Cybersecurity Updates

Cisco Updates

Source: Threat Post

Cisco Warns of High-Severity Bug in Small Business Switch Lineup
A high-severity flaw allows remote, unauthenticated attackers to potentially gain administrative privileges for Cisco small business switches.

Alina Point-of-Sale Malware Spotted in Ongoing Campaign
The malware is using DNS tunneling to exfiltrate payment-card data.

EvilQuest: Inside A ‘New Class’ of Mac Malware
Mac expert Thomas Reed discusses how EvilQuest is ushering in a new class of Mac malware.

New Android Spyware Tools Emerge in Widespread Surveillance Campaign
Never-before-seen Android spyware tools have been used in a widespread APT campaign to spy on the Uyghur ethnic minority group - since 2013.

Email Sender Identity is Key to Solving the Phishing Crisis
Almost 90% of email attacks manipulate sender identity to fool recipients and initiate social engineering attacks.

Microsoft Releases Emergency Security Updates for Windows 10, Server
The patches fix two separate RCE bugs in Windows Codecs that allow hackers to exploit playback of multimedia files.

Verizon Media, PayPal, Twitter Top Bug-Bounty Rankings
Verizon Media has paid nearly $10 million to ethical hackers via HackerOne's platform.

EvilQuest Mac Ransomware Has Keylogger, Crypto Wallet-Stealing Abilities
A rare, new Mac ransomware has been discovered spreading via pirated software packages.

StrongPity APT Back with Kurdish-Aimed Watering Hole Attacks
The spy malware is being delivered via a complex infrastructure with multiple layers, in an effort to avoid analysis.

UCSF Pays $1.14M After NetWalker Ransomware Attack
UCSF has paid more than $1 million after a ransomware attack encrypted data related to "important" academic research on several servers.


New Mac Ransomware Is Even More Sinister Than It Appears
The malware known as ThiefQuest or EvilQuest also has spyware capabilities that allow it to grab passwords and credit card numbers.

Schools Already Struggled With Cybersecurity. Then Came Covid-19
A lack of dedicated funding and resources made it hard to keep data secure—and that was before classes moved almost entirely online.

How to Get Safari's New Privacy Features in Chrome and Firefox
Apple's browser is getting serious about security protections. If you can't or won't switch, don't worry: you don't have to fall behind.

Is It Legal for Cops to Force You to Unlock Your Phone?
Because the relevant Supreme Court precedents predate the smartphone era, the courts are divided on how to apply the Fifth Amendment.

Julian Assange Faces New Conspiracy Allegations
Plus: Evil Corp hacking, an anti-encryption bill, and more of the week's top security news.

An Embattled Group of Leakers Picks Up the WikiLeaks Mantle
After releasing over a million hacked law enforcement files, DDoSecrets got banned from Twitter. But it has no plans to slow down.

How Thousands of Misplaced Emails Took Over This Engineer's Inbox
Kenton Varda gets dozens of messages a day from Spanish-speakers around the world, all thanks to a Gmail address he registered 16 years ago.

Google Will Delete Your Data by Default—in 18 Months
Starting today, the search giant will make a previously opt-in auto-delete feature the norm.

Apple Pushes Back Against Ad Tracking in Safari and iOS 14
At WWDC, the company detailed a litany of privacy-friendly improvements to its software.

Anonymous Stole and Leaked a Megatrove of Police Documents
The so-called BlueLeaks collection includes internal memos, financial records, and more from over 200 state, local, and federal agencies.

What Is a Side Channel Attack?
Computers constantly give off more information than you might realize—which hackers can use to pry out their secrets.

How to Switch to Signal and Bring All your Texts With You
Thinking of boosting your SMS security by switching to Signal? These tips make sure your messages come with you—even to a new phone.

Sneaky Mac Malware Is Posing as Flash Downloads
Plus: OnlyFans pirates, a nasty Netgear bug, and more of the week's top security news.

A Report Blames ‘CIA Failures’ for the Agency's Worst Hack
A series of WikiLeaks disclosures that exposed a trove of the intelligence organization's secrets could have been avoided, a task force found.

Facebook and Twitter Want to Keep the Justice System Skewed Against Defendants
Their CEOs have pledged support for reform amid the George Floyd protests—while their lawyers are fighting to preserve law enforcement’s advantage in court.

Bot Mafias Have Wreaked Havoc in 'World of Warcraft Classic'
Blizzard has suspended or closed over 74,000 accounts in the last month, as bots have upended the game's economy.

Zoom Reverses Course and Promises End-to-End Encryption for All Users
The videoconferencing platform had previously said that only paid accounts would get the feature—a move privacy advocates roundly decried.

Body Cameras Haven't Stopped Police Brutality. Here's Why
Amid worldwide protests over racism and police violence, lawmakers are once again turning to the devices as a tool for reform.

The Russian Disinfo Operation You Never Heard About
The campaign known as Secondary Infektion appears to be a distinct effort from the meddling of the IRA and GRU—and it went undetected for years.

Ripple20 Bugs Put Hundreds of Millions of IoT Devices at Risk
The so-called Ripple20 vulnerabilities affect equipment found in data centers, power grids, and more.

Source: US-Cert

AA20-183A: Defending Against Malicious Cyber Activity Originating from Tor
Original release date: July 1, 2020


This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) and Pre-ATT&CK framework. See the ATT&CK for Enterprise and Pre-ATT&CK frameworks for referenced threat actor techniques.

This advisory—written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions from the Federal Bureau of Investigation (FBI)—highlights risks associated with Tor, along with technical details and recommendations for mitigation. Cyber threat actors can use Tor software and network infrastructure for anonymity and obfuscation purposes to clandestinely conduct malicious cyber operations.[1],[2],[3]

Tor (aka The Onion Router) is software that allows users to browse the web anonymously by encrypting and routing requests through multiple relay layers or nodes. This software is maintained by the Tor Project, a nonprofit organization that provides internet anonymity and anti-censorship tools. While Tor can be used to promote democracy and free, anonymous use of the internet, it also provides an avenue for malicious actors to conceal their activity because identity and point of origin cannot be determined for a Tor software user. Using the Onion Routing Protocol, Tor software obfuscates a user’s identity from anyone seeking to monitor online activity (e.g., nation states, surveillance organizations, information security tools). This is possible because the online activity of someone using Tor software appears to originate from the Internet Protocol (IP) address of a Tor exit node, as opposed to the IP address of the user’s computer.

CISA and the FBI recommend that organizations assess their individual risk of compromise via Tor and take appropriate mitigations to block or closely monitor inbound and outbound traffic from known Tor nodes.


Risk Evaluation

Malicious cyber actors use Tor to mask their identity when engaging in malicious cyber activity impacting the confidentiality, integrity, and availability of an organization’s information systems and data. Examples of this activity include performing reconnaissance, penetrating systems, exfiltrating and manipulating data, and taking services offline through denial-of-service attacks and delivery of ransomware payloads. Threat actors have relayed their command and control (C2) server communications—used to control systems infected with malware—through Tor, obscuring the identity (location and ownership) of those servers.

The use of Tor in this context allows threat actors to remain anonymous, making it difficult for network defenders and authorities to perform system recovery and respond to cyberattacks. Organizations that do not take steps to block or monitor Tor traffic are at heightened risk of being targeted and exploited by threat actors hiding their identity and intentions using Tor.

The risk of being the target of malicious activity routed through Tor is unique to each organization. An organization should determine its individual risk by assessing the likelihood that a threat actor will target its systems or data and the probability of the threat actor’s success given current mitigations and controls. This assessment should consider legitimate reasons that non-malicious users may prefer to, or need to, use Tor for accessing the network. Organizations should evaluate their mitigation decisions against threats to their organization from advanced persistent threats (APTs), moderately sophisticated attackers, and low-skilled individual hackers, all of whom have leveraged Tor to carry out reconnaissance and attacks in the past.

Technical Details

Tor obfuscates the source and destination of a web request. This allows users to conceal information about their activities on the web—such as their location and network usage—from the recipients of that traffic, as well as third parties who may conduct network surveillance or traffic analysis. Tor encrypts a user’s traffic and routes the traffic through at least three Tor nodes, or relays, so that the user’s starting IP address and request is masked from network and traffic observers during transit. Once the request reaches its intended destination, it exits Tor through a public Tor exit node. Anyone conducting monitoring or analysis will only see the traffic coming from the Tor exit node and will not be able to determine the original IP address of the request.


Figure 1: Malicious tactics and techniques aided by Tor, mapped to the MITRE ATT&CK framework

Malicious Tactics and Techniques Aided by Tor

Threat actors use Tor to create a layer of anonymity to conceal malicious activity at different stages of network compromise. Their tactics and techniques—illustrated in figure 1 above—include:


  • Target Selection [TA0014]
  • Technical Information Gathering [TA0015]
    • Conduct Active Scanning [T1254]
    • Conduct Passive Scanning [T1253]
    • Determine domain and IP address space [T1250]
    • Identify security defensive capabilities [T1263]
  • Technical Weakness Identification [TA0018]


Key Indicators of Malicious Activity via Tor

While Tor obfuscates a user from being identified through standard security tools, network defenders can leverage various network, endpoint, and security appliance logs to detect the use of Tor, including potentially malicious activity involving Tor, through indicator- or behavior-based analysis.

Using an indicator-based approach, network defenders can leverage security information and event management (SIEM) tools and other log analysis platforms to flag suspicious activities involving the IP addresses of Tor exit nodes. The list of Tor exit node IP addresses is actively maintained by the Tor Project’s Exit List Service, which offers both real-time query and bulk download interfaces. Organizations preferring bulk download may consider automated data ingest solutions, given the highly dynamic nature of the Tor exit list, which is updated hourly. Network defenders should closely inspect evidence of substantial transactions with Tor exit nodes—revealed in netflow, packet capture (PCAP), and web server logs—to infer the context of the activity and to discern any malicious behavior that could represent reconnaissance, exploitation, C2, or data exfiltration.

Using a behavior-based approach, network defenders can uncover suspicious Tor activity by searching for the operational patterns of Tor client software and protocols. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports commonly affiliated with Tor include 9001, 9030, 9040, 9050, 9051, and 9150. Highly structured Domain Name Service (DNS) queries for domain names ending with the suffix are another behavior exhibited by hosts running Tor software. In addition, DNS queries for domains ending in .onion are a behavior exhibited by misconfigured Tor clients, which may be attempting to beacon to malicious Tor hidden services.

Organizations should research and enable the pre-existing Tor detection and mitigation capabilities within their existing endpoint and network security solutions, as these often employ effective detection logic. Solutions such as web application firewalls, router firewalls, and host/network intrusion detection systems may already provide some level of Tor detection capability.


Organizations can implement mitigations of varying complexity and restrictiveness to reduce the risk posed by threat actors who use Tor to carry out malicious activities. However, mitigation actions can also impact the access of legitimate users who leverage Tor to protect their privacy when visiting an organization’s internet-facing assets. Organizations should evaluate their probable risk, available resources, and impact to legitimate, non-malicious, Tor users before applying mitigation actions. 

  • Most restrictive approach: Block all web traffic to and from public Tor entry and exit nodes. Organizations that wish to take a conservative or less resource-intensive approach to reduce the risk posed by threat actors’ use of Tor should implement tools that restrict all traffic—malicious and legitimate—to and from Tor entry and exit nodes. Of note, blocking known Tor nodes does not completely eliminate the threat of malicious actors using Tor for anonymity, as additional Tor network access points, or bridges, are not all listed publicly. See table 1 for the most restrictive mitigation practices.

Table 1: Most restrictive mitigation practices

Type: Baseline Activity
Level of Effort: Low/Medium
Technical Implementation: Require the organization to maintain up-to-date lists of known Tor exit and entry node IP addresses. Public lists are available on the internet, but frequency of updates and accuracy varies depending on the source. The Tor Project maintains an authoritative list.
Impact: Up-to-date awareness of known Tor nodes to enable blocking

Type: External Policies
Level of Effort: Medium
Technical Implementation: Set external policies to block incoming traffic from known Tor exit nodes to prevent malicious reconnaissance and exploit attempts. Network security tools (e.g., next-generation firewalls, proxies) may have configuration settings to apply these policies.
Impact: Block inbound network traffic, both malicious and legitimate, from reaching the organization’s domain from known Tor exit nodes

Type: Internal Policies
Level of Effort: Medium
Technical Implementation: Set internal policies to block outgoing traffic to Tor entry nodes to prevent data exfiltration and C2 traffic. Network security tools (e.g., next-generation firewalls, proxies) may have configuration settings to apply these policies.
Impact: Block outbound network traffic, both malicious and legitimate, from leaving the organization’s domain into known Tor entry nodes


  • Less restrictive approach: Tailor monitoring, analysis, and blocking of web traffic to and from public Tor entry and exit nodes. There are instances in which legitimate users may leverage Tor for internet browsing and other non-malicious purposes. For example, deployed military or other overseas voters may use Tor as part of the voting process to escape monitoring by foreign governments. Such users may use Tor when visiting elections-related websites, to check voter registration status, or to mark and then cast absentee ballots via email or web portal. Similarly, some users may use Tor to avoid tracking by advertisers when browsing the internet. Organizations that do not wish to block legitimate traffic to/from Tor entry/exit nodes should consider adopting practices that allow for network monitoring and traffic analysis for traffic from those nodes, and then consider appropriate blocking. This approach can be resource intensive but will allow greater flexibility and adaptation of defensive.

Table 2: Less restrictive mitigation practices

Type: Known Tor Nodes
Level of Effort: Low/Medium
Technical Implementation: Require the organization to maintain up-to-date lists of known Tor exit and entry node IP addresses. The Tor Project maintains an authoritative list.
Impact: Up-to-date awareness of known Tor nodes to enable baselining/allow blocking

Type: SIEM Correlation
Level of Effort: Low/Medium
Technical Implementation: Integrate network security and SIEM tools that correlate logs.
Impact: Enhanced understanding of legitimate/expected Tor use for inbound/outbound traffic

Technical Implementation: Analyze traffic to determine normal patterns of behavior; legitimate vs. anomalous uses of Tor. Baseline existing Tor traffic to/from known entry/exit nodes over a period of months. Inspect traffic to understand legitimate traffic; level-set the organization’s risk tolerance for blocking or allowing Tor traffic to/from specific services.
Impact: Baseline understanding of legitimate vs. potentially anomalous Tor uses.

Type: Internal / External Policies
Level of Effort: Medium/High
Technical Implementation: Institute behavioral signatures/rules to block unexpected/potentially malicious activity and allow legitimate activity.
  • Examine activity between any ephemeral port and Tor IP—this could be malicious data exfiltration or C2 traffic (except where use of outbound Tor entry nodes is expected).
  • Monitor for use of TCP/UDP ports 9001, 9030, 9040, 9050, 9051, 9150, and TCP ports 443* and 8443.
  • Monitor and/or block inbound connections from Tor exit nodes to IP addresses and ports for which external connections are not expected (i.e., other than VPN gateways, mail ports, web ports).
  • Associated ports are applicable for client -> guard/relay traffic monitoring and analysis but not monitoring for exit node -> a network destination.
  • Monitor and examine any large dataflows between networks and Tor IP addresses, regardless of port, as this could be unauthorized data exfiltration.
  *Since port 443 is the most common port for secure web traffic, generically monitoring 443 may produce a high volume of false positives; network traffic tools can be used to assist in this analysis.
Impact: Legitimate traffic via Tor entry/exit nodes is permitted and unexpected/potentially malicious activity via Tor entry/exit nodes is blocked


  • Blended approach: Block all Tor traffic to some resources, allow and monitor for others. Given the various licit and illicit uses of Tor, a blended approach may be an appropriate risk mitigation strategy for some organizations (i.e., intentionally allowing traffic to/from Tor only for specific websites and services where legitimate use may be expected and blocking all Tor traffic to/from non-excepted processes/services). This may require continuous re-evaluation as an entity considers its own risk tolerance associated with different applications. The level of effort to implement this approach is high.
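The following is an added example (not code from the CISA advisory) that applies the indicator- and behavior-based checks from the Key Indicators section and the Table 2 rules to constructed flow and DNS records. It assumes the Tor Project's bulk exit list uses "ExitAddress <ip> <timestamp>" lines, and the expected-inbound-port set, internal CIDR and large-flow threshold are assumptions a deployment would tune.

```python
# Added example: indicator- and behavior-based Tor checks over constructed logs.
import ipaddress
from collections import namedtuple

# Ports the advisory names as commonly affiliated with Tor client/relay traffic.
TOR_PORTS = {9001, 9030, 9040, 9050, 9051, 9150}
# Assumption: inbound services where external clients (Tor exits included) are
# expected: mail (25), web (80/443) and a VPN gateway (1194).
EXPECTED_INBOUND_PORTS = {25, 80, 443, 1194}
# Assumption: a transfer this large with a Tor node is worth analyst review.
LARGE_FLOW_BYTES = 50 * 1024 * 1024

# Constructed sample in the layout of the Tor Project's bulk exit list
# (assumption: the "ExitAddress <ip> <timestamp>" lines carry the exit IPs).
EXIT_LIST_SAMPLE = """\
ExitNode 0000000000000000000000000000000000000001
Published 2020-07-01 00:00:00
LastStatus 2020-07-01 01:00:00
ExitAddress 198.51.100.7 2020-07-01 01:02:03
ExitNode 0000000000000000000000000000000000000002
Published 2020-07-01 00:00:00
LastStatus 2020-07-01 01:00:00
ExitAddress 203.0.113.9 2020-07-01 01:05:00
"""

# Constructed flow records: src,sport,dst,dport,proto,bytes
FLOW_SAMPLE = [
    "198.51.100.7,51234,10.0.0.5,443,tcp,2048",       # Tor exit -> web port: expected
    "198.51.100.7,51235,10.0.0.5,3389,tcp,1200",      # Tor exit -> RDP: unexpected
    "10.0.0.23,49152,203.0.113.9,9001,tcp,83886080",  # internal -> Tor node, 80 MiB
    "10.0.0.23,49153,192.0.2.44,9050,tcp,500",        # internal -> unlisted host, Tor port
    "10.0.0.8,49200,192.0.2.10,443,tcp,900",          # ordinary HTTPS, benign
]
# Constructed DNS query log: (client, queried name)
DNS_SAMPLE = [
    ("10.0.0.23", "abcdefghijklmnop.onion"),
    ("10.0.0.8", "www.example.com"),
]


def parse_exit_list(text):
    """Return the set of exit IP addresses found in a bulk exit-list document."""
    nodes = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            nodes.add(ipaddress.ip_address(parts[1]))
    return nodes


Flow = namedtuple("Flow", "src sport dst dport proto nbytes")


def parse_flow(line):
    src, sport, dst, dport, proto, nbytes = line.split(",")
    return Flow(src, int(sport), dst, int(dport), proto, int(nbytes))


def analyze_flow(flow, tor_nodes, internal):
    """Return the reasons a flow is suspicious (empty list if none)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    src_tor, dst_tor = src in tor_nodes, dst in tor_nodes
    reasons = []
    # Inbound from a Tor exit to a port where external clients are not expected.
    if src_tor and dst in internal and flow.dport not in EXPECTED_INBOUND_PORTS:
        reasons.append(f"inbound from Tor exit {src} to unexpected port {flow.dport}")
    # Internal host talking to a known Tor node: possible C2 or exfiltration.
    if src in internal and dst_tor:
        reasons.append(f"outbound from {src} to Tor node {dst}")
    # Client -> guard/relay pattern on a Tor port; also catches unlisted guards/bridges.
    if src in internal and flow.dport in TOR_PORTS:
        reasons.append(f"client-to-relay pattern on Tor port {flow.dport}")
    # Large transfer with a Tor node, regardless of port.
    if (src_tor or dst_tor) and flow.nbytes >= LARGE_FLOW_BYTES:
        reasons.append(f"large transfer ({flow.nbytes} bytes) with Tor node")
    return reasons


def analyze_dns(qname):
    """Flag .onion lookups, which reach DNS only from misconfigured Tor clients."""
    name = qname.rstrip(".").lower()
    if name == "onion" or name.endswith(".onion"):
        return f"DNS query for .onion name {qname}"
    return None


def run(flows=FLOW_SAMPLE, dns=DNS_SAMPLE, exit_list=EXIT_LIST_SAMPLE,
        internal_cidr="10.0.0.0/8"):
    """Return (record, reason) findings for the given flow and DNS records."""
    tor_nodes = parse_exit_list(exit_list)
    internal = ipaddress.ip_network(internal_cidr)
    findings = []
    for line in flows:
        for reason in analyze_flow(parse_flow(line), tor_nodes, internal):
            findings.append((line, reason))
    for client, qname in dns:
        reason = analyze_dns(qname)
        if reason:
            findings.append((f"{client} -> {qname}", reason))
    return findings


if __name__ == "__main__":
    print(*run(), sep="\n")
```

Port 443 is deliberately excluded from the port rule, as the table's footnote warns that monitoring it generically produces many false positives; the large-flow and known-node rules still cover 443 traffic to a listed Tor node.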

Considerations for Blocking Use of Tor

Sophisticated threat actors may leverage additional anonymization technologies—such as virtual private networks (VPNs)—and configurable features within Tor—such as Tor bridges and pluggable transports—to circumvent detection and blocking. Blocking the use of known Tor nodes may not effectively mitigate all hazards but may protect against less sophisticated actors. For example, blocking outbound traffic to known Tor entry nodes could have an appreciable impact in blocking less sophisticated malware from successfully beaconing out to hidden C2 machines obfuscated by Tor. Ultimately, each entity must consider its own internal thresholds and risk tolerance when determining a risk mitigation approach associated with Tor.

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at


This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see



  • July 1, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

AA20-182A: EINSTEIN Data Trends – 30-day Lookback
Original release date: June 30, 2020


Cybersecurity and Infrastructure Security Agency (CISA) analysts have compiled the top detection signatures that have been the most active over the month of May in our national Intrusion Detection System (IDS), known as EINSTEIN. This information is meant to give the reader a closer look into what analysts are seeing at the national level and provide technical details on some of the most active threats.

IDS is a network tool that uses sensors to monitor inbound and outbound traffic to search for any type of suspicious activity or known threats, alerting analysts when a specific traffic pattern matches with an associated threat. IDS allows users to deploy signatures on these boundary sensors to look for the specific pattern, or network indicator, associated with a known threat.

The EINSTEIN Program is an automated process for collecting, correlating, analyzing, and sharing computer security information across the federal civilian departments and agencies. By collecting information from participating federal departments and agencies, CISA builds and enhances our Nation’s cyber-related situational awareness.

The signatures CISA created have been included below for analysts across various organizations to use in enhancing their own network defenses. Note: CISA has created and tested these signatures in an environment that might not be the same for all organizations, so administrators may need to make changes or updates before using the following signatures in their local environments.

Technical Details

Note: the below Snort signatures accounted for over 90 percent of what CISA analysts identified as potential threats using the IDS system for detection.

1. NetSupport Manager RAT


The NetSupport Manager Remote Access Tool (RAT) is a legitimate program that, once installed on a victim’s machine, allows remote administrative control. In a malicious context, it can—among many other functions—be used to steal information. Malicious RATs can be difficult to detect because they do not normally appear in lists of running programs, and they can mimic the behavior of legitimate applications.


In January 2020, Palo Alto researchers observed the abuse of NetSupport in targeted phishing email campaigns.[1] In November 2019, Zscaler researchers observed “software update-themed” campaigns tricking users into installing a malicious NetSupport Manager RAT.[2] The earliest malicious use of NetSupport was seen in a phishing email campaign—reported by FireEye researchers in April 2018.[3]

Snort Signature

alert tcp any any -> any $HTTP_PORTS (msg:"NetSupportManager:HTTP Client Header contains 'User-Agent|3a 20|NetSupport Manager/'"; flow:established,to_server; flowbits:isnotset,.tagged; content:"User-Agent|3a 20|NetSupport Manager/"; http_header; fast_pattern:only; content:"CMD="; nocase; http_client_body; depth:4; content:"POST"; nocase; http_method; flowbits:set,.; classtype:http-header; reference:url,; reference:url,; reference:url,;

2. Kovter


Kovter is a fileless Trojan with several variants. This malware started as ransomware that malicious actors used to trick victims into thinking that they need to pay their local police a fine. Cyber actors have also used Kovter to perform click-fraud operations to infect targets and send stolen information from the target machines to command and control servers. Kovter’s evolving features have allowed this malware to rank among the Center for Internet Security’s most prolific malware year after year.[4] See CISA’s Webinar on Combatting Ransomware for additional information on Kovter.

Snort Signature

alert tcp any any -> any $HTTP_PORTS (msg:"Kovter:HTTP URI POST to CnC Server";; flow:established,to_server; flowbits:isnotset,.tagged; content:"POST / HTTP/1.1"; depth:15; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; depth:47; fast_pattern; content:"User-Agent|3a 20|Mozilla/"; http_header; content:!"LOADCURRENCY"; nocase; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; nocase; http_header; pcre:"/^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/P"; pcre:"/User-Agent\x3a[^\r\n]+\r\nHost\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a\x20[1-5][0-9]{2,3}\r\n(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n(?:\r\n)?$/H";; classtype:nonstd-tcp;; reference:url,;

3. XMRig


XMRig is a type of cryptocurrency miner that uses the resources of an unsuspecting infected machine to mine Monero—a type of cryptocurrency. XMRig can cause a victim computer to overheat and perform poorly by using additional system resources that would otherwise not be active.

Snort Signature

alert tcp any any -> any !25 (msg:"XMRIG:Non-Std TCP Client Traffic contains JSONRPC 2.0 Config Data";; flow:established,to_server; flowbits:isnotset; content:"|22|jsonrpc|22 3a 22|2.0|22|"; distance:0; content:"|22|method|22 3a 22|login|22|"; distance:0; content:"|22|agent|22 3a 22|XMRig"; nocase; distance:0; fast_pattern; content:"libuv/"; nocase; distance:0; content:!"|22|login|22 3a 22|x|22|"; flowbits:set,; classtype:nonstd-tcp;; reference:url,; reference:url,;


CISA recommends using the following best practices to strengthen the security posture of an organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines. See Protecting Against Malicious Code.
  • Ensure systems have the latest security updates. See Understanding Patches and Software Updates.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' permissions to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
  • Enforce a strong password policy. See Choosing and Protecting Passwords.
  • Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
  • Enable a personal firewall on agency workstations that is configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
  • Scan all software downloaded from the internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs). Sign up to receive CISA’s alerts on security topics and threats.
  • Sign up for CISA’s free vulnerability scanning and testing services to help organizations secure internet-facing systems from weak configuration and known vulnerabilities. Email to sign up. See for more information about vulnerability scanning and other CISA cybersecurity assessment services.




  • June 30, 2020: Initial Version


AA20-133A: Top 10 Routinely Exploited Vulnerabilities
Original release date: May 12, 2020


The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government are providing this technical guidance to advise IT security professionals at public and private sector organizations to place an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors.

This alert provides details on vulnerabilities routinely exploited by foreign cyber actors—primarily Common Vulnerabilities and Exposures (CVEs)[1]—to help organizations reduce the risk of these foreign threats.

Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.

The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date. A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.

For indicators of compromise (IOCs) and additional guidance associated with the CVEs in this Alert, see each entry within the Mitigations section below.

Technical Details

Top 10 Most Exploited Vulnerabilities 2016–2019

U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.

  • According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. After OLE, the second-most-reported vulnerable technology was a widespread Web framework known as Apache Struts.
  • Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. All three of these vulnerabilities are related to Microsoft’s OLE technology.
  • As of December 2019, Chinese state cyber actors were frequently exploiting the same vulnerability—CVE-2012-0158—that the U.S. Government publicly assessed in 2015 was the most used in their cyber operations.[2] This trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective.
  • Deploying patches often requires IT security professionals to balance the need to mitigate vulnerabilities with the need for keeping systems running and ensuring installed patches are compatible with other software. This can require a significant investment of effort, particularly when mitigating multiple flaws at the same time.
  • A U.S. industry study released in early 2019 similarly discovered that the flaws malicious cyber actors exploited the most consistently were in Microsoft and Adobe Flash products, probably because of the widespread use of these technologies.[3] Four of the industry study’s top 10 most exploited flaws also appear on this Alert’s list, highlighting how U.S. Government and private-sector data sources may complement each other to enhance security.

Vulnerabilities Exploited in 2020

In addition to the top 10 vulnerabilities from 2016 to 2019 listed above, the U.S. Government has reported that the following vulnerabilities are being routinely exploited by sophisticated foreign cyber actors in 2020:

  • Malicious cyber actors are increasingly targeting unpatched Virtual Private Network vulnerabilities.
    • An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been detected in exploits in the wild.
    • An arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, continues to be an attractive target for malicious actors.
  • March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365). Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations, leaving them vulnerable to attack.
  • Cybersecurity weaknesses—such as poor employee education on social engineering attacks and a lack of system recovery and contingency plans—have continued to make organizations susceptible to ransomware attacks in 2020.


This Alert provides mitigations for each of the top vulnerabilities identified above. In addition to the mitigations listed below, CISA, FBI, and the broader U.S. Government recommend that organizations transition away from any end-of-life software.

Mitigations for the Top 10 Most Exploited Vulnerabilities 2016–2019

Note: The list of associated malware for each CVE below is not meant to be exhaustive; it identifies a malware family commonly associated with exploiting the CVE.

  • Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016
  • Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit
  • Mitigation: Update affected Microsoft products with the latest security patches
  • More Detail:

  • Vulnerable Products: Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1
  • Associated Malware: Toshliph, UWarrior
  • Mitigation: Update affected Microsoft products with the latest security patches
  • More Detail:
  • IOCs:


  • Vulnerable Products: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
  • Associated Malware: Kitty
  • Mitigation: Upgrade to the most recent version of Drupal 7 or 8 core.
  • More Detail:

Mitigations for Vulnerabilities Exploited in 2020

Oversights in Microsoft O365 Security Configurations

Organizational Cybersecurity Weaknesses

CISA’s Free Cybersecurity Services

Adversaries use known vulnerabilities and phishing attacks to compromise the security of organizations. CISA offers several free scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors.

Cyber Hygiene: Vulnerability Scanning helps secure your internet-facing systems from weak configuration and known vulnerabilities. It also encourages organizations to adopt modern security best practices. CISA performs regular network and vulnerability scans and delivers a weekly report for your action. Once initiated, this service is mostly automated and requires little direct interaction. After CISA receives the required paperwork for Cyber Hygiene, our scans will start within 72 hours and you’ll begin receiving reports within two weeks.

Web Application Service checks your publicly accessible web sites for potential bugs and weak configurations. It provides a “snapshot” of your publicly accessible web applications and also checks functionality and performance in your application.
If your organization would like these services or wants more information about other useful services, please email

CISA Online Resources

The Patch Factory: CISA infographic depicting the global infrastructure for managing vulnerabilities.

CISA Alert: (AA20-120A) Microsoft Office 365 Security Recommendations: recommendations for organizations to review and ensure their O365 environment is configured to protect, detect, and respond against would-be attackers.

CISA’s Cyber Essentials: a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.

Contact Information

If you have any further questions related to this Joint Alert, please contact the FBI at either your local Cyber Task Force or FBI CyWatch.

To request incident response resources or technical assistance related to these threats, contact CISA at

  • May 12, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

AA20-126A: APT Groups Target Healthcare and Essential Services
Original release date: May 5, 2020


This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).

CISA and NCSC continue to see indications that advanced persistent threat (APT) groups are exploiting the Coronavirus Disease 2019 (COVID-19) pandemic as part of their cyber operations. This joint alert highlights ongoing activity by APT groups against organizations involved in both national and international COVID-19 responses. It describes some of the methods these actors are using to target organizations and provides mitigation advice.

The joint CISA-NCSC Alert: (AA20-099A) COVID-19 Exploited by Malicious Cyber Actors from April 8, 2020, previously detailed the exploitation of the COVID-19 pandemic by cybercriminals and APT groups. This joint CISA-NCSC Alert provides an update to ongoing malicious cyber activity relating to COVID-19. For a graphical summary of CISA’s joint COVID-19 Alerts with NCSC, see the following guide.

COVID-19-related targeting

APT actors are actively targeting organizations involved in both national and international COVID-19 responses. These organizations include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.

APT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities.

The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.

Targeting of pharmaceutical and research organizations

CISA and NCSC are currently investigating a number of incidents in which threat actors are targeting pharmaceutical companies, medical research organizations, and universities. APT groups frequently target such organizations in order to steal sensitive research data and intellectual property for commercial and state benefit. Organizations involved in COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine.

These organizations’ global reach and international supply chains increase exposure to malicious cyber actors. Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets. Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted.

Recently CISA and NCSC have seen APT actors scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software. Actors are known to take advantage of Citrix vulnerability CVE-2019-19781[1],[2] and vulnerabilities in virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto.[3],[4]

COVID-19-related password spraying activity

CISA and NCSC are actively investigating large-scale password spraying campaigns conducted by APT groups. These actors are using this type of attack to target healthcare entities in a number of countries—including the United Kingdom and the United States—as well as international healthcare organizations.

Previously, APT groups have used password spraying to target a range of organizations and companies across sectors—including government, emergency services, law enforcement, academia and research organizations, financial institutions, and telecommunications and retail companies.

Technical Details

Password spraying is a commonly used style of brute force attack in which the attacker tries a single, commonly used password against many accounts before moving on to a second password, and so on. This technique allows the attacker to remain undetected by avoiding rapid or frequent account lockouts. These attacks succeed because, in any large set of users, some will likely have common passwords.

Malicious cyber actors, including APT groups, collate names from various online sources that provide organizational details and use this information to identify possible accounts for targeted institutions. The actors will then “spray” the identified accounts with lists of commonly used passwords.

Once the malicious cyber actor compromises a single account, they will use it to access other accounts where the credentials are reused. Additionally, the actor could attempt to move laterally across the network to steal additional data and implement further attacks against other accounts within the network.

In previous incidents investigated by CISA and NCSC, malicious cyber actors used password spraying to compromise email accounts in an organization and then, in turn, used these accounts to download the victim organization’s Global Address List (GAL). The actors then used the GAL to password spray further accounts.

NCSC has previously provided examples of frequently found passwords, which attackers are known to use in password spray attacks to attempt to gain access to corporate accounts and networks. In these attacks, malicious cyber actors often use passwords based on the month of the year, seasons, and the name of the company or organization.

CISA and NCSC continue to investigate activity linked to large-scale password spraying campaigns. APT actors will continue to exploit COVID-19 as they seek to answer additional intelligence questions relating to the pandemic. CISA and NCSC advise organizations to follow the mitigation advice below in view of this heightened activity.
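The spray pattern described above has a distinctive shape in authentication logs: one source fans out across many accounts with one or two attempts each, whereas classic brute force hammers one account. The following detector, an added example that is not part of the CISA/NCSC alert, encodes that distinction and runs over a constructed sample log. The log format (`<timestamp> <OK|FAIL> user=<account> src=<ip>`), the window and threshold values, and all usernames and IP addresses are assumptions.

```python
"""Detect password-spraying patterns in authentication logs.

Added example (not from the CISA/NCSC alert). The log lines are constructed
and use an assumed simplified format:
    <ISO timestamp> <OK|FAIL> user=<account> src=<ip>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 198.51.100.7 tries one password against six accounts
# (a spray, with one success); 203.0.113.9 hammers a single account (brute
# force, not a spray); 192.0.2.44 is a normal successful login.
SAMPLE_LOG = """\
2020-05-05T09:00:01Z FAIL user=alice src=198.51.100.7
2020-05-05T09:00:04Z FAIL user=bob src=198.51.100.7
2020-05-05T09:00:09Z FAIL user=carol src=198.51.100.7
2020-05-05T09:00:15Z FAIL user=dave src=198.51.100.7
2020-05-05T09:00:20Z FAIL user=erin src=198.51.100.7
2020-05-05T09:00:26Z OK   user=frank src=198.51.100.7
2020-05-05T09:01:00Z FAIL user=alice src=203.0.113.9
2020-05-05T09:01:01Z FAIL user=alice src=203.0.113.9
2020-05-05T09:01:02Z FAIL user=alice src=203.0.113.9
2020-05-05T09:01:03Z FAIL user=alice src=203.0.113.9
2020-05-05T09:01:04Z FAIL user=alice src=203.0.113.9
2020-05-05T09:30:00Z OK   user=alice src=192.0.2.44
"""


def parse_line(line):
    """Turn one log line into a dict with a parsed timestamp."""
    ts, result, user, src = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ok": result == "OK",
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_sprays(events, window=timedelta(minutes=10),
                min_accounts=5, max_per_account=2):
    """Return {source_ip: summary} for sources whose failures inside `window`
    spread over at least `min_accounts` accounts with no account tried more
    than `max_per_account` times. Many attempts against one account is
    brute force and is deliberately not reported here."""
    by_src = defaultdict(list)
    for event in events:
        by_src[event["src"]].append(event)

    sprays = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if not e["ok"]]
        # Slide a window over the failures from this source.
        for i, start in enumerate(fails):
            in_window = [e for e in fails[i:]
                         if e["time"] - start["time"] <= window]
            per_account = defaultdict(int)
            for e in in_window:
                per_account[e["user"]] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                # Successes from the same source after the spray began are the
                # accounts that need an immediate credential reset.
                hits = sorted({e["user"] for e in evs
                               if e["ok"] and e["time"] >= start["time"]})
                sprays[src] = {
                    "accounts_tried": len(per_account),
                    "first_seen": start["time"].isoformat(),
                    "successful_logins": hits,
                }
                break
    return sprays


if __name__ == "__main__":
    for src, info in find_sprays(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The thresholds are deliberately tunable: a spray against a large organization may touch hundreds of accounts over hours, so the window should be widened to match the lockout policy the attacker is trying to stay under.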


CISA and NCSC have previously published information for organizations on password spraying and improving password policy. Putting this into practice will significantly reduce the chance of compromise from this kind of attack.

CISA’s Cyber Essentials for small organizations provides guiding principles for leaders to develop a culture of security and specific actions for IT professionals to put that culture into action. Additionally, the UK government’s Cyber Aware campaign provides useful advice for individuals on how to stay secure online during the coronavirus pandemic. This includes advice on protecting passwords, accounts, and devices.
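The alert notes that spray lists are built from month names, seasons and the organization's own name. The following check, an added example and not NCSC's or CISA's own code, rejects passwords that are essentially one of those words plus padding such as a year or a symbol, while letting long passphrases through. The leet-speak mapping, the residual-length threshold and the sample organization name "Acme" are assumptions.

```python
"""Reject passwords built from the predictable words that password-spray
lists draw on: month names, seasons and the organization's name.

Added example, not NCSC's or CISA's own check. The substitution table, the
residual threshold and the organization name used in the demo are assumed.
"""
import calendar
import re

MONTHS = [m.lower() for m in calendar.month_name if m]
SEASONS = ["spring", "summer", "autumn", "fall", "winter"]
# Common digit/symbol substitutions, so "Summ3r" still reads as "summer".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def letters_only(text):
    """Lower-case, undo leet substitutions, then drop everything that is not
    a letter, so 'Summer2020!' becomes 'summerooi'."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def weak_password_reason(password, org_names=(), max_residual=4):
    """Return a reason string if the password is one of the predictable words
    plus a little padding, otherwise None. A word only counts when removing
    it leaves at most `max_residual` letters, so a long passphrase that
    happens to contain 'fall' is not rejected."""
    base = letters_only(password)
    checks = ([("month", m) for m in MONTHS]
              + [("season", s) for s in SEASONS]
              + [("organization name", letters_only(o)) for o in org_names])
    for kind, word in checks:
        if word and word in base and len(base.replace(word, "")) <= max_residual:
            return f"based on {kind} '{word}'"
    return None


if __name__ == "__main__":
    for candidate in ["Summer2020!", "March2020", "Acme123!",
                      "Waterfall2020", "correct-horse-battery-staple"]:
        print(candidate, "->", weak_password_reason(candidate, ["Acme"]))
```

Run this at password-change time alongside a breached-password list; it catches the seasonal and company-name patterns that a plain dictionary check misses because of the year suffix and character substitutions.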

A number of other mitigations will be of use in defending against the campaigns detailed in this report:

Contact Information

CISA encourages U.S. users and organizations to contribute any additional information that may relate to this threat by emailing

The NCSC encourages UK organizations to report any suspicious activity to the NCSC via their website:


This report draws on information derived from CISA, NCSC, and industry sources. Any findings and recommendations made have not been provided with the intention of avoiding all risks, and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.

CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.

  • May 5, 2020: Initial Version


AA20-120A: Microsoft Office 365 Security Recommendations
Original release date: April 29, 2020


As organizations adapt or change their enterprise collaboration capabilities to meet “telework” requirements, many organizations are migrating to Microsoft Office 365 (O365) and other cloud collaboration services. Due to the speed of these deployments, organizations may not be fully considering the security configurations of these platforms.

This Alert is an update to the Cybersecurity and Infrastructure Security Agency's May 2019 Analysis Report, AR19-133A: Microsoft Office 365 Security Observations, and reiterates the recommendations related to O365 for organizations to review and ensure their newly adopted environment is configured to protect, detect, and respond against would-be attackers of O365.

Technical Details

Since October 2018, the Cybersecurity and Infrastructure Security Agency (CISA) has conducted several engagements with customers who have migrated to cloud-based collaboration solutions like O365. In recent weeks, organizations have been forced to change their collaboration methods to support a full “work from home” workforce.

O365 provides cloud-based email capabilities, as well as chat and video capabilities using Microsoft Teams. While the abrupt shift to work-from-home may necessitate rapid deployment of cloud collaboration services, such as O365, hasty deployment can lead to oversights in security configurations and undermine a sound O365-specific security strategy.

CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks.


The following list contains recommended configurations when deploying O365:

Enable multi-factor authentication for administrator accounts: Azure Active Directory (AD) Global Administrators in an O365 environment have the highest level of administrator privileges at the tenant level. This is equivalent to the Domain Administrator in an on-premises AD environment. The Azure AD Global Administrators are the first accounts created so that administrators can begin configuring their tenant and eventually migrate their users. Multi-factor authentication (MFA) is not enabled by default for these accounts. Microsoft has moved towards a “Secure by default” model, but even this must be enabled by the customer. The new feature, called “Security Defaults,”[1] assists with enforcing administrators’ usage of MFA. These accounts are internet accessible because they are hosted in the cloud. If not immediately secured, an attacker can compromise these cloud-based accounts and maintain persistence as a customer migrates users to O365.

Assign Administrator roles using Role-based Access Control (RBAC): Given its high level of default privilege, you should only use the Global Administrator account when absolutely necessary. Using Azure AD’s numerous other built-in administrator roles instead of the Global Administrator account limits the assignment of overly permissive privileges to legitimate administrators.[2] Practicing the principle of “Least Privilege” can greatly reduce the impact if an administrator account is compromised.[3] Always assign administrators only the minimum permissions they need to conduct their tasks.

Enable Unified Audit Log (UAL): O365 has a logging capability called the Unified Audit Log that contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other O365 services.[4] An administrator must enable the Unified Audit Log in the Security and Compliance Center before queries can be run. Enabling UAL allows administrators the ability to investigate and search for actions within O365 that could be potentially malicious or not within organizational policy.

Enable multi-factor authentication for all users: Though normal users in an O365 environment do not have elevated permissions, they still have access to data that could be harmful to an organization if accessed by an unauthorized entity. Also, threat actors compromise normal user accounts in order to send phishing emails and attack other organizations using the apps and services the compromised user has access to.

Disable legacy protocol authentication when appropriate: Azure AD is the authentication method that O365 uses to authenticate with Exchange Online, which provides email services. There are a number of legacy protocols associated with Exchange Online that do not support MFA features. These protocols include Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transport Protocol (SMTP). Legacy protocols are often used with older email clients, which do not support modern authentication. Legacy protocols can be disabled at the tenant level or at the user level. However, should an organization require older email clients as a business necessity, these protocols will presumably not be disabled. This leaves email accounts accessible through the internet with only the username and password as the primary authentication method. One approach to mitigate this issue is to inventory users who still require the use of a legacy email client and legacy email protocols and only grant access to those protocols for those select users. Using Azure AD Conditional Access policies can help limit the number of users who have the ability to use legacy protocol authentication methods. Taking this step will greatly reduce an organization’s attack surface.[5]

Enable alerts for suspicious activity: Enabling logging of activity within an Azure/O365 environment can greatly increase an owner’s ability to identify malicious activity occurring within their environment, and enabling alerts will serve to enhance that. Creating and enabling alerts within the Security and Compliance Center to notify administrators of abnormal events will reduce the time needed to effectively identify and mitigate malicious activity.[6] At a minimum, CISA recommends enabling alerts for logins from suspicious locations and for accounts exceeding sent email thresholds.

Incorporate Microsoft Secure Score: Microsoft provides a built-in tool to measure an organization’s security posture with respect to its O365 services and offers enhancement recommendations.[7] These recommendations provided by Microsoft Secure Score do NOT encompass all possible security configurations, but organizations should still consider using Microsoft Secure Score because O365 service offerings frequently change. Using Microsoft Secure Score will help provide organizations a centralized dashboard for tracking and prioritizing security and compliance changes within O365.

Integrate Logs with your existing SIEM tool: Even with robust logging enabled via the UAL, it is critical to integrate and correlate your O365 logs with your other log management and monitoring solutions. This will ensure that you can detect anomalous activity in your environment and correlate it with any potential anomalous activity in O365.[8]
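Two of the recommendations above (alerting on logins from suspicious locations, and finding accounts that still authenticate over legacy protocols that cannot enforce MFA) can be exercised against Unified Audit Log records once UAL is enabled and exported to a SIEM. The following triage script is an added example, not CISA's or Microsoft's code: the records are constructed and keep only a subset of the real UAL fields (CreationTime, Operation, UserId, ClientIP, ResultStatus, ExtendedProperties), and the trusted egress range and the user-agent markers used to recognise legacy clients are assumptions a tenant would replace with its own.

```python
"""Triage exported Unified Audit Log (UAL) sign-in records for successful
logins from outside trusted ranges and for legacy-protocol authentication.

Added example, not CISA's or Microsoft's code. Records are constructed and
carry only a subset of real UAL fields; TRUSTED_RANGES and
LEGACY_UA_MARKERS are assumptions to replace with tenant-specific values.
"""
import ipaddress
import json

# Assumed corporate egress range; replace with the tenant's own ranges.
TRUSTED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Assumed substrings that mark basic-auth/legacy clients in the UserAgent
# extended property (BAV2ROPC is the marker commonly seen for basic auth).
LEGACY_UA_MARKERS = ("BAV2ROPC", "IMAP4", "POP3")

# Constructed UAL export: a normal login, a legacy-auth login from an
# unknown IP (with the port suffix some records carry), a failed and then a
# successful login from an unknown IP, and a non-login record to be ignored.
SAMPLE_UAL = json.dumps([
    {"CreationTime": "2020-04-29T08:00:00", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "192.0.2.10",
     "ResultStatus": "Success",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 Chrome/81.0"}]},
    {"CreationTime": "2020-04-29T08:05:00", "Operation": "UserLoggedIn",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.23:443",
     "ResultStatus": "Success",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": "BAV2ROPC"}]},
    {"CreationTime": "2020-04-29T08:07:00", "Operation": "UserLoginFailed",
     "UserId": "carol@example.com", "ClientIP": "203.0.113.5",
     "ResultStatus": "Failed", "ExtendedProperties": []},
    {"CreationTime": "2020-04-29T08:08:00", "Operation": "UserLoggedIn",
     "UserId": "carol@example.com", "ClientIP": "203.0.113.5",
     "ResultStatus": "Success",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 Firefox/75.0"}]},
    {"CreationTime": "2020-04-29T08:09:00", "Operation": "FileDownloaded",
     "UserId": "alice@example.com", "ClientIP": "192.0.2.10",
     "ResultStatus": "Success", "ExtendedProperties": []},
])


def extended_property(record, name):
    """UAL stores per-record details as a list of {Name, Value} pairs."""
    for prop in record.get("ExtendedProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def parse_client_ip(raw):
    """Some UAL ClientIP values carry a port for IPv4 ("198.51.100.23:443")."""
    if raw.count(":") == 1:
        raw = raw.split(":", 1)[0]
    return ipaddress.ip_address(raw)


def triage_logins(ual_json, trusted=TRUSTED_RANGES, legacy_markers=LEGACY_UA_MARKERS):
    """Return one finding per successful login that came from outside the
    trusted ranges or used a legacy-protocol client (or both)."""
    findings = []
    for rec in json.loads(ual_json):
        if rec.get("Operation") != "UserLoggedIn" or rec.get("ResultStatus") != "Success":
            continue
        ip = parse_client_ip(rec["ClientIP"])
        reasons = []
        if not any(ip in net for net in trusted):
            reasons.append("successful login from outside trusted ranges")
        ua = extended_property(rec, "UserAgent") or ""
        if any(marker in ua for marker in legacy_markers):
            reasons.append("legacy protocol authentication (cannot enforce MFA)")
        if reasons:
            findings.append({"user": rec["UserId"], "ip": str(ip),
                             "time": rec["CreationTime"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_logins(SAMPLE_UAL):
        print(finding)
```

The legacy-protocol findings double as the inventory the "Disable legacy protocol authentication" recommendation asks for: the users they name are the ones a Conditional Access policy should still allow, and everyone else can be blocked.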

Solution Summary

CISA encourages organizations to implement an organizational cloud strategy to protect their infrastructure assets by defending against attacks related to their O365 transition and better securing O365 services.[9] Specifically, CISA recommends that administrators implement the following mitigations and best practices:

  • Use multi-factor authentication. This is the best mitigation technique to protect against credential theft for O365 administrators and users.
  • Protect Global Admins from compromise and use the principle of “Least Privilege.”
  • Enable unified audit logging in the Security and Compliance Center.
  • Enable Alerting capabilities.
  • Integrate with organizational SIEM solutions.
  • Disable legacy email protocols, if not required, or limit their use to specific users.

  • April 29, 2020: Initial Version


AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching
Original release date: April 16, 2020 | Last revised: June 30, 2020


Note: This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques and mitigations.

This Alert provides an update to Cybersecurity and Infrastructure Security Agency (CISA) Alert AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability, which advised organizations to immediately patch CVE-2019-11510—an arbitrary file reading vulnerability affecting Pulse Secure virtual private network (VPN) appliances.[1] CISA is providing this update to alert administrators that threat actors who successfully exploited CVE-2019-11510 and stole a victim organization’s credentials will still be able to access—and move laterally through—that organization’s network after the organization has patched this vulnerability if the organization did not change those stolen credentials.

This Alert provides new detection methods for this activity, including a CISA-developed tool that helps network administrators search for indicators of compromise (IOCs) associated with exploitation of CVE-2019-11510. This Alert also provides mitigations for victim organizations to recover from attacks resulting from CVE-2019-11510. CISA encourages network administrators to remain aware of the ramifications of exploitation of CVE-2019-11510 and to apply the detection measures and mitigations provided in this report to secure networks against these attacks.

For a downloadable copy of IOCs, see STIX file.


CISA has conducted multiple incident response engagements at U.S. Government and commercial entities where malicious cyber threat actors have exploited CVE-2019-11510—an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances—to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019,[2] CISA has observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.

Technical Details

CISA determined that cyber threat actors have been able to obtain plaintext Active Directory credentials after gaining Initial Access [TA0001] to a victim organization’s network via VPN appliances. Cyber threat actors used these Valid Accounts [T1078] in conjunction with:

  • External Remote Services [T1133] for access,
  • Remote Services [T1021] for Lateral Movement [TA0008] to move quickly throughout victim network environments, and
  • Data Encrypted for Impact [T1486] for impact, as well as
  • Exfiltration [TA0010] and sale of the data.

Initial Access

CVE-2019-11510 is a pre-authentication arbitrary file read vulnerability affecting Pulse Secure VPN appliances. A remote attacker can exploit this vulnerability to request arbitrary files from a VPN server. The vulnerability occurs because directory traversal is hard coded to be allowed if the path contains dana/html5/acc.[3],[4] For example, a malicious cyber actor can obtain the contents of /etc/passwd [5] by requesting the following uniform resource identifier (URI):


Obtaining the contents of /etc/passwd gives the attacker access to basic information about local system accounts. This request was seen in the proof of concept (POC) code for this exploit on GitHub. An attacker can also leverage the vulnerability to access other files that are useful for remote exploitation. By requesting the data.mdb object, an attacker can leak plaintext credentials of enterprise users.[6],[7],[8]

Open-source reporting indicates that cyber threat actors can exploit CVE-2019-11510 to retrieve encrypted passwords;[9] however, CISA has not observed this behavior. By reviewing victim VPN appliance logs, CISA has noted cyber threat actors crafting requests that request files that allow for Credential Dumping [T1003] plaintext passwords from the VPN appliance.

Test Environment

To confirm the open-source reporting and validate what the cyber threat actors had access to, CISA used a test environment to send crafted requests. CISA used requests found both in proof-of-concept, open-source code and in requests from the logs of compromised victims. By doing so, CISA confirmed that plaintext Active Directory credentials were leaked and that it was possible to leak the local admin password to the VPN appliance. (See figure 1.)

Figure 1: Exploitation of the VPN appliance leading to plaintext local admin credentials

CISA’s test environment consisted of a domain controller (DC) running Windows Server 2016, an attacker machine, and a Pulse Secure VPN appliance version 9.0R3 (build 64003). CISA connected the attacker machine to the external interface of the Pulse Secure VPN appliance and the DC to the internal interface.

CISA created three accounts for the purpose of validating the ability to compromise them by exploiting CVE-2019-11510.

  • Local Pulse Secure Admin account
    • Username: admin; Password: pulse-local-password
  • Domain Administrator Account
    • Username: Administrator; Password: domain-admin-password1
  • CISA-test-user Account
    • Username: cisa-test-user; Password: Use_s3cure_passwords

After creating the accounts, CISA joined the VPN appliance to the test environment domain, making a point not to cache the domain administrator password. (See figure 2.)

Figure 2: VPN appliance joined to the domain without caching the domain administrator password

CISA used a similar file inclusion to test the ability to Credential Dump [T1003] the domain administrator password. CISA determined it was possible to leak the domain administrator password that was used to join the device to the domain without saving the credentials. Refer to figure 3 for the URI string tested by CISA.

Figure 3: Exploitation of the VPN appliance leading to cleartext domain admin credentials

Next, CISA validated the ability to Credential Dump [T1003] a user password from the VPN appliance. To do this, CISA created a user realm (Pulse Secure configuration terminology) and configured its roles/resource groups to allow for Remote Desktop Protocol (RDP) over HTML5 (Apache Guacamole). After using the new user to remotely access an internal workstation over RDP, CISA used a crafted request (see figure 4) to leak the credentials from the device. (Note: the path to stored credentials is publicly available.)[10]

Figure 4: Exploitation of the VPN appliance leading to plaintext user credentials

This test confirmed CISA’s suspicion that threat actors had access to each of the various compromised environments.

Cyber Threat Actor Behavior in Victim Network Environments

CISA observed—once credentials were compromised—cyber threat actors accessing victim network environments via the Pulse Secure VPN appliances. Cyber threat actors used Connection Proxies [T1090]—such as Tor infrastructure and virtual private servers (VPSs)—to minimize the chance of detection when they connected to victim VPN appliances.

Using traditional host-based analysis, CISA identified the following malicious cyber actor actions occurring in a victim’s environment:

  • Creating persistence via scheduled tasks/remote access trojans
  • Amassing files for exfiltration
  • Executing ransomware on the victim’s network environment

By correlating these actions with the connection times and user accounts recorded in the victim’s Pulse Secure .access logs, CISA was able to identify unauthorized threat actor connections to the victim’s network environment. CISA was then able to use these Internet Protocol (IP) addresses and user-agents to identify unauthorized connections to the network environments of other victims. Refer to the Indicators of Compromise section for the IP addresses CISA observed making these unauthorized connections.

In one case, CISA observed a cyber threat actor attempting to sell the stolen credentials after 30 unsuccessful attempts to connect to the customer environment to escalate privileges and drop ransomware. CISA has also observed this threat actor successfully dropping ransomware at hospitals and U.S. Government entities.

In other cases, CISA observed threat actors leveraging tools, such as LogMeIn and TeamViewer, for persistence. These tools would enable threat actors to maintain access to the victim’s network environment if they lost their primary connection.

Initial Detection

Conventional antivirus and endpoint detection and response solutions did not detect this type of activity because the threat actors used legitimate credentials and remote services. 

An intrusion detection system may have noticed the exploitation of CVE-2019-11510 if the sensor had visibility to the external interface of the VPN appliance (possible in a customer’s demilitarized zone) and if appropriate rules were in place. Heuristics in centralized logging may have been able to detect logins from suspicious or foreign IPs, if configured.

Post-Compromise Detection and IOC Detection Tool

Given that organizations that have applied patches for CVE-2019-11510 may still be at risk for exploitation from compromises that occurred pre-patch, CISA developed detection methods for organizations to determine if their patched VPN appliances have been targeted by the activity revealed in this report.

To detect past exploitation of CVE-2019-11510, network administrators should:

  1. Turn on unauthenticated log requests (see figure 5). (Note: there is a risk of overwriting logs with unauthenticated requests so, if enabling this feature, be sure to frequently back up logs; if possible, use a remote syslog server.)

    Figure 5: Checkbox that enables logging exploit attacks
  2. Check logs for exploit attempts. To detect lateral movement, system administrators should look in the logs for strings such as ../../../data (see figure 6).

    Figure 6: Strings for detection of lateral movement
  3. Manually review logs for unauthorized sessions and exploit attempts, especially sessions originating from unexpected geo-locations.
  4. Run CISA’s IOC detection tool. CISA developed a tool that enables administrators to triage logs (if authenticated request logging is turned on) and automatically search for IOCs associated with exploitation of CVE-2019-11510. CISA encourages administrators to visit CISA’s GitHub page to download and run the tool. While not exhaustive, this tool may find evidence of attempted compromise.

Indicators of Compromise

CISA observed IP addresses making unauthorized connections to customer infrastructure. (Note: these IPs were observed as recently as February 15, 2020.) The IP addresses seen making unauthorized connections to customer infrastructure were different than IP addresses observed during initial exploitation. Please see the STIX file below for IPs.

CISA observed the following user agents with this activity:

  • Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0
  • Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
  • Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55[.]0.2883.87 Safari/537.36

CISA also observed:

  • A cyber threat actor renaming portable executable (PE) files in an attempt to subvert application allow listing or antivirus (AV) protections. See table 1 for hashes of files used.
  • A threat actor “living off the land” and utilizing C:\Python\ArcGIS to house malicious PE files, as well as using natively installed Python.
  • Threat actor attack infrastructure: 38.68.36(dot)112, ports 9090 and 8088
Table 1: Filenames and hashes of files used by a threat actor

  Filename                                                             | MD5
  (tied to scheduled task, python meterpreter reverse shell port 9090) | 5669b1fa6bd8082ffe306aa6e597d7f5
  (tied to scheduled task, python meterpreter reverse shell port 8088) | 61eebf58e892038db22a4d7c2ee65579


For a downloadable copy of IOCs, see STIX file.



CISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding patches for CVE-2019-11510. If—after applying the detection measures in this alert—organizations detect evidence of CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including administrator and service accounts.

CISA also recommends that organizations:

  • Look for unauthorized applications and scheduled tasks in their environment.
  • Remove any remote access programs not approved by the organization.
  • Remove any remote access trojans.
  • Carefully inspect scheduled tasks for scripts or executables that may allow an attacker to connect to an environment.

If organizations find evidence of malicious, suspicious, or anomalous activity or files, they should consider reimaging the affected workstation or server before redeploying it into the environment. CISA recommends performing checks to confirm the infection is gone even after the workstation or host has been reimaged.

Contact Information

Recipients of this report are encouraged to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at



  • April 16, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

AA20-106A: Guidance on the North Korean Cyber Threat
Original release date: April 15, 2020 | Last revised: June 23, 2020


The U.S. Departments of State, the Treasury, and Homeland Security, and the Federal Bureau of Investigation are issuing this advisory as a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public. The advisory highlights the cyber threat posed by North Korea – formally known as the Democratic People’s Republic of Korea (DPRK) – and provides recommended steps to mitigate the threat. In particular, Annex 1 lists U.S. government resources related to DPRK cyber threats and Annex 2 includes a link to the UN 1718 Sanctions Committee (DPRK) Panel of Experts reports.

The DPRK’s malicious cyber activities threaten the United States and the broader international community and, in particular, pose a significant threat to the integrity and stability of the international financial system. Under the pressure of robust U.S. and UN sanctions, the DPRK has increasingly relied on illicit activities – including cybercrime – to generate revenue for its weapons of mass destruction and ballistic missile programs. In particular, the United States is deeply concerned about North Korea’s malicious cyber activities, which the U.S. government refers to as HIDDEN COBRA. The DPRK has the capability to conduct disruptive or destructive cyber activities affecting U.S. critical infrastructure. The DPRK also uses cyber capabilities to steal from financial institutions, and has demonstrated a pattern of disruptive and harmful cyber activity that is wholly inconsistent with the growing international consensus on what constitutes responsible State behavior in cyberspace. 

The United States works closely with like-minded countries to focus attention on and condemn the DPRK’s disruptive, destructive, or otherwise destabilizing behavior in cyberspace. For example, in December 2017, Australia, Canada, New Zealand, the United States, and the United Kingdom publicly attributed the WannaCry 2.0 ransomware attack to the DPRK and denounced the DPRK’s harmful and irresponsible cyber activity. Denmark and Japan issued supporting statements for the joint denunciation of the destructive WannaCry 2.0 ransomware attack, which affected hundreds of thousands of computers around the world in May 2017. 

It is vital for the international community, network defenders, and the public to stay vigilant and to work together to mitigate the cyber threat posed by North Korea. 

Click here for an English PDF version of this report.

Click the following links for PDF versions of this report in Arabic, French, Japanese, Korean, Portuguese, Spanish, and traditional Chinese, and Vietnamese.

Technical Details

DPRK’s Malicious Cyber Activities Targeting the Financial Sector

Many DPRK cyber actors are subordinate to UN- and U.S.-designated entities, such as the Reconnaissance General Bureau. DPRK state-sponsored cyber actors primarily consist of hackers, cryptologists, and software developers who conduct espionage, cyber-enabled theft targeting financial institutions and digital currency exchanges, and politically motivated operations against foreign media companies. They develop and deploy a wide range of malware tools around the world to enable these activities and have grown increasingly sophisticated. Common tactics used by DPRK state-sponsored cyber actors to raise revenue illicitly include, but are not limited to:

Cyber-Enabled Financial Theft and Money Laundering. The UN Security Council 1718 Committee Panel of Experts’ 2019 mid-term report (2019 POE mid-term report) states that the DPRK is increasingly able to generate revenue notwithstanding UN Security Council sanctions by using malicious cyber activities to steal from financial institutions through increasingly sophisticated tools and tactics. The 2019 POE mid-term report notes that, in some cases, these malicious cyber activities have also extended to laundering funds through multiple jurisdictions. The 2019 POE mid-term report mentions that it was investigating dozens of suspected DPRK cyber-enabled heists and that, as of late 2019, the DPRK has attempted to steal as much as $2 billion through these illicit cyber activities. Allegations in a March 2020 Department of Justice forfeiture complaint are consistent with portions of the POE’s findings. Specifically, the forfeiture complaint alleged how North Korean cyber actors used North Korean infrastructure in furtherance of their conspiracy to hack digital currency exchanges, steal hundreds of millions of dollars in digital currency, and launder the funds.

Extortion Campaigns. DPRK cyber actors have also conducted extortion campaigns against third-country entities by compromising an entity’s network and threatening to shut it down unless the entity pays a ransom. In some instances, DPRK cyber actors have demanded payment from victims under the guise of long-term paid consulting arrangements in order to ensure that no such future malicious cyber activity takes place. DPRK cyber actors have also been paid to hack websites and extort targets for third-party clients.

Cryptojacking. The 2019 POE mid-term report states that the POE is also investigating the DPRK’s use of “cryptojacking,” a scheme to compromise a victim machine and steal its computing resources to mine digital currency. The POE has identified several incidents in which computers infected with cryptojacking malware sent the mined assets – much of it anonymity-enhanced digital currency (sometimes also referred to as “privacy coins”) – to servers located in the DPRK, including at Kim Il Sung University in Pyongyang.

These activities highlight the DPRK’s use of cyber-enabled means to generate revenue while mitigating the impact of sanctions and show that any country can be exposed to and exploited by the DPRK. According to the 2019 POE mid-term report, the POE is also investigating such activities as attempted violations of UN Security Council sanctions on the DPRK.

Cyber Operations Publicly Attributed to DPRK by U.S. Government

The DPRK has repeatedly targeted U.S. and other government and military networks, as well as networks related to private entities and critical infrastructure, to steal data and conduct disruptive and destructive cyber activities. To date, the U.S. government has publicly attributed the following cyber incidents to DPRK state-sponsored cyber actors and co-conspirators:

  • Sony Pictures. In November 2014, DPRK state-sponsored cyber actors allegedly launched a cyber attack on Sony Pictures Entertainment (SPE) in retaliation for the 2014 film “The Interview.” DPRK cyber actors hacked into SPE’s network to steal confidential data, threatened SPE executives and employees, and damaged thousands of computers. 
  • Bangladesh Bank Heist. In February 2016, DPRK state-sponsored cyber actors allegedly attempted to steal at least $1 billion from financial institutions across the world and allegedly stole $81 million from the Bangladesh Bank through unauthorized transactions on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. According to the complaint, DPRK cyber actors accessed the Bangladesh Bank’s computer terminals that interfaced with the SWIFT network after compromising the bank’s computer network via spear phishing emails targeting bank employees. DPRK cyber actors then sent fraudulently authenticated SWIFT messages directing the Federal Reserve Bank of New York to transfer funds out of the Bangladesh Bank’s Federal Reserve account to accounts controlled by the conspirators.
  • WannaCry 2.0. DPRK state-sponsored cyber actors developed the ransomware known as WannaCry 2.0, as well as two prior versions of the ransomware. In May 2017, WannaCry 2.0 ransomware infected hundreds of thousands of computers in hospitals, schools, businesses, and homes in over 150 countries.  WannaCry 2.0 ransomware encrypts an infected computer’s data and allows the cyber actors to demand ransom payments in the Bitcoin digital currency. The Department of the Treasury designated one North Korean computer programmer for his part in the WannaCry 2.0 conspiracy, as well as his role in the Sony Pictures cyber attack and Bangladesh Bank heist, and additionally designated the organization he worked for.
  • FASTCash Campaign. Since late 2016, DPRK state-sponsored cyber actors have employed a fraudulent ATM cash withdrawal scheme known as “FASTCash” to steal tens of millions of dollars from ATMs in Asia and Africa.  FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions. In one incident in 2017, DPRK cyber actors enabled the withdrawal of cash simultaneously from ATMs located in more than 30 different countries. In another incident in 2018, DPRK cyber actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries. 
  • Digital Currency Exchange Hack. As detailed in allegations set forth in a Department of Justice complaint for forfeiture in rem, in April 2018, DPRK state-sponsored cyber actors hacked into a digital currency exchange and stole nearly $250 million worth of digital currency. The complaint further described how the stolen assets were laundered through hundreds of automated digital currency transactions, to obfuscate the origins of the funds, in an attempt to prevent law enforcement from tracing the assets. Two Chinese nationals are alleged in the complaint to have subsequently laundered the assets on behalf of the North Korean group, receiving approximately $91 million from DPRK-controlled accounts, as well as an additional $9.5 million from a hack of another exchange. In March 2020, the Department of the Treasury designated the two individuals under cyber and DPRK sanctions authorities, concurrent with a Department of Justice announcement that the individuals had been previously indicted on money laundering and unlicensed money transmitting charges and that 113 digital currency accounts were subject to forfeiture.


Measures to Counter the DPRK Cyber Threat

North Korea targets cyber-enabled infrastructure globally to generate revenue for its regime priorities, including its weapons of mass destruction programs. We strongly urge governments, industry, civil society, and individuals to take all relevant actions below to protect themselves from and counter the DPRK cyber threat:

  • Raise Awareness of the DPRK Cyber Threat. Highlighting the gravity, scope, and variety of malicious cyber activities carried out by the DPRK will raise general awareness across the public and private sectors of the threat and promote adoption and implementation of appropriate preventive and risk mitigation measures.
  • Share Technical Information of the DPRK Cyber Threat. Information sharing at both the national and international levels to detect and defend against the DPRK cyber threat will enable enhanced cybersecurity of networks and systems.  Best practices should be shared with governments and the private sector.  Under the provisions of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. §§ 1501–1510), non-federal entities may share cyber threat indicators and defensive measures related to HIDDEN COBRA with federal and non-federal entities.
  • Implement and Promote Cybersecurity Best Practices. Adopting measures – both technical and behavioral – to enhance cybersecurity will make U.S. and global cyber infrastructure more secure and resilient. Financial institutions, including money services businesses, should take independent steps to protect against malicious DPRK cyber activities. Such steps may include, but are not limited to, sharing threat information through government and/or industry channels, segmenting networks to minimize risks, maintaining regular backup copies of data, undertaking awareness training on common social engineering tactics, implementing policies governing information sharing and network access, and developing cyber incident response plans. The Department of Energy’s Cybersecurity Capability Maturity Model and the National Institute of Standards and Technology’s Cybersecurity Framework provide guidance on developing and implementing robust cybersecurity practices. As shown in Annex I, the Cybersecurity and Infrastructure Security Agency (CISA) provides extensive resources, including technical alerts and malware analysis reports, to enable network defenders to identify and reduce exposure to malicious cyber activities.
  • Notify Law Enforcement. If an organization suspects that it has been the victim of malicious cyber activity, emanating from the DPRK or otherwise, it is critical to notify law enforcement in a timely fashion.  This not only can expedite the investigation, but also, in the event of a financial crime, can increase the chances of recovering any stolen assets.
    U.S. law enforcement has seized millions of dollars’ worth of digital currency stolen by North Korean cyber actors.  All types of financial institutions, including money services businesses, are encouraged to cooperate on the front end by complying with U.S. law enforcement requests for information regarding these cyber threats, and on the back end by identifying forfeitable assets upon receipt of a request from U.S. law enforcement or U.S. court orders, and by cooperating with U.S. law enforcement to support the seizure of such assets.
  • Strengthen Anti-Money Laundering (AML) / Countering the Financing of Terrorism (CFT) / Counter-Proliferation Financing (CPF) Compliance.  Countries should swiftly and effectively implement the Financial Action Task Force (FATF) standards on AML/CFT/CPF.  This includes ensuring financial institutions and other covered entities employ risk mitigation measures in line with the FATF standards and FATF public statements and guidance.  Specifically, the FATF has called for all countries to apply countermeasures to protect the international financial system from the ongoing money laundering, terrorist financing, and proliferation financing risks emanating from the DPRK.[1]  This includes advising all financial institutions and other covered entities to give special attention to business relationships and transactions with the DPRK, including DPRK companies, financial institutions, and those acting on their behalf.  In line with UN Security Council Resolution 2270 Operative Paragraph 33, Member States should close existing branches, subsidiaries, and representative offices of DPRK banks within their territories and terminate correspondent relationships with DPRK banks.
    Further, in June 2019, FATF amended its standards to require all countries to regulate and supervise digital asset service providers, including digital currency exchanges, and to mitigate risks when engaging in digital currency transactions. Digital asset service providers should remain alert to changes in customers’ activities, as their business may be used to facilitate money laundering, terrorist financing, and proliferation financing. The United States is particularly concerned about platforms that provide anonymous payment and account service functionality without transaction monitoring, suspicious activity reporting, and customer due diligence, among other obligations.
    U.S. financial institutions, including foreign-located digital asset service providers doing business in whole or substantial part in the United States, and other covered businesses and persons should ensure that they comply with their regulatory obligations under the Bank Secrecy Act (as implemented through the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) regulations in 31 CFR Chapter X).  For financial institutions, these obligations include  developing and maintaining effective anti-money laundering programs that are reasonably designed to prevent the money services business from being used to facilitate money laundering and the financing of terrorist activities, as well as identifying and reporting suspicious transactions, including those conducted, affected, or facilitated by cyber events or illicit finance involving digital assets, in suspicious activity reporting to FinCEN.

International Cooperation

To counter the DPRK’s malicious cyber activities, the United States regularly engages with countries around the world to raise awareness of the DPRK cyber threat by sharing information and evidence via diplomatic, military, law enforcement and judicial, network defense, and other channels.  To hamper the DPRK’s efforts to steal funds through cyber means and to defend against the DPRK’s malicious cyber activities, the United States strongly urges countries to strengthen network defense, shutter DPRK joint ventures in third countries, and expel foreign-located North Korean information technology (IT) workers in a manner consistent with applicable international law.  A 2017 UN Security Council resolution required all Member States to repatriate DPRK nationals earning income abroad, including IT workers, by December 22, 2019.  The United States also seeks to enhance the capacity of foreign governments and the private sector to understand, identify, defend against, investigate, prosecute, and respond to DPRK cyber threats and participate in international efforts to help ensure the stability of cyberspace. 

Consequences of Engaging in Prohibited or Sanctionable Conduct

Individuals and entities engaged in or supporting DPRK cyber-related activity, including processing related financial transactions, should be aware of the potential consequences of engaging in prohibited or sanctionable conduct.

The Department of the Treasury’s Office of Foreign Assets Control (OFAC) has the authority to impose sanctions on any person determined to have, among other things:

  • Engaged in significant activities undermining cybersecurity on behalf of the Government of North Korea or the Workers’ Party of Korea;
  • Operated in the information technology (IT) industry in North Korea;
  • Engaged in certain other malicious cyber-enabled activities; or
  • Engaged in at least one significant importation from or exportation to North Korea of any goods, services, or technology.

Additionally, if the Secretary of the Treasury, in consultation with the Secretary of State, determines that a foreign financial institution has knowingly conducted or facilitated significant trade with North Korea, or knowingly conducted or facilitated a significant transaction on behalf of a person designated under a North Korea-related Executive Order, or under Executive Order 13382 (Weapons of Mass Destruction Proliferators and Their Supporters) for North Korea-related activity, that institution may, among other potential restrictions, lose the ability to maintain a correspondent or payable-through account in the United States.

OFAC investigates apparent violations of its sanctions regulations and exercises enforcement authority, as outlined in the Economic Sanctions Enforcement Guidelines, 31 C.F.R. part 501, appendix A. Persons who violate the North Korea Sanctions Regulations, 31 C.F.R. part 510, may face civil monetary penalties of up to the greater of the applicable statutory maximum penalty or twice the value of the underlying transaction.

The 2019 POE mid-term report notes the DPRK’s use, and attempted use, of cyber-enabled means to steal funds from banks and digital currency exchanges could violate multiple UN Security Council resolutions (UNSCRs) (i.e., UNSCR 1718 operative paragraph (OP) 8(d); UNSCR 2094, OPs 8 and 11; and UNSCR 2270, OP 32). The DPRK-related UNSCRs also provide various mechanisms for encouraging compliance with DPRK-related sanctions imposed by the UN. For example, the UN Security Council 1718 Committee may impose targeted sanctions (i.e., an asset freeze and, for individuals, a travel ban) on any individual or entity who engages in a business transaction with UN-designated entities or sanctions evasion. 

The Department of Justice criminally prosecutes willful violations of applicable sanctions laws, such as the International Emergency Economic Powers Act, 50 U.S.C. §§ 1701 et seq.  Persons who willfully violate such laws may face up to 20 years of imprisonment, fines of up to $1 million or totaling twice the gross gain, whichever is greater, and forfeiture of all funds involved in such transactions. The Department of Justice also criminally prosecutes willful violations of the Bank Secrecy Act (BSA), 31 U.S.C. §§ 5318 and 5322, which requires financial institutions to, among other things, maintain effective anti-money laundering programs and file certain reports with FinCEN. Persons violating the BSA may face up to 5 years imprisonment, a fine of up to $250,000, and potential forfeiture of property involved in the violations. Where appropriate, the Department of Justice will also criminally prosecute corporations and other entities that violate these statutes. The Department of Justice also works with foreign partners to share evidence in support of each other’s criminal investigations and prosecutions.

Pursuant to 31 U.S. Code § 5318(k), the Secretary of the Treasury or the Attorney General may subpoena a foreign financial institution that maintains a correspondent bank account in the United States for records stored overseas. Where the Secretary of the Treasury or Attorney General provides written notice to a U.S. financial institution that a foreign financial institution has failed to comply with such a subpoena, the U.S. financial institution must terminate the correspondent banking relationship within ten business days. Failure to do so may subject the U.S. financial institution to daily civil penalties.

DPRK Rewards for Justice

If you have information about illicit DPRK activities in cyberspace, including past or ongoing operations, providing such information through the Department of State’s Rewards for Justice program could make you eligible to receive an award of up to $5 million. For further details, please visit

ANNEX I: USG Public Information on and Resources to Counter the DPRK Cyber Threat

Office of the Director of National Intelligence Annual Worldwide Threat Assessments of the U.S. Intelligence Community.  In 2019, the U.S. Intelligence Community assessed that the DPRK poses a significant cyber threat to financial institutions, remains a cyber espionage threat, and retains the ability to conduct disruptive cyber attacks. The DPRK continues to use cyber capabilities to steal from financial institutions to generate revenue. Pyongyang’s cybercrime operations include attempts to steal more than $1.1 billion from financial institutions across the world – including a successful cyber heist of an estimated $81 million from Bangladesh Bank. The report can be found at

Cybersecurity and Infrastructure Security Agency (CISA) Technical Reports. The U.S. government refers to the malicious cyber activities by the DPRK as HIDDEN COBRA. HIDDEN COBRA reports provide technical details on the tools and infrastructure used by DPRK cyber actors. These reports enable network defenders to identify and reduce exposure to the DPRK’s malicious cyber activities. CISA’s website contains the latest updates on these persistent threats:

Additionally, CISA provides extensive cybersecurity and infrastructure security knowledge and practices to its stakeholders, shares that knowledge to enable better risk management, and puts it into practice to protect the nation’s critical functions. Below are the links to CISA’s resources:

FBI PIN and FLASH Reports.  FBI Private Industry Notifications (PIN) provide current information that will enhance the private sector’s awareness of a potential cyber threat. FBI Liaison Alert System (FLASH) reports contain critical information collected by the FBI for use by specific private sector partners. They are intended to provide recipients with actionable intelligence that help cybersecurity professionals and system administrators to guard against the persistent malicious actions of cyber criminals. If you identify any suspicious activity within your enterprise or have related information, please contact FBI CYWATCH immediately. For DPRK-related cyber threat PIN or FLASH reports, contact

FBI Legal Attaché Program: The FBI Legal Attaché’s core mission is to establish and maintain liaison with principal law enforcement and security services in designated foreign countries. 

U.S. Cyber Command Malware Information Release. The Department of Defense’s cyber forces actively seek out DPRK malicious cyber activities, including DPRK malware that exploits financial institutions, conducts espionage, and enables  malicious cyber activities against the U.S. and its partners. U.S. Cyber Command periodically releases malware information, identifying vulnerabilities for industry and government to defend their infrastructure and networks against DPRK illicit activities. Malware information to bolster cybersecurity can be found at the following Twitter accounts: @US_CYBERCOM and @CNMF_VirusAlert.

U.S. Department of the Treasury Sanctions Information and Illicit Finance Advisories. The Office of Foreign Assets Control’s (OFAC’s) online Resource Center provides a wealth of information regarding DPRK sanctions and sanctions with respect to malicious cyber-enabled activities, including sanctions advisories, relevant statutes, Executive Orders, rules, and regulations relating to DPRK and cyber-related sanctions. OFAC has also published several frequently asked questions (FAQs) relating to DPRK sanctions, cyber-related sanctions, and digital currency. For questions or concerns related to OFAC sanctions regulations and requirements, please contact OFAC’s Compliance Hotline at 1-800-540-6322 or

Financial Crimes Enforcement Network (FinCEN) has issued an advisory on North Korea’s use of the international financial system. FinCEN also issued specific advisories to financial institutions with suspicious activity reporting obligations that provide guidance on when and how to report cybercrime and/or digital currency-related criminal activity:

Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool to help financial institutions identify their risks and determine their cybersecurity preparedness. The assessment tool can be found at

ANNEX II: UN Panel of Experts Reports on the DPRK Cyber Threat

UN 1718 Sanctions Committee (DPRK) Panel of Experts Reports. The UN Security Council 1718 Sanctions Committee on the DPRK is supported by a Panel of Experts, who “gather, examine, and analyze information” from UN Member States, relevant UN bodies, and other parties on the implementation of the measures outlined in the UN Security Council Resolutions against North Korea. The Panel also makes recommendations on how to improve sanctions implementation by providing both a Midterm and a Final Report to the 1718 Committee. These reports can be found at



  • April 15, 2020: Initial Version
  • April 30, 2020: Added PDF versions of this report in Arabic, French, Japanese, Korean, Portuguese, Spanish, and traditional Chinese.
  • June 16, 2020: Added PDF version of this report in Vietnamese.


AA20-099A: COVID-19 Exploited by Malicious Cyber Actors
Original release date: April 8, 2020


This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).

This alert provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice.

Both CISA and NCSC are seeing a growing use of COVID-19-related themes by malicious cyber actors. At the same time, the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations.

APT groups and cybercriminals are targeting individuals, small and medium enterprises, and large organizations with COVID-19-related scams and phishing emails. This alert provides an overview of COVID-19-related malicious cyber activity and offers practical advice that individuals and organizations can follow to reduce the risk of being impacted. The IOCs provided within the accompanying .csv and .stix files of this alert are based on analysis from CISA, NCSC, and industry.

Note: this is a fast-moving situation and this alert does not seek to catalogue all COVID-19-related malicious cyber activity. Individuals and organizations should remain alert to increased activity relating to COVID-19 and take proactive steps to protect themselves.

Technical Details

Summary of Attacks

APT groups are using the COVID-19 pandemic as part of their cyber operations. Their activity includes coronavirus-themed phishing messages and malicious applications, in which the actors often masquerade as trusted entities, including entities that may have been previously compromised. Their goals and targets are consistent with long-standing priorities such as espionage and “hack-and-leak” operations.

Cybercriminals are using the pandemic for commercial gain, deploying a variety of ransomware and other malware.

Both APT groups and cybercriminals are likely to continue to exploit the COVID-19 pandemic over the coming weeks and months. Threats observed include:

  • Phishing, using the subject of coronavirus or COVID-19 as a lure,
  • Malware distribution, using coronavirus- or COVID-19-themed lures,
  • Registration of new domain names containing wording related to coronavirus or COVID-19, and
  • Attacks against newly—and often rapidly—deployed remote access and teleworking infrastructure.

Malicious cyber actors rely on basic social engineering methods to entice a user to carry out a specific action. These actors are taking advantage of human traits such as curiosity and concern around the coronavirus pandemic in order to persuade potential victims to:

  • Click on a link or download an app that may lead to a phishing website, or the downloading of malware, including ransomware.
    • For example, a malicious Android app purports to provide a real-time coronavirus outbreak tracker but instead attempts to trick the user into providing administrative access to install "CovidLock" ransomware on their device.[1]
  • Open a file (such as an email attachment) that contains malware.
    • For example, email subject lines contain COVID-19-related phrases such as “Coronavirus Update” or “2019-nCov: Coronavirus outbreak in your city (Emergency)”

To create the impression of authenticity, malicious cyber actors may spoof sender information in an email to make it appear to come from a trustworthy source, such as the World Health Organization (WHO) or an individual with “Dr.” in their title. In several examples, actors send phishing emails that contain links to a fake email login page. Other emails purport to be from an organization’s human resources (HR) department and advise the employee to open the attachment.

Malicious file attachments containing malware payloads may be named with coronavirus- or COVID-19-related themes, such as “President discusses budget savings due to coronavirus with Cabinet.rtf.”

Note: a non-exhaustive list of IOCs related to this activity is provided within the accompanying .csv and .stix files of this alert.


CISA and NCSC have both observed a large volume of phishing campaigns that use the social engineering techniques described above.

Examples of phishing email subject lines include:

  • 2020 Coronavirus Updates,
  • Coronavirus Updates,
  • 2019-nCov: New confirmed cases in your City, and
  • 2019-nCov: Coronavirus outbreak in your city (Emergency).

These emails contain a call to action, encouraging the victim to visit a website that malicious cyber actors use for stealing valuable data, such as usernames and passwords, credit card information, and other personal information.

SMS Phishing

Most phishing attempts come by email but NCSC has observed some attempts to carry out phishing by other means, including text messages (SMS).

Historically, SMS phishing has often used financial incentives, including government payments and rebates (such as a tax rebate), as part of the lure. Coronavirus-related phishing continues this financial theme, particularly in light of the economic impact of the epidemic and governments’ employment and financial support packages. For example, a series of SMS messages uses a UK government-themed lure to harvest email, address, name, and banking information. These SMS messages—purporting to be from “COVID” and “UKGOV” (see figure 1)—include a link directly to the phishing site (see figure 2).

Figure 1: UK government-themed SMS phishing


Figure 2: UK government-themed phishing page

As this example demonstrates, malicious messages can arrive by methods other than email. In addition to SMS, possible channels include WhatsApp and other messaging services. Malicious cyber actors are likely to continue using financial themes in their phishing campaigns. Specifically, it is likely that they will use new government aid packages responding to COVID-19 as themes in phishing campaigns.

Phishing for credential theft

A number of actors have used COVID-19-related phishing to steal user credentials. These emails include previously mentioned COVID-19 social engineering techniques, sometimes complemented with urgent language to enhance the lure.

If the user clicks on the hyperlink, a spoofed login webpage appears that includes a password entry form. These spoofed login pages may relate to a wide array of online services including—but not limited to—email services provided by Google or Microsoft, or services accessed via government websites.

To further entice the recipient, the websites will often contain COVID-19-related wording within the URL (e.g., “corona-virus-business-update,” “covid19-advisory,” or “cov19esupport”). These spoofed pages are designed to look legitimate or accurately impersonate well-known websites. Often the only way to notice malicious intent is through examining the website URL. In some circumstances, malicious cyber actors specifically customize these spoofed login webpages for the intended victim.

If the victim enters their password on the spoofed page, the attackers will be able to access the victim’s online accounts, such as their email inbox. This access can then be used to acquire personal or sensitive information, or to further disseminate phishing emails, using the victim’s address book.
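The sender spoofing, lure subject lines and COVID-themed login URLs described above can be screened mechanically before a message reaches a user. The following is an added example, not code from the CISA/NCSC alert: it parses a raw message, checks the subject and body for the lure wording and urgency cues the alert lists, flags an authority-style display name (“Dr.”, “WHO”) whose address is not from a trusted domain, and inspects every link for COVID-19 wording or a login-style path on an untrusted host. The two sample messages, the keyword patterns and the TRUSTED_DOMAINS allow-list are constructed assumptions and should be tuned to your own environment.

```python
"""Heuristic triage of a suspicious email (added example, not from the alert)."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: a WHO-themed credential lure of the kind the alert describes.
PHISH_EMAIL = """\
From: "Dr. Jane Example - WHO" <director@mail-who-int.example>
To: employee@corp.example
Subject: 2019-nCov: Coronavirus outbreak in your city (Emergency)
Content-Type: text/plain

Urgent: review the new safety measures within 24 hours.
Sign in to view the update: http://covid19-advisory.example/login/office365
Official guidance: https://www.who.int/emergencies/diseases/novel-coronavirus-2019
"""

# Constructed sample: a legitimate newsletter that must NOT be flagged.
BENIGN_EMAIL = """\
From: "WHO Newsletter" <newsletter@who.int>
To: employee@corp.example
Subject: Weekly epidemiological update
Content-Type: text/plain

This week's situation report: https://www.who.int/emergencies/diseases/novel-coronavirus-2019/situation-reports
"""

COVID_WORDS = re.compile(r"corona[- ]?virus|covid[- ]?19|cov19|2019-ncov", re.I)
URGENCY_WORDS = re.compile(r"\b(urgent|immediately|emergency|within \d+ hours)\b", re.I)
AUTHORITY_WORDS = re.compile(r"\b(dr|doctor|who|cdc|nhs|hmrc|irs)\b", re.I)
LOGIN_WORDS = re.compile(r"login|signin|sign-in|owa|office365|o365|account", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumed allow-list: domains whose mail and links are treated as legitimate here.
TRUSTED_DOMAINS = {"who.int", "cdc.gov", "gov.uk", "nhs.uk"}


def is_trusted(host):
    """True when host is one of the trusted domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage(raw_message):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "")
    from_header = msg["From"]
    sender = from_header.addresses[0] if from_header and from_header.addresses else None
    display_name = sender.display_name if sender else ""
    sender_domain = sender.domain.lower() if sender else ""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    findings = []

    if COVID_WORDS.search(subject):
        findings.append("covid-themed subject line")
    if URGENCY_WORDS.search(subject + " " + text):
        findings.append("urgency language")
    # Authority cue in the display name, but the address is not from a trusted domain.
    if AUTHORITY_WORDS.search(display_name) and not is_trusted(sender_domain):
        findings.append(f"authority display name {display_name!r} sent from untrusted domain {sender_domain!r}")
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        if is_trusted(parsed.hostname):
            continue
        if COVID_WORDS.search(parsed.hostname or "") or COVID_WORDS.search(parsed.path):
            findings.append(f"covid-themed URL on untrusted host {parsed.hostname}")
        if LOGIN_WORDS.search(parsed.path) or LOGIN_WORDS.search(parsed.hostname or ""):
            findings.append(f"login-style URL on untrusted host: {url}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, triage(sample) or "no findings")
```

The allow-list is what keeps the WHO newsletter clean even though its link path contains “coronavirus”; without it every legitimate health bulletin would be flagged, which is why the alert's advice is to judge the URL's host, not its wording.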

Phishing for malware deployment

A number of threat actors have used COVID-19-related lures to deploy malware. In most cases, actors craft an email that persuades the victim to open an attachment or download a malicious file from a linked website. When the victim opens the attachment, the malware is executed, compromising the victim’s device.

For example, NCSC has observed various email messages that deploy the “Agent Tesla” keylogger malware. The email appears to be sent from Dr. Tedros Adhanom Ghebreyesus, Director-General of WHO. This email campaign began on Thursday, March 19, 2020. Another similar campaign offers thermometers and face masks to fight the epidemic. The email purports to attach images of these medical products but instead contains a loader for Agent Tesla.

In other campaigns, emails include a Microsoft Excel attachment (e.g., “8651 8-14-18.xls”) or contain URLs linking to a landing page that contains a button that—if clicked—redirects to download an Excel spreadsheet, such as "EMR Letter.xls”. In both cases, the Excel file contains macros that, if enabled, execute an embedded dynamic-link library (DLL) to install the “Get2 loader" malware. Get2 loader has been observed loading the “GraceWire” Trojan.

The "TrickBot" malware has been used in a variety of COVID-19-related campaigns. In one example, emails target Italian users with a document purporting to be information related to COVID-19 (see figure 3). The document contains a malicious macro that downloads a batch file (BAT), which launches JavaScript, which—in turn—pulls down the TrickBot binary, executing it on the system.

Figure 3: Email containing malicious macro targeting Italian users[2]

In many cases, Trojans—such as TrickBot or GraceWire—will download further malicious files, such as Remote Access Trojans (RATs), desktop-sharing clients, and ransomware. In order to maximize the likelihood of payment, cybercriminals will often deploy ransomware at a time when organizations are under increased pressure. Hospitals and health organizations in the United States,[3] Spain,[4] and across Europe[5] have all been recently affected by ransomware incidents.

As always, individuals and organizations should be on the lookout for new and evolving lures. Both CISA[6],[7] and NCSC[8] provide guidance on mitigating malware and ransomware attacks.

Exploitation of new teleworking infrastructure

Many organizations have rapidly deployed new networks, including VPNs and related IT infrastructure, to shift their entire workforce to teleworking.

Malicious cyber actors are taking advantage of this mass move to telework by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software. In several examples, CISA and NCSC have observed actors scanning for publicly known vulnerabilities in Citrix products. The Citrix vulnerability CVE-2019-19781 and its exploitation have been widely reported since early January 2020. Both CISA[9] and NCSC[10] provide guidance on CVE-2019-19781 and continue to investigate multiple instances of this vulnerability's exploitation.

Similarly, known vulnerabilities affecting VPN products from Pulse Secure, Fortinet, and Palo Alto continue to be exploited. CISA provides guidance on the Pulse Secure vulnerability[11] and NCSC provides guidance on the vulnerabilities in Pulse Secure, Fortinet, and Palo Alto.[12]

Malicious cyber actors are also seeking to exploit the increased use of popular communications platforms—such as Zoom or Microsoft Teams—by sending phishing emails that include malicious files with names such as “zoom-us-zoom_##########.exe” and “microsoft-teams_V#mu#D_##########.exe” (# representing various digits that have been reported online).[13] CISA and NCSC have also observed phishing websites for popular communications platforms. In addition, attackers have been able to hijack teleconferences and online classrooms that have been set up without security controls (e.g., passwords) or with unpatched versions of the communications platform software.[14]
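The attachment names reported in this alert (the Excel files with macros, the coronavirus-themed .rtf, and the Zoom/Teams-styled executables) share traits that a mail gateway or SOC script can screen for before any content analysis. The following is an added example, not code from the alert: it classifies attachment names by extension class, double extensions, COVID-19 wording and the installer-lookalike pattern, and assigns a severity. The sample filenames are constructed, with digits substituted for the alert's “#” placeholders; the extension lists and the assumption that the digit runs can be of any length are the author's, not the alert's.

```python
"""Attachment-name triage for the lures named in the alert (added example)."""
import re

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "hta", "ps1", "jar", "msi"}
OFFICE_EXT = {"doc", "docm", "dot", "xls", "xlsm", "xlt", "xlam", "ppt", "pptm", "rtf"}
COVID_WORDS = re.compile(r"corona[- ]?virus|covid[- ]?19|cov19|2019-ncov", re.I)
# Names of the shape reported in the alert; the digit runs stand for its '#' placeholders (assumed any length).
PLATFORM_LURE = re.compile(r"^(zoom-us-zoom_\d+|microsoft-teams_v\dmu\dd_\d+)\.exe$", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.(" + "|".join(EXECUTABLE_EXT) + r")$", re.I)


def classify(filename):
    """Return the reasons an attachment name looks suspicious (empty list = nothing seen)."""
    name = filename.strip().lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    reasons = []
    if COVID_WORDS.search(name):
        reasons.append("COVID-19 wording in filename")
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable attachment (.{ext})")
    if ext in OFFICE_EXT:
        reasons.append(f"macro-capable or legacy Office format (.{ext})")
    if DOUBLE_EXT.search(name):
        reasons.append("double extension disguises an executable")
    if PLATFORM_LURE.match(name):
        reasons.append("mimics a Zoom/Teams installer name")
    return reasons


def severity(reasons):
    """Executables and disguises are high; macro-capable documents medium; theme alone is low."""
    if any(r.startswith(("executable", "double extension", "mimics")) for r in reasons):
        return "high"
    if any(r.startswith("macro-capable") for r in reasons):
        return "medium"
    return "low" if reasons else "none"


# Constructed sample names; the first five follow the alert's examples.
SAMPLE_ATTACHMENTS = [
    "zoom-us-zoom_1234567890.exe",
    "microsoft-teams_V1mu2D_0987654321.exe",
    "8651 8-14-18.xls",
    "EMR Letter.xls",
    "President discusses budget savings due to coronavirus with Cabinet.rtf",
    "invoice.pdf.exe",
    "COVID-19_guidance.pdf",
    "Q1-report.pdf",
]


def triage(filenames):
    """Map each filename to (severity, reasons)."""
    result = {}
    for name in filenames:
        reasons = classify(name)
        result[name] = (severity(reasons), reasons)
    return result


if __name__ == "__main__":
    for name, (sev, reasons) in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{sev:6} {name}: {', '.join(reasons) or 'no findings'}")
```

A filename check is only a cheap first filter: a macro-capable .xls still needs its macros inspected or blocked (see the Execution Prevention mitigation in the pipeline alert below), and a benign-looking name proves nothing.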

The surge in teleworking has also led to an increase in the use of Microsoft’s Remote Desktop Protocol (RDP). Attacks on unsecured RDP endpoints (i.e., exposed to the internet) are widely reported online,[15] and recent analysis[16] has identified a 127% increase in exposed RDP endpoints. The increase in RDP use could potentially make IT systems—without the right security measures in place—more vulnerable to attack.[17]

Indicators of compromise

CISA and NCSC are working with law enforcement and industry partners to disrupt or prevent these malicious cyber activities and have published a non-exhaustive list of COVID-19-related IOCs via the following links:

In addition, there are a number of useful publicly available resources that provide details of COVID-19-related malicious cyber activity:



Malicious cyber actors are continually adjusting their tactics to take advantage of new situations, and the COVID-19 pandemic is no exception. Malicious cyber actors are using the high appetite for COVID-19-related information as an opportunity to deliver malware and ransomware, and to steal user credentials. Individuals and organizations should remain vigilant. For information regarding the COVID-19 pandemic, use trusted resources, such as the Centers for Disease Control and Prevention (CDC)’s COVID-19 Situation Summary.
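The IOC lists this alert refers to are only useful once they are matched against your own telemetry. The following is an added example, not code from the alert and not its IOC files: it loads a two-column indicator CSV, undoes the defanging (hxxp, [.]) that shared lists commonly carry, and scans proxy log lines for URL, domain (including subdomain) and IP matches. The indicator values, the log lines and the log format are constructed placeholders using reserved .example names and a documentation-range IP; the CONNECT parsing assumes IPv4 or hostnames, not bracketed IPv6.

```python
"""Match a shared IOC list against proxy log lines (added example, not from the alert)."""
import csv
import io
import re
from urllib.parse import urlparse

# Constructed IOC list in the shape type,value. Some entries are deliberately defanged.
IOC_CSV = """\
type,value
domain,corona-virus-business-update[.]example
domain,cov19esupport.example
url,hxxp://covid19-advisory.example/login/office365
ip,203.0.113.45
"""

# Constructed proxy log: timestamp, client, method, target, status.
PROXY_LOG = """\
2020-04-08T10:01:12Z 10.0.0.5 GET http://www.who.int/emergencies/ 200
2020-04-08T10:02:30Z 10.0.0.7 GET http://covid19-advisory.example/login/office365 200
2020-04-08T10:03:01Z 10.0.0.9 GET http://mail.cov19esupport.example/track?id=1 302
2020-04-08T10:04:44Z 10.0.0.5 CONNECT 203.0.113.45:443 200
2020-04-08T10:05:10Z 10.0.0.8 GET http://update.example/ 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def refang(value):
    """Undo common defanging so indicators compare equal to what logs actually contain."""
    v = value.strip()
    v = re.sub(r"^hxxp", "http", v, flags=re.I)
    for token in ("[.]", "(.)", "{.}"):
        v = v.replace(token, ".")
    return v.lower()


def load_iocs(csv_text):
    """Bucket indicators by type; types a proxy log cannot match (hashes etc.) are skipped."""
    iocs = {"domain": set(), "url": set(), "ip": set()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = row["type"].strip().lower()
        if kind in iocs:
            iocs[kind].add(refang(row["value"]))
    return iocs


def domain_hit(host, domains):
    """True when host equals an IOC domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log(log_text, iocs):
    """Return (client, ioc_type, matched_value) for every line that touches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, _method, target, _status = m.groups()
        if "://" in target:
            host = urlparse(target).hostname
            if target.lower() in iocs["url"]:
                hits.append((client, "url", target))
            elif domain_hit(host, iocs["domain"]):
                hits.append((client, "domain", host))
        else:
            # CONNECT target is host:port; assumed IPv4 address or hostname.
            host = target.rsplit(":", 1)[0].lower()
            if host in iocs["ip"]:
                hits.append((client, "ip", host))
            elif domain_hit(host, iocs["domain"]):
                hits.append((client, "domain", host))
    return hits


if __name__ == "__main__":
    for client, kind, value in scan_log(PROXY_LOG, load_iocs(IOC_CSV)):
        print(f"{client} contacted {kind} indicator {value}")
```

Matching subdomains matters because a campaign rarely reuses the exact host that was reported; matching exact URLs separately keeps a hit on a specific phishing path from being lost when the domain itself is shared hosting.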

Following the CISA and NCSC advice set out below will help mitigate the risk to individuals and organizations from malicious cyber activity related to both COVID-19 and other themes:

Phishing guidance for individuals

The NCSC’s suspicious email guidance explains what to do if you've already clicked on a potentially malicious email, attachment, or link. It provides advice on who to contact if your account or device has been compromised and some of the mitigation steps you can take, such as changing your passwords. It also offers NCSC's top tips for spotting a phishing email:

  • Authority – Is the sender claiming to be from someone official (e.g., your bank or doctor, a lawyer, a government agency)? Criminals often pretend to be important people or organizations to trick you into doing what they want.
  • Urgency – Are you told you have a limited time to respond (e.g., in 24 hours or immediately)? Criminals often threaten you with fines or other negative consequences.
  • Emotion – Does the message make you panic, fearful, hopeful, or curious? Criminals often use threatening language, make false claims of support, or attempt to tease you into wanting to find out more.
  • Scarcity – Is the message offering something in short supply (e.g., concert tickets, money, or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.

Phishing guidance for organizations and cybersecurity professionals

Organizational defenses against phishing often rely exclusively on users being able to spot phishing emails. However, organizations that widen their defenses to include more technical measures can improve resilience against phishing attacks.

In addition to educating users on defending against these attacks, organizations should consider NCSC’s guidance that splits mitigations into four layers, on which to build defenses:

  1. Make it difficult for attackers to reach your users.
  2. Help users identify and report suspected phishing emails (see CISA Tips, Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams).
  3. Protect your organization from the effects of undetected phishing emails.
  4. Respond quickly to incidents.

CISA and NCSC also recommend organizations plan for a percentage of phishing attacks to be successful. Planning for these incidents will help minimize the damage caused.

Communications platforms guidance for individuals and organizations

Due to COVID-19, an increasing number of individuals and organizations are turning to communications platforms—such as Zoom and Microsoft Teams—for online meetings. In turn, malicious cyber actors are hijacking online meetings that are not secured with passwords or that use unpatched software.

Tips for defending against online meeting hijacking (Source: FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic, FBI press release, March 30, 2020):

  • Do not make meetings public. Instead, require a meeting password or use the waiting room feature and control the admittance of guests.
  • Do not share a link to a meeting on an unrestricted publicly available social media post. Provide the link directly to specific people.
  • Manage screensharing options. Change screensharing to “Host Only.”
  • Ensure users are using the updated version of remote access/meeting applications.
  • Ensure telework policies address requirements for physical and information security.


This report draws on information derived from CISA, NCSC, and industry sources. Any findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.

CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.



  • April 8, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

AA20-073A: Enterprise VPN Security
Original release date: March 13, 2020 | Last revised: April 15, 2020


As organizations prepare for possible impacts of Coronavirus Disease 2019 (COVID-19), many may consider alternate workplace options for their employees. Remote work options—or telework—require an enterprise virtual private network (VPN) solution to connect employees to an organization’s information technology (IT) network. As organizations elect to implement telework, the Cybersecurity and Infrastructure Security Agency (CISA) encourages organizations to adopt a heightened state of cybersecurity.

Technical Details

The following are cybersecurity considerations regarding telework.

  • As organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors.
  • As VPNs are 24/7, organizations are less likely to keep them updated with the latest security updates and patches.
  • Malicious cyber actors may increase phishing emails targeting teleworkers to steal their usernames and passwords.
  • Organizations that do not use multi-factor authentication (MFA) for remote access are more susceptible to phishing attacks.
  • Organizations may have a limited number of VPN connections, after which point no other employee can telework. With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks.


CISA encourages organizations to review the following recommendations when considering alternate workplace options.



  • March 13, 2020: Initial Version

AA20-049A: Ransomware Impacting Pipeline Operations
Original release date: February 18, 2020 | Last revised: June 30, 2020


Note: This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) framework. See the MITRE ATT&CK for Enterprise and ATT&CK for Industrial Control Systems (ICS) frameworks for all referenced threat actor techniques and mitigations.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages asset owner operators across all critical infrastructure sectors to review the below threat actor techniques and ensure the corresponding mitigations are applied.

CISA responded to a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility. A cyber threat actor used a Spearphishing Link [T1192] to obtain initial access to the organization’s information technology (IT) network before pivoting to its OT network. The threat actor then deployed commodity ransomware to Encrypt Data for Impact [T1486] on both networks. Specific assets experiencing a Loss of Availability [T826] on the OT network included human machine interfaces (HMIs), data historians, and polling servers. Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View [T829] for human operators. The attack did not impact any programmable logic controllers (PLCs) and at no point did the victim lose control of operations. Although the victim’s emergency response plan did not specifically consider cyberattacks, the decision was made to implement a deliberate and controlled shutdown to operations. This lasted approximately two days, resulting in a Loss of Productivity and Revenue [T828], after which normal operations resumed. CISA is providing this Alert to help administrators and network defenders protect their organizations against this and similar ransomware attacks.

Technical Details

Network and Assets

  • The victim failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.
  • The threat actor used commodity ransomware to compromise Windows-based assets on both the IT and OT networks. Assets impacted on the organization’s OT network included HMIs, data historians, and polling servers.
  • Because the attack was limited to Windows-based systems, PLCs responsible for directly reading and manipulating physical processes at the facility were not impacted.
  • The victim was able to obtain replacement equipment and load last-known-good configurations to facilitate the recovery process.
  • All OT assets directly impacted by the attack were limited to a single geographic facility.

Planning and Operations

  • At no time did the threat actor obtain the ability to control or manipulate operations. The victim took offline the HMIs that read and control operations at the facility. A separate and geographically distinct central control office was able to maintain visibility but was not instrumented for control of operations.
  • The victim’s existing emergency response plan focused on threats to physical safety and not cyber incidents. Although the plan called for a full emergency declaration and immediate shutdown, the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures. These included a four-hour transition from operational to shutdown mode combined with increased physical security.
  • Although the direct operational impact of the cyberattack was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline asset lasting approximately two days.
  • Although they considered a range of physical emergency scenarios, the victim’s emergency response plan did not specifically consider the risk posed by cyberattacks. Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks.
  • The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.


Asset owner operators across all sectors are encouraged to consider the following mitigations using a risk-based assessment strategy.

Planning and Operational Mitigations

  • Ensure the organization’s emergency response plan considers the full range of potential impacts that cyberattacks pose to operations, including loss or manipulation of view, loss or manipulation of control, and loss of safety. In particular, response playbooks should identify criteria to distinguish between events requiring deliberate operational shutdown versus low-risk events that allow for operations to continue.
  • Exercise the ability to fail over to alternate control systems, including manual operation while assuming degraded electronic communications. Capture lessons learned in emergency response playbooks.
  • Allow employees to gain decision-making experience via tabletop exercises that incorporate loss of visibility and control scenarios. Capture lessons learned in emergency response playbooks.
  • Identify single points of failure (technical and human) for operational visibility. Develop and test emergency response playbooks to ensure there are redundant channels that allow visibility into operations when one channel is compromised.
  • Implement redundant communication capabilities between geographically separated facilities responsible for the operation of a single pipeline asset. Coordinate planning activities across all such facilities.
  • Recognize the physical risks that cyberattacks pose to safety and integrate cybersecurity into the organization’s safety training program.
  • Ensure the organization’s security program and emergency response plan consider third parties with legitimate need for OT network access, including engineers and vendors.

Technical and Architectural Mitigations

  • Implement and ensure robust Network Segmentation [M1030] between IT and OT networks to limit the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone (DMZ) that eliminates unregulated communication between the IT and OT networks.
  • Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to Filter Network Traffic [M1037] and monitor communications between zones. Prohibit Industrial Control System (ICS) protocols from traversing the IT network.
  • Require Multi-Factor Authentication [M1032] to remotely access the OT and IT networks from external sources.
  • Implement regular Data Backup [M1053] procedures on both the IT and OT networks. Ensure that backups are regularly tested and isolated from network connections that could enable the spread of ransomware.
  • Ensure user and process accounts are limited through Account Use Policies [M1036], User Account Control [M1052], and Privileged Account Management [M1026]. Organize access rights based on the principles of least privilege and separation of duties.
  • Enable strong spam filters to prevent phishing emails from reaching end users. Implement a User Training [M1017] program to discourage users from visiting malicious websites or opening malicious attachments. Filter emails containing executable files from reaching end users.
  • Filter Network Traffic [M1037] to prohibit ingress and egress communications with known malicious Internet Protocol (IP) addresses. Prevent users from accessing malicious websites using Uniform Resource Locator (URL) deny lists and/or allow lists.
  • Update Software [M1051], including operating systems, applications, and firmware on IT network assets. Use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program. Consider using a centralized patch management system.
  • Set Antivirus/Antimalware [M1049] programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.  
  • Implement Execution Prevention [M1038] by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
  • Implement Execution Prevention [M1038] via application allow listing, which only allows systems to execute programs known and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
  • Limit Access to Resources over Network [M1035], especially by restricting Remote Desktop Protocol (RDP). If after assessing risks RDP is deemed operationally necessary, restrict the originating sources and require Multi-Factor Authentication [M1032].
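Several of the architectural mitigations above (Network Segmentation [M1030], Filter Network Traffic [M1037], Multi-Factor Authentication [M1032] and Limit Access to Resources over Network [M1035]) can be expressed as rules over the conduits between zones and checked automatically against a firewall rule set. The following is an added example, not code from the alert: a small zone/conduit policy checker that flags direct IT-to-OT conduits that bypass the DMZ, ICS protocols crossing the IT or external network, external remote access without MFA, and external access that terminates in OT. The zones, the rule set and the port-to-protocol tables are constructed; the bracketed IDs are the ATT&CK mitigation IDs cited in the alert.

```python
"""Zone/conduit policy check for IT/OT flow rules (added example, not from the alert)."""
from dataclasses import dataclass

# Well-known ICS protocol ports and remote-access ports (constructed tables, extend as needed).
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7comm"}
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # zone: External, IT, DMZ or OT
    dst: str
    port: int
    mfa: bool = False   # does this conduit enforce multi-factor authentication?


# Constructed conduit rule set for one facility.
RULES = [
    Rule("vpn", "External", "DMZ", 443, mfa=True),        # VPN concentrator in the DMZ
    Rule("rdp-it", "External", "IT", 3389),               # RDP straight into IT, no MFA
    Rule("smb-it-ot", "IT", "OT", 445),                   # file sharing across the IT-OT boundary
    Rule("modbus-it-ot", "IT", "OT", 502),                # ICS protocol originating in IT
    Rule("historian", "OT", "DMZ", 1433),                 # historian replication into the DMZ
    Rule("vendor-ot", "External", "OT", 3389, mfa=True),  # vendor access landing directly in OT
]


def evaluate(rules):
    """Return (rule name, violation) pairs; one rule can break several controls."""
    findings = []
    for r in rules:
        zones = {r.src, r.dst}
        if zones == {"IT", "OT"}:
            findings.append((r.name, "direct IT<->OT conduit bypasses the DMZ [M1030]"))
        if r.port in ICS_PORTS and zones & {"IT", "External"}:
            findings.append((r.name, f"{ICS_PORTS[r.port]} traverses the IT or external network [M1037]"))
        if r.src == "External" and r.port in REMOTE_ACCESS_PORTS and not r.mfa:
            findings.append((r.name, f"{REMOTE_ACCESS_PORTS[r.port]} from external sources without MFA [M1032]"))
        if r.src == "External" and r.dst == "OT":
            findings.append((r.name, "external access lands directly in OT instead of a DMZ jump point [M1035]"))
    return findings


def violating_rules(rules):
    """Names of rules with at least one finding, in rule order."""
    bad = {name for name, _ in evaluate(rules)}
    return [r.name for r in rules if r.name in bad]


if __name__ == "__main__":
    for name, problem in evaluate(RULES):
        print(f"{name}: {problem}")
```

The SMB conduit is the one that matters most for the incident described in this alert: commodity ransomware reached Windows assets in OT because IT and OT were not segmented, and a checker like this turns that finding into a test you can run every time the rule base changes.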



  • February 18, 2020: Initial Version