public encryption key for the file.

The next four bytes are a checksum value.

The last four bytes are always seen to be the sequence 0x00ABCDEF.

The ransomware executable does not typically encrypt executable files. A random file extension is added to file names and a ransom note generally titled How To Restore Your Files.txt is left on the compromised system. To further inhibit system recovery, the ransomware executable typically leverages the vssadmin.exe program to delete volume shadow copies [T1490].

Leveraged Tools

See Table 1 for publicly available tools and applications used by RansomHub affiliates. This includes legitimate tools repurposed for their operations.

Disclaimer: Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

Source: US Department of Homeland Security

DHS continues to provide unprecedented resources to support border & interior communities

WASHINGTON – Today, the Department of Homeland Security (DHS), through the Federal Emergency Management Agency (FEMA) and U.S. Customs and Border Protection (CBP), announced the allocation of over $380 million through the Shelter and Services Program (SSP). Through the SSP, DHS directly supports communities that are providing critical support such as food, shelter, clothing, acute medical care, and transportation to noncitizens recently released from DHS custody and awaiting their immigration court proceedings. FEMA, in coordination with CBP, is administering these SSP grants with state, local and tribal governments as well as nongovernmental organizations to help prevent the overcrowding of short-term CBP holding facilities. This funding augments the $259.13 million in SSP grants that DHS distributed in April 2024.

This grant cycle provides a new opportunity through a competitive program and builds on the support being provided to communities on the border and in the interior. Last year, more than $780 million awarded through SSP and the Emergency Food and Shelter Program – Humanitarian Awards (EFSP-H) funding in Fiscal Year 2023 went to organizations and cities across the country.

DHS efforts to manage and secure our borders in a safe, orderly, and humane way include support for communities, as well as strengthened consequences for those without a legal basis to remain and an expansion of lawful pathways that have helped reduce the number of encounters from specific populations. U.S. Customs and Border Protection (CBP)’s operational report for July 2024 shows a significant decline in migrant encounters during the first full month after a Presidential Proclamation issued June 4, 2024, by President Biden to temporarily suspend the entry of certain noncitizens across the southern border. U.S. Border Patrol encounters in July were 32% lower than in June 2024 and were the lowest monthly total along the southwest border since September 2020. July’s total numbers between ports of entry are also lower than July 2019, and lower than the monthly average for all of 2019, the last comparable year prior to the pandemic.

Due to the substantial demand that exceeds the limited SSP program funding authorized by Congress, not all requests can be fulfilled.

For more information on the Shelter and Services Program, visit fema.gov/grants/preparedness/shelter-services-program. 

###

Source: US Department of Homeland Security

Summary

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that, as of August 2024, a group of Iran-based cyber actors continues to exploit U.S. and foreign organizations. This includes organizations across several sectors in the U.S. (including in the education, finance, healthcare, and defense sectors as well as local government entities) and other countries (including in Israel, Azerbaijan, and the United Arab Emirates). The FBI assesses a significant percentage of these threat actors’ operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware. The FBI further assesses these Iran-based cyber actors are associated with the Government of Iran (GOI) and—separate from the ransomware activity—conduct computer network exploitation activity in support of the GOI (such as intrusions enabling the theft of sensitive technical data against organizations in Israel and Azerbaijan).

This CSA provides the threat actor’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), as well as highlights similar activity from a previous advisory (Iran-Based Threat Actor Exploits VPN Vulnerabilities) that the FBI and CISA published on Sept. 15, 2020. The information and guidance in this advisory are derived from FBI investigative activity and technical analysis of this group’s intrusion activity against U.S. organizations and engagements with numerous entities impacted by this malicious activity.

The FBI recommends all organizations follow guidance provided in the Mitigations section of this advisory to defend against the Iranian cyber actors’ activity.

If organizations believe they have been targeted or compromised by the Iranian cyber actors, the FBI and CISA recommend immediately contacting your local FBI field office for assistance and/or reporting the incident via CISA’s Incident Reporting Form (see the Reporting section of this advisory for more details and contact methods).

For more information on Iran state-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat webpage.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

Threat Actor Details

Background on Threat Group and Prior Activity

This advisory outlines activity by a specific group of Iranian cyber actors that has conducted a high volume of computer network intrusion attempts against U.S. organizations since 2017 and as recently as August 2024. Compromised organizations include U.S.-based schools, municipal governments, financial institutions, and healthcare facilities. This group is known in the private sector by the names Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm.[1][2] The actors also refer to themselves by the moniker Br0k3r, and as of 2024, they have been operating under the moniker “xplfinder” in their channels. FBI analysis and investigation indicate the group’s activity is consistent with a cyber actor with Iranian state-sponsorship.

The FBI previously observed these actors attempt to monetize their access to victim organizations on cyber marketplaces. A significant percentage of the group’s US-focused cyber activity is in furtherance of obtaining and maintaining technical access to victim networks to enable future ransomware attacks. The actors offer full domain control privileges, as well as domain admin credentials, to numerous networks worldwide. More recently, the FBI identified these actors collaborating directly with ransomware affiliates to enable encryption operations in exchange for a percentage of the ransom payments. These actors have collaborated with the ransomware affiliates NoEscape[3], Ransomhouse[4], and ALPHV (aka BlackCat) (#StopRansomware: ALPHV Blackcat). The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims. The FBI assesses these actors do not disclose their Iran-based location to their ransomware affiliate contacts and are intentionally vague as to their nationality and origin.

Furthermore, the FBI has historically observed this actor conduct hack-and-leak campaigns, such as the late 2020 campaign known as Pay2Key.[5],[6] The actors operated a .onion site (reachable through the Tor browser) hosted on cloud infrastructure registered to an organization previously compromised by the actors. (The actors created the server leveraging their prior access to this victim.) Following the compromise and the subsequent unauthorized acquisition of victim data, the actors publicized news of their compromise (including on social media), tagging accounts of victim and media organizations, and leaking victim data on their .onion site. While this technique has traditionally been used to influence victims to pay ransoms, the FBI does not believe the objective of Pay2Key was to obtain ransom payments. Rather, the FBI assesses Pay2Key was an information operation aimed at undermining the security of Israel-based cyber infrastructure.

Attribution Details

FBI investigation identified that the Iranian cyber actors conduct malicious cyber activity, which FBI assessed to be in support of the GOI. The FBI judges this activity to be separate from the previously referenced ransomware-enabling activity. This group directs their activity towards countries and organizations consistent with Iranian state interests, and typically not of interest to the group’s ransomware affiliate contacts, such as U.S. defense sector networks, and those in Israel, Azerbaijan, United Arab Emirates. Instead, it is intended to steal sensitive information from these networks, suggesting the group maintains an association with the GOI. However, the group’s ransomware activities are likely not sanctioned by the GOI, as the actors have expressed concern for government monitoring of cryptocurrency movement associated with their malicious activity.

The group uses the Iranian company name Danesh Novin Sahand (identification number 14007585836), likely as a cover IT entity for the group’s malicious cyber activities.

Technical Details

Note: This advisory uses the MITRE ATT&CK^® Matrix for Enterprise framework, version 15.1. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview of Observed Tactics, Techniques, and Procedures

The Iranian cyber actors’ initial intrusions rely upon exploits of remote external services on internet-facing assets to gain initial access to victim networks. As of July 2024, these actors have been observed scanning IP addresses hosting Check Point Security Gateways, probing for devices potentially vulnerable to CVE-2024-24919. As of April 2024, these actors have conducted mass scanning of IP addresses hosting Palo Alto Networks PAN-OS and GlobalProtect VPN devices. The actors were likely conducting reconnaissance and probing for devices vulnerable to CVE-2024-3400. Historically, this group has exploited organizations by leveraging CVE-2019-19781 and CVE-2023-3519 related to Citrix Netscaler, and CVE-2022-1388 related to BIG-IP F5 devices.

Reconnaissance, Initial Access, Persistence, and Credential Access

The actors have been observed using the Shodan search engine to identify and enumerate IP addresses that host devices vulnerable to a particular CVE. The actors’ initial access is usually obtained via exploiting a public-facing networking device, such as Citrix Netscaler (CVE-2019-19781 and CVE-2023-3519), F5 BIG-IP (CVE-2022-1388), Pulse Secure/Ivanti VPNs (CVE-2024-21887), and, more recently, PanOS firewalls (CVE-2024-3400) [T1596][T1190].

Following exploitation of vulnerable devices, the actors use the following techniques:

• Capture login credentials using webshells on compromised Netscaler devices and append to file named netscaler.1 in the same directory as the webshell [T1505.003][T1056].
• Create the directory /var/vpn/themes/imgs/ on Citrix Netscaler devices to deploy a webshell [T1505.003]. Malicious files deployed to this directory include:
  • netscaler.1
  • netscaler.php
  • ctxHeaderLogon.php
• Specifically related to Netscaler, place additional webshells on compromised devices immediately after system owners patch the exploited vulnerability [T1505.003]. The following file locations and filenames have been observed on devices:
  • /netscaler/logon/LogonPoint/uiareas/ui_style.php
  • /netscaler/logon/sanpdebug.php 
• Create the directory /xui/common/images/ on targeted IP addresses [T1133].
• Create accounts on victim networks; observed names include “sqladmin$,” “adfsservice,” “IIS_Admin,” “iis-admin,” and “John McCain” [T1136.001].
• Request exemptions to the zero-trust application and security policies for tools they intend to deploy on a victim network [T1098].
• Create malicious scheduled task SpaceAgentTaskMgrSHR in Windows/Spaceport/ task folder. This task uses a DLL side-loading technique against the signed Microsoft SysInternals executable contig.exe, which may be renamed to dllhost.ext, to load a payload from version.dll. This file has been observed being executed from the Windows Downloads directory [T1053]. 
• Place a malicious backdoor version.dll in C:WindowsADFS directory [T1505.003].
• Use a scheduled task to load malware through installed backdoors [T1053].
• Deployment of Meshcentral to connect with compromised servers for remote access [T1219].
• For persistence and as detection and mitigation occurs, the actors create a daily Windows service task with random eight characters and attempt execution of a similarly named DLL contained in the C:Windowssystem32drivers directory. For example, a service named “test” was observed attempting to load a file located at C:WINDOWSsystem32driverstest.sys [T1505].

Execution, Privilege Escalation, and Defense Evasion

• Repurpose compromised credentials from exploiting networking devices, such as Citrix Netscaler, to log into other applications (i.e., Citrix XenDesktop) [T1078.003].
• Repurpose administrative credentials of network administrators to log into domain controllers and other infrastructure on victim networks [T1078.002].
• Use administrator credentials to disable antivirus and security software, and lower PowerShell policies to a less secure level [T1562.001][T1562.010].
• Attempt to enter security exemption tickets to the network security device or contractor to get the actor’s tools allowlisted [T1562.001].
• Use a compromised administrator account to initiate a remote desktop session to another server on the network. In one instance, the FBI observed this technique being used to attempt to start Microsoft Windows PowerShell Integrated Scripted Environment (ISE) to run the command “Invoke-WebRequest” with a URI including files.catbox[.]moe. Catbox is a free, online file hosting site the actors use as a repository/hosting mechanism [T1059.001].

Discovery

• Export system registry hives and network firewall configurations on compromised servers [T1012].
• Exfiltrate account usernames from the victim domain controller, as well as access configuration files and logs—presumably to gather network and user account information for use in further exploitation efforts [T1482].

Command and Control

• Install “AnyDesk” remote access program as a backup access method [T1219].
• Enable servers to use Windows PowerShell Web Access [T1059.001].
• Use the open source tunneling tool Ligolo (ligolo/ligolo-ng) [T1572].
• Use NGROK (ngrok[.]io) deployment to create outbound connections to a random subdomain [T1572].

Exfiltration and Impact

After infiltrating victim networks, the actors collaborate with ransomware affiliates (including NoEscape, Ransomhouse, and ALPHV [aka BlackCat]) in exchange for a percentage of the ransom payments by providing affiliates with access to victim networks, locking victim networks, and strategizing to extort victims [T1657]. The actors also conduct what is assessed to be separate set of malicious activity—stealing sensitive data from victims [TA0010], likely in support of the GOI.

MITRE ATT&CK Tactics and Techniques

See Table 1 to Table 9 for all referenced threat actor tactics and techniques in this advisory.

Source: US Department of Homeland Security

FOR IMMEDIATE RELEASE August 27, 2024

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), in close coordination with the National Association of Secretaries of State (NASS) and National Association of State Election Directors (NASED), hosted the seventh annual Tabletop the Vote election security exercise this month. Tabletop the Vote brings together federal, state, and local officials as well as private sector partners from across the election community to enhance #Protect2024 efforts. The exercise took place over four days, August 22, 23, 26, and 27 and provided participants with the opportunity to share best practices around cyber and physical incident planning, preparedness, identification, response, and recovery.

Following the exercise, CISA Director Jen Easterly, and the Election Infrastructure Subsector Government Coordinating Council (EIS-GCC) Executive Committee, which includes U.S. Election Assistance Commission (EAC) Chairman Ben Hovland, NASS President and Minnesota Secretary of State Steve Simon, NASED President and State Elections Director for the New Mexico Secretary of State Mandy Vigil, and Sarah Ball Johnson, City Clerk for the City of Colorado Springs, Colorado, issued the following joint statement:

“Tabletop the Vote provides an opportunity for the election community as a whole to plan for potential scenarios and improve our response plans within the safety of a training environment.  Exercises like this allow us to prepare for incidents that occur before, during, and after an election and better understand response and recovery efforts.  They also assist us in identifying how to best tackle today’s increasingly complex threat environment by refining communication and intelligence sharing practices, and identifying potential process improvements. Tabletop the Vote is just one example of the ongoing efforts of state and local election officials and the federal government to ensure the security and resilience of America’s most critical democratic process. 

“Elections are run by the thousands of state and local election officials nationwide who work diligently to administer elections that are secure and resilient. It is because of their hard work Americans can have confidence in our nation’s elections.”

State and local election officials, as well as in-state stakeholders, from across the country participated virtually. In addition to CISA, federal participants in the exercise included the Department of Homeland Security, the Department of Justice, the Federal Bureau of Investigation, the Department of Defense, the Office of the Director of National Intelligence, the National Security Agency, U.S. Cyber Command, the U.S. Election Assistance Commission, the National Guard Bureau, the National Security Council, the U.S. Postal Service Office of the Inspector General, and the U.S. Postal Inspection Service.

The full EIS-GCC will also be held this week to further foster efficient communication and collaboration within the election infrastructure community ahead of the November general election.

Both of these events highlight-the ongoing collaboration between federal, state, local, and private sector members to ensure the security and resilience of our nation’s election infrastructure.

###

About the EIS-GCC 

The enables state, local, and federal governments to share information and collaborate on best practices to mitigate and counter threats to election infrastructure. The EIS-GCC is composed of representatives from across various levels of government as appropriate to depict the operating landscape of the Election Infrastructure Subsector.

Source: US Department of Homeland Security

COLOMBIA, ESTADOS UNIDOS Y PANAMÁ
Cartagena de Indias, 26 de agosto de 2024

El Ministro de Relaciones Exteriores de la República de Colombia, Luis Gilberto Murillo, el Ministro de Relaciones Exteriores de la República de Panamá, Javier Martínez-Acha Vásquez y el Secretario de Seguridad Nacional de los Estados Unidos, Alejandro N. Mayorkas y sus delegaciones, reunidos en la ciudad de Cartagena de Indias, en el marco de la Tercera Reunión del Mecanismo Tripartito Sobre Migracion Irregular:

Afirmaron que el abordaje de la migración irregular parte del reconocimiento de responsabilidad compartida, y desde un enfoque multidimensional y de derechos humanos, resaltaron el alto valor que representan los principios y compromisos asumidos por los gobiernos de Panamá, Estados Unidos, y Colombia, en la Declaración de Los Ángeles sobre Migración y Protección y sus pilares, en colaboración con las organizaciones internacionales.

Los gobiernos de Panamá, Estados Unidos y Colombia tienen una larga historia de colaboración. En los últimos tres años, específicamente, esta colaboración ha tenido resultados notables que incluyen la regularización de 2.5 millones de migrantes venezolanos en Colombia, el establecimiento de las Oficinas de Movilidad Segura para otorgar el acceso a vías legales para los Estados Unidos y otros países para migrantes, el anuncio de Colombia de expandir la regularización para venezolanos que no se encuentran cubiertos bajo el Estatuto Temporal de Protección, esfuerzos conjuntos para abordar la trata de personas en la región del Darién.

Del mismo modo, Panamá ha aumentado la capacidad para el programa de repatriación para aquellos que carecen de base legal para permanecer en Panamá. Estos esfuerzos en la región, junto con los Estados Unidos, contribuyen a una gestión coordinada de la migración irregular.

Los tres gobiernos reconocen las amenazas que representan las organizaciones criminales transnacionales, que se lucran de la explotación de los migrantes. En tal sentido, reafirman su compromiso para identificar distintos mecanismos que permitan desmantelar estas redes y llevar a estos criminales ante la justicia. Así mismo, se comprometen a mejorar el intercambio de información.

Los tres países reconocen que los flujos migratorios irregulares que transitan por la frontera entre Colombia y Panamá son de alcance global e involucran poblaciones de más de 90 nacionalidades, algunos de los cuales entraron a la región por terceros países. En este sentido, las partes se comprometieron a incentivar el diálogo con terceros países en la región, para aumentar alternativas seguras, ordenadas y humanas que reduzcan la migración irregular.

Colombia y Panamá destacan la importancia de proteger los ecosistemas estratégicos y comunidades locales asentadas en su frontera común. En tal sentido, los Estados Unidos se comprometen con fortalecer la cooperación para el desarrollo de dichas comunidades.

Comprometidos con la necesidad de ampliar mecanismos de protección de las poblaciones migrantes bajo los principios interamericanos sobre los derechos humanos, los tres países expresan su voluntad de fortalecer las políticas migratorias que respaldan los esfuerzos de regularización e integración socioeconómica de los migrantes; promover y respetar las vías migratorias regulares; e impulsar acciones que protejan a los migrantes en condición de vulnerabilidad.

Coincidieron en la implementación de un plan de trabajo con acciones concretas y realistas que fortalezcan la presencia estatal de Colombia y Panamá en su frontera común. Así mismo, se comprometieron a mejorar los mecanismos de control y regulación, el intercambio de información y la verificación de identidad.

  Los tres países se comprometen a fortalecer la cooperación para desarticular las redes de trata y tráfico de migrantes, mejorar la asistencia humanitaria a las poblaciones migrantes y buscar mecanismos de protección para grupos vulnerables, contemplando opciones humanitarias tales como los mecanismos vigentes de tránsito entre países.

Lo anterior en el marco de los principios y normas internacionales de derechos humanos, de la responsabilidad compartida en la gestión migratoria en la región y hacia la búsqueda de una cooperación internacional que reconozca las brechas y necesidades en materia de desarrollo.

Los jefes de delegación instruyeron a sus autoridades competentes en materia migratoria a que realicen una reunión técnica, en el término máximo de noventa (90) días a partir de la adopción de la presente Declaración, para que elaboren y presenten un cronograma y plan de ejecución con actividades que construyan sobre el avance que han hecho los tres países con acciones concretas.

Jefe de la delegación de Colombia
Jefe de la Delegación de Estados  Unidos
Jefe de la Delegación de Panamá

 

Source: US Department of Homeland Security

COLOMBIA, UNITED STATES AND PANAMA
Cartagena de Indias, August 26th, 2024

The Colombian Minister of Foreign Affairs Luis Gilberto Murillo, the United States Secretary of Homeland Security Alejandro N. Mayorkas, and the Panamanian Minister of Foreign Affairs Javier Eduardo Martinez-Acha led the high-level delegation that met in Cartagena de Indias for their Third Trilateral Meeting on Irregular Migration:

Together, they affirmed that addressing irregular migration begins with the recognition of shared responsibility, with a multi-pronged approach and highlighted the great value of the principles and commitments made by the governments of Colombia, Panama and the United States, framed in the pillars of the Los Angeles Declaration on Migration and Protection, in partnership with key international organizations.

The governments of Panama, the United States, and Colombia have a long history of collaboration. Over the last three years specifically, that collaboration has yielded notable results, including the regularization of 2.5 million Venezuelan migrants in Colombia, the establishment of Safe Mobility Offices to provide access to lawful pathways to the United States and other countries for migrants, Colombia’s announcement to expand regularization to Venezuelans not covered under its temporary protected status, joint efforts to address human smuggling in the Darien region.

Along those lines, Panama has increased its capacity with regards to repatriating those without a legal basis to remain in Panama. These efforts in the region, and with U.S. support, all contribute to coordinated management of irregular migration management. 

The three governments recognize the threats posed by transnational criminal organizations that profit from the exploitation of migrants. Thus they reaffirm their commitment to identifying diverse mechanisms that serve to dismantle these networks and to bring these criminals to justice. Consistent with that, they commit to enhancing information sharing.

The three partner countries recognize that irregular migration flows along the Colombia-Panama border have global implications, involving more than 90 different nationalities some of which have entered the region through third countries. As such, the partners committed to incentivizing dialogue with others across the region to reduce irregular migration, by increasing safe, orderly and humane migration alternatives.

Colombia and Panama emphasized the importance of protecting strategic ecosystems and local communities along their shared border. Consistent with that, the United States is committed to strengthening cooperation on the development of those communities.

Committed to expanding protection mechanisms for migrant populations in each of their territories based on InterAmerican human rights principles, the three countries expressed their will to strengthening migration policies that support efforts for the socioeconomic regularization and integration of migrants, and to promoting and respecting lawful pathways, and advancing actions that protect migrants in vulnerable conditions.

The leaders agreed to implement a plan of action with concrete and realistic steps to strengthen Colombian and Panamanian state presence along their shared border. Along those lines, they committed to improving control and regulation mechanisms, to the sharing of information, and identity verification.

The three countries committed to strengthening their cooperation to disband human trafficking and migrant smuggling networks, improving humanitarian assistance to migrant populations, and to identifying mechanisms for protection for vulnerable groups, considering humanitarian options such as existing mechanisms for transit between countries.

That is consistent with international human rights principles and norms, stemming from a shared responsibility to manage migration in the region, and toward identifying international cooperation that addresses existing development gaps and needs.
The heads of delegation instructed their respective teams to hold a technical meeting no later than 90 days from the adoption of this joint statement and to develop and present an action plan and timeframe that through concrete actions builds on the progress the three countries have made.
 

Head of Delegation of Colombia
Head of Delegation of the United States
Head of Delegation of Panama

Source: US Department of Homeland Security

WASHINGTON — Today, the Department of Homeland Security announced final allocations of nearly $724 million in six Fiscal Year (FY) 2024 competitive preparedness grant programs. This includes $454.5 million in funding for the Nonprofit Security Grant Program, an increase of $149.5 million from FY 2023, which will provide critical funding for faith-based groups and others to prevent and protect themselves from the heightened threat environment we face today.

These allocations, together with the more than $1.25 billion in non-competitive grant funding announced earlier this year, total almost $1.98 billion in FY 2024 to help prepare our nation against threats and natural disasters. 

The grant programs provide funding to state, local, tribal and territorial governments, nonprofit agencies, and the private sector to build and sustain capabilities to prevent, protect against, respond to and recover from acts of terrorism and other disasters. The total amount for each grant program is set by Congress and the allocations are made by the Department through a competitive process. 

“The Department of Homeland Security is proud to work together with our federal, state, local, tribal, territorial and other partners to increase our nation’s resilience in a constantly evolving threat environment,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The funds announced today will provide communities across the country with vital resources necessary to strengthen their security and guard against terrorism and other threats. The impact of these grants will be measured in lives saved and tragedies averted.” 

Preparedness Grant Program Allocations for Fiscal Year 2024 

The following grants are competitive, with allocations announced today:  

Operation Stonegarden: provides $81 million to enhance cooperation and coordination among state, local, tribal, territorial, and federal law enforcement agencies to jointly enhance security along the United States land and water borders. 

Tribal Homeland Security Grant Program: provides $13.5 million to eligible Tribal Nations to implement preparedness initiatives to help strengthen the nation against risk associated with potential terrorist attacks and other hazards. 

Nonprofit Security Grant Program: provides $454.5 million to support target hardening and other physical security enhancements for nonprofit organizations that are at high risk of a terrorist attack. This year, $227.25 million is provided to nonprofits in Urban Area Security Initiative-designated areas, and $227.25 million is provided to nonprofits outside those designated urban areas located in any state or territory. 

Port Security Grant Program: provides $90 million to help protect critical port infrastructure from terrorism, enhance maritime domain awareness, improve port-wide maritime security risk management, and maintain or re-establish maritime security mitigation protocols that support port recovery and resiliency capabilities. 

Transit Security Grant Program: provides $83.7 million to owners and operators of public transit systems to protect critical surface transportation and the traveling public from acts of terrorism and to increase the resilience of transit infrastructure.

Intercity Bus Security Grant Program: provides $1.8 million to owners and operators of intercity bus systems to protect surface transportation infrastructure and the traveling public from acts of terrorism and to increase the resilience of transit infrastructure. Eligible applicants receiving approval for funding requested only $1,214,968 of the $1.8 million made available this fiscal year. 

The following non-competitive grants were announced earlier this year to recipients based on a number of factors: 

State Homeland Security Program: provides $373.5 million to support the implementation of risk-driven, capabilities-based state homeland security strategies to address capability targets. Awards are based on statutory minimums and relative risk as determined by DHS/FEMA’s risk methodology. 

Urban Area Security Initiative: provides $553.5 million to enhance regional preparedness and capabilities in 31 high-threat, high-density areas. Awards are based on relative risk as determined by the Department’s risk methodology. 

Emergency Management Performance Grant: provides $319.55 million to assist state, local, tribal, and territorial emergency management agencies in obtaining the resources required to support the National Preparedness Goal’s associated mission areas and core capabilities to build a culture of preparedness. 

Intercity Passenger Rail: provides $9 million to Amtrak to protect critical surface transportation infrastructure and the traveling public from acts of terrorism and increase the resilience of the Amtrak rail system. Award made per congressional direction. 

Further information on preparedness grant programs is available at www.dhs.gov and www.fema.gov/grants.  

Source: US Department of Homeland Security

WASHINGTON – On Wednesday, extensive coordination and collaboration between the Department of Homeland Security, the Justice Department and domestic and international partners resulted in a major enforcement operation that dismantled a human smuggling network based in Guatemala. In June 2022, this network smuggled people into the United States on a journey that ended with the deaths of 53 migrants in a tractor-trailer in San Antonio, Texas. Twenty-one of the deceased migrants were Guatemalan. 

This case is part of Joint Task Force Alpha (JTFA), created by Secretary of Homeland Security Alejandro N. Mayorkas and Attorney General Merrick B. Garland in June 2021 to strengthen U.S. enforcement efforts against human smuggling emanating from Central America. 

On Aug. 21, Guatemalan law enforcement executed multiple search and arrest warrants across Guatemala, working together with United States law enforcement agents. At the request of the United States, Guatemalan authorities arrested Guatemalan national Rigoberto Ramon Miranda-Orozco, who has been indicted in the Western District of Texas in connection with the investigation. Six individuals arrested as part of the operation will be charged locally in Guatemala. 

Miranda-Orozco, 47, whose indictment was unsealed today, allegedly conspired with other smugglers to facilitate the travel of four migrants from Guatemala through Mexico, and ultimately, to the United States. He allegedly charged the migrants, or their families and friends, approximately $12,000 to $15,000 for the journey. The indictment alleges that three of these migrants perished in the tractor-trailer, and the fourth suffered serious bodily injury. Miranda-Orozco is charged with six counts related to migrant smuggling resulting in death or serious bodily injury. He faces maximum penalties of life in prison. 

“Smugglers prey on migrants and seek profits with complete disregard for human life, as we saw in this tragic incident that killed 53 people,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The men and women at Homeland Security Investigations (HSI) and U.S. Customs and Border Protection (CBP) work every day to disrupt these sophisticated smuggling networks, and we will continue to work alongside our federal and international partners to dismantle them at every level of operation.” 

“Over the past two years, the Justice Department has worked methodically to hold accountable those responsible for the horrific tragedy in San Antonio that killed 53 people who had been preyed on by human smugglers,” said Attorney General Garland. “With these arrests, the Justice Department and our partners in Guatemala have now arrested a total of 14 people for their alleged involvement in this tragedy. We are committed to continuing to work with our partners both in the United States and abroad to target the most prolific and dangerous human smuggling groups operating in Mexico, Guatemala, El Salvador, Honduras, Colombia, and Panama.” 

“In launching Joint Task Force Alpha three years ago, the Department of Justice directed every tool at our disposal to the dismantling of human smuggling networks across the continent. And after the tragic deaths of 53 migrants in June 2022, we pledged to hold accountable those responsible, no matter where they live or operate,” said Deputy Attorney General Lisa Monaco. “Today’s arrests in Guatemala are a continued fulfillment of that pledge. We will not rest in our efforts to disrupt the smuggling networks that capitalize on desperation and foster misery throughout the Western Hemisphere.” 

“As alleged in the indictment, Miranda-Orozco recruited some of the migrants who died in the back of a tractor-trailer near San Antonio, Texas, in June 2022, and worked with a network of smugglers to transport them from Guatemala through Mexico into the United States,” said Principal Deputy Assistant Attorney General Nicole Argentieri, head of the Justice Department’s Criminal Division. “This tragedy is a dire warning of the dangers that human smugglers cause by exposing migrants to life-threatening conditions for the smugglers’ financial gain. Dismantling human smuggling networks is a critical priority for the Criminal Division, and we will continue to work with our domestic and international law enforcement partners to investigate and prosecute these cases, no matter where the offenders may be found.” 

“This was a complex operation and a major success for the progression of this case — apprehending a key orchestrator of the horrendous smuggling operations in which families were charged thousands of dollars for trusted transport across the U.S. border from Guatemala and other countries,” said U.S. Attorney Jaime Esparza for the Western District of Texas. “This significant development in the case demonstrates the commitment of this office, the Department of Justice, and our partners at all necessary levels, to ensure all 53 migrants who died in the 2022 tractor-trailer tragedy get their justice.” 

“HSI is deeply immersed in the global fight against human smuggling that includes our international operations within Central and South America. These arrests reflect the disruption of Central American human smuggling organizations that recruit, organize and transport people,” said HSI Executive Associate Director Katrina W. Berger. “Combating this prolific, transnational crime is one of our top priorities. Our special agents and criminal analysts are actively engaged with law enforcement partners and task forces around the globe working to dismantle criminal networks that treat human life like a commodity. HSI will keep exhausting every resource available to bring human smugglers to justice.” 

“The men and women of CBP are unwavering in their commitment to combat and dismantle the human smuggling networks that ruthlessly exploit and endanger the lives of migrants — from the time of this tragic incident in San Antonio, to today’s important step in bringing those responsible to justice,” said Senior Official Performing the Duties of the Commissioner Troy A. Miller of the CBP. “Our collective work through Joint Task Force Alpha remains critical to our ongoing efforts at disrupting smuggling operations across the hemisphere and the world.” 

The human smuggling organization allegedly loaded 65 migrants into a tractor-trailer, which court documents allege lacked functioning air conditioning as it drove north on a Texas interstate. As temperatures rose, some of the migrants inside the trailer allegedly lost consciousness, while others clawed at the walls, trying to escape. By the time the tractor-trailer reached San Antonio, the indictment alleges, 48 migrants had already died. Another five migrants died after being transported to local hospitals. Six children and a pregnant woman were among the deceased. 

The U.S. Attorney’s Office for the Western District of Texas has previously charged seven other defendants for their alleged involvement in this smuggling event, including through indictments filed in 2022 and 2023. Four of these seven defendants have pleaded guilty. 

The indictment against Miranda-Orozco and the cooperation between U.S. and Guatemalan authorities were spearheaded by JTFA and the U.S. Attorney’s Office for the Western District of Texas. Given the rise in prolific and dangerous smuggling emanating from Central America with effects in the United States, JTFA’s goal is to disrupt and dismantle human smuggling and trafficking networks operating in El Salvador, Guatemala, Honduras, Mexico, Colombia, and Panama with a focus on networks that endanger, abuse or exploit migrants, present national security risks, or engage in other types of transnational organized crime. 

Since its creation, JTFA has successfully increased coordination and collaboration between the Department of Homeland Security, Justice Department, and other interagency law enforcement participants, and with foreign law enforcement partners, including El Salvador, Guatemala, Honduras, Mexico, Colombia, and Panama; targeted those organizations who have the most impact on the United States; and coordinated significant smuggling indictments and extradition efforts in U.S. Attorneys’ Offices across the country. JTFA is comprised of detailees from southwest border U.S. Attorneys’ Offices, including the Southern District of Texas, Western District of Texas, District of Arizona, and Southern District of California, and dedicated support for the program is also provided by numerous components of the Justice Department’s Criminal Division that are part of JTFA — led by the Human Rights and Special Prosecutions Section (HRSP), and supported by the Office of Prosecutorial Development, Assistance, and Training, Narcotic and Dangerous Drug Section, Money Laundering and Asset Recovery Section, Office of Enforcement Operations, Justice Department’s Office of International Affairs (OIA), and Violent Crime and Racketeering Section. JTFA is made possible by substantial law enforcement investment from Department of Homeland Security, FBI, Drug Enforcement Administration, and other partners. 

HSI San Antonio investigated the case, with valuable assistance from HSI Guatemala and the HSI Human Smuggling Unit in Washington, D.C. CBP’s National Targeting Center/Operation Sentinel; U.S. Border Patrol; Bureau of Alcohol, Tobacco, Firearms and Explosives; San Antonio Police Department; San Antonio Fire Department; Palestine Police Department, OIA, and OPDAT provided valuable assistance. The Justice Department thanks Guatemalan law enforcement, who were instrumental in furthering this investigation. 

HRSP Trial Attorney Alexandra Skinnion and Assistant U.S. Attorneys Jose Luis Acosta, Eric Fuchs, Sarah Spears, and Amanda Brown for the Western District of Texas are prosecuting the case, with assistance from HRSP Historian/Latin America Specialist Joanna Crandall. 

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law. 

 

Source: US Department of Homeland Security

Executive Summary

This publication defines a baseline for event logging best practices to mitigate cyber threats. It was developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) in cooperation with the following international partners: 

• United States (US) Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA).
• United Kingdom (UK) National Cyber Security Centre (NCSC-UK).
• Canadian Centre for Cyber Security (CCCS).
• New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team (CERT NZ).
• Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and Computer Emergency Response Team Coordination Center (JPCERT/CC).
• The Republic of Korea National Intelligence Services (NIS) and NIS’s National Cyber Security Center (NCSC-Korea).
• Singapore Cyber Security Agency (CSA).
• The Netherlands General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD).

Event logging supports the continued delivery of operations and improves the security and resilience of critical systems by enabling network visibility. This guidance makes recommendations that improve an organization’s resilience in the current cyber threat environment, with regard for resourcing constraints. The guidance is of moderate technical complexity and assumes a basic understanding of event logging.

An effective event logging solution aims to:

• Send alerts to the network defenders responsible for monitoring when cyber security events such as critical software configuration changes are made or new software solutions are deployed.
• Identify cyber security events that may indicate a cyber security incident, such as malicious actors employing living off the land (LOTL) techniques or lateral movement post-compromise.
• Support incident response by revealing the scope and extent of a compromise.
• Monitor account compliance with organizational policies.
• Reduce alert noise, saving on costs associated with storage and query time.
• Enable network defenders to make agile and informed decisions based on prioritization of alerts and analytics.
• Ensure logs and the logging platforms are useable and performant for analysts.

There are four key factors to consider when pursuing logging best practices:

1. Enterprise-approved event logging policy.
2. Centralized event log access and correlation.
3. Secure storage and event log integrity.
4. Detection strategy for relevant threats.

To access the PDF version of this report, visit here.

Introduction

The increased prevalence of malicious actors employing LOTL techniques, such as LOTL binaries (LOLBins) and fileless malware, highlights the importance of implementing and maintaining an effective event logging solution. As demonstrated in the joint-sealed publication Identifying and Mitigating Living Off the Land Techniques, advanced persistent threats (APTs) are employing LOTL techniques to evade detection. The purpose of this publication is to detail best practice guidance for event logging and threat detection for cloud services, enterprise networks, enterprise mobility, and operational technology (OT) networks. The guidance in this publication focuses on general best practices for event logging and threat detection; however, LOTL techniques feature as they provide a great case study due to the high difficulty in detecting them.

Audience

This guidance is technical in nature and is intended for those within medium to large organizations. As such, it is primarily aimed at:

• Senior information technology (IT) and OT decision makers.
• IT and OT operators.
• Network administrators.
• Critical infrastructure providers.

Best Practices

Enterprise-approved Event Logging Policy

Developing and implementing an enterprise approved logging policy improves an organization’s chances of detecting malicious behavior on their systems and enforces a consistent method of logging across an organization’s environments. The logging policy should take into consideration any shared responsibilities between service providers and the organization. The policy should also include details of the events to be logged, event logging facilities to be used, how event logs will be monitored, event log retention durations, and when to reassess which logs are worthy of collection.

Event Log Quality

Organizations are encouraged to implement an event logging policy focused on capturing high-quality cyber security events to aid network defenders in correctly identifying cyber security incidents. In the context of cyber security incident response and threat detection, event log quality refers to the types of events collected rather than how well a log is formatted. Log quality can vary between organizations due to differences in network environments, the reason behind the need to log, differences in critical assets and the organization’s risk appetite. 

Useful event logs enrich a network defender’s ability to assess security events to identify whether they are false positives or true positives. Implementing high-quality logging will aid network defenders in discovering LOTL techniques that are designed to appear benign in nature.

Note: Capturing a large volume of well-formatted logs can be invaluable for incident responders in forensics analysis scenarios. However, organizations are encouraged to properly organize logged data into ‘hot’ data storage that is readily available and searchable, or ‘cold’ data storage that has deprioritized availability and is stored through more economical solutions – an important consideration when evaluating an organization’s log storage capacity.

For more information on how to prioritize collection of high-quality event logs please refer to CISA’s Guidance for Implementing M-21-3: Improving the Federal Government’s Investigative and Remediation Capabilities.[1] 

To strengthen detection of malicious actors employing LOTL techniques, some relevant considerations for event logging include:

• On Linux-based systems, logs capturing the use of curl, systemctl, systemd, python and other common LOLBins leveraged by malicious actors.
• On Microsoft Windows-based systems, logs capturing the use of wmic.exe, ntdsutil.exe, Netsh, cmd.exe, PowerShell, mshta.exe, rundll32.exe, resvr32.exe and other common LOLBins leveraged by malicious actors. Ensure that logging captures command execution, script block logging and module logging for PowerShell, and detailed tracking of administrative tasks.
• For cloud environments, logging all control plane operations, including API calls and end user logins. The control plane logs should be configured to capture read and write activities, administrative changes, and authentication events.

Captured Event Log Details

As a part of an organization’s event logging policy, captured event logs should contain sufficient detail to aid network defenders and incident responders. If a logging solution fails to capture data relevant to security, its effectiveness as a cyber security incident detection capability is heavily impacted.

The US Office of Management and Budget’s M-21-31[2] outlines a good baseline for what an event log should capture, if applicable:

• Properly formatted and accurate timestamp (millisecond granularity is ideal).
• Event type (status code).
• Device identifier (mac address or other unique identifier).
• Session/transaction ID.
• Autonomous system number.
• Source and destination IP (includes both IPv4 and IPv6).
• Status code.
• Response time.
• Additional headers (e.g., HTTP headers).
• The user ID, where appropriate.
• The command executed, where appropriate.
• A unique event identifier to assist with event correlation, where possible.

Note: Where possible, all data should be formatted as ‘key-value-pairs’ to allow for easier extraction.

Operational Technology Considerations

Network administrators and network operators should take into consideration the OT devices within their OT networks. Most OT devices use embedded software that is memory and/or processor constrained. An excessive level of logging could adversely affect the operation of those OT devices. Additionally, such OT devices may not be capable of generating detailed logs, in which case, sensors can be used to supplement logging capabilities. Out-of-band log communications, or generating logs based on error codes and the payloads of existing communications, can account for embedded devices with limited logging capabilities.

Additional Resources

Content and Format Consistency

When centralizing event logs, organizations should consider using a structured log format, such as JSON, where each type of log captures and presents content consistently (that is, consistent schema, format, and order). This is particularly important when event logs have been forwarded to a central storage facility as this improves a network defender’s ability to search for, filter and correlate event logs. Since logs may vary in structure (or lack thereof), implementing a method of automated log normalization is recommended. This is an important consideration for logs that can change over time or without notice such as software and software-as-a-service (SaaS) logs.

Timestamp Consistency

Organizations should consider establishing an accurate and trustworthy time source and use this consistently across all systems to assist network defenders in identifying connections between event logs. This should also include using the same date-time format across all systems. Where possible, organizations should use multiple accurate time sources in case the primary time source becomes degraded or unavailable. Note that, particularly in distributed systems, time zones and distance can influence how timestamps read in relation to each other. Network owners, system owners and cyber security incident responders are encouraged to understand how this could impact their own environments. ASD and co-authors urge organizations to consider implementing the recommendations below to help ensure consistent timestamp collection.

• Time servers should be synchronized and validated throughout all environments and set to capture significant events, such as device boots and reboots.
• Using Coordinated Universal Time (UTC) has the advantage of no time zones as well as no daylight savings, and is the preferred time standard.
  • Implement ISO 8601 formatting, with the year listed first, followed by the month, day, hour, minutes, seconds, and milliseconds (e.g., 2024-07-25T20:54:59.649Z).
• Timesharing should be unidirectional. The OT environment should synchronize time sync with the IT environment and not the other way around.
• Data historians may be implemented on some operational assets to record and store time-series data of industrial processes running on the computer system. These can provide an additional source of event log data for OT networks.

Additional Resources

• ASD has released Windows Event Logging and Forwarding guidance that details important event categories and recommendations for configurations, log retention periods and event forwarding.
• For more information about logging, please explore CISA’s Logging Made Easy (LME), a no-cost solution providing essential log management for small to medium-sized organizations, on CISA’s website or GitHub page.
• The Joint SIGINT Cyber Unit (JSCU) of the AIVD and MIVD has published a repository on GitHub with a Microsoft Windows event logging and collections baseline focused on finding balance between forensic value and optimizing retention. You can find this repository on the JSCU’s GitHub.

Event Log Retention

Organizations should ensure they retain logs for long enough to support cyber security incident investigations. Default log retention periods are often insufficient. Log retention periods should be informed by an assessment of the risks to a given system. When assessing the risks to a system, consider that in some cases, it can take up to 18 months to discover a cyber security incident and some malware can dwell on the network from 70 to 200 days before causing overt harm.[3] Log retention periods should also be compliant with any regulatory requirements and cyber security frameworks that may apply in an organization’s jurisdiction. Logs that are crucial in confirming an intrusion and its impact should be prioritized for longer retention. 

It is important to review log storage allocations, in parallel with retention periods. Insufficient storage is a common obstacle to log retention. For example, many systems will overwrite old logs when their storage allocation is exhausted. The longer that logs can be kept, the higher the chances are of determining the extent of a cyber security incident, including the potential intrusion vectors that require remediation. For effective security logging practices, organizations should implement data tiering such as hot and cold storage. This ensures that logs can be promptly retrieved to facilitate querying and threat detection.

Centralized Log Collection and Correlation

The following sections detail prioritized lists of log sources for enterprise networks, OT, cloud computing and enterprise mobility using mobile computing devices. The prioritization takes into consideration the likelihood that the logged asset will be targeted by a malicious actor, as well as the impact if the asset were to be compromised. It also prioritizes log sources that can assist in identifying LOTL techniques. Please note that this is not an exhaustive list of log sources and their threats, and their priority may differ between organizations.

Logging Priorities for Enterprise Networks

Enterprise networks face a large variety of cyber threats. These include malware, malicious insiders, and exploitation of unpatched applications and services. In the context of LOTL, enterprise networks provide malicious actors with a wide variety of native tools to exploit.

ASD and co-authors recommend that organizations prioritize the following log sources within their enterprise network:

1. Critical systems and data holdings likely to be targeted.
2. Internet-facing services, including remote access, network metadata, and their underlying server operating system.
3. Identity and domain management servers.
4. Any other critical servers.
5. Edge devices such as boundary routers and firewalls.
6. Administrative workstations.
7. Highly privileged systems such as configuration management, performance and availability monitoring (in cases where privileged access is used), Continuous Integration/Continuous Delivery (CI/CD), vulnerability scanning services, secret and privilege management.
8. Data repositories.
9. Security-related and critical software.
10. User computers.
11. User application logs.
12. Web proxies used by organizational users and service accounts.
13. DNS services used by organizational users.
14. Email servers.
15. DHCP servers.
16. Legacy IT assets (that are not previously captured in critical or internet-facing services).

ASD and co-authors recommend organizations monitor lower priority logs as well. These include:

• Underlying infrastructure, such as hypervisor hosts.
• IT devices, such as printers.
• Network components such as application gateways.

Logging Priorities for Operational Technology

Historically, IT and OT have operated separately and have provided distinct functions within organizations. Advancements in technology and digital transformation have led to the growing interconnectedness and convergence of these networks. Organizations are integrating IT and OT networks to enable the seamless flow of data between management systems and industrial operations. Their integration has introduced new cyber threats to OT networks. For example, malicious actors can access OT networks through IT networks by exploiting unpatched vulnerabilities, delivering malware, or conducting denial-of-service campaigns to impact critical services. 

ASD and co-authors recommend that organizations prioritize the following log sources in their OT environment:

1. OT devices critical to safety and service delivery, except for air-gapped systems.[4]
2. Internet-facing OT devices.
3. OT devices accessible via network boundaries.

Note that in cases where OT devices do not support logging, device logs are not available, or are available in a non-standard format, it is good practice to ensure network traffic and communications to and from the OT devices are logged.

Logging Priorities for Enterprise Mobility Using Mobile Computing Devices

Enterprise mobility is an important aspect of an organization’s security posture. Mobile device management (MDM) solutions allow organizations to manage the security of their enterprise mobility, typically including logging functionality. In the context of enterprise mobility, the aim of effective event logging is to detect compromised accounts or devices; for example, due to phishing or interactions with malicious applications and websites.

ASD and co-authors recommend organizations priorities the following log sources in their enterprise mobility solution:

1. Web proxies used by organizational users.
2. Organization operated DNS services.
3. Device security posture of organizationally managed devices.
4. Device behavior of organizationally managed devices.
5. User account behavior such as sign-ins.
6. VPN solutions.
7. MDM and Mobile Application Management (MAM) events.[5]

Additional monitoring should be implemented in collaboration with the telecommunications network provider. Such monitoring includes:

• Signaling exploitation.
• Binary/invisible SMS.
• CLI spoofing.
• SIM/eSIM activities such as SIM swapping.
• Null cipher downgrade.
• Connection downgrade (false base station).
• Network API/query against user.
• Roaming traffic protection.
• Roaming steering.

Organizations should obtain legal advice about what can be logged from any personally owned mobile devices that are enrolled in an MDM solution. For example, logging GPS location may be subject to restrictions.

Logging Priorities for Cloud Computing

ASD and co-authors recommend organizations adjust event logging practices in accordance with the cloud service that is administered, whether infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), or SaaS are implemented.  For example, IaaS would include a significant amount of logging responsibility on the tenant, whereas SaaS would place a significant amount of the logging responsibility on the provider. Therefore, organizations should coordinate closely with their cloud service provider to understand the shared-responsibility model in place, as it will influence their logging priorities. Logging priorities will also be influenced by different cloud computing service models and deployment models (that is, public, private, hybrid, community). Where privacy and data sovereignty laws apply, logging priorities may also be influenced by the location of the cloud service provider’s infrastructure. See NSA’s Manage Cloud Logs for Effective Threat Hunting guidance for additional information.

Organizations should prioritize the following log sources in their use of cloud computing services:

1. Critical systems and data holdings likely to be targeted.
2. Internet-facing services (including remote access) and, where applicable, their underlying server operating systems.
3. Use of the tenant’s user accounts that access and administer cloud services.
4. Logs for administrative configuration changes.
5. Logs for the creation, deletion and modification of all security principals, including setting and changing permissions.
6. Authentication success and/or failures to third party services (e.g., SAML/OAuth).
7. Logs generated by the cloud services, including logs for cloud APIs, all network-related events, compliance events and billing events.

Secure Storage and Event Log Integrity

ASD and co-authors recommend that organizations implement a centralized event logging facility such as a secured data lake to enable log aggregation and then forward select, processed logs to analytic tools, such as security information and event management (SIEM) solution and extended detection and response (XDR) solutions. Many commercially available network infrastructure devices have limited local storage. Forwarding event logs to a centralized and secure storage capability prevents the loss of logs once the local device’s storage is exhausted [CPG 2.U]. This can be further mitigated by ensuring default maximum event log storage sizes are configured appropriately on local devices. In the event of a cyber security incident, an absence of historical event logs will frequently have a negative impact on cyber security incident response activities. 

Secure Transport and Storage of Event Logs

ASD and co-authors recommend that organizations implement secure mechanisms such as Transport Layer Security (TLS) 1.3 and methods of cryptographic verification to ensure the integrity of event logs in-transit and at rest. Organizations should prioritize securing and restricting access to event logs that have a justified requirement to record sensitive data.

Protecting Event Logs from Unauthorized Access, Modification and Deletion

It is important to perform event log aggregation as some malicious actors are known to modify or delete local system event logs to avoid detection and to delay or degrade the efficacy of cyber security incident response. Logs may contain sensitive data that is useful to a malicious actor. As a result, users should only have access to the event logs they need to do their job.

An event logging facility should enable the protection of logs from unauthorized modification and deletion. Ensure that only personnel with a justified requirement have permission to delete or modify event logs and view the audit logs for access to the centralized logging environment.  The storage of logs should be in a separate or segmented network with additional security controls to reduce the risk of logs being tampered with in the event of network or system compromise. Events logs should also be backed up and data redundancy practices should be implemented.

Organizations are encouraged to harden and segment their SIEM solutions from general IT environments. SIEMs are attractive targets for malicious actors because they contain a wealth of information, provide an analysis function, and can be a single point of failure in an organization’s detection capability.  Organizations should consider filtering event logs before sending them to a SIEM or XDR to ensure it is receiving the most valuable logs to minimize any additional costs or capacity issues.

Centralized Event Logging Enables Threat Detection

The aggregation of event logs to a central logging facility that a SIEM can draw from enables the identification of: 

• Deviations from a baseline.
  • A baseline should include installed tools and software, user account behavior, network traffic, system intercommunications and other items, as applicable. Particular attention should be paid to privileged user accounts and critical assets such as domain controllers.
  • A baseline is derived by performing an analysis of normal behavior of some user accounts and establishing ‘always abnormal’ conditions for those same accounts.
• Cyber security events.
  • For the purpose of this document, a cyber security event is an occurrence of a system, service or network state indicating a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security.
• Cyber security incidents.
  • For the purpose of this document, a cyber security incident is an unwanted or unexpected cyber security event, or a series of such events, that either has compromised business operations or has a significant probability of compromising business operations.

Timely Ingestion

Timely ingestion of event logs is important in the early detection of a cyber security events and cyber security incidents. If the generation, collection and ingestion of event logs is delayed, the organization’s ability to identify cyber security incidents is also delayed.

Detection Strategy for Relevant Threats

Detecting Living Off the Land Techniques

ASD and co-authors recommend that organizations consider implementing user and entity behavioral analytics capabilities to enable automated detection of behavioral anomalies on networks, devices, or accounts. SIEMs can detect anomalous activity by comparing event logs to a baseline of business-as-usual traffic and activity. Behavioral analytics plays a key role in detecting malicious actors employing LOTL techniques. Below is a case study that shows how threat actors leveraged LOTL to infiltrate Windows-based systems.

Case study – Volt Typhoon Since mid-2021, Volt Typhoon has targeted critical infrastructure organizations by relying almost exclusively on LOTL techniques. Their campaign has been enabled by privately-owned SOHO routers, infected with the ‘KV Botnet’ malware.  Volt Typhoon uses PowerShell, a command and scripting interpreter, to: Discover remote systems [T1059.001, T1018]. Identify associated user and computer account names using the command  Get-EventLog security –instanceid 4624 [T1033]. Enumerate event logs to search for successful logons using wevtutil.exe and the command Get-EventLog Security [T1654]. Volt Typhoon consistently obtains valid credentials by extracting the Active Directory database file NTDS.dit.[6]  To do so, Volt Typhoon has been observed to: Execute the Windows-native vsssadmin command to create a volume shadow copy [T1006]. Use Windows Management Instrumentation Console (WMIC) commands [T1047] to execute ntdsutil.exe to copy NTDS.dit and the SYSTEM registry from the volume shadow copy. Move laterally to the Microsoft Active Directory Domain Services (AD DS) domain controller via an interactive RDP session using a compromised user account with domain administrator privileges [T1021.001]. Other LOTL techniques that Volt Typhoon has been observed to use includes: Accessing hashed credentials from the Local Security Authority SubSystem Service (LSASS) process memory space [T1003.001]. Using ntdsutil.exe to create installation media from Microsoft AD DS domain controllers, either remote or locally, which contain username and password hashes [T1003.003]. Using PowerShell, WMIC, and the ping command, to facilitate system discovery [T1018]. Using the built-in netsh portproxy command to create proxies on compromised systems to facilitate access [T1090]. While Volt Typhoon uses LOTL techniques to make detection more difficult, the behaviors that the malware exhibits would be considered abnormal compared to business-as-usual activity and could be used to create detection use cases. For more information, consider visiting MITRE ATT&CK®’s Volt Typhoon page and the MITRE ATT&CK framework.

Source: US Department of Homeland Security

WASHINGTON, D.C. – Today, the Office of the Director of National Intelligence (ODNI), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released the following statement: 

“As each of us has indicated in prior public statements, Iran seeks to stoke discord and undermine confidence in our democratic institutions. Iran has furthermore demonstrated a longstanding interest in exploiting societal tensions through various means, including through the use of cyber operations to attempt to gain access to sensitive information related to U.S. elections. In addition to these sustained efforts to complicate the ability of any U.S. administration to pursue a foreign policy at odds with Iran’s interests, the IC has previously reported that Iran perceives this year’s elections to be particularly consequential in terms of the impact they could have on its national security interests, increasing Tehran’s inclination to try to shape the outcome. We have observed increasingly aggressive Iranian activity during this election cycle, specifically involving influence operations targeting the American public and cyber operations targeting Presidential campaigns. 

This includes the recently reported activities to compromise former President Trump’s campaign, which the IC attributes to Iran. The IC is confident that the Iranians have through social engineering and other efforts sought access to individuals with direct access to the Presidential campaigns of both political parties. Such activity, including thefts and disclosures, are intended to influence the U.S. election process. It is important to note that this approach is not new.  Iran and Russia have employed these tactics not only in the United States during this and prior federal election cycles but also in other countries around the world.  

Protecting the integrity of our elections from foreign influence or interference is our priority.  As the lead for threat response, the FBI has been tracking this activity, has been in contact with the victims, and will continue to investigate and gather information in order to pursue and disrupt the threat actors responsible. We will not tolerate foreign efforts to influence or interfere with our elections, including the targeting of American political campaigns. As an interagency we are working closely with our public and private sector partners to share information, bolster security, and identify and disrupt any threats.  Just as this activity demonstrates the Iranians’ increased intent to exploit our online platforms in support of their objectives, it also demonstrates the need to increase the resilience of those platforms. Using strong passwords and only official email accounts for official business, updating software, avoiding clicking on links or opening attachments from suspicious emails before confirming their authenticity with the sender, and turning on multi-factor authentication will drastically improve online security and safety.

The FBI and CISA encourage campaigns and election infrastructure stakeholders to report information concerning suspicious or criminal activity to their local Election Crime Coordinators via FBI field office (), by calling 1-800-CALL-FBI (1-800-225-5324), or online at ic3.gov. Cyber incidents impacting election infrastructure can also be reported to CISA by calling 1-844-Say-CISA (1-844-729-2472), emailing report@cisa.dhs.gov, or reporting online at cisa.gov/report. Election infrastructure stakeholders and the public can find additional resources about how to protect against cyber and physical threats at CISA’s #PROTECT2024 (https://www.cisa.gov/protect2024).”

###

About CISA