Cybersecurity Updates

Cisco Updates

Click here for the latest information on cyber security by Cisco

Source: Threat Post

Telehealth Poll: How Risky Are Remote Doctor Visits?
Threatpost's latest poll probes telehealth security risks and asks for IT cures.

Windows 7 ‘Upgrade’ Emails Steal Outlook Credentials
Researchers warn of emails pretending to help business employees upgrade to Windows 10 - and then stealing their Outlook emails and passwords.

Mac, Linux Users Now Targeted by FinSpy Variants
FinSpy has returned in new campaigns targeting dissident organizations in Egypt - and researchers uncovered new samples of the spyware targeting macOS and Linux users.

Universal Health Services Ransomware Attack Impacts Hospitals Nationwide
The Ryuk ransomware is suspected to be the culprit.

Joker Trojans Flood the Android Ecosystem
September saw dozens of Joker malware variants hitting Google Play and third-party app stores.

Twitter Warns Developers of API Bug That Exposed App Keys, Tokens
Twitter has fixed a caching issue that could have exposed developers' API keys and tokens.

Bug Bounty FAQ: Top Questions, Expert Answers
Four leading voices in the bug bounty community answer frequently asked questions from bounty hunters, companies and curious cybersecurity professionals.

FortiGate VPN Default Config Allows MitM Attacks
The client's default configuration for SSL-VPN has a certificate issue, researchers said.

Industrial Cyberattacks Get Rarer but More Complex
The first half of 2020 saw decreases in attacks on most ICS sectors, but oil/gas firms and building automation saw upticks.

Ring’s Flying In-Home Camera Drone Escalates Privacy Worries
Privacy fears are blasting off after Amazon's Ring division unveiled the new Always Home Cam, a smart home security camera drone.

Source: Wired.com

A Ransomware Attack Has Struck a Major US Hospital Chain
“All computers are completely shut down,” one Universal Health Services employee told WIRED.

The Election Threats That Keep US Intelligence Up at Night
Government officials have increasingly sounded alarms on the risks of foreign interference and disinformation campaigns leading up to—and after—November 3.

The Android 11 Privacy and Security Features You Should Know
Many of the updates to Google’s mobile OS are behind the scenes—but they can help you control your app permissions and keep your data safe.

Windows XP Source Code Got Leaked All Over the Internet
Plus: A cruel phishing test, ransomware hits Russia, and more of the week's top security news.

The Best Chrome Extensions to Prevent Creepy Web Tracking
Ad trackers follow you everywhere online—but it doesn’t have to be that way.

Facebook Busts Russian Disinfo Networks as US Election Looms
The campaigns primarily targeted countries outside the US. But the same mechanisms could be used in “hack and leak” operations like those that roiled the 2016 campaign.

Inside the Twitter Hack—and What Happened Next
On July 15, a massive Twitter hack rocked the inside and out. On Election Day, that's not an option.

A Tip From a Kid Helped Uncover a Slew of Scam Apps
After a girl reported a suspicious TikTok profile, researchers detected aggressive adware in apps that had been downloaded 2.4 million times.

CryptoHarlem’s Founder Warns Against ‘Digital Stop and Frisk'
On Day 2 of WIRED’s virtual conference, hacker Matt Mitchell cautions that law enforcement routinely trawls social media to surveil protestors.

179 Arrested in Massive Global Dark Web Takedown
Operation Disruptor is an unprecedented international law enforcement effort, stemming from last year’s seizure of a popular underground bazaar called Wall Street Market.

Think Twice Before Using Facebook, Google, or Apple to Sign In Everywhere
So-called single sign-on options offer a lot of convenience. But they have downsides that a good old fashioned password manager doesn't.

The Cheating Scandal That Ripped the Poker World Apart
Mike Postle was on an epic winning streak at a California casino. Veronica Brill thought he had to be playing dirty. Let the chips fall where they may.

The iOS 14 Privacy and Security Features You Should Know
The latest update for your iPhone and iPad will make them safer than ever.

A Bluetooth Flaw Leaves Billions of Devices Vulnerable
Indictments against Iranian hackers, a Veterans Affairs data breach, and more of the week's top security news.

A Patient Dies After a Ransomware Attack Hits a Hospital
The outage resulted in a significant delay in treatment. German authorities are investigating the perpetrators on suspicion of negligent manslaughter.

Gen Z Has a Plan to Save the Election—Starting With the Polls
Poll workers, who skew elderly, are in short supply during the pandemic. Meet some of the young people trying to make up the gap.

Companies Can Track Your Phone’s Movements to Target Ads
Brands are seeking new ways to customize messages. A startup that gathers data on when you pick up your phone, or when you go out on a run, can help.

The Wayback Machine and Cloudflare Want to Backstop the Web
The Internet Archive and the infrastructure company are teaming up to make sure sites never fully go down.

Feds Charge Chinese Hackers With Ripping Off Video Game Loot From 9 Companies
A group known as Barium allegedly attacked hundreds of targets around the globe—and manipulated in-game goods and currency.

Stacey Abrams on How We’ll Beat Back Voter Suppression
The former Democratic candidate for Georgia governor talks democracy, election tech, and why speaking Klingon doesn’t always help. As told to Gilad Edelman.

Source: US-Cert

AA20-266A: LokiBot Malware
Original release date: September 22, 2020 | Last revised: September 23, 2020

Summary

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise frameworks for all referenced threat actor techniques.

This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions by the Multi-State Information Sharing & Analysis Center (MS-ISAC).

CISA has observed a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020. Throughout this period, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected persistent malicious LokiBot activity. LokiBot uses a credential- and information-stealing malware, often sent as a malicious attachment and known for being simple, yet effective, making it an attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases.

Technical Details

LokiBot—also known as Lokibot, Loki PWS, and Loki-bot—employs Trojan malware to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials.

The malware steals credentials through the use of a keylogger to monitor browser and desktop activity (Credentials from Password Stores [T1555]).
- (Credentials from Password Stores: Credentials from Web Browsers [T1555.003])
- (Input Capture: Keylogging [T1056.001])
LokiBot can also create a backdoor into infected systems to allow an attacker to install additional payloads (Event Triggered Execution: Accessibility Features [T1546.008]).
Malicious cyber actors typically use LokiBot to target Windows and Android operating systems and distribute the malware via email, malicious websites, text, and other private messages (User Execution: Malicious File [T1204.002]). See figure 1 for enterprise techniques used by LokiBot.

Figure 1: MITRE ATT&CK enterprise techniques used by LokiBot

Since LokiBot was first reported in 2015, cyber actors have used it across a range of targeted applications, including the following.

February 2020: Trend Micro identified cyber actors using LokiBot to impersonate a launcher for Fortnite—a popular video game.[1]
August 2019: FortiGuard SE researchers discovered a malspam campaign distributing LokiBot information-stealing payloads in spearphishing attack on a U.S. manufacturing company.[2]
August 2019: Trend Micro researchers reported LokiBot malware source code being hidden in image files spread as attachments in phishing emails.[3]
June 2019: Netskope uncovered LokiBot being distributed in a malspam campaign using ISO image file attachments.[4]
April 2019: Netskope uncovered a phishing campaign using malicious email attachments with LokiBot malware to create backdoors onto infected Windows systems and steal sensitive information.[5]
February 2018: Trend Micro discovered CVE-2017-11882 being exploited in an attack using Windows Installer service to deliver LokiBot malware.[6]
October 2017: SfyLabs identified cyber actors using LokiBot as an Android banking trojan that turns into ransomware.[7]
May 2017: Fortinet reported malicious actors using a PDF file to spread a new LokiBot variant capable of stealing credentials from more than 100 different software tools.[8]
March 2017: Check Point discovered LokiBot malware found pre-installed on Android devices.[9]
December 2016: Dr.Web researchers identified a new LokiBot variant targeting Android core libraries.[10]
February 2016: Researchers discovered the LokiBot Android Trojan infecting the core Android operating system processes.[11]

MITRE ATT&CK Techniques

According to MITRE, LokiBot uses the ATT&CK techniques listed in table 1.

Table 1: LokiBot ATT&CK techniques

Technique	Use
System Network Configuration Discovery [T1016]	LokiBot has the ability to discover the domain name of the infected host.
Obfuscated Files or Information [T1027]	LokiBot has obfuscated strings with base64 encoding.
Obfuscated Files or Information: Software Packing [T1027.002]	LokiBot has used several packing methods for obfuscation.
System Owner/User Discovery [T1033]	LokiBot has the ability to discover the username on the infected host.
Exfiltration Over C2 Channel [T1041]	LokiBot has the ability to initiate contact with command and control to exfiltrate stolen data.
Process Injection: Process Hollowing [T1055.012]	LokiBot has used process hollowing to inject into legitimate Windows process vbc.exe.
Input Capture: Keylogging [T1056.001]	LokiBot has the ability to capture input on the compromised host via keylogging.
Application Layer Protocol: Web Protocols [T1071.001]	LokiBot has used Hypertext Transfer Protocol for command and control.
System Information Discovery [T1082]	LokiBot has the ability to discover the computer name and Windows product name/version.
User Execution: Malicious File [T1204.002]	LokiBot has been executed through malicious documents contained in spearphishing emails.
Credentials from Password Stores [T1555]	LokiBot has stolen credentials from multiple applications and data sources including Windows operating system credentials, email clients, File Transfer Protocol, and Secure File Transfer Protocol clients.
Credentials from Password Stores: Credentials from Web Browsers [T1555.003]	LokiBot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and Chromium and Mozilla Firefox-based web browsers.
Hide Artifacts: Hidden Files and Directories [T1564.001]	LokiBot has the ability to copy itself to a hidden file and directory.

Detection

Signatures

CISA developed the following Snort signature for use in detecting network activity associated with LokiBot activity.

alert tcp any any -> any $HTTP_PORTS (msg:"Lokibot:HTTP URI POST contains '/*/fre.php' post-infection"; flow:established,to_server; flowbits:isnotset,.tagged; content:"/fre.php"; http_uri; fast_pattern:only; urilen:<50,norm; content:"POST"; nocase; http_method; pcre:"/\/(?:alien|loky\d|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|scroll\/NW|wrk|job|five\d?|donemy|animation\dkc|love|Masky|v\d|lifetn|Ben)\/fre\.php$/iU"; flowbits:set,.tagged;classtype:http-uri; metadata:service http; metadata:pattern HTTP-P001,)

Mitigations

CISA and MS-ISAC recommend that federal, state, local, tribal, territorial government, private sector users, and network administrators consider applying the following best practices to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes prior to implementation to avoid unwanted impacts.

Maintain up-to-date antivirus signatures and engines. See Protecting Against Malicious Code.
Keep operating system patches up to date. See Understanding Patches and Software Updates.
Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Enforce multi-factor authentication. See Supplementing Passwords for more information.
Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
Enforce a strong password policy. See Choosing and Protecting Passwords.
Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
Monitor users' web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
Scan all software downloaded from the internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate access control lists.
Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.

For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.

Resources

Center for Internet Security Security Event Primer – Malware: https://www.cisecurity.org/white-papers/security-event-primer-malware/
MITRE ATT&CK – LokiBot: https://attack.mitre.org/software/S0447/
MITRE ATT&CK for Enterprise: https://attack.mitre.org/matrices/enterprise/

References

Revisions

September 22, 2020: Initial Version
September 23, 2020: Added hyperlink to MS-ISAC

This product is provided subject to this Notification and this Privacy & Use policy.

AA20-259A: Iran-Based Threat Actor Exploits VPN Vulnerabilities
Original release date: September 15, 2020

Summary

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.

This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions from the Federal Bureau of Investigation (FBI). CISA and FBI are aware of an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. Analysis of the threat actor’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names, Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence.

This Advisory provides the threat actor’s TTPs, IOCs, and exploited CVEs to help administrators and network defenders identify a potential compromise of their network and protect their organization from future attacks.

Click here for a PDF version of this report.

Technical Details

CISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States. The threat actor conducts mass-scanning and uses tools, such as Nmap, to identify open ports. Once the open ports are identified, the threat actor exploits CVEs related to VPN infrastructure to gain initial access to a targeted network. CISA and the FBI have observed the threat actor exploiting multiple CVEs, including CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902.

After gaining initial access to a targeted network, the threat actor obtains administrator-level credentials and installs web shells allowing further entrenchment. After establishing a foothold, the threat actor’s goals appear to be maintaining persistence and exfiltrating data. This threat actor has been observed selling access to compromised network infrastructure in an online hacker forum. Industry reporting indicates that the threat actor operates as a contractor supporting Iranian government interests, but the malicious activity appears to also serve the threat actor’s own financial interests. The FBI notes this threat actor has the capability, and likely the intent, to deploy ransomware on victim networks.

CISA and FBI have observed this Iran-based threat actor relying on exploits of remote external services on internet-facing assets to gain initial access to victim networks. The threat actor also relies heavily on open-source and operating system (OS) tooling to conduct operations, such as ngrok; fast reverse proxy (FRP); Lightweight Directory Access Protocol (LDAP) directory browser; as well as web shells known as ChunkyTuna, Tiny, and China Chopper.

Table 1 illustrates some of the common tools this threat actor has used.

Table 1: Common exploit tools

Tool	Detail
ChunkyTuna web shell	ChunkyTuna allows for chunked transfer encoding hypertext transfer protocol (HTTP) that tunnels Transmission Control Protocol (TCP) streams over HTTP. The web shell allows for reverse connections to a server with the intent to exfiltrate data.
Tiny web shell	Tiny uses Hypertext Preprocessor (PHP) to create a backdoor. It has the capability to allow a threat actor remote access to the system and can also tunnel or route traffic.
China Chopper web shell	China Chopper is a web shell hosted on a web server and is mainly used for web application attacks; it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords.
FRPC	FRPC is a modified version of the open-source FRP tool. It allows a system—inside a router or firewall providing Network Address Translation—to provide network access to systems/operators located outside of the victim network. In this case, FRPC was used as reverse proxy, tunneling Remote Desktop Protocol (RDP) over Transport Layer Security (TLS), giving the threat actor primary persistence.
Chisel	Chisel is a fast TCP tunnel over HTTP and secured via Secure Shell (SSH). It is a single executable that includes both client and server. The tool is useful for passing through firewalls, but it can also be used to provide a secure form of communication to an endpoint on a victim network.
ngrok	ngrok is a tool used to expose a local port to the internet. Optionally, tunnels can be secured with TLS.
Nmap	Nmap is used for vulnerability scanning and network discovery.
Angry IP Scanner	Angry IP Scanner is a scanner that can ping a range of Internet Protocol (IP) addresses to check if they are active and can also resolve hostnames, scan ports, etc.
Drupwn	Drupwn is a Python-based tool used to scan for vulnerabilities and exploit CVEs in Drupal devices.

Notable means of detecting this threat actor:

CISA and the FBI note that this group makes significant use of ngrok, which may appear as TCP port 443 connections to external cloud-based infrastructure.
The threat actor uses FRPC over port 7557.
Malware Analysis Report MAR-10297887-1.v1 details some of the tools this threat actor used against some victims.

The following file paths can be used to detect Tiny web shell, ChunkyTuna web shell, or Chisel if a network has been compromised by this attacker exploiting CVE-2019-19781.

Tiny web shell

/netscaler/ns_gui/admin_ui/rdx/core/css/images/css.php /netscaler/ns_gui/vpn/images/vpn_ns_gui.php /var/vpn/themes/imgs/tiny.php

ChunkyTuna web shell

/var/vpn/themes/imgs/debug.php /var/vpn/themes/imgs/include.php /var/vpn/themes/imgs/whatfile

Chisel

/var/nstmp/chisel

MITRE ATT&CK Framework

Initial Access

As indicated in table 2, the threat actor primarily gained initial access by using the publicly available exploit for CVE-2019-19781. From there, the threat actor used the Citrix environment to establish a presence on an internal network server.

Table 2: Initial access techniques

ID	Technique/Sub-Technique	Context
T1190	Exploit Public-Facing Application	The threat actor primarily gained initial access by compromising a Citrix NetScaler remote access server using a publicly available exploit for CVE-2019-19781. The threat actor also exploited CVE-2019-11510, CVE-2019-11539, and CVE-2020-5902.

Execution

After gaining initial access, the threat actor began executing scripts, as shown in table 3.

Table 3: Execution techniques

ID	Technique/Sub-Technique	Context
T1059.001	Command and Scripting Interpreter: PowerShell	A PowerShell script (`keethief` and `kee.ps1`) was used to access KeePass data.
T1059.003	Command and Scripting Interpreter: Windows Command Shell	`cmd.exe` was launched via sticky keys that was likely used as a password changing mechanism.

Persistence

CISA observed the threat actor using the techniques identified in table 4 to establish persistence.

Table 4: Persistence techniques

ID	Technique/Sub-Technique	Context
T1053.003	Scheduled Task/Job: Cron	The threat actor loaded a series of scripts to `cron` and ran them for various purposes (mainly to access NetScaler web forms).
T1053.005	Scheduled Task/Job: Scheduled Task	The threat actor installed and used FRPC (`frpc.exe`) on both NetScaler and internal devices. The task was named `lpupdate` and the binary was named `svchost`, which was the reverse proxy. The threat actor executed this command daily.
T1505.003	Server Software Component: Web Shell	The threat actor used several web shells on existing web servers. Both NetScaler and web servers called out for ChunkyTuna.
T1546.008	Event Triggered Execution: Accessibility Features	The threat actor used sticky keys (`sethc.exe`) to launch `cmd.exe`.

Privilege Escalation

CISA observed no evidence of direct privilege escalation. The threat actor attained domain administrator credentials on the NetScaler device via exploit and continued to expand credential access on the network.

Defense Evasion

CISA observed the threat actor using the techniques identified in table 5 to evade detection.

Table 5: Defensive evasion techniques

ID	Technique/Sub-Technique	Context
T1027.002	Obfuscated Files or Information: Software Packing	The threat actor used base64 encoding for payloads on NetScaler during initial access, making the pre-compiled payloads easier to avoid detection.
T1027.004	Obfuscated Files or Information: Compile After Delivery	The threat actor used base64 encoding schemes on distributed (uncompiled) scripts and files to avoid detection.
T1036.004	Masquerading: Masquerade Task or Service	The threat actor used FRPC (`frpc.exe`) daily as reverse proxy, tunneling RDP over TLS. The FRPC (`frpc.exe`) task name was `lpupdate` and ran out of Input Method Editor (IME) directory. In other events, the threat actor has been observed hiding activity via ngrok.
T1036.005	Masquerading: Match Legitimate Name or Location	The FRPC (`frpc.exe`) binary name was `svchost`, and the configuration file was `dllhost.dll`, attempting to masquerade as a legitimate Dynamic Link Library.
T1070.004	Indicator Removal on Host: File Deletion	To minimize their footprint, the threat actor ran `./httpd-nscache_clean` every 30 minutes, which cleaned up files on the NetScaler device.

Credential Access

CISA observed the threat actor using the techniques identified in table 6 to further their credential access.

Table 6: Credential access techniques

ID	Technique/Sub-Technique	Context
T1003.001	OS Credential Dumping: LSASS Memory	The threat actor used `procdump` to dump process memory from the Local Security Authority Subsystem Service (LSASS).
T1003.003	OS Credential Dumping: Windows NT Directory Services (NTDS)	The threat actor used Volume Shadow Copy to access credential information from the NTDS file.
T1552.001	Unsecured Credentials: Credentials in Files	The threat actor accessed files containing valid credentials.
T1555	Credentials from Password Stores	The threat actor accessed a `KeePass` database multiple times and used `kee.ps1` PowerShell script.
T1558	Steal or Forge Kerberos Tickets	The threat actor conducted a directory traversal attack by creating files and exfiltrating a Kerberos ticket on a NetScaler device. The threat actor was then able to gain access to a domain account.

Discovery

CISA observed the threat actor using the techniques identified in table 7 to learn more about the victim environments.

Table 7: Discovery techniques

ID	Technique/Sub-Technique	Context
T1018	Remote System Discovery	The threat actor used Angry IP Scanner to detect remote systems.
T1083	File and Directory Discovery	The threat actor used WizTree to obtain network files and directory listings.
T1087	Account Discovery	The threat actor accessed `ntuser.dat` and `UserClass.dat` and used Softerra LDAP Browser to browse documentation for service accounts.
T1217	Browser Bookmark Discovery	The threat actor used Google Chrome bookmarks to find internal resources and assets.

Lateral Movement

CISA also observed the threat actor using open-source tools such as Plink and TightVNC for lateral movement. CISA observed the threat actor using the techniques identified in table 8 for lateral movement within the victim environment.

Table 8: Lateral movement techniques

ID	Technique/Sub-Technique	Context
T1021	Remote Services	The threat actor used RDP with valid account credentials for lateral movement in the environment.
T1021.001	Remote Services: Remote Desktop Protocol	The threat actor used RDP to log in and then conduct lateral movement.
T1021.002	Remote Services: SMB/Windows Admin Shares	The threat actor used PsExec. and PSEXECSVC pervasively on several hosts. The threat actor was also observed using a valid account to access SMB shares.
T1021.004	Remote Services: SSH	The threat actor used Plink and PuTTY for lateral movement. Artifacts of Plink were used for encrypted sessions in the system registry hive.
T1021.005	Remote Services: Virtual Network Computing (VNC)	The threat actor installed TightVNC server and client pervasively on compromised servers and endpoints in the network environment as lateral movement tool.
T1563.002	Remote Service Session Hijacking: RDP Hijacking	The threat actor likely hijacked a legitimate RDP session to move laterally within the network environment.

Collection

CISA observed the threat actor using the techniques identified in table 9 for collection within the victim environment.

Table 9: Collection techniques

ID	Technique/Sub-Technique	Context
T1005	Data from Local System	The threat actor searched local system sources to accessed sensitive documents.
T1039	Data from Network Shared Drive	The threat actor searched network shares to access sensitive documents.
T1213	Data from Information Repositories	The threat actor accessed victim security/IT monitoring environments, Microsoft Teams, etc., to mine valuable information.
T1530	Data from Cloud Storage Object	The threat actor obtained files from the victim cloud storage instances.
T1560.001	Archive Collected Data: Archive via Utility	The threat actor used 7-Zip to archive data.

Command and Control

CISA observed the threat actor using the techniques identified in table 10 for command and control (C2).

Table 10: Command and control techniques

ID	Technique/Sub-Technique	Context
T1071.001	Application Layer Protocol: Web Protocols	The threat actor used various web mechanisms and protocols, including the web shells listed in table 1.
T1105	Ingress Tool Transfer	The threat actor downloaded tools such as PsExec directly to endpoints and downloaded web shells and scripts to NetScaler in base64-encoded schemes.
T1572	Protocol Tunneling	The threat actor used `FRPC.exe` to tunnel RDP over port 443. The threat actor has also been observed using ngrok for tunneling.

Exfiltration

CISA currently has no evidence of data exfiltration from this threat actor but assesses that it was likely due to the use of 7-Zip and viewing of sensitive documents.

Mitigations

Recommendations

CISA and FBI recommend implementing the following recommendations.

If your organization has not patched for the Citrix CVE-2019-19781 vulnerability, and a compromise is suspected, follow the recommendations in CISA Alert AA20-031A.
This threat actor has been observed targeting other CVEs mentioned in this report; follow the recommendations in the CISA resources provided below.
If using Windows Active Directory and compromise is suspected, conduct remediation of the compromised Windows Active Directory forest.
- If compromised, rebuild/reimage compromised NetScaler devices.
Routinely audit configuration and patch management programs.
Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).
Implement multi-factor authentication, especially for privileged accounts.
Use separate administrative accounts on separate administration workstations.
Implement the principle of least privilege on data access.
Secure RDP and other remote access solutions using multifactor authentication and “jump boxes” for access.
Deploy endpoint defense tools on all endpoints; ensure they work and are up to date.
Keep software up to date.

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at central@cisa.dhs.gov.

Resources

CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781
CISA Alert AA20-073A: Enterprise VPN Security
CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching
CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902
CISA Security Tip: Securing Network Infrastructure Devices

Revisions

September 15, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

AA20-258A: Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity
Original release date: September 14, 2020

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. Government agencies. CISA has observed these—and other threat actors with varying degrees of skill—routinely using open-source information to plan and execute cyber operations. CISA leveraged the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) and Pre-ATT&CK frameworks to characterize the TTPs used by Chinese MSS-affiliated actors. This product was written by CISA with contributions by the Federal Bureau of Investigation (FBI).

Key Takeaways

Chinese MSS-affiliated cyber threat actors use open-source information to plan and conduct cyber operations.
Chinese MSS-affiliated cyber threat actors use readily available exploits and exploit toolkits to quickly engage target networks.
Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks.
If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.
This Advisory identifies some of the more common—yet most effective—TTPs employed by cyber threat actors, including Chinese MSS-affiliated cyber threat actors.

Click here for a PDF version of this report.

Technical Details

Through the operation of the National Cybersecurity Protection System (NCPS) and by fulfilling its mission as the national risk advisor, CISA has observed Chinese MSS-affiliated cyber threat actors operating from the People’s Republic of China using commercially available information sources and open-source exploitation tools to target U.S. Government agency networks.

According to a recent U.S. Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries—including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense—in a campaign that lasted over ten years.[1] These hackers acted for both their own personal gain and the benefit of the Chinese MSS.[2]

According to the indictment,

To conceal the theft of information from victim networks and otherwise evade detection, the defendants typically packaged victim data in encrypted Roshal Archive Compressed files (RAR files), changed RAR file and victim documents’ names and extensions (e.g., from “.rar” to “.jpg”) and system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks’ “recycle bins.” The defendants frequently returned to re-victimize companies, government entities, and organizations from which they had previously stolen data, in some cases years after the initial successful data theft. In several instances, however, the defendants were unsuccessful in this regard, due to the efforts of the FBI and network defenders.

The continued use of open-source tools by Chinese MSS-affiliated cyber threat actors highlights that adversaries can use relatively low-complexity capabilities to identify and exploit target networks. In most cases, cyber operations are successful because misconfigurations and immature patch management programs allow actors to plan and execute attacks using existing vulnerabilities and known exploits. Widespread implementation of robust configuration and patch management programs would greatly increase network security. It would also reduce the speed and frequency of opportunistic attacks by forcing threat actors to dedicate time and funding to research unknown vulnerabilities and develop custom exploitation tools.

MITRE PRE-ATT&CK® Framework for Analysis

In the last 12 months, CISA analysts have routinely observed Chinese MSS-affiliated actors using the following PRE-ATT&CK® Framework TTPs.

Target Selection and Technical Information Gathering

Target Selection [TA0014] is a critical part of cyber operations. While cyber threat actors’ motivations and intents are often unknown, they often make their selections based on the target network’s security posture. Threat actors can use information sources such as Shodan, the Common Vulnerabilities and Exposure (CVE) database, and the National Vulnerabilities Database (NVD).[3][4][5]

Shodan is an internet search engine that can be used to identify vulnerable devices connected to the internet. Shodan queries can also be customized to discover specific vulnerabilities on devices, which enables sophisticated cyber threat actors to use relatively unsophisticated techniques to execute opportunistic attacks on susceptible targets.
The CVE database and the NVD contain detailed information about vulnerabilities in applications, appliances, and operating systems that can be exploited by cyber threat actors if they remain unpatched. These sources also provide risk assessments if any of the recorded vulnerabilities are successfully exploited.

These information sources have legitimate uses for network defense. CISA analysts are able to identify Federal Government systems that may be susceptible to exploitation attempts by using Shodan, the CVE database, and the NVD to enrich NCPS information. Unlike threat actors, CISA takes the necessary actions to notify network owners of their exposure in order to prevent an impending intrusion or quickly identify intrusions as they occur.

While using these data sources, CISA analysts have observed a correlation between the public release of a vulnerability and targeted scanning of systems identified as being vulnerable. This correlation suggests that cyber threat actors also rely on Shodan, the CVE database, the NVD, and other open-source information to identify targets of opportunity and plan cyber operations. Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits. These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.

CISA has observed Chinese MSS-affiliated actors using the techniques in table 1 to gather technical information to enable cyber operations against Federal Government networks (Technical Information Gathering [TA0015]).

Table 1: Technical information gathering techniques observed by CISA

MITRE ID	Name	Observation
T1245	Determine Approach/Attack Vector	The threat actors narrowed the attack vectors to relatively recent vulnerability disclosures with open-source exploits.
T1247	Acquire Open Source Intelligence (OSINT) Data Sets and Information	CISA observed activity from network proxy service Internet Protocol (IP) addresses to three Federal Government webpages. This activity appeared to enable information gathering activities.
T1254	Conduct Active Scanning	CISA analysts reviewed the network activity of known threat actor IP addresses and found evidence of reconnaissance activity involving virtual security devices.

Technical Weakness Identification

CISA analysts consistently observe targeting, scanning, and probing of significant vulnerabilities within days of their emergence and disclosure. This targeting, scanning, and probing frequently leads to compromises at the hands of sophisticated cyber threat actors. In some cases, cyber threat actors have used the same vulnerabilities to compromise multiple organizations across many sectors. Organizations do not appear to be mitigating known vulnerabilities as quickly as cyber threat actors are exploiting them. CISA recently released an alert that highlighted the top 10 vulnerabilities routinely exploited by sophisticated foreign cyber threat actors from 2016 to 2019.[6]

Additionally, table 2 provides a list of notable compromises by Chinese MSS-affiliated actors within the past 12 months.

Table 2: Significant CVEs targeted by Chinese MSS-affiliated actors in the last 12 months

Vulnerability	Observations
CVE-2020-5902: F5 Big-IP Vulnerability	CISA has conducted incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2020-5902. This is a vulnerability in F5’s Big-IP Traffic Management User Interface that allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code.[7]
CVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances	CISA has observed the threat actors attempting to discover vulnerable Citrix VPN Appliances. CVE-2019-19781 enabled the actors to execute directory traversal attacks.[8]
CVE-2019-11510: Pulse Secure VPN Servers	CISA has conducted multiple incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2019-11510—an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances—to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.[9]
CVE-2020-0688: Microsoft Exchange Server	CISA has observed the actors exploiting CVE-2020-0688 for remote code execution to enable email collection of targeted networks.

Additionally, CISA has observed Chinese MSS-affiliated actors using the techniques listed in table 3 to identify technical weaknesses in Federal Government networks (Technical Weakness Identification [TA0018]).

Table 3: Technical weakness identification techniques observed by CISA

MITRE ID	Name	Observation
T1288	Analyze Architecture and Configuration Posture	CISA observed the cyber actors scanning a Federal Government agency for vulnerable web servers. CISA also observed the threat actors scanning for known vulnerable network appliance CVE-2019-11510.
T1291	Research Relevant Vulnerabilities	CISA has observed the threat actors scanning and reconnaissance of Federal Government internet-facing systems shortly after the disclosure of significant CVEs.

Build Capabilities

CISA analysts have observed cyber threat actors using command and control (C2) infrastructure as part of their cyber operations. These observations also provide evidence that threat actors can build and maintain relatively low-complexity capabilities, such as C2, to enable cyber operations against Federal Government networks (Build Capabilities [TA0024]). CISA has observed Chinese MSS-affiliated actors using the build capabilities summarized in table 4.

Table 4: Build capabilities observed by CISA

MITRE ID	Name	Observation
T1352	C2 Protocol Development	CISA observed beaconing from a Federal Government entity to the threat actors’ C2 server.
T1328	Buy Domain Name	CISA has observed the use of domains purchased by the threat actors.
T1329	Acquire and / or use of 3rd Party Infrastructure	CISA has observed the threat actors using virtual private servers to conduct cyber operations.
T1346	Obtain/Re-use Payloads	CISA has observed the threat actors use and reuse existing capabilities.
T1349	Build or Acquire Exploit	CISA has observed the threat actors using a variety of open-source and publicly available exploits and exploit code to compromise Federal Government networks.

MITRE ATT&CK Framework for Analysis

CISA has observed sophisticated cyber threat actors, including Chinese MSS-affiliated actors, using commercial and open-source tools to conduct their operations. For example, threat actors often leverage internet software repositories such as GitHub and Exploit-DB.[10][11] Both repositories are commonly used for legitimate development and penetration testing and developing open-source code, but cyber threat actors can also use them to find code to enable nefarious actions.

During incident response activities, CISA frequently observed Chinese government-affiliated actors using the open-source tools outlined in table 5.

Table 5: Common exploit tools CISA observed used by Chinese MSS-affiliated actors

Tool	Observations
Cobalt Strike	CISA has observed the threat actors using Cobalt Strike to target commercial and Federal Government networks. Cobalt Strike is a commercial penetration testing tool used to conduct red team operations. It contains a number of tools that complement the cyber threat actor’s exploitation efforts, such as a keystroke logger, file injection capability, and network services scanners. CISA observed connections from a Federal Government agency to multiple IP addresses possibly hosting Cobalt Strike team servers.
China Chopper Web Shell	CISA has observed the actors successfully deploying China Chopper against organizations’ networks. This open-source tool can be downloaded from internet software repositories such GitHub and Exploit-DB. China Chopper is a web shell hosted on a web server. It is mainly used for web application attacks, and it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords.
Mimikatz	CISA has observed the actors using Mimikatz during their operations. This open-source tool is used to capture account credentials and perform privilege escalation with pass-the-hash attacks that allow an attacker to pass captured password hashes and authenticate to network devices.[12]

The following sections list the ATT&CK Framework TTPs routinely employed by Chinese government-affiliated actors to conduct cyber operations as observed by CISA analysts.

Initial Access

In the last 12 months, CISA has observed Chinese MSS-affiliated actors use spearphishing emails with embedded links to actor-owned infrastructure and, in some cases, compromise or poison legitimate sites to enable cyber operations.

CISA has observed the threat actors using the Initial Access [TA0001] techniques identified in table 6.

Table 6: Initial access techniques observed by CISA

MITRE ID	Name	Observation
T1204.001	User Execution: Malicious Link	CISA has observed indications that users have clicked malicious links embedded in spearphishing emails that the threat actors sent
T1566.002	Phishing: Spearphishing Link	CISA analyzed network activity of a Federal Government entity and concluded that the threat actors sent a malicious email weaponized with links.
T1190	Exploit Public-Facing Application	CISA has observed the actors leveraging CVE-2019-19781 to compromise Citrix Application Delivery Controllers.

Cyber threat actors can continue to successfully launch these types of low-complexity attacks—as long as misconfigurations in operational environments and immature patch management programs remain in place—by taking advantage of common vulnerabilities and using readily available exploits and information.

Execution

CISA analysts continue to observe beaconing activity indicative of compromise or ongoing access to Federal Government networks. This beaconing is a result of cyber threat actors successfully completing cyber operations that are often designed around emergent vulnerabilities and reliant on existing exploitation tools, as mentioned in this document.

CISA has observed Chinese MSS-affiliated actors using the Execution [TA0002] technique identified in table 7.

Table 7: Execution technique observed by CISA

MITRE ID	Name	Observation
T1072	Software Deployment Tools	CISA observed activity from a Federal Government IP address beaconing out to the threat actors’ C2 server, which is usually an indication of compromise.

Credential Access

Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks. While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals. Further, a threat actor does not require a high degree of competence or sophistication to successfully carry out this kind of opportunistic attack.

CISA has observed Chinese MSS-affiliated actors using the Credential Access [TA0006] techniques highlighted in table 8.

Table 8: Credential access techniques observed by CISA

MITRE ID	Name	Observation
T1003.001	Operating System (OS) Credential Dumping: Local Security Authority Subsystem Service (LSASS) Memory	CISA observed the threat actors using Mimikatz in conjunction with coin miner protocols and software. The actors used Mimikatz to dump credentials from the OS using a variety of capabilities resident within the tool.
T1110.004	Brute Force: Credential Stuffing	CISA observed what was likely a brute-force attack of a Remote Desktop Protocol on a public-facing server.

Discovery

As with any cyber operation, cyber threat actors must be able to confirm that their target is online and vulnerable—there are a multitude of open-source scanning and reconnaissance tools available to them to use for this purpose. CISA consistently observes scanning activity across federal agencies that is indicative of discovery techniques. CISA has observed Chinese MSS-affiliated actors scanning Federal Government traffic using the discovery technique highlighted in table 9 (Discovery [TA0007]).

Table 9: Discovery technique observed by CISA

MITRE ID	Name	Observation
T1046	Network Service Scanning	CISA has observed suspicious network scanning activity for various ports at Federal Government entities.

Collection

Within weeks of public disclosure of CVE-2020-0688, CISA analysts identified traffic that was indicative of Chinese MSS-affiliated threat actors attempting to exploit this vulnerability using the Collection [TA0009] technique listed in table 10.

Table 10: Collection technique observed by CISA

MITRE ID	Name	Observation
T1114	Email Collection	CISA observed the actors targeting CVE-2020-0688 to collect emails from the exchange servers found in Federal Government environments.

Command and Control

CISA analysts often observe cyber threat actors using external proxy tools or hop points to enable their cyber operations while remaining anonymous. These proxy tools may be commercially available infrastructure as a service (IaaS) or software as a service (SaaS) in the form of a web browser promising anonymity on the internet. For example, “The Onion Router” (Tor) is often used by cyber threat actors for anonymity and C2. Actor’s carefully choose proxy tools depending on their intended use. These techniques are relatively low in complexity and enabled by commercially available tools, yet they are highly effective and often reliant upon existing vulnerabilities and readily available exploits.

CISA has observed Chinese MSS-affiliated actors using the Command and Control [TA0011] techniques listed in table 11.

Table 11: Command and control techniques observed by CISA

MITRE ID	Name	Observation
T1090.002	Proxy: External Proxy	CISA observed activity from a network proxy tool to 221 unique Federal Government agency IP addresses.
T1090.003	Proxy: Multi-hop Proxy	CISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems.
T1573.002	Encrypted Channel: Asymmetric Cryptography	CISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems.

Mitigations

CISA asserts with high confidence that sophisticated cyber threat actors will continue to use open-source resources and tools to target networks with a low security posture. When sophisticated cyber threat actors conduct operations against soft targets, it can negatively impact critical infrastructure, federal, and state, local, tribal, territorial government networks, possibly resulting in loss of critical data or personally identifiable information.

CISA and the FBI recommend that organizations place an increased priority on patching the vulnerabilities routinely exploited by MSS-affiliated cyber actors. See table 12 for patch information on the CVEs mentioned in this report. For more information on vulnerabilities routinely exploited by sophisticated cyber actors, see CISA Alert: Top 10 Routinely Exploited Vulnerabilities.

Table 12: Patch Information for Vulnerabilities Routinely Exploited by MSS-affiliated Cyber Actors

Vulnerability	Vulnerable Products	Patch Information
CVE-2020-5902	Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)	F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902
CVE-2019-19781	Citrix Application Delivery Controller Citrix Gateway Citrix SDWAN WANOP	Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3 Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0 Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5
CVE-2019-11510	Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15 Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15	Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX
CVE-2020-0688	Microsoft Exchange Servers	Microsoft Security Advisory: CVE-2020-0688: Microsoft Exchange Validation Key Remote Code Execution Vulnerability

CISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect organizations’ resources and information systems.

Contact Information

References

Revisions

September 14, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity
Original release date: September 1, 2020 | Last revised: September 24, 2020

Summary

This joint advisory is the result of a collaborative research effort by the cybersecurity authorities of five nations: Australia,[1] Canada,[2] New Zealand,[3][4] the United Kingdom,[5] and the United States.[6] It highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices. The purpose of this report is to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.

Key Takeaways

When addressing potential incidents and applying best practice incident response procedures:

First, collect and remove for further analysis:
- Relevant artifacts,
- Logs, and
- Data.
Next, implement mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered.
Finally, consider soliciting incident response support from a third-party IT security organization to:
- Provide subject matter expertise and technical support to the incident response,
- Ensure that the actor is eradicated from the network, and
- Avoid residual issues that could result in follow-up compromises once the incident is closed.

Click here for a PDF version of this report.

Technical Details

The incident response process requires a variety of technical approaches to uncover malicious activity. Incident responders should consider the following activities.

Indicators of Compromise (IOC) Search – Collect known-bad indicators of compromise from a broad variety of sources, and search for those indicators in network and host artifacts. Assess results for further indications of malicious activity to eliminate false positives.
Frequency Analysis – Leverage large datasets to calculate normal traffic patterns in both network and host systems. Use these predictive algorithms to identify activity that is inconsistent with normal patterns. Variables often considered include timing, source location, destination location, port utilization, protocol adherence, file location, integrity via hash, file size, naming convention, and other attributes.
Pattern Analysis – Analyze data to identify repeating patterns that are indicative of either automated mechanisms (e.g., malware, scripts) or routine human threat actor activity. Filter out the data containing normal activity and evaluate the remaining data to identify suspicious or malicious activity.
Anomaly Detection – Conduct an analyst review (based on the team’s knowledge of, and experience with, system administration) of collected artifacts to identify errors. Review unique values for various datasets and research associated data, where appropriate, to find anomalous activity that could be indicative of threat actor activity.

Recommended Artifact and Information Collection

When hunting and/or investigating a network, it is important to review a broad variety of artifacts to identify any suspicious activity that may be related to the incident. Consider collecting and reviewing the following artifacts throughout the investigation.

Host-Based Artifacts

Running Processes
Running Services
Parent-Child Process Trees
Integrity Hash of Background Executables
Installed Applications
Local and Domain Users
Unusual Authentications
Non-Standard Formatted Usernames
Listening Ports and Associated Services
Domain Name System (DNS) Resolution Settings and Static Routes
Established and Recent Network Connections
Run Key and other AutoRun Persistence
Scheduled Tasks
Artifacts of Execution (Prefetch and Shimcache)
Event logs
Anti-virus detections

Information to Review for Host Analysis

Identify any process that is not signed and is connecting to the internet looking for beaconing or significant data transfers.
Collect all PowerShell command line requests looking for Base64-encoded commands to help identify malicious fileless attacks.
Look for excessive .RAR, 7zip, or WinZip processes, especially with suspicious file names, to help discover exfiltration staging (suspicious file names include naming conventions such as, 1.zip, 2.zip, etc.).
Collect all user logins and look for outlier behavior, such as a time of login that is out of the ordinary for the user or a login from an Internet Protocol (IP) address not normally used by the user.
On Linux/Unix operating systems (OSs) and services, collect all cron and systemd /etc/passwd files looking for unusual accounts and log files, such as accounts that appear to be system / proc users but have an interactive shell such as /bin/bash rather than /bin/false/nologin
On Microsoft OSs, collect Scheduled Tasks, Group Policy Objects (GPO), and Windows Management Instrumentation (WMI) database storage on hosts of interest looking for malicious persistence.
Use the Microsoft Windows Sysinternals Autoruns tool, which allows IT security practitioners to view—and, if needed, easily disable—most programs that automatically load onto the system.
Check the Windows registry and Volume Shadow Copy Service for evidence of intrusion.
Consider blocking script files like .js, .vbs, .zip, .7z, .sfx and even Microsoft Office documents or PDFs.
Collect any scripts or binary ELF files from /dev/shm/tmp and /var/tmp.
Kernel modules listed (lsmod) for signs of a rootkit; dmesg command output can show signs of rootkit loading and device attachment amongst other things.
Archive contents of /var/log for all hosts.
Archive output from journald. These logs are pretty much the same as /var/log; however, they provide some integrity checking and are not as easy to modify. This will eventually replace the /var/log contents for some aspects of the system. Check for additional Secure Shell (SSH) keys added to user’s authorized_keys.

Network-Based Artifacts

Anomalous DNS traffic and activity, unexpected DNS resolution servers, unauthorized DNS zone transfers, data exfiltration through DNS, and changes to host files
Remote Desktop Protocol (RDP), virtual private network (VPN) sessions, SSH terminal connections, and other remote abilities to evaluate for inbound connections, unapproved third-party tools, cleartext information, and unauthorized lateral movement
Uniform Resource Identifier (URI) strings, user agent strings, and proxy enforcement actions for abusive, suspicious, or malicious website access
Hypertext Transfer Protocol Secure/Secure Sockets Layer (HTTPS/SSL)
Unauthorized connections to known threat indicators
Telnet
Internet Relay Chat (IRC)
File Transfer Protocol (FTP)

Information to Review for Network Analysis

Look for new connections on previously unused ports.
Look for traffic patterns related to time, frequency, and byte count of the connections.
Preserve proxy logs. Add in the URI parameters to the event log if possible.
Disable LLMNR on the corporate network; if unable to disable, collect LLMNR (UDP port 5355) and NetBIOS-NS (UDP port 137).
Review changes to routing tables, such as weighting, static entries, gateways, and peer relationships.

Common Mistakes in Incident Handling

After determining that a system or multiple systems may be compromised, system administrators and/or system owners are often tempted to take immediate actions. Although well intentioned to limit the damage of the compromise, some of those actions have the adverse effect of:

Modifying volatile data that could give a sense of what has been done; and
Tipping the threat actor that the victim organization is aware of the compromise and forcing the actor to either hide their tracks or take more damaging actions (like detonating ransomware).

Below—and partially listed in figure 1—are actions to avoid taking and some of the consequence of taking such actions.

Mitigating the affected systems before responders can protect and recover data
- This can cause the loss of volatile data such as memory and other host-based artifacts.
- The adversary may notice and change their tactics, techniques, and procedures.
Touching adversary infrastructure (Pinging, NSlookup, Browsing, etc.)
- These actions can tip off the adversary that they have been detected.
Preemptively blocking adversary infrastructure
- Network infrastructure is fairly inexpensive. An adversary can easily change to new command and control infrastructure, and you will lose visibility of their activity.
Preemptive credential resets
- Adversary likely has multiple credentials, or worse, has access to your entire Active Directory.
- Adversary will use other credentials, create new credentials, or forge tickets.
Failure to preserve or collect log data that could be critical to identifying access to the compromised systems
- If critical log types are not collected, or are not retained for a sufficient length of time, key information about the incident may not be determinable. Retain log data for at least one year.
Communicating over the same network as the incident response is being conducted (ensure all communications are held out-of-band)
Only fixing the symptoms, not the root cause
- Playing “whack-a-mole” by blocking an IP address—without taking steps to determine what the binary is and how it got there—leaves the adversary an opportunity to change tactics and retain access to the network.

Figure 1: Common missteps to be avoided when responding to an incident

Mitigations

The following recommendations and best practices may be helpful during the investigation and remediation process. Note: Although this guidance provides best practices to mitigate common attack vectors, organizations should tailor mitigations to their network.

General Mitigation Guidance

Restrict or Discontinue Use of FTP and Telnet Services

The FTP and Telnet protocols transmit credentials in cleartext, which are susceptible to being intercepted. To mitigate this risk, discontinue FTP and Telnet services by moving to more secure file storage/file transfer and remote access services.

Evaluate business needs and justifications to host files on alternative Secure File Transfer Protocol (SFTP) or HTTPS-based public sites.
Use Secure Shell (SSH) for access to remote devices and servers.

Restrict or Discontinue Use of Non-approved VPN Services

Investigate the business needs and justification for allowing traffic from non-approved VPN services.
Identify such services across the enterprise and develop measures to add the application and browser plugins that enable non-approved VPN services to the denylist.
Enhance endpoint monitoring to obtain visibility on devices with non-approved VPN services running. Enhanced endpoint monitoring and detection capabilities would enable an organization’s IT security personnel to manage approved software as well as identify and remove any instances of unapproved software.

Shut down or Decommission Unused Services and Systems

Cyber actors regularly identify servers that are out of date or end of life (EOL) to gain access to a network and perform malicious activities. These present easy and safe locations to maintain persistence on a network.
Often these services and servers are systems that have begun decommissioning, but the final stage has not been completed by shutting down the system. This means they are still running and vulnerable to compromise.
Ensuring that decommissioning of systems has been completed or taking appropriate action to remove them from the network limits their susceptibility and reduces the investigative surface to be analyzed.

Quarantine and Reimage Compromised Hosts

Note: proceed with caution to avoid the adverse effects detailed in the Common Mistakes in Incident Handling section above.

Reimage or remove any compromised systems found on the network.
Monitor and educate users to be cautious of any downloads from third-party sites or vendors.
Block the known bad domains and add a web content filtering capability to block malicious sites by category to prevent future compromise.
Sanitize removable media and investigate network shares accessible by users.
Improve existing network-based malware detection tools with sandboxing capabilities.

Disable Unnecessary Ports, Protocols, and Services

Identify and disable ports, protocols, and services not needed for official business to prevent would-be attackers from moving laterally to exploit vulnerabilities. This includes external communications as well as communications between networks.
Document allowed ports and protocols at the enterprise level.
Restrict inbound and outbound access to ports and protocols not justified for business use.
Restrict allowed access list to assets justified by business use.
Enable a firewall log for inbound and outbound network traffic as well as allowed and denied traffic.

Restrict or Disable Interactive Login for Service Accounts

Service accounts are privileged accounts dedicated to certain services to perform activities related to the service or application without being tied to a single domain user. Given that services tend to be privileged accounts and thereby have administrative privileges, they are often a target for attackers aiming to obtain credentials. Interactive login to a service account not directly tied to an end-user account makes it difficult to identify accountability during cyber incidents.

Audit the Active Directory (AD) to identify and document active service accounts.
Restrict use of service accounts using AD group policy.
Disallow interactive login by adding service account to a group of non-interactive login users.
Continuously monitor service account activities by enhancing logging.
Rotate service accounts and apply password best practices without service, degradation, or disruption.

Disable Unnecessary Remote Network Administration Tools

If an attacker (or malware) gains access to a remote user’s computer, steals authentication data (login/password), hijacks an active remote administration session, or successfully attacks a vulnerability in the remote administration tool’s software, the attacker (or malware) will gain unrestricted control of the enterprise network environment. Attackers can use compromised hosts as a relay server for reverse connections, which could enable them to connect to these remote administration tools from anywhere.
Remove all remote administration tools that are not required for day-to-day IT operations. Closely monitor and log events for each remote-control session required by department IT operations.

Manage Unsecure Remote Desktop Services

Allowing unrestricted RDP access can increase opportunities for malicious activity such as on path and Pass-the-Hash (PtH) attacks.

Implement secure remote desktop gateway solutions.
Restrict RDP service trust across multiple network zones.
Implement privileged account monitoring and short time password lease for RDP service use.
Implement enhanced and continuous monitoring of RDP services by enabling logging and ensure RDP logins are captured in the logs.

Credential Reset and Access Policy Review

Credential resets need to be done to strategically ensure that all the compromised accounts and devices are included and to reduce the likelihood that the attacker is able to adapt in response to this.

Force password resets; revoke and issue new certificates for affected accounts/devices.
If it is suspected that the attacker has gained access to the Domain Controller, then the passwords for all local accounts—such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and kbrtgt—should be reset. It is essential that the password for the kbrtgt account is reset as this account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. The account should be reset twice (as the account has a two-password history).
- The first account reset for the kbrtgt needs to be allowed to replicate prior to the second reset to avoid any issues.
If it is suspected that the ntds.dit file has been exfiltrated, then all domain user passwords will need to be reset.
Review access policies to temporarily revoke privileges/access for affected accounts/devices. If it is necessary to not alert the attacker (e.g., for intelligence purposes), then privileges can be reduced for affected accounts/devices to “contain” them.

Patch Vulnerabilities

Attackers frequently exploit software or hardware vulnerabilities to gain access to a targeted system.

Known vulnerabilities in external facing devices and servers should be patched immediately, starting with the point of compromise, if known.
- Ensure external-facing devices have not been previously compromised while going through the patching process.
If the point of compromise (i.e., the specific software, device, server) is known, but how the software, device, or server was exploited is unknown, notify the vendor so they can begin analysis and develop a new patch.
Follow vendor remediation guidance including the installation of new patches as soon as they become available.

General Recommendations and Best Practices Prior to an Incident

Properly implemented defensive techniques and programs make it more difficult for a threat actor to gain access to a network and remain persistent yet undetected. When an effective defensive program is in place, attackers should encounter complex defensive barriers. Attacker activity should also trigger detection and prevention mechanisms that enable organizations to identify, contain, and respond to the intrusion quickly. There is no single technique, program, or set of defensive techniques or programs that will completely prevent all attacks. The network administrator should adopt and implement multiple defensive techniques and programs in a layered approach to provide a complex barrier to entry, increase the likelihood of detection, and decrease the likelihood of a successful attack. This layered mitigation approach is known as defense-in-depth.

User Education

End users are the frontline security of the organizations. Educating them in security principles as well as actions to take and not take during an incident will increase the organization’s resilience and might prevent easily avoidable compromises.

Educate users to be cautious of any downloads from third-party sites or vendors.
Train users on recognizing phishing emails. There are several systems and services (free and otherwise) that can be deployed or leveraged.
Train users on identifying which groups/individuals to contact when they suspect an incident.
Train users on the actions they can and cannot take if they suspect an incident and why (some users will attempt to remediate and might make things worst).

Allowlisting

Enable application directory allowlisting through Microsoft Software Restriction Policy or AppLocker.
Use directory allowlisting rather than attempting to list every possible permutation of applications in a network environment. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), and SYSTEM32. Disallow all other locations unless an exception is granted.
Prevent the execution of unauthorized software by using application allowlisting as part of the OS installation and security hardening process.

Account Control

Decrease a threat actor’s ability to access key network resources by implementing the principle of least privilege.
Limit the ability of a local administrator account to log in from a local interactive session (e.g., Deny access to this computer from the network) and prevent access via an RDP session.
Remove unnecessary accounts and groups; restrict root access.
Control and limit local administration; e.g. implementing Just Enough Administration (JEA), just-in-time (JIT) administration, or enforcing PowerShell Constrained Language mode via a User Mode Code Integrity (UMCI) policy.
Make use of the Protected Users Active Directory group in Windows domains to further secure privileged user accounts against pass-the-hash attacks.

Backups

Identify what data is essential to keeping operations running; make regular backup copies.
Test that backups are working to ensure they can restore the data in the event of an incident.
Create offline backups to help recover from a ransomware attack or from disasters (fire, flooding, etc.).
Securely store offline backups at an offsite location. If feasible, choose an offsite location that is at a distance from the primary location that would be unaffected in the event of a regional natural disaster.

Workstation Management

Create and deploy a secure system baseline image to all workstations.
Mitigate potential exploitation by threat actors by following a normal patching cycle for all OSs, applications, and software, with exceptions for emergency patches.
Apply asset and patch management processes.
Reduce the number of cached credentials to one (if a laptop) or zero (if a desktop or fixed asset).

Host-Based Intrusion Detection / Endpoint Detection and Response

Configure and monitor workstation system logs through a host-based endpoint detection and response platform and firewall.
Deploy an anti-malware solution on workstations to prevent spyware, adware, and malware as part of the OS security baseline.
- Ensure that your anti-malware solution remains up to date.
Monitor antivirus scan results on a regular basis.

Server Management

Create a secure system baseline image and deploy it to all servers.
Upgrade or decommission end-of-life non-Windows servers.
Upgrade or decommission servers running Windows Server 2003 or older versions.
Implement asset and patch management processes.
Audit for and disable unnecessary services.

Server Configuration and Logging

Establish remote server logging and retention.
Reduce the number of cached credentials to zero.
Configure and monitor system logs via a centralized security information and event management (SIEM) appliance.
Add an explicit DENY for %USERPROFILE%.
Restrict egress web traffic from servers.
In Windows environments, use Restricted Admin mode or remote credential guard to further secure remote desktop sessions against pass-the-hash attacks.
Restrict anonymous shares.
Limit remote access by only using jump servers for such access.
On Linux, use SELINUX or AppArmor in enforcing mode and/or turn on audit logging.
Turn on bash shell logging; ship this and all logs to a remote server.
Do not allow users to use su. Use Sudo -l instead.
Configure automatic updates in yum or apt.
Mount /var/tmp and /tmp as noexec.

Change Control

Create a change control process for all implemented changes.

Network Security

Implement an intrusion detection system (IDS).
- Apply continuous monitoring.
- Send alerts to a SIEM tool.
- Monitor internal activity (this tool may use the same tap points as the netflow generation tools).
Employ netflow capture.
- Set a minimum retention period of 180 days.
- Capture netflow on all ingress and egress points of network segments, not just at the Managed Trusted Internet Protocol Services or Trusted Internet Connections locations.
Capture all network traffic
- Retain captured traffic for a minimum of 24 hours.
- Capture traffic on all ingress and egress points of the network.
Use VPN
- Maintain site-to-site VPN with customers and vendors.
- Authenticate users utilizing site-to-site VPNs.
- Use authentication, authorization, and accounting for controlling network access.
- Require smartcard authentication to an HTTPS page in order to control access. Authentication should also require explicit rostering of permitted smartcard distinguished names to enhance the security posture on both networks participating in the site-to-site VPN.
Establish appropriate secure tunneling protocol and encryption.
Strengthen router configuration (e.g., avoid enabling remote management over the internet and using default IP ranges, automatically log out after configuring routers, and use encryption.).
Turn off Wi-Fi protected setup, enforce the use of strong passwords, and keep router firmware up-to-date.
Improve firewall security (e.g., enable automatic updates, revise firewall rules as appropriate, implement allowlists, establish packet filtering, enforce the use of strong passwords, encrypt networks).
- Whenever possible, ensure access to network devices via external or untrusted networks (specifically the internet) is disabled.
Manage access to the internet (e.g., providing internet access from only devices/accounts that need it, proxying all connections, disabling internet access for privileged/administrator accounts, enabling policies that restrict internet access using a blocklist, a resource allowlist, content type, etc.)
- Conduct regular vulnerability scans of the internal and external networks and hosted content to identify and mitigate vulnerabilities.
- Define areas within the network that should be segmented to increase the visibility of lateral movement by a threat and increase the defense-in-depth posture.
- Develop a process to block traffic to IP addresses and domain names that have been identified as being used to aid previous attacks.
Evaluate and consider the security configurations of Microsoft Office 365 (O365) and other cloud collaboration service platforms prior to deployment.
- Use multi-factor authentication. This is the best mitigation technique to protect against credential theft for O365 administrators and users.
- Protect Global Admins from compromise and use the principle of “Least Privilege.”
- Enable unified audit logging in the Security and Compliance Center.
- Enable alerting capabilities.
- Integrate with organizational SIEM solutions.
- Disable legacy email protocols, if not required, or limit their use to specific users.

Network Infrastructure Recommendations

Create a secure system baseline image and deploy it to all networking equipment (e.g., switches, routers, firewalls).
Remove unnecessary OS files from the internetwork operating system (IOS). This will limit the possible targets of persistence (i.e., files to embed malicious code) if the device is compromised and will align with National Security Agency Network Device Integrity best practices.
Remove vulnerable IOS OS files (i.e., older iterations) from the device’s boot variable (i.e., show boot or show bootvar).
Update to the latest available operating system for IOS devices.
On devices with a Secure Sockets Layer VPN enabled, routinely verify customized web objects against the organization’s known good files for such VPNs, to ensure the devices remain free of unauthorized modification.
Ensure that any incident response tools that point to external domains are either removed or updated to point to internal security tools. If this is not done and an external domain to which a tool points expires, a malicious threat actor may register it and start collecting telemetry from the infrastructure.

Host Recommendations

Implement policies to block workstation-to-workstation RDP connections through a Group Policy Object on Windows, or by a similar mechanism.
Store system logs of mission critical systems for at least one year within a SIEM tool.
Review the configuration of application logs to verify that recorded fields will contribute to an incident response investigation.

User Management

Reduce the number of domain and enterprise administrator accounts.
Create non-privileged accounts for privileged users and ensure they use the non- privileged accounts for all non-privileged access (e.g., web browsing, email access).
If possible, use technical methods to detect or prevent browsing by privileged accounts (authentication to web proxies would enable blocking of Domain Administrators).
Use two-factor authentication (e.g., security tokens for remote access and access to any sensitive data repositories).
If soft tokens are used, they should not exist on the same device that is requesting remote access (e.g., a laptop) and instead should be on a smartphone, token, or other out-of-band device.
Create privileged role tracking.
Create a change control process for all privilege escalations and role changes on user accounts.
Enable alerts on privilege escalations and role changes.
Log privileged user changes in the network environment and create an alert for unusual events.
Establish least privilege controls.
Implement a security-awareness training program.

Segregate Networks and Functions

Proper network segmentation is a very effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network. On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Security architects must consider the overall infrastructure layout, segmentation, and segregation. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders, in the event that they have gained a foothold somewhere inside the network.

Physical Separation of Sensitive Information

Local Area Network (LAN) segments are separated by traditional network devices such as routers. Routers are placed between networks to create boundaries, increase the number of broadcast domains, and effectively filter users’ broadcast traffic. These boundaries can be used to contain security breaches by restricting traffic to separate segments and can even shut down segments of the network during an intrusion, restricting adversary access.

Recommendations:

Implement Principles of Least Privilege and need-to-know when designing network segments.
Separate sensitive information and security requirements into network segments.
Apply security recommendations and secure configurations to all network segments and network layers.

Virtual Separation of Sensitive Information

As technologies change, new strategies are developed to improve IT efficiencies and network security controls. Virtual separation is the logical isolation of networks on the same physical network. The same physical segmentation design principles apply to virtual segmentation but no additional hardware is required. Existing technologies can be used to prevent an intruder from breaching other internal network segments.

Recommendations:

Use Private Virtual LANs to isolate a user from the rest of the broadcast domains.
Use Virtual Routing and Forwarding (VRF) technology to segment network traffic over multiple routing tables simultaneously on a single router.
Use VPNs to securely extend a host/network by tunneling through public or private networks.

Additional Best Practices

Implement a vulnerability assessment and remediation program.
Encrypt all sensitive data in transit and at rest.
Create an insider threat program.
Assign additional personnel to review logging and alerting data.
Complete independent security (not compliance) audits.
Create an information sharing program.
Complete and maintain network and system documentation to aid in timely incident response, including:
- Network diagrams,
- Asset owners,
- Type of asset, and
- An up-to-date incident response plan.

Resources

References

Revisions

September 1, 2020: Initial Version
September 2, 2020: Revised to remove typo and to reference CCCS
September 24, 2020: Updated link to new version of CISA Incident Handling Overview for Election Officials

This product is provided subject to this Notification and this Privacy & Use policy.

AA20-239A: FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks
Original release date: August 26, 2020 | Last revised: September 3, 2020

Summary

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.

This joint advisory is the result of analytic efforts among the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM). Working with U.S. government partners, CISA, Treasury, FBI, and USCYBERCOM identified malware and indicators of compromise (IOCs) used by the North Korean government in an automated teller machine (ATM) cash-out scheme—referred to by the U.S. Government as “FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks.”

CISA, Treasury, FBI, and USCYBERCOM highlight the cyber threat posed by North Korea—formally known as the Democratic People’s Republic of Korea (DPRK)—and provide recommended steps to mitigate the threat.

Refer to the following Malware Analysis Reports for associated IOCs: CROWDEDFLOUNDER, ECCENTRICBANDWAGON, ELECTRICFISH, FASTCash for Windows, HOPLIGHT, and VIVACIOUSGIFT.

Click here for a PDF version of this report.

!!!WARNING!!!

Since February 2020, North Korea has resumed targeting banks in multiple countries to initiate fraudulent international money transfers and ATM cash outs. The recent resurgence follows a lull in bank targeting since late 2019. This advisory provides an overview of North Korea’s extensive, global cyber-enabled bank robbery scheme, a short profile of the group responsible for this activity, in-depth technical analysis, and detection and mitigation recommendations to counter this ongoing threat to the Financial Services sector.

!!!WARNING!!!

Technical Details

North Korea's intelligence apparatus controls a hacking team dedicated to robbing banks through remote internet access. To differentiate methods from other North Korean malicious cyber activity, the U.S. Government refers to this team as BeagleBoyz, who represent a subset of HIDDEN COBRA activity. The BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as Lazarus, Advanced Persistent Threat 38 (APT38), Bluenoroff, and Stardust Chollima and are responsible for the FASTCash ATM cash outs reported in October 2018, fraudulent abuse of compromised bank-operated SWIFT system endpoints since at least 2015, and lucrative cryptocurrency thefts. This illicit behavior has been identified by the United Nations (UN) DPRK Panel of Experts as evasion of UN Security Council resolutions, as it generates substantial revenue for North Korea. North Korea can use these funds for its UN-prohibited nuclear weapons and ballistic missile programs. Additionally, this activity poses significant operational risk to the Financial Services sector and erodes the integrity of the financial system.

The BeagleBoyz’s bank robberies pose severe operational risk for individual firms beyond reputational harm and financial loss from theft and recovery costs. The BeagleBoyz have attempted to steal nearly $2 billion since at least 2015, according to public estimates. Equally concerning, these malicious actors have manipulated and, at times, rendered inoperable, critical computer systems at banks and other financial institutions.

In 2018, a bank in Africa could not resume normal ATM or point of sale services for its customers for almost two months following an attempted FASTCash incident.
The BeagleBoyz often put destructive anti-forensic tools onto computer networks of victim institutions. Additionally, in 2018, they deployed wiper malware against a bank in Chile that crashed thousands of computers and servers to distract from efforts to send fraudulent messages from the bank’s compromised SWIFT terminal.

North Korea’s widespread international bank robbery scheme that exploits critical banking systems may erode confidence in those systems and presents risks to financial institutions across the world. Any BeagleBoyz robbery directed at one bank implicates many other financial services firms in both the theft and the flow of illicit funds back to North Korea. BeagleBoyz activity fits a known North Korean pattern of abusing the international financial system for profit.

Fraudulent ATM cash outs have affected upwards of 30 countries in a single incident. The conspirators have withdrawn cash from ATM machines operated by various unwitting banks in multiple countries, including in the United States.
The BeagleBoyz also use unwitting banks, including banks in the United States, for their SWIFT fraud scheme. These banks are custodians of accounts belonging to victim banks or unknowingly serve as a pass-through for the fraud. Most infamously, the BeagleBoyz stole $81 million from the Bank of Bangladesh in 2016. The Federal Reserve Bank of New York stopped the remainder of this attempted $1 billion theft after detecting anomalies in the transfer instructions they had received.

FASTCash Update

North Korea’s BeagleBoyz are responsible for the sophisticated cyber-enabled ATM cash-out campaigns identified publicly as “FASTCash” in October 2018. Since 2016, the BeagleBoyz have perpetrated the FASTCash scheme, targeting banks’ retail payment system infrastructure (i.e., switch application servers processing International Standards Organization [ISO] 8583 messages, which is the standard for financial transaction messaging).

Since the publication of the in October 2018, there have been two particularly significant developments in the campaign: (1) the capability to conduct the FASTCash scheme against banks hosting their switch applications on Windows servers, and (2) an expansion of the FASTCash campaign to target interbank payment processors.

In October 2018, the U.S. Government identified malware used in the FASTCash scheme that has the capability to manipulate AIX servers running a bank's switch application to intercept financial request messages and reply with fraudulent, but legitimate-looking, affirmative response messages to enable extensive ATM cash outs. The U.S. Government has since identified functionally equivalent malware for the Windows operating system. Please see the Technical Analysis section below for more information about the ISO 8583 malware for Windows.
The BeagleBoyz initially targeted switch applications at individual banks with FASTCash malware but, more recently, have targeted at least two regional interbank payment processors. This suggests the BeagleBoyz are exploring upstream opportunities in the payments ecosystem.

For more information about FASTCash, please see https://www.us-cert.gov/ncas/alerts/TA18-275A.

BEAGLEBOYZ Profile

The BeagleBoyz, an element of the North Korean government’s Reconnaissance General Bureau, have likely been active since at least 2014. As opposed to typical cybercrime, the group likely conducts well-planned, disciplined, and methodical cyber operations more akin to careful espionage activities. Their malicious cyber operations have netted hundreds of millions of U.S. dollars and are likely a major source of funding for the North Korean regime. The group has always used a calculated approach, which allows them to sharpen their tactics, techniques, and procedures while evading detection. Over time, their operations have become increasingly complex and destructive. The tools and implants employed by this group are consistently complex and demonstrate a strong focus on effectiveness and operational security.

Community Identifiers

The BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as: APT38 (FireEye), Bluenoroff (Kaspersky), Lazarus Group (ESTSecurity), and Stardust Chollima (CrowdStrike).

Targeted Nations

The BeagleBoyz likely have targeted financial institutions in the following nations from 2015 through 2020: Argentina, Brazil, Bangladesh, Bosnia and Herzegovina, Bulgaria, Chile, Costa Rica, Ecuador, Ghana, India, Indonesia, Japan, Jordan, Kenya, Kuwait, Malaysia, Malta, Mexico, Mozambique, Nepal, Nicaragua, Nigeria, Pakistan, Panama, Peru, Philippines, Singapore, South Africa, South Korea, Spain, Taiwan, Tanzania, Togo, Turkey, Uganda, Uruguay, Vietnam, Zambia (figure 1).

Figure 1: Nations probably targeted by BeagleBoyz since 2015

Anatomy of a BeagleBoyz Bank Heist

Figure 2 provides a graphical depiction of a BeagleBoyz bank heist. The next section describes in detail the end-to-end actions the BeagleBoyz take to rob financial institutions with a malicious cyber operation.

Figure 2: BeagleBoyz Bank Heist overview

Technical Analysis

The BeagleBoyz use a variety of tools and techniques to gain access to a financial institution’s network, learn the topology to discover key systems, and monetize their access. The technical analysis below represents an amalgamation of multiple known incidents, rather than details of a single operation. These findings are presented to highlight the group’s ability to tailor their techniques to different targets and to adapt their methods over time. Consequently, there is a need for layered mitigations to effectively defend against this activity, as relying solely on network signature detection will not sufficiently protect against North Korea’s BeagleBoyz.

Initial Access

The BeagleBoyz have used a variety of techniques, such as spearphishing and watering holes, to enable initial access into targeted financial institutions. Towards the end of 2018 through 2019 and in early 2020, the BeagleBoyz demonstrated the use of social engineering tactics by carrying out job-application themed phishing attacks using the following publicly available malicious files.

MD5: b484b0dff093f358897486b58266d069

MD5: f34b72471a205c4eee5221ab9a349c55

MD5: 4c26b2d0e5cd3bfe0a3d07c4b85909a4

MD5: 52ec074d8cb8243976963674dd40ffe7

MD5: d1d779314250fab284fd348888c2f955

MD5: 41fd85ff44107e4604db2f00e911a766

MD5: cf733e719e9677ebfbc84a3ab08dd0dc

MD5: 01d397df2a1cf1d4c8e3615b7064856c

The BeagleBoyz may also be working with or contracting out to criminal hacking groups, like TA505, for initial access development. The third party typically uses commodity malware to establish initial access on a victim’s network and then turns over the access to the BeagleBoyz for follow-on exploitation, which may not occur until months later.

The BeagleBoyz have also used the following techniques to gain an initial foothold on a targeted computer network (Initial Access [TA0001]).

Email an attachment with malware to a specific individual, company, or industry (Phishing: Spearphishing Attachment [T1566.001])
Compromise a website visited by users in specific communities, industries, or regions (Drive-by Compromise [T1189])
Exploit a weakness (a bug, glitch, or design vulnerability) in an internet-facing computer system (such as a database or web server) (Exploit Public Facing Application [T1190])
Steal the credentials of a specific user or service account to bypass access controls and gain increased privileges (Valid Accounts [T1078])
Breach organizations that have access to the intended victim’s organization and exploit their trusted relationship (Trusted Relationship [T1199])
Use remote services to initially access and persist within a victim’s network (External Remote Services [T1133])

Execution

The BeagleBoyz selectively exploit victim computer systems after initially compromising a computer connected to a financial institution’s corporate network. After gaining initial access to a financial institution’s corporate network, the BeagleBoyz are selective in which victim systems they further exploit. The BeagleBoyz use a variety of techniques to run their code on local and remote victim systems [Execution [TA0002]).

Use command-line interfaces to interact with systems and execute other software (Command and Scripting Interpreter [T1059])
Use scripts (e.g., VBScript and PowerShell) to speed up operational tasks, reduce the time required to gain access to critical resources, and bypass process monitoring mechanisms by directly interacting with the operating system (OS) at an Application Programming Interface (API) level instead of calling other programs (Command and Scripting Interpreter: PowerShell [T1059.001], Command and Scripting Interpreter: Visual Basic [T1059.005])
Rely upon specific user actions, such as opening a malicious email attachment (User Execution [T1204])
Exploit software vulnerabilities to execute code on a system (Exploitation for Client Execution [T1203])
Create new services or modify existing services to execute executables, commands, or scripts (System Services: Service Execution [T1569.002])
Employ the Windows module loader to load Dynamic Link Libraries (DLLs) from arbitrary local paths or arbitrary Universal Naming Convention (UNC) network paths and execute arbitrary code on a system (Shared Modules [T1129])
Use the Windows API to execute arbitrary code on the victim's system (Native API [T1106])
Use a system's graphical user interface (GUI) to search for information and execute files (Remote Services [T1021])
Use the Task Scheduler to run programs at system startup or on a scheduled basis for persistence, conduct remote execution for lateral movement, gain SYSTEM privileges for privilege escalation, or run a process under the context of a specified account (Scheduled Task/Job [T1053])
Abuse compiled Hypertext Markup Language (HTML) files (.chm), commonly distributed as part of the Microsoft HTML Help system, to conceal malicious code (Signed Binary Proxy Execution: Compiled HTML File [T1218.001])
Abuse Windows rundll32.exe to execute binaries, scripts, and Control Panel Item files (.CPL) and execute code via proxy to avoid triggering security tools (Signed Binary Proxy Execution: Rundl32 [T1218.001])
Exploit cron in Linux and launchd in macOS systems to create pre-scheduled and periodic background jobs (Scheduled Task/Job: Cron [T1053.003], Scheduled Task/Job: Launchd [T1053.004])

Persistence

The BeagleBoyz use many techniques to maintain access on compromised networks through system restarts, changed credentials, and other interruptions that could affect their access (Persistence [TA0003]).

Add an entry to the “run keys” in the Registry or an executable to the startup folder to execute malware as the user logs in under the context of the user’s associated permissions levels (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001])
Install a new service that can be configured to execute at startup using utilities to interact with services or by directly modifying the Registry (Create or Modify System Process: Windows Service [T1543.003])
Compromise an openly accessible web server with a web script (known as web shell) to use the web server as a gateway into a network and to serve as redundant access or persistence mechanism (Server Software Component: Web Shell [T1505.003])
Manipulate accounts (e.g., modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed) to maintain access to credentials and certain permission levels within an environment (Account Manipulation [T1098])
Steal the credentials of a specific user or service account to bypass access controls and retain access to remote systems and externally available services (Valid Accounts [T1078])
Use the Task Scheduler to run programs at system startup or on a scheduled basis for persistence, conduct remote execution for lateral movement, gain SYSTEM privileges for privilege escalation, or run a process under the context of a specified account (Scheduled Task/Job [T1053])
Abuse the Windows DLLs search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence (Hijack Execution Flow: DLL Search Order Hijacking [T1056.004])
Exploit hooking to load and execute malicious code within the context of another process to mask the execution, allow access to the process’s memory, and, possibly, gain elevated privileges (Input Capture: Credential API Hooking [T1574.001])
Use remote services to persist within a victim’s network (External Remote Services [T1133])

Privilege Escalation

The BeagleBoyz often seek access to financial institutions’ systems that have tiered user and system accounts with customized privileges. The BeagleBoyz must overcome these restrictions to access necessary systems, monitor normal user behavior, and install and execute additional malicious tools. To do so, the BeagleBoyz have used the following techniques to gain higher-level permissions on a system or network (Privilege Escalation [TA0004]).

Inject code into processes to evade process-based defenses and elevate privileges (Process Injection [T1055])
Install a new service that can be configured to execute at startup using utilities to interact with services or by directly modifying the Registry (Create or Modify System Process: Windows Service [T1543.003])
Compromise an openly accessible web server with web shell to use the web server as a gateway into a network (Server Software Component: Web Shell [T1505.003])
Use the Task Scheduler to run programs at system startup or on a scheduled basis for persistence, conduct remote execution as part of lateral movement, gain SYSTEM privileges for privilege escalation, or run a process under the context of a specified account (Scheduled Task/Job [T1053])
Steal the credentials of a specific user or service account to bypass access controls and grant increased privileges (Valid Accounts [T1078])
Exploit hooking to load and execute malicious code within the context of another process to mask the execution, allow access to the process’s memory, and, possibly, gain elevated privileges (Input Capture: Credential API Hooking [T1574.001])
Perform Sudo (sometimes referred to as “super user do”) caching or use the Soudoers file to elevate privileges in Linux and macOS systems (Abuse Elevation Control Mechanism: Sudo and Sudo Caching [T1548.003])
Execute malicious payloads by hijacking the search order used to load DLLs (Hijack Execution Flow: DLL Search Order Hijacking [T1574.001])

Defense Evasion

Throughout their exploitation of a financial institution’s computer network, the BeagleBoyz have used different techniques to avoid detection by OS security features, system and network security software, and system audits (Defense Evasion [TA0005]).

Exploit code signing certificates to masquerade malware and tools as legitimate binaries and bypass security policies that allow only signed binaries to execute on a system (Subvert Trust Controls Signing [T1553.002])
Remove malware, tools, or other non-native files dropped or created throughout an intrusion to reduce their footprint or as part of the post-intrusion cleanup process (Indicator Removal on Host: File Deletion [T1070.004])
Inject code into processes to evade process-based defenses (Process Injection [T1055])
Use scripts (such as VBScript and PowerShell) to bypass process monitoring mechanisms by directly interacting with the OS at an API level instead of calling other programs (Command and Scripting Interpreter: PowerShell [T1059.001], Command and Scripting Interpreter: Visual Basic [T1059.005])
Attempt to make an executable or file challenging to discover or analyze by encrypting, encoding, or obfuscating its contents on the system or in transit (Obfuscated Files or Information [T1027])
Use external previously compromised web services to relay commands to a victim system (Web Service [T1102])
Use software packing to change the file signature, bypass signature-based detection, and decompress the executable code in memory (Unsecured Credentials: Private Keys [T1552.004])
Use obfuscated files or information to hide intrusion artifacts (Deobfuscate/Decode Files or Information [T1140])
Modify the data timestamps (the modify, access, create, and change times fields) to mimic files that are in the same folder, making them appear inconspicuous to forensic analysts or file analysis tools (Indicator Removal on Host: Remove Timestamp [T1070.006])
Abuse Windows utilities to implement arbitrary execution commands and subvert detection and mitigation controls (such as Group Policy) that limit or prevent the usage of cmd.exe or file extensions commonly associated with malicious payloads (Indirect Command Execution [T1202])
Use various methods to prevent their commands from appearing in logs and clear command history to remove activity traces (Indicator Removal on Host: Clear Command History [T1070.003])
Disable security tools to avoid possible detection of tools and events (Impair Defenses: Disable or Modify Tools [T1562.001])
Steal the credentials of a specific user or service account to bypass access controls and grant increased privileges (Valid Accounts [T1078])
Delete or alter generated artifacts on a host system, including logs and potentially captured files, to remove traces of activity (Indicator Removal on Host: File Deletion [T1070.004])
Abuse compiled HTML files (.chm), commonly distributed as part of the Microsoft HTML Help system, to conceal malicious code (Signed Binary Proxy Execution: Compiled HTML File [T1218.001])
Prepend a space to all their terminal commands to operate without leaving traces in the HISTCONTROL environment, which is configured to ignore commands that start with a space (Impair Defenses: HISTCONTROL [T1562.003])
Modify malware so it has a different signature and re-use it in cases when the group determines it was quarantined (Obfuscated Files or Information: Indicator Removal from Tools [T1027.005])
Attempt to block indicators or events typically captured by sensors from being gathered and analyzed (Impair Defenses: Indicator Blocking [T1562.006])
Use the Windows DLLs search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence (Hijack Execution Flow: DLL Search Order Hijacking [T1574.001])
Manipulate or abuse the attributes or location of an executable (masquerading) to better blend in with the environment and increase the chances of deceiving a security analyst or product (Masquerading [T1036])
Exploit rootkits to hide programs, files, network connections, services, drivers, and other system components (Rootkit [T1014])
Abuse the Windows rundll32.exe to execute binaries, scripts, and .CPL files, and execute code via proxy to avoid triggering security tools (Signed Binary Proxy Execution: Rundl32 [T1218.001])

Credential Access

The BeagleBoyz may use malware like ECCENTRICBANDWAGON to log key strokes and take screen captures. The U.S. Government has identified some ECCENTRICBANDWAGON samples that have the ability to RC4 encrypt logged data, but the tool has no network functionality. The implant uses specific formatting for logged data and saves the file locally; another tool obtains the logged data. The implant also contains no mechanism for persistence or self-loading and expects a specific configuration file to be present on the system. A full technical report for ECCENTRICBANDWAGON is available at https://us-cert.cisa.gov/northkorea.

The BeagleBoyz may not always need to use custom keyloggers like ECCENTRICBANDWAGON or other tools to obtain credentials from a compromised system. Depending on the victim’s environment, the BeagleBoyz have used the following techniques to steal credentials (Credential Access [TA0006]).

Capture user input, such as keylogging (the most prevalent type of input capture), to obtain credentials for valid accounts and information collection (Input Capture [T1056])
Obtain account login and password information, generally in the form of a hash or a clear text password, from the operating system and software (OS Credential Dumping [T1056])
Gather private keys from compromised systems to authenticate to remote services or decrypt other collected files (Unsecured Credentials: Private Keys [T1552.004])
Manipulate default, domain, local, and cloud accounts to maintain access to credentials and certain permission levels within an environment (Account Manipulation [T1098])
Abuse hooking to load and execute malicious code within the context of another process to mask the execution, allow access to the process's memory, and, possibly, gain elevated privileges (Input Capture: Credential API Hooking [T1056.004])
Use brute force techniques to attempt account access when passwords are unknown or when password hashes are unavailable (Brute Force [T1110])

Discovery

Once inside a financial institution’s network, the BeagleBoyz appear to seek two specific systems—the SWIFT terminal and the server hosting the institution’s payment switch application. As they progress through a network, they learn about the systems they have accessed in order to map the network and gain access to the two goal systems. To do so, the BeagleBoyz have used the following techniques to gain knowledge about the systems and internal network (Discovery [TA0007]).

Attempt to get detailed information about the operating system and hardware, such as version, patches, hotfixes, service packs, and architecture (System Information Discovery [T1082])
Enumerate files and directories or search in specific locations of a host or network share for particular information within a file system (File and Directory Discovery [T1083])
Get a list of security software, configurations, defensive tools, and sensors installed on the system (Software Discovery: Security Software Discovery [T1518.001])
Procure information about running processes on a system to understand standard software running on network systems (Process Discovery [T1057])
Identify primary users, currently logged in users, sets of users that commonly use a system, or active or inactive users (System Owner/User Discovery [T1033])
Enumerate browser bookmarks to learn more about compromised hosts, reveal personal information about users, and expose details about internal network resources (Browser Bookmark Discovery [T1217])
Look for information on network configuration and system settings on compromised systems, or perform remote system discovery (System Network Configuration Discovery [T1016])
Interact with the Windows Registry to gather information about the system, configuration, and installed software (Query Registry [T1012])
Get a list of open application windows to learn how the system is used or give context to data collected (Application Window Discovery [T1010])
Attempt to get a listing of local system or domain accounts in the compromised system (Account Discovery [T1087])
Obtain a list of network connections to and from the compromised system or remote system by querying for information over the network (System Network Connections Discovery [T1049])

Lateral Movement

To access a compromised financial institution’s SWIFT terminal and the server hosting the institution’s payment switch application, the BeagleBoyz leverage harvested credentials and take advantage of the accessibility of these critical systems from other systems in the institution’s corporate network. Specifically, the BeagleBoyz have been known to create firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443. Depending on the configuration of compromised systems and the security environment of the victim’s computer network, the BeagleBoyz have used the following techniques to enter and control remote systems on a compromised network (Lateral Movement [TA0008]).

Copy files from one system to another to stage adversary tools or other files throughout an operation (Ingress Tool Transfer [T1105])
Use Remote Desktop Protocol (RDP) to log into an interactive session with a system desktop GUI on a remote system (Remote Services: Remote Desktop Protocol [T1021.001])
Employ hidden network shares, in conjunction with administrator-level valid accounts, to remotely access a networked system over Server Message Block (SMB) in order to interact with systems using remote procedure calls (RPCs), transfer files, and run transferred binaries through remote execution (Remote Services: SMB/Windows Admin Shares [T1021.002])
Exploit valid accounts to log into a service specifically designed to accept remote connections and perform actions as the logged-on user (Remote Services [T1021])

Collection

Depending on various environmental attributes the BeagleBoyz encounter during their exploitation, they may deploy a variety of reconnaissance tools or use commonly available administrative tools for malicious purposes.

The BeagleBoyz, like other sophisticated cyber actors, also appear to use resident, legitimate administrative tools for reconnaissance purposes when they are available; this is commonly known as “living off the land.” PowerShell appears to be a popular otherwise-legitimate tool the BeagleBoyz favor for reconnaissance activities. For example, the BeagleBoyz often use publicly available code from PowerShell Empire for malicious purposes.

The BeagleBoyz have used the following techniques to gather information from exploited systems (Collection [TA0009]).

Use automated methods, such as scripts, for collecting data (Automated Collection [T1119])
Capture user input to obtain credentials and collect information (Input Capture [T1056])
Collect local systems data from a compromised system (Data from Local System [T1005])
Take screen captures of the desktop (Screen Capture [T1113])
Collect data stored in the Windows clipboard from users (Clipboard Data [T1115])

Command and Control

The BeagleBoyz likely change tools—such as CROWDEDFLOUNDER and HOPLIGHT—over time to maintain remote access to financial institution networks and to interact with those systems.

Analysis of the following CROWDEDFLOUNDER samples was first released in October 2018 as part of the FASTCash campaign.

MD5 hash: 5cfa1c2cb430bec721063e3e2d144feb MD5 hash: 4f67f3e4a7509af1b2b1c6180a03b3e4

The BeagleBoyz have used CROWDEDFLOUNDER as a remote access trojan (RAT) since at least 2018. The implant is designed to operate on Microsoft Windows hosts and can upload and download files, launch a remote command shell, inject into victim processes, obtain user and host information, and securely delete files. The implant may be packed with Themida to degrade or prevent effective reverse engineering or evade detection on a Windows host. It can be set to act in beacon or listening modes, depending on command line arguments or configuration specifications. The implant obfuscates network communications using a simple encoding algorithm. The listening mode of CROWDEDFLOUNDER facilitates proxies like ELECTRICFISH (discussed below) with tunneling traffic in a victim’s network.

More recently, the U.S. Government has found HOPLIGHT malware on victim systems, suggesting the BeagleBoyz are using HOPLIGHT for similar purposes. HOPLIGHT has the same basic RAT functionality as the CROWDEDFLOUNDER implant. In addition, HOPLIGHT has the capability to create fraudulent Transport Layer Security (TLS) sessions to obfuscate command and control (C2) connections, making detection and tracking of the malware’s communications difficult.

Full technical reports for CROWDEDFLOUNDER and HOPLIGHT are available at https://us-cert.cisa.gov/northkorea.

The BeagleBoyz use network proxy tunneling tools—including VIVACIOUSGIFT and ELECTRICFISH—to tunnel communications from non-internet facing systems like an ATM switch application server or a SWIFT terminal to internet-facing systems. The BeagleBoyz use these network proxy tunneling tools, likely placed at or near a victim’s network boundary, to tunnel other protocols such as RDP and Secure Shell or other implant traffic out from the internal network.

It appears that as the BeagleBoyz change proxy tools, there is some overlap between their use of older and newer malware. For example, the BeagleBoyz appear to have begun using ELECTRICFISH as they wound down use of VIVACIOUSGIFT. There has been a noticeable decline in ELECTRICFISH use following the U.S. Government’s disclosure of it in May 2019.

Full technical reports for VIVACIOUSGIFT and ELECTRICFISH are available at https://us-cert.cisa.gov/northkorea.

In addition to these tools, the BeagleBoyz have used the following techniques to communicate with financial institution victim systems under their control (Command and Control [TA0011]).

Employ known encryption algorithms to conceal C2 traffic (Encrypted Channel [T1573])
Communicate over commonly used standard application layer protocols and ports to avoid detection or detailed inspection and to blend with existing traffic (Application Layer Protocol [T1071])
Encode C2 information using standard data encoding systems such as the American Standard Code for Information Interchange (ASCII), Unicode, Base64, Multipurpose Internet Mail Extensions, and 8-bit Unicode Transformation Format systems or other binary-to-text and character encoding systems (Data Encoding: Standard Encoding [T1132.001])
Copy files between systems to stage adversary tools or other files (Ingress Transfer Tool [T1105])
Use external previously compromised web services to relay commands to victim systems (Web Service [T1102])
Employ a custom C2 protocol that mimics well-known protocols, or develop custom protocols (including raw sockets) to supplement protocols provided by another standard network stack (Non-Application Layer Protocol [T1095])
Obfuscate C2 communications (but not necessarily encrypt them) to hide commands and make the content less conspicuous and more challenging to discover or decipher (Data Obfuscation [T1101])
Employ connection proxies to direct network traffic between systems, act as an intermediary for network communications to a C2 server, or avoid direct connections to its infrastructure (Proxy [T1090])
Exploit legitimate desktop support and remote access software to establish an interactive C2 channel to target systems within networks (Remote Access Software [T1219])

Cryptocurrency Exchange Heists

In addition to robbing traditional financial institutions, the BeagleBoyz target cryptocurrency exchanges to steal large amounts of cryptocurrency, sometimes valued at hundreds of millions of dollars per incident. Cryptocurrency offers the BeagleBoyz an irreversible method of theft that can be converted into fiat currency because the permanent nature of cryptocurrency transfers do not allow for claw-back mechanisms. Working with U.S. Government partners, CISA, Treasury, FBI, and USCYBERCOM identified COPPERHEDGE as the tool of choice for the BeagleBoyz to exploit cryptocurrency exchanges. COPPERHEDGE is a full-featured remote access tool capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data. Full technical analysis of COPPERHEDGE is available at https://us-cert.cisa.gov/northkorea.

Exfiltration

During a cyber operation, the BeagleBoyz need to exfiltrate a variety of data from compromised systems. In addition to the C2 tools noted that have built-in exfiltration features, such as CROWDEDFLOUNDER and HOPLIGHT, the BeagleBoyz use the following techniques to steal data from a network (Exfiltration [TA0010]).

Compress and encrypt collected data before exfiltration to minimize the amount of data sent over the web and make it portable, less conspicuous, and less detectable (Archive Collected Data [T1560])
Steal collected data via scripts (although this may require other exfiltration techniques) (Automated Exfiltration [T1020])
Encode data using the same protocol as the C2 channel and exfiltrate it over the C2 channel (Exfiltration Over C2 Channel [T1041])

Impact

The U.S. Government has observed the BeagleBoyz successfully monetize illicit access to financial institutions’ SWIFT terminals to enable wire fraud and gain access to the institutions’ payment switch application servers, which allowed fraudulent ATM cash outs. After gaining access to either one or both of these operationally critical systems, the BeagleBoyz monitor the systems to learn about their configurations and legitimate use patterns, and then they deploy bespoke tools to facilitate illicit monetization.

The cybersecurity community and Financial Services sector have released substantial information on the BeagleBoyz manipulation of compromised SWIFT terminals, describing their ability to monitor these systems, send fraudulent messages, and attempt to hide the fraudulent activity from detection. The discussion below focuses on the custom tools used to manipulate payment switch applications for ATM cash outs.

The BeagleBoyz use FASTCash malware to intercept financial request messages and reply with fraudulent but legitimate-looking affirmative response messages in the ISO 8583 format. The BeagleBoyz have functionally equivalent FASTCash malware for both UNIX and Windows that they deploy depending on the operating system running on the server hosting the bank’s payment switch application.

FASTCash for UNIX is composed of AIX executable files designed to inject code and libraries into a currently running process. One AIX executable provides export functions, which allows an application to manipulate transactions on financial systems using the ISO 8583 international standard for financial transaction card-originated interchange messaging. The injected executables interpret financial request messages and construct fraudulent financial response messages. For more details on FASTCash for UNIX malware, please see the FASTCash report at https://www.us-cert.gov/ncas/alerts/TA18-275A.

The BeagleBoyz use FASTCash for Windows to manipulate transactions processed by a switch application running on a Windows box. FASTCash for Windows is also specific to the ISO 8583 message format. The BeagleBoyz appear to have modified publicly available source code to write parts of the tool, likely to speed development. The malware contains code probably taken from open-source repositories on the internet to create hashmaps and hook functions and to parse ISO 8583 messages.

FASTCash for Windows injects itself into software running on a Windows platform. The malware then takes control of the software’s network send and receive functions, allowing it to manipulate ISO 8583 messages. The U.S. Government has identified two variants of FASTCash for Windows. One variant supports ASCII encoding. The BeagleBoyz appear to have modified the second variant’s message parsing code to support Extended Binary Coded Decimal Interchange Code (EBCIDC) encoding. Both ASCII and EBCDIC are character encoding formats.

FASTCash for Windows malware uses code from github.com/petewarden/c_hashmap for hashmaps, code from Microsoft's Detours Library at github.com/Microsoft/Detours for hooking, and code from to parse ISO 8583 messages.

The malware hooks onto the send and receive function of the switch application so that it can process inbound request messages as they are received. FASTCash for Windows inspects the inbound message, probably looking for specific account numbers. If the account number matches an expected number, the malware constructs a fraudulent response message. If the account number does not match an expected number, the malware allows the request to pass through normally. If the malware constructs a fraudulent response message, it then sends it back to the acquirer without any further processing by the switch application, leaving the issuer without any awareness of the fraudulent transaction.

Full technical reports for FASTCash and FASTCash for Windows malware are available at https://us-cert.cisa.gov/northkorea.

The BeagleBoyz have used the following techniques to manipulate business and operational processes for monetary or destructive purposes (Impact [TA0040]).

Corrupt or wipe data storage, data structures, and Master Boot Records (MBR) to interrupt network availability, services, and resources (Disk Wipe: Disk Structure Wipe [T1561.002], Data Destruction [T1485])
Encrypt data on target systems and withhold access to the decryption key until a ransom is paid, or render data permanently inaccessible if the ransom is not paid (Data Encrypted for Impact [T1486])
Stop, disable, or render services unavailable on a system to damage the environment or inhibit incident response (Service Stop [T1489])
Insert, delete, or modify data at rest, in transit, or in use to manipulate outcomes, hide activity, and affect the business process, organizational understanding, and decision-making (Data Manipulation: Stored Data Manipulation [T1565.001], Data Manipulation: Transmitted Data Manipulation [T1565.002], Data Manipulation: Runtime Data Manipulation [T1565.003])

Mitigations

Contact law enforcement, CISA, or Treasury immediately regarding any identified activity related to BeagleBoyz. (Refer to the Contact Information section.)
Incorporate IOCs identified in CISA’s Malware Analysis Reports on https://us-cert.cisa.gov/northkorea into intrusion detection systems and security alert systems to enable active blocking or reporting of suspected malicious activity.

Recommendations for all Financial Institutions

Verify compliance with Federal Financial Institutions Examination Council (FFIEC) handbooks, especially those related to Information Security and Payment Systems.
- https://ithandbook.ffiec.gov/
Verify compliance with industry security standards for critical systems, such as those available at:
- https://www.pcisecuritystandards.org
- https://www.swift.com/myswift/customer-security-programme-csp/swift-customer-security-controls-framework

Recommendations for Institutions with Retail Payment Systems

Require chip and personal identification number (PIN) cryptogram validation.

Implement chip and PIN requirements for debit cards.
Validate card-generated authorization request cryptograms.
Use issuer-generated authorization response cryptograms for response messages.
Require card-generated authorization response cryptogram validation to verify legitimate response messages.

Isolate payment system infrastructure.

Require multi-factor authentication for any user to access the switch application server.
Confirm perimeter security controls prevent internet hosts from accessing the private network infrastructure servicing your payment switch application server.
Confirm perimeter security controls prevent all hosts outside of authorized endpoints from accessing your system, especially if your payment switch application server is internet accessible.

Logically segregate your operating environment.

Use firewalls to divide your operating environment into enclaves.
Use access control lists to permit/deny specific traffic from flowing between those enclaves.
Give special considerations to segregating enclaves holding sensitive information (e.g., card management systems) from enclaves requiring internet connectivity (e.g., email).

Encrypt data in transit.

Secure all links to payment system engines with a certificate-based mechanism, such as Mutual Transport Layer Security, for all external and internal traffic external.
Limit the number of certificates that can be used on the production server and restrict access to those certificates.

Monitor for anomalous behavior as part of layered security.

Configure the switch application server to log transactions and routinely audit transaction and system logs.
Develop a baseline of expected software, users, and logons and monitor switch application servers for unusual software installations, updates, account changes, or other activities outside of expected behavior.
Develop a baseline of expected transaction participants, amounts, frequency, and timing. Monitor and flag anomalous transactions for suspected fraudulent activity.

Recommendations for Organizations with ATM or Point of Sale Devices

Validate issuer responses to financial request messages.

Implement chip and PIN requirements for debit cards.
Require and verify message authentication codes on issuer financial request response messages.
Perform authorization response cryptogram validation for chip and PIN transactions.

Recommendations for All Organizations

Users and administrators should use the following best practices to strengthen the security posture of their organization’s systems:

Maintain up-to-date antivirus signatures and engines.
Keep operating system patches up to date.
Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
Enforce a strong password policy and require regular password changes.
Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.
Enable a personal firewall on agency workstations and configure it to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
Monitor users' web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
Scan all software downloaded from the internet before executing.
Maintain situational awareness of the latest threats.
Implement appropriate access control lists.

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.

Contact Information

Recipients of this report are encouraged to contribute any additional information that they may have related to this threat.

For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:

CISA (888-282-0870 or Central@cisa.dhs.gov),
The FBI through the FBI Cyber Division (855-292-3937 or CyWatch@fbi.gov) or a local field office, or
Treasury Office of Cybersecurity and Critical Infrastructure Protection (Treasury OCCIP) (202-622-3000 or OCCIP-Coord@treasury.gov).

DISCLAIMER

This information is provided "as is" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information.

The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.

Revisions

August 26, 2020: Initial Version
September 3, 2020: Updated PDF template

This product is provided subject to this Notification and this Privacy & Use policy.

AA20-227A: Phishing Emails Used to Deploy KONNI Malware
Original release date: August 14, 2020

Summary

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.

The Cybersecurity and Infrastructure Security Agency (CISA) has observed cyber actors using emails containing a Microsoft Word document with a malicious Visual Basic Application (VBA) macro code to deploy KONNI malware. KONNI is a remote administration tool (RAT) used by malicious cyber actors to steal files, capture keystrokes, take screenshots, and execute arbitrary code on infected hosts.

Technical Details

KONNI malware is often delivered via phishing emails as a Microsoft Word document with a malicious VBA macro code (Phishing: Spearphising Attachment [T1566.001]). The malicious code can change the font color from light grey to black (to fool the user to enable content), check if the Windows operating system is a 32-bit or 64-bit version, and construct and execute the command line to download additional files (Command and Scripting Interpreter: Windows Command Shell [T1059.003]).

Once the VBA macro constructs the command line, it uses the certificate database tool CertUtil to download remote files from a given Uniform Resource Locator. It also incorporates a built-in function to decode base64-encoded files. The Command Prompt silently copies certutil.exe into a temp directory and renames it to evade detection.

The cyber actor then downloads a text file from a remote resource containing a base64-encoded string that is decoded by CertUtil and saved as a batch (.BAT) file. Finally, the cyber actor deletes the text file from the temp directory and executes the .BAT file.

MITRE ATT&CK Techniques

According to MITRE, KONNI uses the ATT&CK techniques listed in table 1.

Table 1: KONNI ATT&CK techniques

Technique	Use
System Network Configuration Discovery [T1016]	KONNI can collect the Internet Protocol address from the victim’s machine.
System Owner/User Discovery [T1033]	KONNI can collect the username from the victim’s machine.
Masquerading: Match Legitimate Name or Location [T1036.005]	KONNI creates a shortcut called `Anti virus service.lnk` in an apparent attempt to masquerade as a legitimate file.
Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol [T1048.003]	KONNI has used File Transfer Protocol to exfiltrate reconnaissance data out.
Input Capture: Keylogging [T1056.001]	KONNI has the capability to perform keylogging.
Process Discovery [T1057]	KONNI has used `tasklist.exe` to get a snapshot of the current processes’ state of the target machine.
Command and Scripting Interpreter: PowerShell [T1059.001]	KONNI used PowerShell to download and execute a specific 64-bit version of the malware.
Command and Scripting Interpreter: Windows Command Shell [T1059.003]	KONNI has used `cmd.exe` to execute arbitrary commands on the infected host across different stages of the infection change.
Indicator Removal on Host: File Deletion [T1070.004]	KONNI can delete files.
Application Layer Protocol: Web Protocols [T1071.001]	KONNI has used Hypertext Transfer Protocol for command and control.
System Information Discovery [T1082]	KONNI can gather the operating system version, architecture information, connected drives, hostname, and computer name from the victim’s machine and has used `systeminfo.exe` to get a snapshot of the current system state of the target machine.
File and Directory Discovery [T1083]	A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.
Ingress Tool Transfer [T1105]	KONNI can download files and execute them on the victim’s machine.
Modify Registry [T1112]	KONNI has modified registry keys of ComSysApp service and Svchost on the machine to gain persistence.
Screen Capture [T1113]	KONNI can take screenshots of the victim’s machine.
Clipboard Data [T1115]	KONNI had a feature to steal data from the clipboard.
Data Encoding: Standard Encoding [T1132.001]	KONNI has used a custom base64 key to encode stolen data before exfiltration.
Access Token Manipulation: Create Process with Token [T1134.002]	KONNI has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user.
Deobfuscate/Decode Files or Information [T1140]	KONNI has used CertUtil to download and decode base64 encoded strings.
Signed Binary Proxy Execution: Rundll32 [T1218.011]	KONNI has used Rundll32 to execute its loader for privilege escalation purposes.
Event Triggered Execution: Component Object Model Hijacking [T1546.015]	KONNI has modified ComSysApp service to load the malicious DLL payload.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]	A version of KONNI drops a Windows shortcut into the Startup folder to establish persistence.
Boot or Logon Autostart Execution: Shortcut Modification [T1547.009]	A version of KONNI drops a Windows shortcut on the victim’s machine to establish persistence.
Abuse Elevation Control Mechanism: Bypass User Access Control [T1548.002]	KONNI bypassed User Account Control with the "AlwaysNotify" settings.
Credentials from Password Stores: Credentials from Web Browsers [T1555.003]	KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.

Detection

Signatures

CISA developed the following Snort signatures for use in detecting KONNI malware exploits.

alert tcp any any -> any $HTTP_PORTS (msg:"HTTP URI contains '/weget/*.php' (KONNI)"; sid:1; rev:1; flow:established,to_server; content:"/weget/"; http_uri; depth:7; offset:0; fast_pattern; content:".php"; http_uri; distance:0; within:12; content:!"Referrer|3a 20|"; http_header; classtype:http-uri; priority:2; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"KONNI:HTTP header contains 'User-Agent|3a 20|HTTP|0d 0a|'"; sid:1; rev:1; flow:established,to_server; content:"User-Agent|3a 20|HTTP|0d 0a|"; http_header; fast_pattern:only; content:"POST"; nocase; http_method; classtype:http-header; priority:2; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg:"KONNI:HTTP URI contains '/weget/(upload|uploadtm|download)'"; sid:1; rev:1; flow:established,to_server; content:"/weget/"; http_uri; fast_pattern:only; pcre:"/^\/weget\x2f(?:upload|uploadtm|download)\.php/iU"; content:"POST"; http_method; classtype:http-uri; priority:2; reference:url,blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html; metadata:service http;)

Mitigations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

Maintain up-to-date antivirus signatures and engines. See Protecting Against Malicious Code.
Keep operating system patches up to date. See Understanding Patches and Software Updates.
Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
Enforce a strong password policy. See Choosing and Protecting Passwords.
Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
Monitor users' web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
Scan all software downloaded from the internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate access control lists.
Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.

For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, "Guide to Malware Incident Prevention and Handling for Desktops and Laptops."

Resources

Revisions

August 14, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

AA20-225A: Malicious Cyber Actor Spoofing COVID-19 Loan Relief Webpage via Phishing Emails
Original release date: August 12, 2020 | Last revised: August 14, 2020

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) is currently tracking an unknown malicious cyber actor who is spoofing the Small Business Administration (SBA) COVID-19 loan relief webpage via phishing emails. These emails include a malicious link to the spoofed SBA website that the cyber actor is using for malicious re-directs and credential stealing.

Technical Details

CISA analysts observed an unknown malicious cyber actor sending a phishing email to various Federal Civilian Executive Branch and state, local, tribal, and territorial government recipients. The phishing email contains:

A subject line, SBA Application – Review and Proceed
A sender, marked as disastercustomerservice@sba[.]gov
Text in the email body urging the recipient to click on a hyperlink to address:
hxxps://leanproconsulting[.]com.br/gov/covid19relief/sba.gov
The domain resolves to IP address: 162.214.104[.]246

Figure 1 is a screenshot of the webpage arrived at by clicking on the hyperlink.

Figure 1: Webpage arrived at via malicious hyperlink.

Mitigations

CISA recommends using the following best practices to strengthen the security posture of an organization's systems. System owners and administrators should review any configuration change prior to implementation to avoid unwanted impacts.

Include warning banners for all emails external to the organization.
Maintain up-to-date antivirus signatures and engines. See Protecting Against Malicious Code.
Ensure systems have the latest security updates. See Understanding Patches and Software Updates.
Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Restrict users' permissions to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
Enforce a strong password policy. See Choosing and Protecting Passwords.
Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
Enable a personal firewall on agency workstations that is configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
Monitor users' web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
Scan all software downloaded from the internet prior to executing.
Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs). Sign up to receive CISA’s alerts on security topics and threats.
Sign up for CISA’s free vulnerability scanning and testing services to help organizations secure internet-facing systems from weak configuration and known vulnerabilities. Email vulnerability_info@cisa.dhs.gov to sign up. See https://www.cisa.gov/cyber-resource-hub for more information about vulnerability scanning and other CISA cybersecurity assessment services.

Resources

Revisions

August 12, 2020: Initial Version
August 14, 2020: Removed some IOCs

This product is provided subject to this Notification and this Privacy & Use policy.

AA20-209A: Potential Legacy Risk from Malware Targeting QNAP NAS Devices
Original release date: July 27, 2020 | Last revised: August 6, 2020

Summary

This is a joint alert from the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).

CISA and NCSC are investigating a strain of malware known as QSnatch, which attackers used in late 2019 to target Network Attached Storage (NAS) devices manufactured by the firm QNAP.

All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes. The malware, documented in open-source reports, has infected thousands of devices worldwide with a particularly high number of infections in North America and Europe. Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates.

This alert summarizes the findings of CISA and NCSC analysis and provides mitigation advice.

Click here for a PDF version of this report from NCSC.

For a downloadable copy of IOCs, see STIX file.

Technical Details

Campaigns

CISA and NCSC have identified two campaigns of activity for QSnatch malware. The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019. The two campaigns are distinguished by the initial payload used as well as some differences in capabilities. This alert focuses on the second campaign as it is the most recent threat.

It is important to note that infrastructure used by the malicious cyber actors in both campaigns is not currently active, but the threat remains to unpatched devices.

Although the identities and objectives of the malicious cyber actors using QSnatch are currently unknown, the malware is relatively sophisticated, and the cyber actors demonstrate an awareness of operational security.

Global distribution of infections

Analysis shows a significant number of infected devices. In mid-June 2020, there were approximately 62,000 infected devices worldwide; of these, approximately 7,600 were in the United States and 3,900 were in the United Kingdom. Figure 1 below shows the location of these devices in broad geographic terms.

Figure 1: Locations of QNAP NAS devices infected by QSnatch

Delivery and exploitation

The infection vector has not been identified, but QSnatch appears to be injected into the device firmware during the infection stage, with the malicious code subsequently run within the device, compromising it. The attacker then uses a domain generation algorithm (DGA)—to establish a command and control (C2) channel that periodically generates multiple domain names for use in C2 communications—using the following HTTP GET request:

HTTP GET https://[generated-address]/qnap_firmware.xml?=t[timestamp][1]

Malware functionalities

Analysis shows that QSnatch malware contains multiple functionalities, such as:

CGI password logger
- This installs a fake version of the device admin login page, logging successful authentications and passing them to the legitimate login page.
Credential scraper
SSH backdoor
- This allows the cyber actor to execute arbitrary code on a device.
Exfiltration
- When run, QSnatch steals a predetermined list of files, which includes system configurations and log files. These are encrypted with the actor’s public key and sent to their infrastructure over HTTPS.
Webshell functionality for remote access

Persistence

The malware appears to gain persistence by preventing updates from installing on the infected QNAP device. The attacker modifies the system host’s file, redirecting core domain names used by the NAS to local out-of-date versions so updates can never be installed.

Samples

The following tables provide hashes of related QSnatch samples found in open-source malware repositories. File types fall into two buckets: (1) shell scripts (see table 1) and (2) shell script compiler (SHC)-compiled executable and linking format (ELF) shell scripts (see table 2). One notable point is that some samples intentionally patch the infected QNAP for Samba remote code execution vulnerability CVE-2017-7494.

Table 1: QSnatch samples – shell scripts

SH Samples (SHA256)
09ab3031796bea1b8b79fcfd2b86dac8f38b1f95f0fce6bd2590361f6dcd6764
3c38e7bb004b000bd90ad94446437096f46140292a138bfc9f7e44dc136bac8d
8fd16e639f99cdaa7a2b730fc9af34a203c41fb353eaa250a536a09caf78253b
473c5df2617cee5a1f73880c2d66ad9668eeb2e6c0c86a2e9e33757976391d1a
55b5671876f463f2f75db423b188a1d478a466c5e68e6f9d4f340396f6558b9f
9526ccdeb9bf7cfd9b34d290bdb49ab6a6acefc17bff0e85d9ebb46cca8b9dc2
4b514278a3ad03f5efb9488f41585458c7d42d0028e48f6e45c944047f3a15e9
fa3c2f8e3309ee67e7684abc6602eea0d1d18d5d799a266209ce594947269346
18a4f2e7847a2c4e3c9a949cc610044bde319184ef1f4d23a8053e5087ab641b
9791c5f567838f1705bd46e880e38e21e9f3400c353c2bf55a9fa9f130f3f077
a569332b52d484f40b910f2f0763b13c085c7d93dcdc7fea0aeb3a3e3366ba5d
a9364f3faffa71acb51b7035738cbd5e7438721b9d2be120e46b5fd3b23c6c18
62426146b8fcaeaf6abb24d42543c6374b5f51e06c32206ccb9042350b832ea8
5cb5dce0a1e03fc4d3ffc831e4a356bce80e928423b374fc80ee997e7c62d3f8
5130282cdb4e371b5b9257e6c992fb7c11243b2511a6d4185eafc0faa0e0a3a6
15892206207fdef1a60af17684ea18bcaa5434a1c7bdca55f460bb69abec0bdc
3cb052a7da6cda9609c32b5bafa11b76c2bb0f74b61277fecf464d3c0baeac0e
13f3ea4783a6c8d5ec0b0d342dcdd0de668694b9c1b533ce640ae4571fdbf63c

Table 2: QSnatch samples – SHC-compiled ELF shell scripts

SH Samples (SHA256)
18a4f2e7847a2c4e3c9a949cc610044bde319184ef1f4d23a8053e5087ab641b
3615f0019e9a64a78ccb57faa99380db0b36146ec62df768361bca2d9a5c27f2
845759bb54b992a6abcbca4af9662e94794b8d7c87063387b05034ce779f7d52
6e0f793025537edf285c5749b3fcd83a689db0f1c697abe70561399938380f89

Mitigations

As stated above, once a device has been infected, attackers have been known to make it impossible for administrators to successfully run the needed firmware updates. This makes it extremely important for organizations to ensure their devices have not been previously compromised. Organizations that are still running a vulnerable version should take the following steps to ensure the device is not left vulnerable:

Scan the device with the latest version of Malware Remover, available in QNAP App Center, to detect and remove QSnatch or other malware.
- If the installation via App Center fails, manually install Malware Remover following this QNAP tutorial, or contact QNAP Technical Support for further assistance.
Run a full factory reset on the device.
Update the firmware to the latest version.

The usual checks to ensure that the latest updates are installed still apply. To prevent reinfection, this recommendation also applies to devices previously infected with QSnatch but from which the malware has been removed.

To prevent QSnatch malware infections, CISA and NCSC strongly recommend that organizations take the recommended measures in QNAP’s November 2019 advisory.[2]

CISA and NCSC also recommend organizations consider the following mitigations:

Verify that you purchased QNAP devices from reputable sources.
- If sources are in question then, in accordance with the instructions above, scan the device with the latest version of the Malware Remover and run a full factory reset on the device prior to completing the firmware upgrade. For additional supply chain recommendations, see CISA’s tip on Securing Network Infrastructure Devices.
Block external connections when the device is intended to be used strictly for internal storage.

References

Revisions

July 27, 2020: Initial Version
August 4, 2020: Updated Mitigations section
August 6, 2020: Updated Mitigations section

This product is provided subject to this Notification and this Privacy & Use policy.

AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902
Original release date: July 24, 2020

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this alert in response to recently disclosed exploits that target F5 BIG-IP devices that are vulnerable to CVE-2020-5902. F5 Networks, Inc. (F5) released a patch for CVE-2020-5902 on June 30, 2020.[1] Unpatched F5 BIG-IP devices are an attractive target for malicious actors. Affected organizations that have not applied the patch to fix this critical remote code execution (RCE) vulnerability risk an attacker exploiting CVE-2020-5902 to take control of their system. Note: F5’s security advisory for CVE-2020-5902 states that there is a high probability that any remaining unpatched devices are likely already compromised.

CISA expects to see continued attacks exploiting unpatched F5 BIG-IP devices and strongly urges users and administrators to upgrade their software to the fixed versions. CISA also advises that administrators deploy the signature included in this Alert to help them determine whether their systems have been compromised.

This Alert also provides additional detection measures and mitigations for victim organizations to help recover from attacks resulting from CVE-2020-5902. CISA encourages administrators to remain aware of the ramifications of exploitation and to use the recommendations in this alert to help secure their organization’s systems against attack.

Background

CISA has conducted incident response engagements at U.S. Government and commercial entities where malicious cyber threat actors have exploited CVE-2020-5902—an RCE vulnerability in the BIG-IP Traffic Management User Interface (TMUI)—to take control of victim systems. On June 30, F5 disclosed CVE-2020-5902, stating that it allows attackers to, “execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.”

On July 4, open-source reporting indicated a proof-of-concept code was available and threat actors were exploiting the vulnerability by attempting to steal credentials. On July 5, security researchers posted exploits that would allow threat actors to exfiltrate data or execute commands on vulnerable devices. The risk posed by the vulnerability is critical.

Technical Details

CISA has observed scanning and reconnaissance, as well as confirmed compromises, within a few days of F5’s patch release for this vulnerability. As early as July 6, 2020, CISA has seen broad scanning activity for the presence of this vulnerability across federal departments and agencies—this activity is currently occurring as of the publication of this Alert.

CISA has been working with several entities across multiple sectors to investigate potential compromises relating to this vulnerability. CISA has confirmed two compromises and is continuing to investigate. CISA will update this Alert with any additional actionable information.

Detection Methods

CISA recommends administrators see the F5 Security Advisory K52145254 for indicators of compromise and F5’s CVE-2020-5902 IoC Detection Tool.[2] CISA also recommends organizations complete the following actions in conducting their hunt for this exploit:

Quarantine or take offline potentially affected systems
Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections
Deploy the following CISA-created Snort signature to detect malicious activity:

alert tcp any any -> any $HTTP_PORTS (msg:"BIG-IP:HTTP URI GET contains '/tmui/login.jsp/..|3b|/tmui/':CVE-2020-5902"; sid:1; rev:1; flow:established,to_server; content:"/tmui/login.jsp/..|3b|/tmui/"; http_uri; fast_pattern:only; content:"GET"; nocase; http_method; priority:2; reference:url,github.com/yassineaboukir/CVE-2020-5902; reference:cve,2020-5902; metadata:service http;)

Mitigations

CISA strongly urges organizations that have not yet done so to upgrade their BIG-IP software to the corresponding patches for CVE-2020-5902. If organizations detect evidence of CVE-2020-5902 exploitation after patching and applying the detection measures in this alert, CISA recommends taking immediate action to reconstitute affected systems.

Should an organization’s IT security personnel discover system compromise, CISA recommends they:

Reimage compromised hosts
Provision new account credentials
Limit access to the management interface to the fullest extent possible
Implement network segmentation
- Note: network segmentation is a very effective security mechanism to help prevent an intruder from propagating exploits or laterally moving within an internal network. Segregation separates network segments based on role and functionality. A securely segregated network can limit the spread of malicious occurrences, reducing the impact from intruders that gain a foothold somewhere inside the network.

Contact Information

Recipients of this report are encouraged to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at

Phone: (888) 282-0870
Email: CISAServiceDesk@cisa.dhs.gov

References

Revisions

July 24, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

AA20-205A: NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems
Original release date: July 23, 2020

Summary

Note: This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise and ATT&CK for Industrial Control Systems frameworks for all referenced threat actor techniques and mitigations.

Over recent months, cyber actors have demonstrated their continued willingness to conduct malicious cyber activity against critical infrastructure (CI) by exploiting internet-accessible operational technology (OT) assets.[1] Due to the increase in adversary capabilities and activity, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression. OT assets are critical to the Department of Defense (DoD) mission and underpin essential National Security Systems (NSS) and services, as well as the Defense Industrial Base (DIB) and other critical infrastructure. At this time of heightened tensions, it is critical that asset owners and operators of critical infrastructure take the following immediate steps to ensure resilience and safety of U.S. systems should a time of crisis emerge in the near term. The National Security Agency (NSA) along with the Cybersecurity and Infrastructure Security Agency (CISA) recommend that all DoD, NSS, DIB, and U.S. critical infrastructure facilities take immediate actions to secure their OT assets.

Internet-accessible OT assets are becoming more prevalent across the 16 U.S. CI sectors as companies increase remote operations and monitoring, accommodate a decentralized workforce, and expand outsourcing of key skill areas such as instrumentation and control, OT asset management/maintenance, and in some cases, process operations and maintenance. Legacy OT assets that were not designed to defend against malicious cyber activities, combined with readily available information that identifies OT assets connected via the internet (e.g., Shodan,[2] Kamerka [3]), are creating a “perfect storm” of 1) easy access to unsecured assets, 2) use of common, open-source information about devices, and 3) an extensive list of exploits deployable via common exploit frameworks [4] (e.g., Metasploit,[5] Core Impact,[6] and Immunity Canvas [7]). Observed cyber threat activities can be mapped to the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) for Industrial Controls Systems (ICS) framework.[8] It is important to note that while the behavior may not be technically advanced, it is still a serious threat because the potential impact to critical assets is so high.

Click here for a PDF version of this report.

Technical Details

Recently Observed Tactics, Techniques, and Procedures

Spearphishing [T1192] to obtain initial access to the organization’s information technology (IT) network before pivoting to the OT network.
Deployment of commodity ransomware to Encrypt Data for Impact [T1486] on both networks.
Connecting to Internet Accessible PLCs [T883] requiring no authentication for initial access.
Utilizing Commonly Used Ports [T885] and Standard Application Layer Protocols [T869], to communicate with controllers and download modified control logic.
Use of vendor engineering software and Program Downloads [T843].
Modifying Control Logic [T833] and Parameters [T836] on PLCs.

Impacts

Impacting a Loss of Availability [T826] on the OT network.
Partial Loss of View [T829] for human operators.
Resulting in Loss of Productivity and Revenue [T828].
Adversary Manipulation of Control [T831] and disruption to physical processes.

Mitigations

Have a Resilience Plan for OT

Since the Ukraine cyberattack of 2015 organizations must assume in their planning of not only a malfunctioning or inoperative control system, but a control system that is actively acting contrary to the safe and reliable operation of the process. Organizations need an OT resilience plan that allows them to:

Immediately disconnect systems from the Internet that do not need internet connectivity for safe and reliable operations. Ensure that compensating controls are in place where connectivity cannot be removed.
Plan for continued manual process operations should the ICS become unavailable or need to be deactivated due to hostile takeover.
Remove additional functionality that could induce risk and attack surface area.
Identify system and operational dependencies.
Restore OT devices and services in a timely manner. Assign roles and responsibilities for OT network and device restoration.
Backup “gold copy” resources, such as firmware, software, ladder logic, service contracts, product licenses, product keys, and configuration information. Verify that all “gold copy” resources are stored off-network and store at least one copy in a locked tamperproof environment (e.g., locked safe).
Test and validate data backups and processes in the event of data loss due to malicious cyber activity.

Exercise your Incident Response Plan

In a state of heightened tensions and additional risk and exposure, it is critical to have a well-exercised incident response plan that is developed before an incident.

Conduct a tabletop exercise, including executive personnel, to test your existing incident response plan.
Be sure to include your public affairs and legal teams in your exercise in addition to your IT, OT, and executive management.
Discuss key decisions points in the response plan and identify who has the authority to make key decisions under what circumstances.
Ensure your plan takes into account a scenario inclusive of the TTPs above and where the control system is actively operating counter to safe and reliable operations.
Partner with third parties for support. Review service contracts and government services for emergency incident response and recovery support.

Harden Your Network

Remote connectivity to OT networks and devices provides a known path that can be exploited by cyber actors. External exposure should be reduced as much as possible.
Remove access from networks, such as non-U.S. IP addresses, if applicable, that do not have legitimate business reasons to communicate with the system.
Use publicly available tools, such as Shodan, to discover internet-accessible OT devices. Take corrective actions to eliminate or mitigate internet-accessible connections immediately. Best practices include:
- Fully patch all Internet-accessible systems.
- Segment networks to protect PLCs and workstations from direct exposure to the internet. Implement secure network architectures utilizing demilitarized zones (DMZs), firewalls, jump servers, and/or one-way communication diodes.
- Ensure all communications to remote devices use a virtual private network (VPN) with strong encryption further secured with multifactor authentication.
- Check and validate the legitimate business need for such access.
- Filter network traffic to only allow IP addresses that are known to need access, and use geo-blocking where appropriate.
- Connect remote PLCs and workstations to network intrusion detection systems where feasible.
- Capture and review access logs from these systems.
- Encrypt network traffic preferably using NIAP-validated VPN products and/or CNSSP- or NIST-approved algorithms when supported by OT system components to prevent sniffing and man-in-the-middle tactics. Available at: https://niap-ccevs.org.
Use the validated inventory to investigate which OT devices are internet-accessible.
Use the validated inventory to identify OT devices that connect to business, telecommunications, or wireless networks.
Secure all required and approved remote access and user accounts.
- Prohibit the use of default passwords on all devices, including controllers and OT equipment.
- Remove, disable, or rename any default system accounts wherever possible, especially those with elevated privileges or remote access.
- Enforce a strong password security policy (e.g., length, complexity).
- Require users to change passwords periodically, when possible.
- Enforce or plan to implement two-factor authentication for all remote connections.
Harden or disable unnecessary features and services (e.g., discovery services, remote management services, remote desktop services, simulation, training, etc.).

Create an Accurate “As-operated” OT Network Map Immediately

An accurate and detailed OT infrastructure map provides the foundation for sustainable cyber-risk reduction.

Document and validate an accurate “as-operated” OT network map.
- Use vendor-provided tools and procedures to identify OT assets.
- Use publicly available tools, such as Wireshark,[9] NetworkMiner,[10] GRASSMARLIN,[11] and/or other passive network mapping tools.
- Physically walk down to check and verify the OT infrastructure map.
Create an asset inventory.
- Include OT devices assigned an IP address.
- Include software and firmware versions.
- Include process logic and OT programs.
- Include removable media.
- Include standby and spare equipment.
Identify all communication protocols used across the OT networks.
- Use vendor-provided tools and procedures to identify OT communications.
- Use publicly available tools, such as Wireshark,[9] NetworkMiner,[10] GRASSMARLIN,[11] and/or other passive network mapping tools.
Investigate all unauthorized OT communications.
Catalog all external connections to and from the OT networks.
- Include all business, vendor, and other remote access connections.
- Review service contracts to identify all remote connections used for third-party services.

Understand and Evaluate Cyber-risk on “As-operated” OT Assets

Informed risk awareness can be developed using a variety of readily available resources, many of which include specific guidance and mitigations.

Use the validated asset inventory to investigate and determine specific risk(s) associated with existing OT devices and OT system software.
- Vendor-specific cybersecurity and technical advisories.
- CISA Advisories [12].
- Department of Homeland Security – Cybersecurity and Infrastructure Security Agency Cyber Security Evaluation Tool [13].
- MITRE Common Vulnerabilities and Exposures (CVE) for both Information Technology and OT devices and system software [14]. Available at https://cve.mitre.org.
- National Institute of Standards and Technology – National Vulnerability Database [15]. Available at https://nvd.nist.gov.
Implement mitigations for each relevant known vulnerability, whenever possible (e.g., apply software patches, enable recommended security controls, etc.).
Audit and identify all OT network services (e.g., system discovery, alerts, reports, timings, synchronization, command, and control) that are being used.
- Use vendor provided programming and/or diagnostic tools and procedures.

Implement a Continuous and Vigilant System Monitoring Program

A vigilant monitoring program enables system anomaly detection, including many malicious cyber tactics like “living off the land” techniques within OT systems.

Log and review all authorized external access connections for misuse or unusual activity.
Monitor for unauthorized controller change attempts.
- Implement integrity checks of controller process logic against a known good baseline.
- Where possible, ensure process controllers are prevented from remaining in remote program mode while in operation.
- Lock or limit set points in control processes to reduce the consequences of unauthorized controller access.

Contact Information

CISA

CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at

1-888-282-0870 (From outside the United States: +1-703-235-8832)
CISAServiceDesk@cisa.dhs.gov

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found at http://www.us-cert.gov/.

CISA strives to make this report a valuable tool for our partners and welcomes feedback on how this publication could be improved. You can help by answering a few short questions about this report at the following URL: https://www.us-cert.gov/forms/feedback.

NSA Cybersecurity

Client Requirements / General Cybersecurity Inquiries: Cybersecurity Requirements Center, 410-854-4200, Cybersecurity_Requests@nsa.gov
Media inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov

Registered Trademarks

Shodan is a registered trademark of Shodan Limited Liability Company.
Metasploit is a registered trademark of Rapid7 Limited Liability Company.
Core Impact is a registered trademark of Help/Systems, Limited Liability Company.
Canvas is a registered trademark of Immunity Products, Limited Liability Company.
MITRE is a registered trademark of The MITRE Corporation.
ATT&CK is a registered trademark of The MITRE Corporation.
Wireshark is a registered trademark of Wireshark Foundation, Inc.

Disclaimer of Endorsement

The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

References

Revisions

July 23, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.