Redesignation Allows Additional Eligible Syrian Nationals to Apply for TPS and Employment Authorization Documents
WASHINGTON– Secretary of Homeland Security Alejandro N. Mayorkas today announced the extension and redesignation of Syria for Temporary Protected Status for 18 months, from April 1, 2024, to September 30, 2025, due to ongoing armed conflict and extraordinary and temporary conditions in Syria that prevent individuals from safely returning. The corresponding Federal Register notice provides information about how to register as a new or current beneficiary for TPS under Syria ’s extension and redesignation.
Secretary Mayorkas made the decision to extend and redesignate TPS for this population in consultation with interagency partners and with careful consideration of certain country conditions. The civil war in Syria has involved large-scale destruction of infrastructure, widespread civilian casualties, and human rights abuses and violations. The humanitarian consequences are dire, with mass displacement of civilians, high levels of food insecurity, and limited access to health care and clean water. These effects were compounded by the February 6, 2023 earthquakes, which further destroyed infrastructure, worsened the breakdown of the economy, and intensified demand on an already overburdened health care system.
Accompanying this announcement is a Special Student Relief notice for F-1 nonimmigrant students whose country of citizenship is Syria so that eligible students may request employment authorization, work an increased number of hours while school is in session, and reduce their course load while continuing to maintain F-1 status through the TPS designation period.
“We recognize the vulnerable status of Syrian nationals already present in the United States who cannot safely return home,” said Secretary Mayorkas. “We are therefore using the legal tool available to us to provide them with this much-needed humanitarian relief.”
A country may be designated for TPS when conditions in the country fall into one or more of the three statutory bases for designation: ongoing armed conflict, environmental disasters, or extraordinary and temporary conditions. Syria’s designation is based on ongoing armed conflict and extraordinary and temporary conditions, specifically, he serious threat posed by ongoing hostilities and human rights abuses by Syrian regime forces, terrorist groups and other non-state actors, food insecurity, spread of disease and mass displacement.
The extension of TPS for Syria allows approximately 6,200 current beneficiaries to retain TPS through September 5, 2025 if they continue to meet TPS eligibility requirements. The redesignation of Syria for TPS allows an estimated 2,000 additional Syrian nationals (or individuals having no nationality who last habitually resided in Syria) who have been continuously residing in the United States since January 25, 2024, to file initial applications to obtain TPS, if they are otherwise eligible. Syrians who were not residing in the United States as of January 25, 2024, are not eligible for TPS. The initial registration period for new applicants under the redesignation runs from January 29, 2024, through September 30, 2025.
Re-registration is limited to individuals who previously registered for and were granted TPS under Syria’s prior designation. Current Syrian TPS beneficiaries must re-register in a timely manner during the 60-day re-registration period from January 29, 2024, through March 29, 2024, to ensure they keep their TPS and employment authorization.
The Department of Homeland Security recognizes that not all re-registrants may receive a new Employment Authorization Document (EAD) before their current EAD expires and is automatically extending through March 31, 2025, the validity of certain EADs previously issued under Syria’s TPS designation.
U.S. Citizenship and Immigration Services will continue to process pending applications filed under previous TPS designations for Syria. Individuals with a pending Form I-821, Application for Temporary Protected Status, or a related Form I-765, Application for Employment Authorization, as of January 29, 2024, do not need to file either application again. If USCIS approves a pending Form I-821 or Form I-765 filed under the previous designation of TPS for Syria, USCIS will grant the individual TPS through Sept. 30, 2025, and issue an EAD valid through the same date.
Under the redesignation of Syria, eligible individuals who do not have TPS may submit an initial Form I-821, Application for Temporary Protected Status, during the initial registration period that runs from February 1, 2024, through Sept. 30, 2025. Applicants also may apply for TPS-related EADs and for travel authorization. Applicants can request an EAD by submitting a completed Form I-765, Application for Employment Authorization, with their Form I-821, or separately later.
The Federal Register notice explains eligibility criteria, timelines, and procedures necessary for current beneficiaries to re-register and renew their EAD, and for new applicants to submit an initial application under the redesignation and apply for an EAD.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. Multiple, ongoing investigations and trusted third party reporting yielded the IOCs and TTPs, and provided information on Androxgh0st malware’s ability to establish a botnet that can further identify and compromise vulnerable networks.
The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of cybersecurity incidents caused by Androxgh0st infections.
Download the PDF version of this report:
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding mitigation and/or detection recommendations. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Overview
Androxgh0st malware has been observed establishing a botnet [T1583.005] for victim identification and exploitation in target networks. According to open source reporting[1], Androxgh0st is a Python-scripted malware [T1059.006] primarily used to target .env files that contain confidential information, such as credentials [T1552.001] for various high profile applications (i.e., Amazon Web Services [AWS], Microsoft Office 365, SendGrid, and Twilio from the Laravel web application framework). Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning [T1046] and exploiting exposed credentials [T1078] and application programming interfaces (APIs) [T1114], and web shell deployment [T1505.003].
Targeting the PHPUnit
Androxgh0st malware TTPs commonly involves the use of scripts, conducting scanning [T1595] and searching for websites with specific vulnerabilities. In particular, threat actors deploying Androxgh0st have been observed exploiting CVE-2017-9841 to remotely run hypertext preprocessor (PHP) code on fallible websites via PHPUnit [T1190]. Websites using the PHPUnit module that have internet-accessible (exposed) /vendor folders are subject to malicious HTTP POST requests to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php uniform resource identifier (URI). This PHP page runs PHP code submitted through a POST request, which allows the threat actors to remotely execute code.
Malicious actors likely use Androxgh0st to download malicious files [T1105] to the system hosting the website. Threat actors are further able to set up a fake (illegitimate) page accessible via the URI to provide backdoor access to the website. This allows threat actors to download additional malicious files for their operations and access databases.
Laravel Framework Targeting
Androxgh0st malware establishes a botnet to scan for websites using the Laravel web application framework. After identifying websites using the Laravel web application, threat actors attempt to determine if the domain’s root-level .env file is exposed and contains credentials for accessing additional services. Note:.env files commonly store credentials and tokens. Threat actors often target .env files to steal these credentials within the environment variables.
If the .env file is exposed, threat actors will issue a GET request to the /.env URI to attempt to access the data on the page. Alternatively, Androxgh0st may issue a POST request to the same URI with a POST variable named 0x[] containing certain data sent to the web server. This data is frequently used as an identifier for the threat actor. This method appears to be used for websites in debug mode (i.e., when non-production websites are exposed to the internet). A successful response from either of these methods allows the threat actors to look for usernames, passwords, and/or other credentials pertaining to services such as email (via SMTP) and AWS accounts.
Androxgh0st malware can also access the application key [TA0006] for the Laravel application on the website. If the threat actors successfully identify the Laravel application key, they will attempt exploitation by using the key to encrypt PHP code [T1027.010]. The encrypted code is then passed to the website as a value in the cross-site forgery request (XSRF) token cookie, XSRF-TOKEN, and included in a future GET request to the website. The vulnerability defined in CVE-2018-15133 indicates that on Laravel applications, XSRF token values are subject to an un-serialized call, which can allow for remote code execution. In doing so, the threat actors can upload files to the website via remote access.
Apache Web Server Targeting
In correlation with CVE-2021-41773, Androxgh0st actors have been observed scanning vulnerable web servers [T1595.002] running Apache HTTP Server versions 2.4.49 or 2.4.50. Threat actors can identify uniform resource locators (URLs) for files outside root directory through a path traversal attack [T1083]. If these files are not protected by the “request all denied” configuration and Common Gateway Interface (CGI) scripts are enabled, this may allow for remote code execution.
If threat actors obtain credentials for any services using the above methods, they may use these credentials to access sensitive data or use these services to conduct additional malicious operations. For example, when threat actors successfully identify and compromise AWS credentials from a vulnerable website, they have been observed attempting to create new users and user policies [T1136]. Additionally, Andoxgh0st actors have been observed creating new AWS instances to use for conducting additional scanning activity [T1583.006].
INDICATORS OF COMPROMISE (IOCs)
Based on investigations and analysis, the following requests are associated with Androxgh0st activity:
Incoming GET and POST requests to the following URIs:
The threat actor can exploit a successfully identified Laravel application key to encrypt PHP code, which is then passed to the site as a value in the XSRF-TOKEN cookie.
The threat actor runs PHP code through a POST request to download malicious files to the system hosting the website.
MITIGATIONS
The FBI and CISA recommend implementing the mitigations below to improve your organization’s cybersecurity posture based on Androxgh0st threat actor activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
These mitigations apply to all critical infrastructure organizations and network defenders. FBI and CISA recommend that software manufacturers incorporate secure by design principles and tactics into their software development practices, limiting the impact of actor techniques and strengthening their customers’ security posture. For more information on secure by design, see CISA’s Secure by Design webpage.
The FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by actors using Androxgh0st malware.
Keep all operating systems, software, and firmware up to date. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
Verify that the default configuration for all URIs is to deny all requests unless there is a specific need for it to be accessible.
Ensure that any live Laravel applications are not in “debug” or testing mode. Remove all cloud credentials from.env files and revoke them. All cloud providers have safer ways to provide temporary, frequently rotated credentials to code running inside a web server without storing them in any file.
On a one-time basis for previously stored cloud credentials, and on an on-going basis for other types of credentials that cannot be removed, review any platforms or services that have credentials listed in the.envfile for unauthorized access or use.
Scan the server’s file system for unrecognized PHP files, particularly in the root directory or /vendor/phpunit/phpunit/src/Util/PHP folder.
Review outgoing GET requests (via cURL command) to file hosting sites such as GitHub, pastebin, etc., particularly when the request accesses a .php file.
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Tables 1-10).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
REPORTING
The FBI encourages organizations to report information concerning suspicious or criminal activity to their local FBI field office. With regards to specific information that appears in this CSA, indicators should always be evaluated in light of an organization’s complete security situation.
When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Reports can be submitted to the FBI Internet Crime Complaint Center (IC3), a local FBI Field Office, or to CISA via its Incident Reporting System or its 24/7 Operations Center at report@cisa.gov or (888) 282-0870.
The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI and CISA.
Will Also Introduce Online Filing for I-129 H-1B Petitions and H-1B I-907 Premium Processing Service
WASHINGTON—U.S. Citizenship and Immigration Services today announced the upcoming launch of a package of customer experience improvements for H-1B cap season. The measures are expected to increase efficiency and ease collaboration for organizations and their legal representatives.
USCIS will launch organizational accounts for non-cap filings and the fiscal year (FY) 2025 H-1B cap season. The introduction of organizational accounts will allow multiple individuals within an organization, such as a company or other business entity, and their legal representatives to collaborate on and prepare H-1B registrations, Form I-129, Petition for a Nonimmigrant Worker, and associated Form I-907, Request for Premium Processing Service.
“USCIS is always striving to improve and streamline our processes, and this is a big step forward,” said USCIS Director Ur M. Jaddou. “Once we launch the organizational accounts and online filing of I-129 H-1B petitions, the entire H-1B lifecycle becomes fully electronic — from registration, if applicable, to our final decision and transmission to the Department of State.”
USCIS expects to launch the organizational accounts in February 2024, with online filing of Forms I-129 and I-907 following shortly thereafter. In addition to streamlining the Form I-129 H-1B petition process, these changes should help reduce duplicate H-1B registrations and other common errors.
USCIS will also transition the paper filing location for Forms I-129 and I-907 from service centers to the USCIS lockbox as part of our efforts to increase efficiency by standardizing processes and reducing costs.
USCIS will host two national engagements on organizational accounts on Jan. 23 and 24 as well as several smaller sessions leading up to the H-1B registration period to help guide organizations and legal representatives through the process. During these sessions individuals will have the opportunity to ask questions about the organizational accounts in preparation for the FY 2025 H-1B electronic registration process and launch of online filing of Form I-129 for H-1B petitions. USCIS encourages all individuals involved in the H-1B registration and petition filing process to attend these engagements. Invitations to these engagements will be sent later this month. Visit our Contact Public Engagement page to subscribe to notifications about upcoming engagements. Additional details regarding organizational accounts will be available on the H-1B Electronic Registration Process page.
For more information on USCIS and its programs, please visit uscis.gov or follow us on Twitter (@uscis), Instagram (/uscis), YouTube (/uscis), Facebook (/uscis), and LinkedIn (/uscis).
Note:This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visitstopransomware.govto see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known IOCs and TTPs associated with the ALPHV Blackcat ransomware as a service (RaaS) identified through FBI investigations as recently as Dec. 6, 2023.
This advisory provides updates to the FBI FLASH BlackCat/ALPHV Ransomware Indicators of Compromise released April 19, 2022. Since previous reporting, ALPHV Blackcat actors released a new version of the malware, and the FBI identified over 1000 victims worldwide targeted via ransomware and/or data extortion.
FBI and CISA encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ALPHV Blackcat ransomware and data extortion incidents.
In February 2023, ALPHV Blackcat administrators announced the ALPHV Blackcat Ransomware 2.0 Sphynx update, which was rewritten to provide additional features to affiliates, such as better defense evasion and additional tooling. This ALPHV Blackcat update has the capability to encrypt both Windows and Linux devices, and VMWare instances. ALPHV Blackcat affiliates have extensive networks and experience with ransomware and data extortion operations. According to the FBI, as of September 2023, ALPHV Blackcat affiliates have compromised over 1000 entities—nearly 75 percent of which are in the United States and approximately 250 outside the United States—, demanded over $500 million, and received nearly $300 million in ransom payments.
Download the PDF version of this report:
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
ALPHV Blackcat affiliates use advanced social engineering techniques and open source research on a company to gain initial access. Actors pose as company IT and/or helpdesk staff and use phone calls or SMS messages [T1598] to obtain credentials from employees to access the target network [T1586]. ALPHV Blackcat affiliates use uniform resource locators (URLs) to live-chat with victims to convey demands and initiate processes to restore the victims’ encrypted files.
After gaining access to a victim network, ALPHV Blackcat affiliates deploy remote access software such as AnyDesk, Mega sync, and Splashtop in preparation of data exfiltration. After gaining access to networks, ALPHV Blackcat affiliates use legitimate remote access and tunneling tools, such as Plink and Ngrok [S0508]. ALPHV Blackcat affiliates claim to use Brute Ratel C4 [S1063] and Cobalt Strike [S1054] as beacons to command and control servers. ALPHV Blackcat affiliates use the open source adversary-in-the-middle attack [T1557] framework Evilginx2, which allows them to obtain multifactor authentication (MFA) credentials, login credentials, and session cookies. The actors also obtain passwords from the domain controller, local network, and deleted backup servers to move laterally throughout the network [T1555].
To evade detection, affiliates employ allowlisted applications such as Metasploit. Once installed on the domain controller, the logs are cleared on the exchange server. Then Mega.nz or Dropbox are used to move, exfiltrate, and/or download victim data. The ransomware is then deployed, and the ransom note is embedded as a file.txt. According to public reporting, affiliates have additionally used POORTRY and STONESTOP to terminate security processes.
Some ALPHV Blackcat affiliates exfiltrate data after gaining access and extort victims without deploying ransomware. After exfiltrating and/or encrypting data, ALPHV Blackcat affiliates communicate with victims via TOR [S0183], Tox, email, or encrypted applications. The threat actors then delete victim data from the victim’s system.
ALPHV Blackcat affiliates offer to provide unsolicited cyber remediation advice as an incentive for payment, offering to provide victims with “vulnerability reports” and “security recommendations” detailing how they penetrated the system and how to prevent future re-victimization upon receipt of ransom payment.
MITRE ATT&CK TACTICS AND TECHNIQUES
See Table 1 through Table 3 for all referenced threat actor tactics and techniques in this advisory.
ALPHV Blackcat affiliates pose as company IT and/or helpdesk staff using phone calls or SMS messages to obtain credentials from employees to access the target network.
ALPHV Blackcat/ALPHV affiliates use the open-source framework Evilginx2 to obtain MFA credentials, login credentials, and session cookies for targeted networks.
INCIDENT RESPONSE
If compromise is detected, organizations should:
Quarantine or take offline potentially affected hosts.
Reimage compromised hosts.
Provision new account credentials.
Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
Report the compromise or phishing incident to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). State, local, tribal, or territorial government entities can also report to MS-ISAC (SOC@cisecurity.org or 866-787-4722).
To report spoofing or phishing attempts (or to report that you’ve been a victim), file a complaint with the FBI’s Internet Crime Complaint Center (IC3), or contact your local FBI Field Office to report an incident.
MITIGATIONS
These mitigations apply to all critical infrastructure organizations and network defenders. The FBI and CISA recommend that software manufactures incorporate secure-by-design and -default principles and tactics into their software development practices limiting the impact of ransomware techniques, thus, strengthening the security posture for their customers.
FBI and CISA recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture based on threat actor activity and to reduce the risk of compromise by ALPHV Blackcat threat actors. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Secure remote access tools by:
Implementingapplication controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
Implementing FIDO/WebAuthn authentication or Public key Infrastructure (PKI)-based MFA [CPG 2.H]. These MFA implementations are resistant to phishing and not susceptible to push bombing or SIM swap attacks, which are techniques known be used by ALPHV Blackcat affiliates. See CISA’s Fact Sheet Implementing Phishing-Resistant MFA for more information.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic [CPG 5.1], including lateral movement activity on a network. Endpoint detection and response (EDR) tools are useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
Implement user training on social engineering and phishing attacks [CPG 2.I]. Regularly educate users on identifying suspicious emails and links, not interacting with those suspicious items, and the importance of reporting instances of opening suspicious emails, links, attachments, or other potential lures.
Implement internal mail and messaging monitoring. Monitoring internal mail and messaging traffic to identify suspicious activity is essential as users may be phished from outside the targeted network or without the knowledge of the organizational security team. Establish a baseline of normal network traffic and scrutinize any deviations.
Implement free security tools to prevent cyber threat actors from redirecting users to malicious websites to steal their credentials. For more information see, CISA’s Free Cybersecurity Services and Tools webpage.
Install and maintain antivirus software. Antivirus software recognizes malware and protects your computer against it. Installing antivirus software from a reputable vendor is an important step in preventing and detecting infections. Always visit vendor sites directly rather than clicking on advertisements or email links. Because attackers are continually creating new viruses and other forms of malicious code, it is important to keep your antivirus software up to date.
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Tables 1-3).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESOURCES
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.
Note:This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visitstopransomware.govto see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint CSA to disseminate the Play ransomware group’s IOCs and TTPs identified through FBI investigations as recently as October 2023.
Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors.
In Australia, the first Play ransomware incident was observed in April 2023, and most recently in November 2023.
The Play ransomware group is presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions, rather, victims are instructed to contact the threat actors via email.
The FBI, CISA, and ASD’s ACSC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents. This includes requiring multifactor authentication, maintaining offline backups of data, implementing a recovery plan, and keeping all operating systems, software, and firmware up to date.
Download a PDF version of this report:
For a downloadable copy of IOCs, see:
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK for Enterprise section for all referenced tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Initial Access
The Play ransomware group gains initial access to victim networks through the abuse of valid accounts [T1078] and exploitation of public-facing applications [T1190], specifically through known FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell [CVE-2022-41040 and CVE-2022-41082]) vulnerabilities. Play ransomware actors have been observed to use external-facing services [T1133] such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access.
Discovery and Defense Evasion
Play ransomware actors use tools like AdFind to run Active Directory queries [TA0007] and Grixba [1], an information-stealer, to enumerate network information [T1016] and scan for anti-virus software [T1518.001]. Actors also use tools like GMER, IOBit, and PowerTool to disable anti-virus software [T1562.001] and remove log files [T1070.001]. In some instances, cybersecurity researchers have observed Play ransomware actors using PowerShell scripts to target Microsoft Defender.[2]
Lateral Movement and Execution
Play ransomware actors use command and control (C2) applications, including Cobalt Strike and SystemBC, and tools like PsExec, to assist with lateral movement and file execution. Once established on a network, the ransomware actors search for unsecured credentials [T1552] and use the Mimikatz credential dumper to gain domain administrator access [T1003]. According to open source reporting [2], to further enumerate vulnerabilities, Play ransomware actors use Windows Privilege Escalation Awesome Scripts (WinPEAS) [T1059] to search for additional privilege escalation paths. Actors then distribute executables [T1570] via Group Policy Objects [T1484.001].
Exfiltration and Encryption
Play ransomware actors often split compromised data into segments and use tools like WinRAR to compress files [T1560.001] into .RAR format for exfiltration. The actors then use WinSCP to transfer data [T1048] from a compromised network to actor-controlled accounts. Following exfiltration, files are encrypted [T1486] with AES-RSA hybrid encryption using intermittent encryption, encrypting every other file portion of 0x100000 bytes. [3] (Note: System files are skipped during the encryption process.) A .play extension is added to file names and a ransom note titled ReadMe[.]txt is placed in file directory C:.
Impact
The Play ransomware group uses a double-extortion model [T1657], encrypting systems after exfiltrating data. The ransom note directs victims to contact the Play ransomware group at an email address ending in @gmx[.]de. Ransom payments are paid in cryptocurrency to wallet addresses provided by Play actors. If a victim refuses to pay the ransom demand, the ransomware actors threaten to publish exfiltrated data to their leak site on the Tor network ([.]onion URL).
Leveraged Tools
Table 1 lists legitimate tools Play ransomware actors have repurposed for their operations. The legitimate tools listed in this product are all publicly available. Use of these tools and applications should not be attributed as malicious without analytical evidence to support they are used at the direction of, or controlled by, threat actors.
Table 1: Tools Leveraged by Play Ransomware Actors
Name
Description
AdFind
Used to query and retrieve information from Active Directory.
Bloodhound
Used to query and retrieve information from Active Directory.
GMER
A software tool intended to be used for detecting and removing rootkits.
IOBit
An anti-malware and anti-virus program for the Microsoft Windows operating system. Play actors have accessed IOBit to disable anti-virus software.
PsExec
A tool designed to run programs and execute commands on remote systems.
PowerTool
A Windows utility designed to improve speed, remove bloatware, protect privacy, and eliminate data collection, among other things.
PowerShell
A cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
Cobalt Strike
A penetration testing tool used by security professionals to test the security of networks and systems. Play ransomware actors have used it to assist with lateral movement and file execution.
Mimikatz
Allows users to view and save authentication credentials such as Kerberos tickets. Play ransomware actors have used it to add accounts to domain controllers.
WinPEAS
Used to search for additional privilege escalation paths.
WinRAR
Used to split compromised data into segments and to compress files into .RAR format for exfiltration.
WinSCP
Windows Secure Copy is a free and open-source Secure Shell (SSH) File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Play ransomware actors have used it to transfer data [T1048] from a compromised network to actor-controlled accounts.
Microsoft Nltest
Used by Play ransomware actors for network discovery.
Nekto / PriviCMD
Used by Play ransomware actors for privilege escalation.
Process Hacker
Used to enumerate running processes on a system.
Plink
Used to establish persistent SSH tunnels.
Indicators of Compromise
See Table 2 for Play ransomware IOCs obtained from FBI investigations as of October 2023.
Table 2: Hashes Associated with Play Ransomware Actors
Play ransomware actors use a double-extortion model for financial gain.
MITIGATIONS
These mitigations apply to all critical infrastructure organizations and network defenders. The FBI, CISA, and ASD’s ACSC recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices to limit the impact of ransomware techniques (such as threat actors leveraging backdoor vulnerabilities into remote software systems), thus, strengthening the security posture for their customers. For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.
The FBI, CISA, and ASD’s ACSC recommend organizations apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Play ransomware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers [CPG 2.F, 2.R, 2.S] in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST’s standards for developing and managing password policies [CPG 2.C].
Use longer passwords consisting of at least 8 characters and no more than 64 characters in length [CPG 2.B];
Store passwords in hashed format using industry-recognized password managers;
Add password user “salts” to shared login credentials;
Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
Require administrator credentials to install software.
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E]. Organizations are advised to deploy the latest Microsoft Exchange security updates. If unable to patch, then disable Outlook Web Access (OWA) until updates are able to be undertaken. Also see Patching Applications and Operating Systems | Cyber.gov.au.
Segment networks [CPG 2.F] to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement. Also see Implementing Network Segmentation and Segregation.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network [CPG 1.E]. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents actors from directly connecting to remote access services they have established for persistence. Also see Inbound Traffic Filtering – Technique D3-ITF.
Install, regularly update, and enable real time detection for antivirus software on all hosts.
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 1.A, 2.O].
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E].
Consider adding an email banner to emails [CPG 2.M] received from outside your organization.
Disable hyperlinks in received emails.
Implement time-based access for accounts set at the admin level and higher. For example, the just-in-time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
Disable command-line and scripting activities and permissions. Privileged escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.E].
Maintain offline backups of data and regularly maintain backup and restoration [CPG 2.R]. By instituting this practice, an organization ensures they will not be severely interrupted, and/or only have irretrievable data.
Ensure backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K].
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, the FBI, CISA, and ASD’s ACSC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and ASD’s ACSC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Tables 3-11).
Align your security technologies against this technique.
Test your technologies against this technique.
Analyze your detection and prevention technologies performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The FBI, CISA, and ASD’s ACSC recommend continually testing your security program at scale and in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESOURCES
REPORTING
The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Play ransomware actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
The FBI, CISA, and ASD’s ACSC do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, the FBI’s Internet Crime Complaint Center (IC3), or CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).
Australian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ASD’s ACSC via 1300 CYBER1 (1300 292 371), or by submitting a report to cyber.gov.au.
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA and the FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.
In January 2023, the Cybersecurity and Infrastructure Security Agency (CISA) conducted a Risk and Vulnerability Assessment (RVA) at the request of a Healthcare and Public Health (HPH) sector organization to identify vulnerabilities and areas for improvement. An RVA is a two-week penetration test of an entire organization, with one week spent on external testing and one week spent assessing the internal network. As part of the RVA, the CISA assessment team conducted web application, phishing, penetration, database, and wireless assessments. The assessed organization was a large organization deploying on-premises software.
During the one-week external assessment, the assessment team did not identify any significant or exploitable conditions in externally available systems that may allow a malicious actor to easily obtain initial access to the organization’s network. Furthermore, the assessment team was unable to gain initial access to the assessed organization through phishing. However, during internal penetration testing, the team exploited misconfigurations, weak passwords, and other issues through multiple attack paths to compromise the organization’s domain.
In coordination with the assessed organization, CISA is releasing this Cybersecurity Advisory (CSA) detailing the RVA team’s activities and key findings to provide network defenders and software manufacturers recommendations for improving their organizations’ and customers’ cyber posture, which reduces the impact of follow-on activity after initial access. CISA encourages the HPH sector and other critical infrastructure organizations deploying on-premises software, as well as software manufacturers, to apply the recommendations in the Mitigations section of this CSA to harden networks against malicious activity and to reduce the likelihood of domain compromise.
Download the PDF version of this report:
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for tables of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques with corresponding mitigation and/or detection recommendations. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Introduction
CISA has authority to, upon request, provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and provide operational and timely technical assistance to federal and non-federal entities with respect to cybersecurity risks. See generally 6 U.S.C. §§ 652(c)(5), 659(c)(6). After receiving a request for an RVA from the organization and coordinating high-level details of the engagement with certain personnel at the organization, CISA conducted the RVA in January 2023.
During RVAs, CISA tests the security posture of an organization’s network over a two-week period to determine the risk, vulnerability, and exploitability of systems and networks. During the first week (the external phase), the team tests public facing systems to identify exploitable vulnerabilities. During the second week (the internal phase), the team determines the susceptibility of the environment to an actor with internal access (e.g., malicious cyber actor or insider threat). The assessment team offers five services:
Web Application Assessment: The assessment team uses commercial and open source tools to identify vulnerabilities in public-facing and internal web applications, demonstrating how they could be exploited.
Phishing Assessment: The assessment team tests the susceptibility of staff and infrastructure to phishing attacks and determines what impact a phished user workstation could have on the internal network. The RVA team crafts compelling email pretexts and generates payloads, similar to ones used by threat actors, in order to provide a realistic threat perspective to the organization.
Penetration Testing: The assessment team tests the security of an environment by simulating scenarios an advanced cyber actor may attempt. The team’s goals are to establish a foothold, escalate privileges, and compromise the domain. The RVA team leverages both open source and commercial tools for host discovery, port and service mapping, vulnerability discovery and analysis, and vulnerability exploitation.
Database Assessment: The assessment team uses commercial database tools to review databases for misconfigurations and missing patches.
Wireless Assessment: The assessment team uses specialized wireless hardware to assess wireless access points, connected endpoints, and user awareness for vulnerabilities.
The assessed organization was in the HPH sector. See Table 1 for services in-scope for this RVA.
Table 1: In-Scope RVA Services
Phase
Scope
Services
External Assessment
Publicly available HPH-organization endpoints discovered during scanning
Penetration Testing
Phishing Assessment
Web Application Assessment
Internal Assessment
Internally available HPH-organization endpoints discovered during scanning
Database Assessment
Penetration Testing
Web Application Assessment
Wireless Assessment
Phase I: External Assessment
Penetration and Web Application Testing
The CISA team did not identify any significant or exploitable conditions from penetration or web application testing that may allow a malicious actor to easily obtain initial access to the organization’s network.
Phishing Assessment
The CISA team conducted phishing assessments that included both user and systems testing.
The team’s phishing assessment was unsuccessful because the organization’s defensive tools blocked the execution of the team’s payloads. The payload testing resulted in most of the team’s payloads being blocked by host-based protections through a combination of browser, policy, and antivirus software. Some of the payloads were successfully downloaded to disk without being immediately removed, but upon execution, the antivirus software detected the malicious code and blocked it from running. Some payloads appeared to successfully evade host-based protections but did not create a connection to the command and control (C2) infrastructure, indicating they may have been incompatible with the system or blocked by border protections.
Since none of the payloads successfully connected to the assessment team’s C2 server, the team conducted a credential harvesting phishing campaign. Users were prompted to follow a malicious link within a phishing email under the pretext of verifying tax information and were then taken to a fake login form.
While twelve unique users from the organization submitted credentials through the malicious form, the CISA team was unable to leverage the credentials because they had limited access to external-facing resources. Additionally, the organization had multi-factor authentication (MFA) implemented for cloud accounts. Note: At the time of the assessment, the CISA team’s operating procedures did not include certain machine-in-the-middle attacks that could have circumvented the form of MFA in place. However, it is important to note that tools like Evilginx[1] can be leveraged to bypass non-phishing resistant forms of MFA. Furthermore, if a user executes a malicious file, opening a connection to a malicious actor’s command and control server, MFA will not prevent the actor from executing commands and carrying out actions under the context of that user.
Phase II: Internal Assessment
Database, Web Application, and Wireless Testing
The CISA assessment team did not identify any significant or exploitable conditions from database or wireless testing that may allow a malicious actor to easily compromise the confidentiality, integrity, and availability of the tested environment.
The team did identify default credentials [T1078.001] for multiple web interfaces during web application testing and used default printer credentials while penetration testing. (See the Attack Path 2 section for more information.)
Penetration Testing
The assessment team starts internal penetration testing with a connection to the organization’s network but without a valid domain account. The team’s goal is to compromise the domain by gaining domain admin or enterprise administrator-level permissions. Generally, the team first attempts to gain domain user access and then escalate privileges until the domain is compromised. This process is called the “attack path”—acquiring initial access to an organization and escalating privileges until the domain is compromised and/or vital assets for the organization are accessed. The attack path requires specialized expertise and is realistic to what adversaries may do in an environment.
For this assessment, the team compromised the organization’s domain through four unique attack paths, and in a fifth attack path the team obtained access to sensitive information.
See the sections below for a description of the team’s attack paths mapped to the MITRE ATT&CK for Enterprise framework. See the Findings section for information on issues that enabled the team to compromise the domain.
Attack Path 1
The assessment team initiated LLMNR/NBT-NS/mDNS/DHCP poisoning [T1557.001] with Responder[2], which works in two steps:
Responder listens to multicast name resolution queries (e.g., LLMNR UDP/5355, NBTNS UDP/137) [T1040] and under the right conditions spoofs a response to direct the victim host to a CISA-controlled machine on which Responder is running.
Once a victim connects to the machine, Responder exploits the connection to perform malicious functions such as stealing credentials or opening a session on a targeted host [T1021].
With this tool, the CISA team captured fifty-five New Technology Local Area Network Manager version 2 (NTLMv2) hashes, including the NTLMv2 hash for a service account. Note: NTLMv2 and other variations of the hash protocol are used for clients to join a domain, authenticate between Active Directory forests, authenticate between earlier versions of Windows operating systems (OSs), and authenticate computers that are not normally a part of the domain.[3] Cracking these passwords may enable malicious actors to establish a foothold in the domain and move laterally or elevate their privileges if the hash belongs to a privileged account.
The service account had a weak password, allowing the team to quickly crack it [T1110.002] and obtain access to the organization’s domain. With domain access, the CISA assessment team enumerated accounts with a Service Principal Name (SPN) set [T1087.002]. SPN is the unique service identifier used by Kerberos authentication[4], and accounts with SPN are susceptible to Kerberoasting.
The CISA team used Impacket’s[5] GetUserSPNs tool to request Ticket-Granting Service (TGS) tickets for all accounts with SPN set and obtained their Kerberos hashes [T1558.003]. Three of these accounts had domain administrator privileges—offline, the team cracked ACCOUNT 1 (which had a weak password).
Using CrackMapExec[6], the assessment team used ACCOUNT 1 [T1078.002] to successfully connect to a domain controller (DC). The team confirmed they compromised the domain because ACCOUNT 1 had READ,WRITE permissions over the C$ administrative share [T1021.002] (see Figure 1).
Figure 1: ACCOUNT 1 Domain Admin Privileges
To further demonstrate the impact of compromising ACCOUNT 1, the assessment team used it to access a virtual machine interface. If a malicious actor compromised ACCOUNT 1, they could use it to modify, power off [T1529], and/or delete critical virtual machines, including domain controllers and file servers.
Attack Path 2
The team first mapped the network to identify open web ports [T1595.001], and then attempted to access various web interfaces [T1133] with default administrator credentials. The CISA team was able to log into a printer interface with a default password and found the device was configured with domain credentials to allow employees to save scanned documents to a network share [T1080].
While logged into the printer interface as an administrator, the team 1) modified the “Save as file” configuration to use File Transfer Protocol (FTP) instead of Server Message Block (SMB) and 2) changed the Server Name and Network Path to point to a CISA-controlled machine running Responder [T1557]. Then, the team executed a “Connection Test” that sent the username and password over FTP [T1187] to the CISA machine running Responder, which captured cleartext credentials for a non-privileged domain account (ACCOUNT 2).
Using ACCOUNT 2 and Certipy[7], the team enumerated potential certificate template vulnerabilities found in Active Directory Certificate Services (ADCS). Note: ADCS templates are used to build certificates for different types of servers and other entities on an organization’s network. Malicious actors can exploit template misconfigurations [T1649] to manipulate the certificate infrastructure into issuing fraudulent certificates and/or escalate user privileges to a domain administrator.
The WebServer template was misconfigured to allow all authenticated users permission to:
Change the properties of the template (via Object Control Permissions with Write Property Principals set to Authenticated Users).
Enroll for the certificate (via Enrollment Permissions including the Authenticated Users group).
Request a certificate for a different user (via EnrolleeSuppliesSubject set as True).
See Figure 2 for the displayed certificate template misconfigurations.
The template’s Client Authentication was set to False, preventing the CISA assessment team from requesting a certificate that could be used to authenticate to a server in the domain. To demonstrate how this misconfiguration could lead to privilege escalation, the assessment team, leveraging its status as a mere authenticated user, briefly changed the WebServer template properties to set Client Authentication to True so that a certificate could be obtained for server authentication, ensuring the property was set back to its original setting of False immediately thereafter.
The team used Certipy with the ACCOUNT 2 credentials to request a certificate for a Domain Administrator account (ACCOUNT 3). The team then authenticated to the domain controller as ACCOUNT 3 with the generated certificate [T1550] and retrieved the NTLM hash for ACCOUNT 3 [T1003]. The team used the hash to authenticate to the domain controller [T1550.002] and validated Domain Administrator privileges, demonstrating compromise of the domain via the WebServer template misconfiguration.
Attack Path 3
The CISA team used a tool called CrackMapExec to spray easily guessable passwords [T1110.003] across all domain accounts and obtained two sets of valid credentials for standard domain user accounts.
The assessment team leveraged one of the domain user accounts (ACCOUNT 4) to enumerate ADCS via Certipy and found that web enrollment was enabled (see Figure 3). If web enrollment is enabled, malicious actors can abuse certain services and/or misconfigurations in the environment to coerce a server to authenticate to an actor-controlled computer, which can relay the authentication to the ADCS web enrollment service and obtain a certificate for the server’s account (known as a relay attack).
Figure 3: Misconfigured ADCS Enumerated via Certipy
The team used PetitPotam [8] with ACCOUNT 4 credentials to force the organization’s domain controller to authenticate to the CISA-operated machine and then used Certipy to relay the coerced authentication attempt to the ADCS web enrollment service to receive a valid certificate for ACCOUNT 5, the domain controller machine account. They used this certificate to acquire a TGT [T1558] for ACCOUNT 5.
With the TGT for ACCOUNT 5, the CISA team used DCSync to dump the NTLM hash [T1003.006] for ACCOUNT 3 (a Domain Administrator account [see Attack Path 2 section]), effectively leading to domain compromise.
Attack Path 4
The CISA team identified several systems on the organization’s network that do not enforce SMB signing. The team exploited this misconfiguration to obtain cleartext credentials for two domain administrator accounts.
First, the team used Responder to capture the NTLMv2 hash for a domain administrator account. Next, they used Impacket’s NTLMrelayx tool[9] to relay the authentication for the domain administrator, opening a SOCKS connection on a host that did not enforce SMB signing. The team then used DonPAPI[10] to dump cleartext credentials through the SOCKS connection and obtained credentials for two additional domain administrator accounts.
The CISA team validated the privileges of these accounts by checking for READ,WRITE access on a domain controller C$ share [T1039], demonstrating Domain Administrator access and therefore domain compromise.
Attack Path 5
The team did vulnerability scanning [T1046] and identified a server vulnerable to CVE-2017-0144 (an Improper Input Validation [CWE-20] vulnerability known as “EternalBlue” that affects SMB version 1 [SMBv1] and enables remote code execution [see Figure 4]).
Figure 4: Checking for EternalBlue Vulnerability
The CISA assessment team then executed a well-known EternalBlue exploit [T1210] and established a shell on the server. This shell allowed them to execute commands [T1059.003] under the context of the local SYSTEM account.
With this local SYSTEM account, CISA dumped password hashes from a Security Account Manager (SAM) database [T1003.002]. The team parsed the hashes and identified one for a local administrator account. Upon parsing the contents of the SAM database dump, the CISA team identified an NTLM hash for the local administrator account, which can be used to authenticate to various services.
The team sprayed the acquired NTLM hash across a network segment and identified multiple instances of password reuse allowing the team to access various resources including sensitive information with the hash.
Findings
Key Issues
The CISA assessments team identified several findings as potentially exploitable vulnerabilities that could compromise the confidentiality, integrity, and availability of the tested environment. Each finding, listed below, includes a description with supporting details. See the Mitigations section for recommendations on how to mitigate these issues.
The CISA team rated their findings on a severity scale from critical to informational (see Table 2).
Table 2: Severity Rating Criteria
Severity
Description
Critical
Critical vulnerabilities pose an immediate and severe risk to the environment because of the ease of exploitation and potential impact. Critical items are reported to the customer immediately.
High
Malicious actors may be able to exercise full control on the targeted device.
Medium
Malicious actors may be able to exercise some control of the targeted device.
Low
The vulnerabilities discovered are reported as items of interest but are not normally exploitable. Many low items reported by security tools are not included in this report because they are often informational, unverified, or of minor risk.
Informational
These vulnerabilities are potential weaknesses within the system that cannot be readily exploited. These findings represent areas that the customer should be cognizant of, but do not require any immediate action.
The CISA assessment team identified four High severity vulnerabilities and one Medium severity vulnerability during penetration testing that contributed to the team’s ability to compromise the domain. See Table 3 for a list and description of these findings.
Table 3: Key Issues Contributing to Domain Compromise
As part of their assessment, the team reviewed the organization’s domain password policy and found it was weak because the minimum password length was set to 8 characters. Passwords less than 15 characters without randomness are easily crackable, and malicious actors with minimal technical knowledge can use these credentials to access the related services.
The assessment team was able to easily crack many passwords throughout the assessment to move laterally and increase access within the domain. Specifically, the team:
Cracked the NTLMv2 hash for a domain account, and subsequently accessed the domain. (See the Attack Path 1 section.)
Cracked the password hash (obtained via Kerberoasting) of a domain administrator account and subsequently compromised the domain. (See the Attack Path 1 section.)
Poor Credential Hygiene: Guessable Credentials
High
Penetration Testing
As part of the penetration test, the assessment team tested to see if one or more services is accessible using a list of enumerated usernames alongside an easily guessed password. The objective is to see if a malicious actor with minimal technical knowledge can use these credentials to access the related services, enabling them to move laterally or escalate privileges. Easily guessable passwords are often comprised of common words, seasons, months and/or years, and are sometimes combined with special characters. Additionally, phrases or names that are popular locally (such as the organization being tested or a local sports teams) may also be considered easily guessable.
The team sprayed common passwords against domain user accounts and obtained valid credentials for standard domain users. (See the Attack Path 3 section.) (Cracking was not necessary for this attack.)
Misconfigured ADCS Certificate Templates
High
Penetration Testing
The team identified a WebServer template configured to allow all authenticated users permission to change the properties of the template and obtain certificates for different users. The team exploited the template to acquire a certificate for a Domain Administrator account (see the Attack Path 2 section).
Unnecessary Network Services Enabled
High
Penetration Testing
Malicious actors can exploit security vulnerabilities and misconfigurations in network services, especially legacy services.
The assessment team identified legacy name resolution protocols (e.g., NetBIOS, LLMNR, mDNS) enabled in the network, and abused LLMNR to capture NTLMv2 hashes, which they then cracked and used for domain access. (See the Attack Path 1 section.)
The team also identified an ADCS server with web enrollment enabled and leveraged it to compromise the domain through coercion and relaying. (See Attack Path 3 section.)
Additionally, the team identified hosts with WebClient and Spooler services, which are often abused by malicious actors to coerce authentication.
Elevated Service Account Privileges
High
Penetration Testing
Applications often require user accounts to operate. These user accounts, which are known as service accounts, often require elevated privileges. If an application or service running with a service account is compromised, an actor may have the same privileges and access as the service account.
The CISA team identified a service account with Domain Administrator privileges and used it to access the domain after cracking its password (See the Attack Path 1 section).
SMB Signing Not Enabled
High
Penetration Testing
The CISA team identified several systems on the organization’s network that do not enforce SMB signing and exploited this for relayed authentication to obtain cleartext credentials for two domain administrator accounts.
Many off-the-shelf applications are released with built-in administrative accounts using predefined credentials that can often be found with a simple web search. Malicious actors with minimal technical knowledge can use these credentials to access the related services.
During testing, the CISA team identified multiple web interfaces with default administrator credentials and used default credentials for a printer interface to capture domain credentials of a non-privileged domain account. (See the Attack Path 2 section.)
In addition to the issues listed above, the team identified three High and seven Medium severity findings. These vulnerabilities and misconfigurations may allow a malicious actor to compromise the confidentiality, integrity, and availability of the tested environment. See Table 4 for a list and description of these findings.
Table 4: Additional Key Issues
Issue
Severity
Service
Description
Poor Credential Hygiene: Password Reuse for Administrator and User Accounts
High
Penetration Testing
Elevated password reuse is when an administrator uses the same password for their user and administrator accounts. If the user account password is compromised, it can be used to gain access to the administrative account.
The assessment team identified an instance where the same password was set for an admin user’s administrative account as well as their standard user account.
Poor Credential Hygiene: Password Reuse for Administrator Accounts
Medium
Penetration Testing
If administrator passwords are the same for various administrator accounts, malicious actors can use the password to access all systems that share this credential after compromising one account.
The assessment team found multiple instances of local administrator accounts across various systems using the same password.
Poor Patch Management: Out-of-Date Software
High
Penetration Testing
Patches and updates are released to address existing and emerging security vulnerabilities, and failure to apply the latest leaves systems open to attack with publicly available exploits. (The risk presented by missing patches and updates depends on the severity of the vulnerability).
The assessment team identified several unpatched systems including instances of CVE-2019-0708 (known as “BlueKeep”) and EternalBlue.
The team was unable to successfully compromise the systems with BlueKeep, but they did exploit EternalBlue on a server to implant a shell on a server with local SYSTEM privileges (see the Attack Path 5 section).
Poor Patch Management: Unsupported OS or Application
High
Penetration Testing
Using software or hardware that is no longer supported by the vendor poses a significant security risk because new and existing vulnerabilities are no longer patched). There is no way to address security vulnerabilities on these devices to ensure that they are secure. The overall security posture of the entire network is at risk because an attacker can target these devices to establish an initial foothold into the network.
The assessment team identified end-of-life (EOL) Windows Server 2008 R2 and Windows Server 2008 and Windows 5.1.
Use of Weak Authentication Measures
Medium
Penetration Testing
Applications may have weak or broken mechanisms to verify user identity before granting user access to protected functionalities. Malicious actors can exploit these to bypass authentication and gain access to use application resources and functionality.
The assessment team abused the Cisco Smart Install protocol to obtain configuration files for several Cisco devices on the organization’s network. These files contained encrypted Cisco passwords. (The CISA team was unable to crack these passwords within the assessment timeframe.)
PII Disclosure
Medium
Penetration Testing
The assessment team identified an unencrypted Excel file containing PII on a file share.
Hosts with Unconstrained Delegation Enabled Unnecessarily
Medium
Penetration Testing
The CISA team identified two systems that appeared to be configured with Unconstrained Delegation enabled. Hosts with Unconstrained Delegation enabled store the Kerberos TGTs of all users that authenticate to that host, enabling actors to steal service tickets or compromise krbtgt accounts and perform golden ticket or silver ticket attacks.
Although the assessment team was unable to fully exploit this configuration because they lost access to one of the vulnerable hosts, it could have led to domain compromise under the right circumstances.
Cleartext Password Disclosure
Medium
Penetration Testing
Storing passwords in cleartext is a security risk because malicious actors with access to these files can use them.
The assessment team identified several unencrypted files on a file share containing passwords for various personal and organizational accounts.
Insecure File Shares
Medium
Penetration Testing
Access to sensitive data (e.g., data related to business functions, IT functions, and/or personnel) should be restricted to only certain authenticated and authorized users.
The assessment team found an unsecured directory on a file share with sensitive IT information. The directory was accessible to all users in the domain group. Malicious actors with user privileges could access and/or exfiltrate this data.
Additional Issues
The CISA team identified one Informational severity within the organization’s networks and systems. These issues may allow a malicious actor to compromise the confidentiality, integrity, and availability of the tested environment, but are not readily exploitable. The information provided is to encourage the stakeholder to investigate these issues further to adjust their environments or eliminate certain aspects as needed, but the urgency is low.
Table 5: Informational Issues That CISA Team Noted
Issue
Severity
Service
Description
Overly Permissive Accounts
Informational
Penetration Testing
Account privileges are intended to control user access to host or application resources to limit access to sensitive information in support of a least-privilege security model. When user (or other) accounts have high privileges, users can see and/or do things they normally should not, and malicious actors can exploit this to access host and application resources.
The assessment team identified Active Directory objects where the Human Resources group appeared to be part of the privileged Account Operators group. This may have provided elevated privileges to accounts in the Human Resources group. (The CISA team was unable to validate and demonstrate the potential impact of this relationship within the assessment period).
Noted Strengths
The CISA team noted the following business, technical, and administrative components that enhanced the network security posture of the tested environment:
The organization’s network was found to have several strong, security-oriented characteristics such as:
Effective antivirus software;
Endpoint detection and response capabilities;
Good policies and best practices for protecting users from malicious files including not allowing users to mount ISO files;
Minimal external attack surface, limiting an adversary’s ability to leverage external vulnerabilities to gain initial access to the organization’s networks and systems;
Strong wireless protocols;
And network segmentation.
The organization’s security also demonstrated their ability to detect some of the CISA team’s actions throughout testing and overall situational awareness through the use of logs and alerts.
The organization used MFA for cloud accounts. The assessment team obtained cloud credentials via a phishing campaign but was unable to use them because of MFA prompts.
MITIGATIONS
Network Defenders
CISA recommends HPH Sector and other critical infrastructure organizations implement the mitigations in Table 6 to mitigate the issues listed in the Findings section of this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Table 6: Recommendations to Mitigate Identified Issues
Follow National Institute of Standards and Technologies (NIST) guidelineswhen creating password policies to enforce use of “strong” passwords that cannot be cracked [CPG 2.B].[11] Consider using password managers to generate and store passwords.
Use “strong” passphrases for private keys to make cracking resource intensive [CPG 2.B]. Do not store credentials within the registry in Windows systems. Establish an organizational policy that prohibits password storage in files.
Ensure adequate password length (ideally 15+ characters) and complexity requirements for Windows service accounts and implement passwords with periodic expiration on these accounts [CPG 2.B]. Use Managed Service Accounts, when possible, to manage service account passwords automatically.
Poor Credential Hygiene: Guessable Credentials
Do not reuse local administrator account passwords across systems. Ensure that passwords are “strong” and unique [CPG 2.C].
Use phishing-resistant multi-factor authentication (MFA) for all administrative access, including domain administrative access [CPG 2.H]. If an organization that uses mobile push-notification-based MFA is unable to implement phishing-resistant MFA, use number matching to mitigate MFA fatigue. For more information, see CISA fact sheets on Implementing Phishing-Resistant MFA and Implementing Number Matching in MFA Applications.
Misconfigured ADCS Certificate Templates
Restrict enrollment rights in templates to only those users or groups that require it. Remove the Enrollee Supplies Subject flag from templates if it is not necessary or enforce manager approval if required. Consider removing Write Owner, Write DACL and Write Property permissions from low-privilege groups, such as Authenticated Users where those permissions are not needed.
Unnecessary Network Services Enabled
Ensure that only ports, protocols, and services with validated business needs are running on each system. Disable deprecated protocols (including NetBIOS, LLMNR, and mDNS) on the network that are not strictly necessary for business functions, or limit the systems and services that use the protocol, where possible [CPG 2.W].
Disable theWebClientand Spooler services where possible to minimize risk of coerced authentication.
Disable ADCS web-enrollment services. If this service cannot be disabled, disable NTLM authentication to prevent malicious actors from performing NTLM relay attacks or abusing the Spooler and WebClient services to coerce and relay authentication to the web-enrollment service.
Elevated Service Account Privileges
Run daemon applications using a non-Administrator account when appropriate.
Configure Service accounts with only the permissions necessary for the services they operate.
To mitigate Kerberoasting attacks, use AES or stronger encryption instead of RC4 for Kerberos hashes [CPG 2.K]. RC4 is considered weak encryption.
SMB Signing Not Enabled
Require SMB signing for both SMB client and server on all systems to prevent certain adversary-in-the-middle and pass-the-hash attacks. See Microsoft’s Overview of Server Message Block signing for more information.
Verify the implementation of appropriate hardening measures, and change, remove, or deactivate all default credentials [CPG 2.A].
Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts [CPG 2.A].
Poor Credential Hygiene: Password Reuse for Administrator and User Accounts
Discontinue reuse or sharing of administrative credentials among user/administrative accounts [CPG 2.C].
Use unique credentials across workstations, when possible, in accordance with applicable federal standards, industry best practices, and/or agency-defined requirements.
Train users, especially privileged users, against password reuse [CPG 2.I].
Poor Credential Hygiene: Password Reuse for Administrator Accounts
Discontinue reuse or sharing of administrative credentials among systems [CPG 2.C]. When possible, use unique credentials across all workstations in accordance with applicable federal standards, industry best practices, and/or agency-defined requirements.
Implement a security awareness program that focuses on the methods commonly used in intrusions that can be blocked through individual action [CPG 2.I].
Implement Local Administrator Password Solution (LAPS) where possible if your OS is older than Windows Server 2019 and Windows 10 as these versions do not have LAPS built in. Note: The authoring organizations recommend organizations upgrade to Windows Server 2019 and Windows 10 or greater.
Poor Patch Management: Out-of-Date Software
Enforce consistent patch management across all systems and hosts within the network environment [CPG 1.E].
Where patching is not possible due to limitations, implement network segregation controls [CPG 2.F] to limit exposure of the vulnerable system or host.
Consider deploying automated patch management tools and software update tools for operating system and software/applications on all systems for which such tools are available and safe.
Poor Patch Management: Unsupported OS or Application
Evaluate the use of unsupported hardware and software and discontinue where possible. If discontinuing the use of unsupported hardware and software is not possible, implement additional network protections to mitigate the risk.
Use of Weak Authentication Measures
Require phishing-resistant MFA for all user accounts that have access to sensitive data or systems. If MFA is not possible, it is recommended to, at a minimum, configure a more secure password policy by aligning with guidelines put forth by trusted entities such as NIST [CPG 2.H].
PII Disclosure
Implement a process to review files and systems for insecure handling of PII [CPG 2.L]. Properly secure or remove the information. Conduct periodic scans of server machines using automated tools to determine whether sensitive data (e.g., personally identifiable information, health, credit card, or classified information) is present on the system in cleartext.
Encrypt PII and other sensitive data, and train users who handle sensitive data to utilize best practices for encrypting data and storing it securely. If sensitive data must be stored on shares or other locations, restrict access to these locations as much as possible through access controls and network segmentation [CPG 2.F, 2.K, 2.L].
Hosts with Unconstrained Delegation Enabled Unnecessarily
RemoveUnconstrained Delegationfrom all servers. If Unconstrained Delegation functionality is required, upgrade operating systems and applications to leverage other approaches (e.g., configure Constrained Delegation, enable the Account is sensitive and cannot be delegated option) or explore whether systems can be retired or further isolated from the enterprise. CISA recommends Windows Server 2019 or greater.
Cleartext Password Disclosure
Implement a review process for files and systems to look for cleartext account credentials. When credentials are found, remove or change them to maintain security [CPG 2.L].
Conduct periodic scans of server machines using automated tools to determine whether sensitive data (e.g., personally identifiable information, health, credit card, or classified information) is present on the system in cleartext. Consider implementing a secure password manager solution in cases where passwords need to be stored [CPG 2.L].
Insecure File Shares
Restrict access to file shares containing sensitive data to only certain authenticated and authorized users [CPG 2.L].
Additionally, CISA recommends that HPH sector organizations implement the following strategies to mitigate cyber threats:
Mitigation Strategy #1 Asset Management and Security:
CISA recommends that HPH sector organizations implement and maintain an asset management policy to reduce the risk of exposing vulnerabilities, devices, or services that could be exploited by threat actors to gain unauthorized access, steal sensitive data, or disrupt critical services. The focus areas for this mitigation strategy include asset management and asset security, addressing asset inventory, procurement, decommissioning, and network segmentation as they relate to hardware, software, and data assets.
Mitigation Strategy #2 Identity Management and Device Security:
CISA recommends entities secure their devices and digital accounts and manage their online access to protect sensitive data and PII/PHI from compromise. The focus areas for this mitigation strategy include email security, phising prevention, access management, password policies, data protection and loss prevention, and device logs and monitoring solutions.
Mitigation Strategy #3 Vulnerability, Patch, and Configuration Management:
CISA recommends entities mitigate known vulnerabilities and establish secure configuration baselines to reduce the likelihood of threat actors exploiting known vulnerabilities to breach organizational networks. The focus areas for this mitigation strategy include vulnerability and patch Management, and configuration and change management.
The above mitigations apply to HPH sector and other critical infrastructure organizations with on-premises or hybrid environments. Recognizing that insecure software is the root cause of the majority of these flaws, and that the responsibility should not be on the end user, CISA urges software manufacturers to implement the following to reduce the prevalence of misconfigurations, weak passwords, and other weaknesses identified and exploited through the assessment team:
Embed security into product architecture throughout theentire software development lifecycle (SDLC).
Eliminate default passwords. Do not provide software with default passwords. To eliminate default passwords, require administrators set a “strong” password [CPG 2.B] during installation and configuration.
Create secure configuration templates. Provide configuration templates with certain safe settings based on an organization’s risk appetite (e.g., low, medium, and high security templates). Support these templates with hardening guides based on the risks the manufacturer has identified. The default configuration should be a secure one, and organizations should need to opt in if they desire a less secure configuration.
Design products so that the compromise of a single security control does not result in compromise of the entire system. For example, narrowly provision user privileges by default and employ ACLs to reduce the impact of a compromised account. This will make it more difficult for a malicious cyber actor to escalate privileges and move laterally.
These mitigations align with tactics provided in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software. CISA urges software manufacturers to take ownership of improving the security outcomes of their customers by applying these and other secure by design tactics. By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.
In addition to applying the listed mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Tables 7 – 16).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
The CISA team did identify default credentials for multiple web interfaces during web application testing and used default printer credentials while penetration testing.
The CISA team accessed a virtual machine interface enabling them to modify, power off, and/or delete critical virtual machines including domain controllers, file servers, and servers.
Command and Scripting Interpreter: Windows Command Shell
The CISA team modified the “Save as file” configuration, to use File Transfer Protocol (FTP) instead of Server Message Block (SMB) and changed the Server Name and Network Path to point to a CISA-controlled machine running Responder.
The CISA team used the hash to authenticate to the domain controller and validated Domain Administrator privileges, demonstrating compromise of the domain.
The CISA team used a tool called CrackMapExec to spray easily guessable passwords across all domain accounts, giving them two sets of valid credentials.
The CISA team assessed that with ACCOUNT 1, they could use it to modify, power off, and/or delete critical virtual machines, including domain controllers and file servers.
The U.S. Federal Bureau of Investigation (FBI), U.S. Cybersecurity & Infrastructure Security Agency (CISA), U.S. National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) assess Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard—are exploiting CVE-2023-42793 at a large scale, targeting servers hosting JetBrains TeamCity software since September 2023.
Software developers use TeamCity software to manage and automate software compilation, building, testing, and releasing. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes—access a malicious actor could further use to conduct supply chain operations. Although the SVR used such access to compromise SolarWinds and its customers in 2020, limited number and seemingly opportunistic types of victims currently identified, indicate that the SVR has not used the access afforded by the TeamCity CVE in a similar manner. The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.
To bring Russia’s actions to public attention, the authoring agencies are providing information on the SVR’s most recent compromise to aid organizations in conducting their own investigations and securing their networks, provide compromised entities with actionable indicators of compromise (IOCs), and empower private sector cybersecurity companies to better detect and counter the SVR’s malicious actions. The authoring agencies recommend all organizations with affected systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities using the IOCs provided in this CSA. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to the FBI and CISA.
Download the PDF version of this report:
THREAT OVERVIEW
SVR cyber operations pose a persistent threat to public and private organizations’ networks globally. Since 2013, cybersecurity companies and governments have reported on SVR operations targeting victim networks to steal confidential and proprietary information. A decade later, the authoring agencies can infer a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations.
A decade ago, public reports about SVR cyber activity focused largely on the SVR’s spear phishing operations, targeting government agencies, think tanks and policy analysis organizations, educational institutions, and political organizations. This category of targeting is consistent with the SVR’s responsibility to collect political intelligence, the collection of which has long been the SVR’s highest priority. For the Russian Government, political intelligence includes not only the development and execution of foreign policies, but also the development and execution of domestic policies and the political processes that drive them. In December 2016, the U.S. Government published a Joint Analysis Report titled “GRIZZLY STEPPE – Russian Malicious Cyber Activity,” which describes the SVR’s compromise of a U.S. political party leading up to a presidential election. The SVR’s use of spear phishing operations are visible today in its ongoing Diplomatic Orbiter campaign, primarily targeting diplomatic agencies. In 2023, SKW and CERT.PL published a Joint Analysis Report describing tools and techniques used by the SVR to target embassies in dozens of countries.
Less frequently, reporting on SVR cyber activity has addressed other aspects of the SVR’s foreign intelligence collection mission. In July 2020, U.S., U.K., and Canadian Governments jointly published an advisory revealing the SVR’s exploitation of CVEs to gain initial access to networks, and its deployment of custom malware known as WellMess, WellMail, and Sorefang to target organizations involved in COVID-19 vaccine development. Although not listed in the 2020 advisory did not mention it, the authoring agencies can now disclose that the SVR’s WellMess campaign also targeted energy companies. Such biomedical and energy targets are consistent with the SVR’s responsibility to support the Russian economy by pursuing two categories of foreign intelligence known as economic intelligence and science and technology.
In April 2021, the U.S. Government attributed a supply chain operation targeting the SolarWinds information technology company and its customers to the SVR. This attribution marked the discovery that the SVR had, since at least 2018, expanded the range of its cyber operations to include the widespread targeting of information technology companies. At least some of this targeting was aimed at enabling additional cyber operations. Following this attribution, the U.S. and U.K. Governments published advisories highlighting additional SVR TTPs, including its exploitation of various CVEs, the SVR’s use of “low and slow” password spraying techniques to gain initial access to some victims’ networks, exploitation of a zero-day exploit, and exploitation of Microsoft 365 cloud environments.
In this newly attributed operation targeting networks hosting TeamCity servers, the SVR demonstrably continues its practice of targeting technology companies. By choosing to exploit CVE-2023-42793, a software development program, the authoring agencies assess the SVR could benefit from access to victims, particularly by allowing the threat actors to compromise the networks of dozens of software developers. JetBrains issued a patch for this CVE in mid-September 2023, limiting the SVR’s operation to the exploitation of unpatched, Internet-reachable TeamCity servers. While the authoring agencies assess the SVR has not yet used its accesses to software developers to access customer networks and is likely still in the preparatory phase of its operation, having access to these companies’ networks presents the SVR with opportunities to enable hard-to- detect command and control (C2) infrastructure.
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. While SVR followed a similar playbook in each compromise, they also adjusted to each operating environment and not all presented steps or actions below were executed on every host.
Initial Access – Exploitation
The SVR started to exploit Internet-connected JetBrains TeamCity servers [T1190] in late September 2023 using CVE-2023-42793, which enables the insecure handling of specific paths allowing for bypassing authorization, resulting in arbitrary code execution on the server. The authoring agencies’ observations show that the TeamCity exploitation usually resulted in code execution [T1203] with high privileges [T1203] granting the SVR an advantageous foothold in the network environment. The authoring agencies are not currently aware of any other initial access vector to JetBrains TeamCity currently being exploited by the SVR.
Host Reconnaissance
Initial observations show the SVR used the following basic, built-in commands to perform host reconnaissance [T1033],[T1059.003],[T1592.002]:
whoami /priv
whoami /all
whoami /groups
whoami /domain
nltest -dclist
nltest -dsgetdc
tasklist
netstat
wmic /node:””“” /user:””“” /password:””“” process list brief
wmic /node:””“” process list brief
wmic process get commandline -all
wmic process get commandline
wmic process where name=””GoogleCrashHandler64.exe”” get commandline,processed
Additionally, the authoring agencies have observed the SVR exfiltrating files [T1041] which may provide insight into the host system’s operating system:
C:Windowssystem32ntoskrnl.exe [T1547] – to precisely identify system version, likely as a prerequisite to deploy EDRSandBlast.
SQL Server executable files – based on the review of the post exploitation actions, the SVR showed an interest in specific files of the SQL Server installed on the compromised systems:
Update management agent files – based on the review of the post exploitation actions, the SVR showed an interest in executables and configuration of patch management software:
SVR cyber actors also exfiltrated secforwarder.dll
Tactics Used to Avoid Detection
To avoid detection, the SVR used a “Bring Your Own Vulnerable Driver” [T1068] technique to disable or outright kill endpoint detection and response (EDR) and antivirus (AV) software. [T1562.001]
This was done using an open source project called “EDRSandBlast.” The authoring agencies have observed the SVR using EDRSandBlast to remove protected process light (PPL) protection, which is used for controlling and protecting running processes and protecting them from infection. The actors then inject code into AV/EDR processes for a small subset of victims [T1068]. Additionally, executables that are likely to be detected (i.e. Mimikatz) were executed in memory [T1003.001].
In several cases SVR attempted to hide their backdoors via:
Abusing a DLL hijacking vulnerability in Zabbix software by replacing a legitimate Zabbix DLL with their one containing GraphicalProton backdoor,
Backdooring an open source application developed by Microsoft named vcperf. SVR modified and copied publicly available sourcecode. After execution, backdoored vcperf dropped several DLLs to disc, one of those being a GraphicalProton backdoor,
Abusing a DLL hijacking vulnerability in Webroot antivirus software by replacing a legitimate DLL with one containing GraphicalProton backdoor.
To avoid detection by network monitoring, the SVR devised a covert C2 channel that used Microsoft OneDrive and Dropbox cloud services. To further enable obfuscation, data exchanged with malware via OneDrive and Dropbox were hidden inside randomly generated BMP files [T1564], illustrated below:
Privilege Escalation
To facilitate privilege escalation [T1098], the SVR used multiple techniques, including WinPEAS, NoLmHash registry key modification, and the Mimikatz tool.
The SVR modified the NoLMHash registry using the following reg command:
The SVR used the following Mimikatz commands [T1003]:
privilege::debug
lsadump::cache
lsadump::secrets
lsadump::sam
sekurlsa::logonpasswords
Persistence
The SVR relied on scheduled tasks [T1053.005] to secure persistent execution of backdoors. Depending on the privileges the SVR had, their executables were stored in one of following directories:
C:Windowstemp
C:WindowsSystem32
C:WindowsWinStore
The SVR made all modifications using the schtasks.exe binary. It then had multiple variants of arguments passed to schtasks.exe, which can be found in Appendix B – Indicators of Compromise.
To secure long-term access to the environment, the SVR used the Rubeus toolkit to craft Ticket Granting Tickets (TGTs) [T1558.001].
The SVR exfiltrated the following Windows Registry hives from its victims [T1003]:
HKLMSYSTEM
HKLMSAM
HKLMSECURITY
In order to exfiltrate Windows Registry, the SVR saved hives into files [T1003.002], packed them, and then exfiltrated them using a backdoor capability. it used “reg save” to save SYSTEM, SAM and SECURITY registry hives, and used powershell to stage .zip archives in the C:WindowsTemp directory.
In a few specific cases, the SVR used the SharpChromium tool to obtain sensitive browser data such as session cookies, browsing history, or saved logins.
SVR also used DSInternals open source tool to interact with Directory Services. DSInternals allows to obtain a sensitive Domain information.
Network Reconnaissance
After the SVR built a secure foothold and gained an awareness of a victim’s TeamCity server, it then focused on network reconnaissance [T1590.004]. The SVR performed network reconnaissance using a mix of built-in commands and additional tools, such as port scanner and PowerSploit, which it launched into memory [T1046]. The SVR executed the following PowerSploit commands:
In selected environments the SVR used an additional tool named, “rr.exe”—a modified open source reverse socks tunneler named Rsockstun—to establish a tunnel to the C2 infrastructure [T1572].
The authoring agencies are aware of the following infrastructure used in conjunction with “rr.exe”:
65.20.97[.]203:443
Poetpages[.]com:8443
The SVR executed Rsockstun either in memory or using the Windows Management Instrumentation Command Line (WMIC) [T1047] utility after dropping it to disk:
In the course of the TeamCity operation, the SVR used multiple custom and open source available tools and backdoors. The following custom tools were observed in use during the operation:
GraphicalProton is a simplistic backdoor that uses OneDrive, Dropbox, and randomly generated BMPs [T1027.001] to exchange data with the SVR operator.
After execution, GraphicalProton gathers environment information such as active TCP/UDP connections [T1049], running processes [T1049], as well as user, host, and domain names [T1590]. OneDrive is used as a primary communication channel while Dropbox is treated as a backup channel [T1567]. API keys are hardcoded into the malware. When communicating with cloud services, GraphicalProton generates a randomly named directory which is used to store infection-specific BMP files – with both commands and results [T1564.001]. Directory name is re-randomized each time the GraphicalProton process is started.
BMP files that were used to exchange data were generated in the following way:
Compress data using zlib,
Encrypt data using custom algorithm,
Add “***” string literal to encrypted data,
Create a random BMP with random rectangle,
And finally, encode encrypted data within lower pixel bits.
While the GraphicalProton backdoor has remained mostly unchanged over the months we have been tracking it, to avoid detection the adversary wrapped the tool in various different layers of obfuscation, encryption, encoders, and stagers. Two specific variants of GraphicalProton “packaging” are especially noteworthy – a variant that uses DLL hijacking [T1574.002] in Zabbix as a means to start execution (and potentially provide long-term, hard-to-detect access) and a variant that masks itself within vcperf [T1036], an open-source C++ build analysis tool from Microsoft.
GraphicalProton HTTPS variant – a variant of GraphicalProton backdoor recently introduced by the SVR that forgoes using cloud-based services as a C2 channel and instead relies on HTTP request. To legitimize the C2 channel, SVR used a re-registered expired domain set up with dummy WordPress website. Execution of HTTPS variant of GraphicalProton is split into two files – stager and encrypted binary file that contains further code.
MITRE ATT&CK TACTICS AND TECHNIQUES
See below tables for all referenced threat actor tactics and techniques in this advisory. For additional mitigations, see the Mitigations section.
SVR cyber actors use a variant that uses DLL hijacking in Zabbix as a means to start execution (and potentially provide long-term, hard-to-detect access) and a variant that masks itself within vcperf, an open-source C++ build analysis tool from Microsoft.
When communicating with cloud services, GraphicalProton generates a randomly named directory which is used to store infection-specific BMP files – with both commands and results.
In a few specific cases, the SVR used the SharpChromium tool to obtain sensitive browser data such as session cookies, browsing history, or saved logins.
SVR cyber actors use these built-in commands to perform host reconnaissance: whoami /priv, whoami / all, whoami / groups, whoami / domain to perform user discovery.
SVR cyber actors may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems.
In selected environments, the SVR used an additional tool named, “rr.exe”—a modified open source reverse socks tunneler named Rsockstunm—to establish a tunnel to the C2 infrastructure.
Table 11: SVR Cyber Actors ATT&CK Techniques for Enterprise: Exfiltration
SVR cyber actors may steal data by exfiltrating it over an existing C2 channel. Stolen data is encoded into normal communications using the same protocol as C2 communications.
SVR cyber actors use OneDrive and Dropbox to exfiltrate data to their C2 station.
INDICATORS OF COMPROMISE
Note: Please refer to Appendix B for a list of IOCs.
VICTIM TYPES
As a result of this latest SVR cyber activity, the FBI, CISA, NSA, SKW, CERT Polska, and NCSC have identified a few dozen compromised companies in the United States, Europe, Asia, and Australia, and are aware of over a hundred compromised devices though we assess this list does not represent the full set of compromised organizations. Generally, the victim types do not fit into any sort of pattern or trend, aside from having an unpatched, Internet-reachable JetBrains TeamCity server, leading to the assessment that SVR’s exploitation of these victims’ networks was opportunistic in nature and not necessarily a targeted attack. Identified victims included: an energy trade association; companies that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games; as well as hosting companies, tools manufacturers, and small and large IT companies.
DETECTION METHODS
The following rules can be used to detect activity linked to adversary activity. These rules should serve as examples and adapt to each organization’s environment and telemetry.
SIGMA Rules
title: Privilege information listing via whoami description: Detects whoami.exe execution and listing of privileges author: references: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami date: 2023/11/15 logsource: category: process_creation product: windows detection: selection: Image|endswith: - 'whoami.exe' CommandLine|contains: - 'priv' - 'PRIV' condition: selection falsepositives: legitimate use by system administrator
title: DC listing via nltest description: Detects nltest.exe execution and DC listing author: references: date: 2023/11/15 logsource: category: process_creation product: windows detection: selection: Image|endswith: - 'nltest.exe' CommandLine|re: '.*dclist:.*|.*DCLIST:.*|.*dsgetdc:.*|.*DSGETDC:.*' condition: selection falsepositives: legitimate use by system administrator
title: DLL execution via WMI description: Detects DLL execution via WMI author: references: date: 2023/11/15 logsource: category: process_creation product: windows detection: selection: Image|endswith: - 'WMIC.exe' CommandLine|contains|all: - 'call' - 'rundll32' condition: selection falsepositives: legitimate use by software or system administrator
title: Process with connect and pass as args description: Process with connect and pass as args author: references: date: 2023/11/15 logsource: category: process_creation product: windows detection: selection: CommandLine|contains|all: - 'pass' - 'connect' condition: selection falsepositives: legitimate use of rsockstun or software with exact same arguments
title: Service or Drive enumeration via powershell description: Service or Drive enumeration via powershell author: references: date: 2023/11/15 logsource: category: ps_script product: windows detection: selection_1: ScriptBlockText|contains|all: - 'Get-WmiObject' - '-Class' - 'Win32_Service' selection_2: ScriptBlockText|contains|all: - 'Get-WindowsDriver' - '-Online' - '-All' condition: selection_1 or selection_2 falsepositives: legitimate use by system administrator
title: Compressing files from temp to temp description: Compressing files from temp to temp used by SVR to prepare data to be exfiltrated references: author: date: 2023/11/15 logsource: category: ps_script product: windows detection: selection: ScriptBlockText|re: '.*Compress-Archive.*Path.*Windows\[Tt]{1}emp\[1-9]{1}.*DestinationPath.*Windows\[Tt]{1}emp\.*' condition: selection
title: DLL names used by SVR for GraphicalProton backdoor description: Hunts for known SVR-specific DLL names. references: author: date: 2023/11/15 logsource: category: image_load product: windows detection: selection: ImageLoaded|endswith: - 'AclNumsInvertHost.dll' - 'ModeBitmapNumericAnimate.dll' - 'UnregisterAncestorAppendAuto.dll' - 'DeregisterSeekUsers.dll' - 'ScrollbarHandleGet.dll' - 'PerformanceCaptionApi.dll' - 'WowIcmpRemoveReg.dll' - 'BlendMonitorStringBuild.dll' - 'HandleFrequencyAll.dll' - 'HardSwapColor.dll' - 'LengthInMemoryActivate.dll' - 'ParametersNamesPopup.dll' - 'ModeFolderSignMove.dll' - 'ChildPaletteConnected.dll' - 'AddressResourcesSpec.dll' condition: selection
title: Sensitive registry entries saved to file description: Sensitive registry entries saved to file author: references: date: 2023/11/15 logsource: category: process_creation product: windows detection: selection_base: Image|endswith: - 'reg.exe' CommandLine|contains: 'save' CommandLine|re: '.*HKLM\SYSTEM.*|.*HKLM\SECURITY.*|.*HKLM\SAM.*' selection_file: CommandLine|re: '.*sy.sa.*|.*sam.sa.*|.*se.sa.*' condition: selection_base and selection_file
The FBI, CISA, NSA, SKW, CERT Polska, and NCSC assess the scope and indiscriminate targeting of this campaign poses a threat to public safety and recommend organizations implement the mitigations below to improve organization’s cybersecurity posture. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Apply available patches for CVE-2023-42793 issued by JetBrains TeamCity in mid-September 2023, if not already completed.
Monitor the network for evidence of encoded commands and execution of network scanning tools.
Ensure host-based anti-virus/endpoint monitoring solutions are enabled and set to alert if monitoring or reporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of time.
Require use of multi-factor authentication [CPG 1.3] for all services to the extent possible, particularly for email, virtual private networks, and accounts that access critical systems.
Organizations should adopt multi-factor authentication (MFA) as an additional layer of security for all users with access to sensitive data. Enabling MFA significantly reduces the risk of unauthorized access, even if passwords are compromised.
Keep all operating systems, software, and firmware up to date. Immediately configure newly-added systems to the network, including those used for testing or development work, to follow the organization’s security baseline and incorporate into enterprise monitoring tools.
Audit log files to identify attempts to access privileged certificates and creation of fake identity providers.
Deploy software to identify suspicious behavior on systems.
Deploy endpoint protection systems with the ability to monitor for behavioral indicators of compromise.
Use available public resources to identify credential abuse with cloud environments.
Configure authentication mechanisms to confirm certain user activities on systems, including registering new devices.
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, FBI, CISA, NSA, SKW, CERT Polska, and NCSC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI, CISA, NSA, SKW, CERT Polska, and NCSC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see previous tables).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
FBI, CISA, NSA, SKW, CERT Polska, and NCSC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
APPENDIX A – INDICATORS OF COMPROMISE CVE-2023-42793
On a Windows system, the log file C:TeamCitylogsteamcity-server.log will contain a log message when an attacker modified the internal.properties file. There will also be a log message for every process created via the /app/rest/debug/processes endpoint. In addition to showing the command line used, the user ID of the user account whose authentication token was used during the attack is also shown. For example:
[2023-09-26 11:53:46,970] INFO - ntrollers.FileBrowseController - File edited: C:ProgramDataJetBrainsTeamCityconfiginternal.properties by user with id=1 [2023-09-26 11:53:46,970] INFO - s.buildServer.ACTIVITIES.AUDIT - server_file_change: File C:ProgramDataJetBrainsTeamCityconfiginternal.properties was modified by "user with id=1" [2023-09-26 11:53:58,227] INFO - tbrains.buildServer.ACTIVITIES - External process is launched by user user with id=1. Command line: cmd.exe "/c whoami"
An attacker may attempt to cover their tracks by wiping this log file. It does not appear that TeamCity logs individual HTTP requests, but if TeamCity is configured to sit behind a HTTP proxy, the HTTP proxy may have suitable logs showing the following target endpoints being accessed:
/app/rest/users/id:1/tokens/RPC2 – This endpoint is required to exploit the vulnerability.
/app/rest/users – This endpoint is only required if the attacker wishes to create an arbitrary user.
/app/rest/debug/processes – This endpoint is only required if the attacker wishes to create an arbitrary process.
WASHINGTON – Consistent with its September announcement, the Department of Homeland Security today published a Federal Register notice reiterating the extensions of the periods to re-register for Temporary Protected Status (TPS) under the existing designations of El Salvador, Haiti, Honduras, Nepal, Nicaragua, and Sudan. As previously announced, the re-registration period for each country is changing from 60 days to the full length of each country’s current TPS designation extension.
The 18-month re-registration period for current TPS beneficiaries under the designation of:
El Salvador is currently open and now runs through March 9, 2025;
Haiti is currently open and now runs through Aug. 3, 2024;
Honduras is currently open and runs through July 5, 2025;
Nepal is currently open and runs through June 24, 2025;
Nicaragua is currently open and runs through July 5, 2025; and
Sudan is currently open and now runs through April 19, 2025.
Extending re-registration allows current TPS beneficiaries to submit Form I-821, Application for Temporary Protected Status, at any time during the full extensions of the TPS designations of these six countries. They also may submit Form I-765, Application for Employment Authorization, to obtain an Employment Authorization Document, if desired, during the full extension period. This announcement does not change the previously announced extensions of the TPS designations for these six countries, and it does not change the eligibility requirements. This re-registration extension is solely for TPS beneficiaries who properly filed for TPS during a previous registration period.
Secretary of Homeland Security Alejandro N. Mayorkas previously announced on June 13, 2023, that he would rescind the previous administration’s terminations of TPS designations for El Salvador, Honduras, Nepal and Nicaragua and extend the TPS designations for these countries for 18 months. Re-registration periods under these TPS designations were initially set at 60 days; however, DHS reevaluated the length of the re-registration period due to the unique circumstances surrounding these designations. On Sept. 8, 2023, DHS announced the extension of the re-registration periods for these six TPS designations to the full length of the TPS designation extension.
Limiting the re-registration period to 60 days for these particular beneficiaries might place a burden on applicants who cannot timely file, but who otherwise would be eligible to re-register for TPS. In particular, ongoing litigation resulted in overlapping periods of TPS validity that were announced in several Federal Register notices, which may confuse some current beneficiaries. This notice allows beneficiaries of these countries who have not been required to re-register for TPS for the past few years due to litigation to re-register through the entire designation extension period.
The Federal Register notice does not change the previously announced extensions of the TPS designations for these six countries. It does not change the eligibility requirements or add any newly eligible beneficiaries. It simply extends the period when existing beneficiaries may re-register for their benefits.
The Russia-based actor is targeting organizations and individuals in the UK and other geographical areas of interest.
OVERVIEW
The Russia-based actor Star Blizzard (formerly known as SEABORGIUM, also known as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie) continues to successfully use spear-phishing attacks against targeted organizations and individuals in the UK, and other geographical areas of interest, for information-gathering activity.
The UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the US Cyber National Mission Force (CNMF), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ) assess that Star Blizzard is almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18.
Industry has previously published details of Star Blizzard. This advisory draws on that body of information.
This advisory raises awareness of the spear-phishing techniques Star Blizzard uses to target individuals and organizations. This activity is continuing through 2023.
Since 2019, Star Blizzard has targeted sectors including academia, defense, governmental organizations, NGOs, think tanks and politicians.
Targets in the UK and US appear to have been most affected by Star Blizzard activity, however activity has also been observed against targets in other NATO countries, and countries neighboring Russia.
During 2022, Star Blizzard activity appeared to expand further, to include defense-industrial targets, as well as US Department of Energy facilities.
OUTLINE OF THE ATTACKS
The activity is typical of spear-phishing campaigns, where an actor targets a specific individual or group using information known to be of interest to the targets. In a spear-phishing campaign, an actor perceives their target to have direct access to information of interest, be an access vector to another target, or both.
Research and Preparation
Using open-source resources to conduct reconnaissance, including social media and professional networking platforms, Star Blizzard identifies hooks to engage their target. They take the time to research their interests and identify their real-world social or professional contacts [T1589], [T1593].
Star Blizzard creates email accounts impersonating known contacts of their targets to help appear legitimate. They also create fake social media or networking profiles that impersonate respected experts [T1585.001] and have used supposed conference or event invitations as lures.
Star Blizzard uses webmail addresses from different providers, including Outlook, Gmail, Yahoo and Proton mail in their initial approach [T1585.002], impersonating known contacts of the target or well-known names in the target’s field of interest or sector.
To appear authentic, the actor also creates malicious domains resembling legitimate organizations [T1583.001].
Microsoft Threat Intelligence Center (MSTIC) provides a list of observed Indicators of Compromise (IOCs) in their SEABORGIUM blog, but this is not exhaustive.
Preference for Personal Email Addresses
Star Blizzard has predominantly sent spear-phishing emails to targets’ personal email addresses, although they have also used targets’ corporate or business email addresses. The actors may intentionally use personal emails to circumvent security controls in place on corporate networks.
Building a Rapport
Having taken the time to research their targets’ interests and contacts to create a believable approach, Star Blizzard now starts to build trust. They often begin by establishing benign contact on a topic they hope will engage their targets. There is often some correspondence between attacker and target, sometimes over an extended period, as the attacker builds rapport.
Delivery of Malicious Link
Once trust is established, the attacker uses typical phishing tradecraft and shares a link [T1566.002], apparently to a document or website of interest. This leads the target to an actor-controlled server, prompting the target to enter account credentials.
Star Blizzard uses the open-source framework EvilGinx in their spear- phishing activity, which allows them to harvest credentials and session cookies to successfully bypass the use of two-factor authentication [T1539], [T1550.004].
Exploitation and Further Activity
Whichever delivery method is used, once the target clicks on the malicious URL, they are directed to an actor-controlled server that mirrors the sign-in page for a legitimate service. Any credentials entered at this point are now compromised.
Star Blizzard then uses the stolen credentials to log in to a target’s email account [T1078], where they are known to access and steal emails and attachments from the victim’s inbox [T1114.002]. They have also set up mail- forwarding rules, giving them ongoing visibility of victim correspondence [T1114.003].
The actor has also used their access to a victim email account to access mailing–list data and a victim’s contacts list, which they then use for follow- on targeting. They have also used compromised email accounts for further phishing activity [T1586.002].
CONCLUSION
Spear-phishing is an established technique used by many actors, and Star Blizzard uses it successfully, evolving the technique to maintain their success.
Individuals and organizations from previously targeted sectors should be vigilant of the techniques described in this advisory.
Information on effective defense against spear-phishing is included in the Mitigations section below.
MITRE ATT&CK®
This report has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
Star Blizzard sends spear-phishing emails with malicious links directly to credential-stealing sites, or to documents hosted on a file-sharing site, which then direct victims to credential-stealing sites.
Star Blizzard interacts directly with externally facing Exchange services, Office 365 and Google Workspace to access email and steal information using compromised credentials or access tokens.
Star Blizzard abuses email- forwarding rules to monitor the activities of a victim, steal information, and maintain persistent access to victim’s emails, even after compromised credentials are reset.
MITIGATIONS
A number of mitigations will be useful in defending against the activity described in this advisory.
Use strong passwords. Use a separate password for email accounts and avoid password re-use across multiple services. See NCSC guidance: Top Tips for Staying Secure Online.
Protect your devices and networks by keeping them up to date: Use the latest supported versions, apply security updates promptly, use anti-virus and scan regularly to guard against known malware threats. See NCSC guidance: Device Security Guidance.
Exercise vigilance. Spear-phishing emails are tailored to avoid suspicion. You may recognize the sender’s name, but has the email come from an address that you recognize? Would you expect contact from this person’s webmail address rather than their corporate email address? Has the suspicious email come to your personal/webmail address rather than your corporate one? Can you verify that the email is legitimate via another means? See NCSC guidance: Phishing attacks: Defending Your Organization and Internet Crime Complaint Center(IC3) | Industry Alerts.
Disable mail-forwarding. Attackers have been observed to set up mail-forwarding rules to maintain visibility of target emails. If you cannot disable mail-forwarding, then monitor settings regularly to ensure that a forwarding rule has not been set up by an external malicious actor.
DISCLAIMER
This report draws on information derived from NCSC and industry sources. Any NCSC findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.
This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation.
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing a Cybersecurity Advisory (CSA) in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch (FCEB) agency. This vulnerability presents as an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations; however, they are no longer supported since they reached end of life. Exploitation of this CVE can result in arbitrary code execution. Following the FCEB agency’s investigation, analysis of network logs confirmed the compromise of at least two public-facing servers within the environment between June and July 2023.
This CSA provides network defenders with tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and methods to detect and protect against similar exploitation.
Download the PDF version of this report:
For a downloadable copy of IOCs, see:
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for tables mapped to the threat actors’ activity.
Overview
Adobe ColdFusion is a commercial application server used for rapid web-application development. ColdFusion supports proprietary markup languages for building web applications and integrates external components like databases and other third-party libraries. ColdFusion uses a proprietary language, ColdFusion Markup Language (CFML), for development but the application itself is built using JAVA.
In June 2023, through the exploitation of CVE-2023-26360, threat actors were able to establish an initial foothold on two agency systems in two separate instances. In both incidents, Microsoft Defender for Endpoint (MDE) alerted of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment. Both servers were running outdated versions of software which are vulnerable to various CVEs. Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion.
Analysis suggests that the malicious activity conducted by the threat actors was a reconnaissance effort to map the broader network. No evidence is available to confirm successful data exfiltration or lateral movement during either incident. Note: It is unknown if the same or different threat actors were behind each incident.
Incident 1
As early as June 26, 2023, threat actors obtained an initial foothold on a public-facing [T1190] web server running Adobe ColdFusion v2016.0.0.3 through exploitation of CVE-2023-26360. Threat actors successfully connected from malicious IP address 158.101.73[.]241. Disclaimer: CISA recommends organizations investigate or vet this IP address prior to taking action, such as blocking. This IP resolves to a public cloud service provider and possibly hosts a large volume of legitimate traffic.
The agency’s correlation of Internet Information Services (IIS) logs against open source[1] information indicates that the identified uniform resource identifier (URI) /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc was used to exploit CVE-2023-26360. The agency removed the asset from the network within 24 hours of the MDE alert.
Threat actors started process enumeration to obtain currently running processes on the web server and performed a network connectivity check, likely to confirm their connection was successful. Following additional enumeration efforts to obtain information about the web server and its operating system [T1082], the threat actors checked for the presence of ColdFusion version 2018 [T1518]—previous checks were also conducted against version 2016.
Threat actors were observed traversing the filesystem [T1083] and uploading various artifacts to the web server [T1105], to include deleting the file tat.cfm [T1070.004]. Note: This file was deleted prior to the victim locating it on the host for analysis. Its characteristics and functionality are unknown. In addition:
Certutil[2] was run against conf.txt [T1140] and decoded as a web shell (config.jsp) [T1505.003],[T1036.008]. Conf.txt was subsequently deleted, likely to evade detection. Note: Threat actors were only observed interacting with the config.jsp web shell from this point on.
HTTP POST requests [T1071.001] were made to config.cfm, an expected configuration file in a standard installation of ColdFusion [T1036.005]. Code review of config.cfm indicated malicious code—intended to execute on versions of ColdFusion 9 or less—was inserted with the intent to extract username, password, and data source uniform resource locators (URLs). According to analysis, this code insertion could be used in future malicious activity by the threat actors (e.g., by using the valid credentials that were compromised). This file also contained code used to upload additional files by the threat actors; however, the agency was unable to identify the source of their origin.
Threat actors attempted to run attrib.exe to hide the newly created config.jsp web shell [T1564.001]. Analysis of this phase found no indication of successful execution.
A small subset of events generated from various ColdFusion application logs identified that tat.cfm, config.jsp, and system.cfm failed to execute on the host due to syntax errors.
Threat actors created various files (see Table 1 below) in the C:IBM directory using the initialization process coldfusion.exe. None of these files were located on the server (possibly due to threat actor deletion) but are assessed as likely threat actor tools. Analysts assessed the C:IBM directory as a staging folder to support threat actors’ malicious operations.
Disclaimer: Organizations are encouraged to investigate the use of these files for related signs of compromise prior to performing remediation actions. Two artifacts are legitimate Microsoft files; threat actors were observed using these files following initial compromise for intended malicious purposes.
Table 1: Threat Actor Tools
File Name
Hash (SHA-1)
Description
eee.exe
b6818d2d5cbd902ce23461f24fc47e24937250e6
VirusTotal[3] flags this file as malicious. This was located in D:$RECYCLE.BIN.
The dynamic-link library (DLL) file msedge.dll attempted to execute via edge.exe but received an error.
Note: This file is part of the official Microsoft Edge browser and is a cookie exporter.
fscan.exe
be332b6e2e2ed9e1e57d8aafa0c00aa77d4b8656
Analysis confirmed at least three subnets were scanned using fscan.exe, which was launched from the C:IBM directory [T1046].
RC.exe
9126b8320d18a52b1315d5ada08e1c380d18806b
RCDLL.dll attempted to execute via RC.exe but received an error.
Note: This file is part of the official Windows operating system and is called Microsoft Resource Compiler.
Note: The malicious code found on the system during this incident contained code that, when executed, would attempt to decrypt passwords for ColdFusion data sources. The seed value included in the code is a known value for ColdFusion version 8 or older—where the seed value was hard-coded. A threat actor who has control over the database server can use the values to decrypt the data source passwords in ColdFusion version 8 or older. The victim’s servers were running a newer version at the time of compromise; thus, the malicious code failed to decrypt passwords using the default hard-coded seed value for the older versions.
Incident 2
As early as June 2, 2023, threat actors obtained an initial foothold on an additional public-facing web server running Adobe ColdFusion v2021.0.0.2 via malicious IP address 125.227.50[.]97 through exploitation of CVE-2023-26360. Threat actors further enumerated domain trusts to identify lateral movement opportunities [T1482] by using nltest commands. The threat actors also collected information about local [T1087.001] and domain [T1087.002] administrative user accounts while performing reconnaissance by using commands such as localgroup, net user, net user /domain, and ID. Host and network reconnaissance efforts were further conducted to discover network configuration, time logs, and query user information.
Threat actors were observed dropping the file d.txt—decoded as d.jsp—via POST command in addition to eight malicious artifacts (hiddenfield.jsp, hiddenfield_jsp.class, hiddenfield_jsp.java, Connection.jsp, Connection_jsp.class, Connection_jsp.java, d_jsp.class, and d_jsp.java/). According to open source information, d.jsp is a remote access trojan (RAT) that utilizes a JavaScript loader [T1059.007] to infect the device and requires communication with the actor-controlled server to perform actions.[4] The agency’s analysis identified the trojan as a modified version of a publicly available web shell code.[5] After maintaining persistence, threat actors periodically tested network connectivity by pinging Google’s domain name system (DNS) [T1016.001]. The threat actors conducted additional reconnaissance efforts via searching for the .jsp files that were uploaded.
Threat actors attempted to exfiltrate the (Registry) files sam.zip, sec.zip, blank.jsp, and cf-bootstrap.jar. Windows event logs identified the actors were not successful due to the malicious activity being detected and quarantined. An additional file (sys.zip) was created on the system; however, there were no indications of any attempt to exfiltrate it. Analysis identified these files resulted from executed save and compress data processes from the HKEY_LOCAL_MACHINE (HKLM) Registry key, as well as save security account manager (SAM) [T1003.002] information to .zip files. The SAM Registry file may allow for malicious actors to obtain usernames and reverse engineer passwords; however, no artifacts were available to confirm that the threat actors were successful in exfiltrating the SAM Registry hive.
Windows event logs show that a malicious file (1.dat) was detected and quarantined. Analysis determined this file was a local security authority subsystem service (LSASS) dump [T1003.001] file that contained user accounts—to include multiple disabled credentials—and Windows new technology LAN manager (NTLM) passwords. The accounts were found on multiple servers across the victim’s network and were not successfully used for lateral movement.
As efforts for reconnaissance continued, the threat actors changed their approach to using security tools that were present on the victim server. Esentutl.exe[6] was used to attempt this registry dump. Attempts to download data from the threat actors’ command and control (C2) server were also observed but blocked and logged by the victim server. Threat actors further attempted to access SYSVOL, which is used to deliver policy and logon scripts to domain members on an agency domain controller [T1484.001]. The attempt was unsuccessful. Had the attempt succeeded, the threat actors may have been able to change policies across compromised servers.[7]
Note: During this incident, analysis strongly suggests that the threat actors likely viewed the data contained in the ColdFusion seed.properties file via the web shell interface. The seed.properties file contains the seed value and encryption method used to encrypt passwords. The seed values can also be used to decrypt passwords. No malicious code was found on the victim system to indicate the threat actors attempted to decode any passwords using the values found in seed.properties file. Versions of ColdFusion 9 or greater use the seed.properties file, which contains unique seed values that can only be used on a single server.
MITRE ATT&CK TACTICS AND TECHNIQUES
See Tables 2-9 for all referenced threat actor tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
In correlation with open source information, analysis determined d.jsp is a RAT that utilizes a JavaScript loader to infect the device and requires communication with the actor-controlled server to perform actions.
Threat actors inserted malicious code with the intent to extract username, password, and data source URLs into config.cfm—an expected configuration file in a standard installation of ColdFusion.
Threat actors traversed and were able to search through folders on the victim’s web server filesystem. Additional reconnaissance efforts were conducted via searching for the .jsp files that were uploaded.
Threat actors were able to upload malicious artifacts to the victim web server.
MITIGATIONS
CISA recommends organizations implement the mitigations below to improve your organization’s cybersecurity posture based on threat actor activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
These mitigations apply to all critical infrastructure organizations and network defenders. CISA recommends that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices, limiting the impact of threat actor techniques and strengthening the security posture for their customers. For more information on secure by design, see CISA’s Secure by Design webpage.
Manage Vulnerabilities and Configurations
Upgrade all versions affected by this vulnerability. Keep all software up to date and prioritize patching according to CISA’s Known Exploited Vulnerabilities Catalog [1.E].
Prioritize remediation of vulnerabilities on internet-facing systems, for example, by conducting continuous automated and/or routine vulnerability scans.
Prioritize secure-by-default configurations such as eliminating default passwords, implementing single sign-on (SSO) technology via modern open standards. This also includes disabling default credentials.
Segment Networks
Employ proper network segmentation, such as a demilitarized zone (DMZ) [2.F]. The end goal of a DMZ network is to allow an organization to access untrusted networks, such as the internet, while ensuring its private network or local area network (LAN) remains secure. Organizations typically store external-facing services and resources—as well as servers used for DNS, file transfer protocol (FTP), mail, proxy, voice over internet protocol (VoIP)—and web servers in the DMZ.
Use a firewall or web-application firewall (WAF) and enable logging [2.G, 2.T] to prevent/detect potential exploitation attempts. Review ingress and egress firewall rules and block all unapproved protocols. Limit risky (but approved) protocols through rules.
Implement network segmentation to separate network segments based on role and functionality [2.E]. Proper network segmentation significantly reduces the ability for threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. See CISA’s Layering Network Security Through Segmentation infographic and the National Security Agency’s (NSA’s) Segment Networks and Deploy Application-Aware Defenses.
Deploy application-aware network defenses to block improperly formed traffic and restrict content, according to policy and legal authorizations. Traditional intrusion detection systems (IDS) based on known-bad signatures are quickly decreasing in effectiveness due to encryption and obfuscation techniques. Threat actors hide malicious actions and remove data over common protocols, making the need for sophisticated, application-aware defensive mechanisms critical for modern network defenses.
Application Control
Enforce signed software execution policies. Use a modern operating system that enforces signed software execution policies for scripts, executables, device drivers, and system firmware. Maintain a list of trusted certificates to prevent and detect the use and injection of illegitimate executables. Execution policies, when used in conjunction with a secure boot capability, can assure system integrity.
Application control should be used with signed software execution policies to provide greater control. Allowing unsigned software enables threat actors to gain a foothold and establish persistence through embedded malicious code. See NSA’s Enforce Signed Software Execution Policies.
Implement the principle of least privilege to decrease threat actors’ abilities to access key network resources.
Restrict file and directory permissions. Use file system access controls to protect folders such as C:WindowsSystem32.
Restrict NTLM authentication policy settings, including incoming NTLM traffic from client computers, other member servers, or a domain controller.[8]
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Tables 2-9).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
