cisa - X-Industry - Red Sky Alliance 2024-03-29T05:05:49Z https://redskyalliance.org/xindustry/feed/tag/cisa
Critical Infrastructure Threat – Volt Typhoon https://redskyalliance.org/xindustry/critical-infrastructure-threat-volt-typhoon 2024-03-22T13:05:00.000Z Bill Schenkelberg https://redskyalliance.org/members/BillSchenkelberg
<div><p><a href="{{#staticFileLink}}12403148060,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12403148060,RESIZE_400x{{/staticFileLink}}" width="250" alt="12403148060?profile=RESIZE_400x" /></a>The attached US DHS CISA fact sheet provides an overview for executive leaders on the urgent risk posed by People’s Republic of China (PRC) state-sponsored cyber actors known as “Volt Typhoon.” CISA—along with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and other US government and international partners—released a major advisory on 7 February 2024, in which the U.S. authoring agencies warned cybersecurity defenders that Volt Typhoon has been pre-positioning itself on US critical infrastructure organizations’ networks to enable disruption or destruction of critical services in the event of increased geopolitical tensions and/or military conflict with the United States and its allies. This is a critical business risk for every organization in the United States and allied countries.</p>
<p>The advisory provides detailed information related to the group’s activity and describes how the group has successfully compromised US organizations, especially in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors. The authoring organizations urge critical infrastructure owners and operators to review the advisory for defensive actions against this threat and its potential impacts on national security.</p>
<p>CISA and partners are releasing this fact sheet to provide leaders of critical infrastructure entities with guidance to help prioritize the protection of critical infrastructure and functions. The authoring agencies urge leaders to recognize cyber risk as a core business risk. This recognition is both necessary for good governance and fundamental to national security.</p>
<p>Link to full report: <a href="{{#staticFileLink}}12403148077,original{{/staticFileLink}}">Fact-Sheet-PRC-State-Sponsored-Cyber-Activity-Actions-for-Critical-Infrastructure-Leaders-508c_0.pdf</a></p>
<p><a href="https://www.cisa.gov/sites/default/files/2024-03/Fact-Sheet-PRC-State-Sponsored-Cyber-Activity-Actions-for-Critical-Infrastructure-Leaders-508c_0.pdf">https://www.cisa.gov/sites/default/files/2024-03/Fact-Sheet-PRC-State-Sponsored-Cyber-Activity-Actions-for-Critical-Infrastructure-Leaders-508c_0.pdf</a></p>
<p><em>This article is shared at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p></div>
Ivanti Issues Continue https://redskyalliance.org/xindustry/ivanti-issues-continue 2024-02-19T13:00:00.000Z Bill Schenkelberg https://redskyalliance.org/members/BillSchenkelberg
<div><p><a href="{{#staticFileLink}}12382706263,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12382706263,RESIZE_400x{{/staticFileLink}}" width="250" alt="12382706263?profile=RESIZE_400x" /></a>DarkReading recently provided an editorial on the recent cyber security response to Ivanti’s VPN issues. “Here's what's clear about the current cybersecurity state of Ivanti's VPN appliances: they have been widely vulnerable to cyberattack, and threat actors are onto the possibilities. It's up to enterprise cyber teams to decide what comes next.”</p>
<p>So far, Ivanti has disclosed five VPN flaws in 2024, most exploited as zero-days — with two of them publicly announced weeks before patches became available. Some critics, like an influential cybersecurity researcher, see the glut of Ivanti vulnerabilities, and the company's slow incident response, as an existential threat to the business. He blames Ivanti's current problems on years-long neglect of secure coding and security testing. To recover, Ivanti would have to both overcome that technical debt and somehow rebuild trust with its customers. It's a task he's dubious Ivanti will be able to pull off. "I don't see how Ivanti survives as an enterprise firewall brand," the researcher said, a remark that was repeated widely on social media.<a href="#_ftn1">[1]</a></p>
<p>See: <a href="https://redskyalliance.org/xindustry/ivanti-connect-secure-not-so-secure">https://redskyalliance.org/xindustry/ivanti-connect-secure-not-so-secure</a></p>
<p>A more generous view of the recent spate of zero-day disclosures is that it's a positive sign Ivanti is taking a long, hard look at its cybersecurity. "Ivanti is digging deep into its own products in order to find, fix, and disclose vulnerabilities, and deserves some credit for that," said the vice president of Viakoo Labs. When asked for comment, Ivanti referred Dark Reading to its 8 February blog post regarding its most recent disclosure.</p>
<p>Ivanti's Woes Fall on Cyber Teams - Ultimately, enterprise teams will have to choose. Cyber teams can follow US DHS CISA's advice and disconnect Ivanti VPN appliances and update before they are reconnected. Or, while they are already offline for patching, they can replace Ivanti appliances altogether. They also have to explain the decision to higher-ups.</p>
<p>Patching is a reasonable response, but Ivanti's patching schedule was delayed for the aforementioned pair of zero-day vulnerabilities disclosed on 10 January (CVE-2024-21887 and CVE-2023-46805). These ended up being under active exploit without a patch for 20 days before receiving patches on 30 January. But they came with more bad news: The Ivanti update also included fixes for two additional previously undisclosed bugs (CVE-2024-21888 and CVE-2024-21893), the latter of which had also already been under active exploitation in the wild.</p>
<p>That was enough for CISA to issue a 1 February mandate for federal agencies to disconnect Ivanti products from their systems. CISA issued a clarification to the directive on 9 February that Ivanti VPN appliances may be reconnected to government networks once they are sufficiently patched, and in some cases, reset to factory settings.</p>
<p>A fifth Ivanti vulnerability was disclosed on 9 February, tracked as CVE-2024-22024. Eventually, Ivanti credited watchTowr with the find, though at first it claimed internal teams found the bug, sowing some confusion in bug-hunter ranks. Further undermining confidence in Ivanti security practices is the fact that the initial 10 January bugs were originally due to get patches on 22 January, but Ivanti pushed the release date back to the 30th. "These devices need their software engineered with the same kind of seriousness that this threat requires," says the president at Bambenek Consulting. "When you publish zero-day patch schedules, you need to hit those targets, especially in a situation like this." Meanwhile, Ivanti's persistent flaws have attracted crowds of cybercriminals, including Chinese state-sponsored threat actors. And the cyber researcher "Shadowserver" confirmed to Dark Reading that there are at least 47 IPs to date attempting to exploit the most recently disclosed Ivanti VPN bug.</p>
<p>There is some confusion here too: Ivanti issued the following statement to Dark Reading in response to the Shadowserver report: "We have no indication that CVE-2024-22024 has been exploited in the wild."</p>
<p>The Viakoo Labs vice president gives Ivanti poor marks for its incident response so far. "Ivanti’s recovery will need to address both the technical aspects of these attacks, and the trust/reputational damage this has caused them," he says. "On both fronts they have stumbled badly."</p>
<p>Ivanti Vows to Fix Flaws, Customers Cautious - In an 8 February advisory about the most recent Connect Secure and Policy Secure Gateways bugs, Ivanti assured customers it is now doing a full audit of its code. "Our team has been working around the clock to aggressively review all code and is singularly focused on bringing full resolution to the issues affecting Ivanti Connect Secure (formerly Pulse Connect Secure), Ivanti Policy Secure and ZTA gateways," the company said.</p>
<p>As Ivanti's cybersecurity troubles mount, the lesson for cyber teams is that reactive patching alone of edge devices isn't sufficient, according to Keeper Security. "It is imperative that vendors prioritize identifying and resolving issues within their solutions," it said. "But organizations should regularly engage in pen-testing of their own products and services to proactively find vulnerabilities before someone else does."</p>
<p>Only time will tell if Ivanti will be able to woo its customers back who've already left, and reassure the ones who have stuck around. But in the meantime enterprise security teams remain cautious. "If I were a CISO, I'd take a pass on Ivanti for a few years until they’ve proven themselves again," was a recent advisory statement. </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.darkreading.com/cloud-security/ivanti-poor-marks-cyber-incident-response">https://www.darkreading.com/cloud-security/ivanti-poor-marks-cyber-incident-response</a></p></div>
RustedDoor https://redskyalliance.org/xindustry/rusteddoor 2024-02-16T13:05:00.000Z Bill Schenkelberg https://redskyalliance.org/members/BillSchenkelberg
<div><p><a href="{{#staticFileLink}}12381762074,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12381762074,RESIZE_400x{{/staticFileLink}}" width="250" alt="12381762074?profile=RESIZE_400x" /></a>Bitdefender researchers have discovered a new backdoor targeting macOS users. This previously undocumented family of malware is written in Rust and includes several interesting features. While the investigation is ongoing, we’re sending out this alert to share indicators of compromise with the community. Bitdefender products identify this threat as Trojan.MAC.RustDoor.*.</p>
<p>Here’s what we know so far: <strong>Distribution - </strong>The backdoor seems to impersonate a Visual Studio update, and all identified files are distributed directly as FAT binaries with Mach-O files for both x86_64 Intel and ARM architectures. None of the files have any other parents (Application Bundles, Disk images). Some of the identified samples are under the following names:</p>
<ul>
<li>zshrc2</li>
<li>Previewers</li>
<li>VisualStudioUpdater</li>
<li>VisualStudioUpdater_Patch</li>
<li>VisualStudioUpdating</li>
<li>visualstudioupdate</li>
<li>DO_NOT_RUN_ChromeUpdates</li>
</ul>
<p>Analysts were able to trace the first samples back to early November 2023. The freshest sample was spotted on 2 February 2024, indicating the malware has been operating undetected for at least three months.<a href="#_ftn1">[1]</a></p>
<p><strong>Versions and capabilities - </strong>This backdoor seems to have multiple variants. While most of the samples share the same core functionalities (with minor variations), we split these samples into Variant 1, 2 and Zero, as documented below. The files’ source code is written in Rust, and analysis of the binaries reveals the names of the original source files. Rust's syntax and semantics differ from those of more common languages like C or Python, making it harder for security researchers to analyze and detect malicious code. This can give malware authors an advantage in evading detection and analysis.</p>
<p><em><a href="{{#staticFileLink}}12381762452,RESIZE_400x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12381762452,RESIZE_400x{{/staticFileLink}}" width="340" alt="12381762452?profile=RESIZE_400x" /></a>Variant 1 source files</em></p>
<p><em><a href="{{#staticFileLink}}12381762263,RESIZE_400x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12381762263,RESIZE_400x{{/staticFileLink}}" width="338" alt="12381762263?profile=RESIZE_400x" /></a>Variant 2 source files</em></p>
<p>All samples we analysed contain the backdoor functionality, with the following list of supported commands:</p>
<ul>
<li>ps</li>
<li>shell</li>
<li>cd</li>
<li>mkdir</li>
<li>rm</li>
<li>rmdir</li>
<li>sleep</li>
<li>upload</li>
<li>botkill</li>
<li>dialog</li>
<li>taskkill</li>
<li>download</li>
</ul>
<p>These commands allow the malware to gather and upload files, and to gather information about the machine, as highlighted by the following arguments used in conjunction with the <strong>sysctl</strong> command:</p>
<ul>
<li><strong>cpu.vendor</strong></li>
<li><strong>cpu.brand_string</strong></li>
<li><strong>osproductversion</strong></li>
<li><strong>cpufrequency</strong></li>
</ul>
<p>The information extracted with the sysctl command, as well as the output of two other commands (pwd and hostname), is then submitted to the Register endpoint of the C&C server to receive a Victim ID. This Victim ID is then used in the rest of the communication between the C&C and the backdoor.</p>
<p>Communication with the C2 servers is performed using the following endpoints:</p>
<ul>
<li><strong>POST /gateway/register</strong>: called when the file is executed, with the purpose of receiving an ID from the C2. The payload sent to the server contains 3 fields: hostname, os_version (the macOS version, e.g. 13.6.4) and pwd (the current directory)</li>
<li><strong>POST /gateway/report</strong>: called regularly at short time intervals; the payload sent to the server contains only one field, the id, with the value received as the response to the /gateway/register call</li>
<li><strong>/gateway/task</strong>: used to exchange information about the tasks executed on the compromised machine</li>
<li><strong>/tasks/upload_file</strong>: used to exfiltrate files</li>
</ul>
<p>Currently, the C2 servers are answering with {“detail”: “Not found”}</p>
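As an added illustration (not code from Bitdefender, Red Sky Alliance or the malware itself), the following Python sketch shows how a defender could turn the endpoint and payload description above into a detection over HTTP proxy logs: it flags requests to the four documented paths, rates a hit higher when the JSON body carries exactly the documented field set (hostname/os_version/pwd for register, id for report), and reports any host whose /gateway/report calls recur at short, regular intervals. The JSON-lines log format, the placeholder host c2.example.invalid, the beacon-gap threshold and every sample log line are constructed for this example.

```python
"""Proxy-log detection sketch for RustDoor-style C2 traffic (added example)."""
import json
from collections import defaultdict
from datetime import datetime

# Endpoint paths reported in the analysis, with the payload fields each carries.
RUSTDOOR_ENDPOINTS = {
    "/gateway/register": {"hostname", "os_version", "pwd"},
    "/gateway/report": {"id"},
    "/gateway/task": set(),
    "/tasks/upload_file": set(),
}

# Largest gap (seconds) between consecutive /gateway/report calls that still
# counts as the "short time intervals" described in the write-up.  Assumed
# threshold for this example, not a value from the report.
MAX_BEACON_GAP_S = 120


def parse_line(line):
    """Parse one constructed JSON-lines proxy record; return None if unusable."""
    try:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    except (ValueError, KeyError, TypeError):
        return None
    if not all(k in rec for k in ("host", "path")):
        return None
    try:  # a non-JSON body is kept as an empty dict so the path check still runs
        body = json.loads(rec["body"]) if rec.get("body") else {}
    except ValueError:
        body = {}
    rec["body"] = body if isinstance(body, dict) else {}
    return rec


def scan_logs(lines):
    """Return (kind, host, detail) alerts for RustDoor-like requests and beaconing."""
    alerts = []
    reports = defaultdict(list)  # host -> timestamps of /gateway/report calls
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in RUSTDOOR_ENDPOINTS:
            continue
        host, path = rec["host"], rec["path"]
        expected = RUSTDOOR_ENDPOINTS[path]
        # A body carrying exactly the documented field set is a stronger signal
        # than the path alone, which a benign API could also use.
        if expected and set(rec["body"]) == expected:
            alerts.append(("rustdoor_payload", host, path))
        else:
            alerts.append(("rustdoor_path", host, path))
        if path == "/gateway/report":
            reports[host].append(rec["ts"])
    # Beacon check: three or more report calls, every gap within the threshold.
    for host, times in reports.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= 3 and all(g <= MAX_BEACON_GAP_S for g in gaps):
            detail = f"{len(times)} reports, max gap {max(gaps):.0f}s"
            alerts.append(("rustdoor_beacon", host, detail))
    return alerts


# Constructed sample log: one host beaconing to a placeholder C2 domain, plus
# benign traffic and a malformed line.  Not real telemetry.
SAMPLE_LOG = [
    '{"ts": "2024-02-05T09:00:00", "method": "POST", "host": "c2.example.invalid", '
    '"path": "/gateway/register", "body": "{\\"hostname\\": \\"mac-01\\", '
    '\\"os_version\\": \\"13.6.4\\", \\"pwd\\": \\"/Users/alice\\"}"}',
    '{"ts": "2024-02-05T09:00:30", "method": "POST", "host": "c2.example.invalid", '
    '"path": "/gateway/report", "body": "{\\"id\\": \\"abc123\\"}"}',
    '{"ts": "2024-02-05T09:01:00", "method": "POST", "host": "c2.example.invalid", '
    '"path": "/gateway/report", "body": "{\\"id\\": \\"abc123\\"}"}',
    '{"ts": "2024-02-05T09:01:30", "method": "POST", "host": "c2.example.invalid", '
    '"path": "/gateway/report", "body": "{\\"id\\": \\"abc123\\"}"}',
    '{"ts": "2024-02-05T09:02:00", "method": "GET", "host": "updates.example.invalid", '
    '"path": "/index.html", "body": ""}',
    "not json at all",
]

if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this yields four payload-level hits (the register call and three report calls) and one beacon alert for c2.example.invalid; feeding real proxy exports only requires replacing parse_line with a parser for the local log format.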
<p><strong>Variant 1 - </strong>This variant, first seen on 22 November 2023, seems to be a testing version, as shown by the embedded plist file (which is copy-pasted <a href="https://book.hacktricks.xyz/macos-hardening/macos-auto-start-locations">from a public write-up</a> describing persistence mechanisms and sandbox evasion techniques for macOS). Another possible clue is the name of the plist file (test.plist). Although this embedded plist is meant to ensure persistence using LaunchAgents, the configuration does not include a field for this persistence method (only for persistence using cronjobs or inserting the application in the Dock bar), as seen in the second variant.</p>
<p><a href="{{#staticFileLink}}12381762461,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12381762461,RESIZE_584x{{/staticFileLink}}" width="500" alt="12381762461?profile=RESIZE_584x" /></a>The variant 1 samples also contain an embedded JSON configuration, which is described in deeper detail in the Persistence section.</p>
<p><strong>Variant 2 - </strong>The files belonging to this second Variant were first seen on 30 November 2023 and are slightly larger than their counterparts in version one, at around 4-5MB. This variant seems to be an upgraded version of the malware, that now contains a complex JSON configuration as well as an embedded Apple script used for exfiltration.</p>
<p><strong>The embedded Apple script – </strong>Analysts identified multiple variants of the embedded Apple script, but all of them are meant for data exfiltration.</p>
<p>The script is used to exfiltrate documents with specific extensions and sizes from the Documents and Desktop folders, as well as the notes of the user, stored in SQLite format at the following location: /Users/&lt;user&gt;/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite</p>
<p>Multiple strings containing the targeted extensions were also identified inside the binaries: <strong>txt, rtf, doc, xls, xlsx, png, pdf, pem, asc, ppk, rdp, zip, sql, ovpn, kdbx, conf, key, json</strong></p>
<p>After all files are copied to the destination hidden folder, they are compressed into a ZIP archive (named &lt;username&gt;_home.zip) and sent to the C2 server.</p>
<p><a href="{{#staticFileLink}}12381762481,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12381762481,RESIZE_584x{{/staticFileLink}}" width="457" alt="12381762481?profile=RESIZE_584x" /></a><a href="{{#staticFileLink}}12381762680,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12381762680,RESIZE_584x{{/staticFileLink}}" width="457" alt="12381762680?profile=RESIZE_584x" /></a><strong>The configuration options - </strong>The configuration options seem to include a list of applications to be impersonated, with the purpose of spoofing the administrator password using a dialog, customized with different messages:</p>
<p><a href="{{#staticFileLink}}12381763064,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12381763064,RESIZE_584x{{/staticFileLink}}" width="500" alt="12381763064?profile=RESIZE_584x" /></a>Some configurations also include specific instructions about what data to collect, such as the maximum size and maximum number of files, as well as lists of targeted extensions and directories, or directories to exclude:</p>
<p><a href="{{#staticFileLink}}12381763882,RESIZE_400x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12381763882,RESIZE_400x{{/staticFileLink}}" width="338" alt="12381763882?profile=RESIZE_400x" /></a>The first part of the configuration suggests there are multiple ways to achieve persistence, as documented in the <strong>Persistence</strong> section.</p>
<p><strong>Variant Zero - </strong>Variant Zero seems to be the earliest one, and was first seen on 2 November 2023. Given that it is presumably the original one, it is less complex than the others. While it has the backdoor functionality, the Apple script and embedded configuration are absent.</p>
<p><strong>Persistence - </strong>As previously mentioned, the first two variants contain embedded JSON configurations that highlight multiple persistence mechanisms employed by this family, through fields like <strong>lock_in_cron</strong>, <strong>lock_in_launch</strong>, <strong>lock_in_dock</strong> or <strong>lock_in_rc</strong>. <br /> While the first two methods are quite common in recent malware families, the last two are less so.</p>
<p><strong>lock_in_cron</strong> - Persistence using cronjobs.</p>
<p><strong>lock_in_launch</strong> - Persistence using LaunchAgents, causing the binary to be executed every time the user logs in. The path of the LaunchAgent is passed as a parameter to the launchctl load -w &lt;path_to_plist_file&gt; command, which loads and starts the job; the job will also restart on future logins.</p>
<p><a href="{{#staticFileLink}}12381764055,RESIZE_1200x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12381764055,RESIZE_584x{{/staticFileLink}}" width="500" alt="12381764055?profile=RESIZE_584x" /></a><em>.plist file created for persistence</em></p>
<p><strong>lock_in_rc</strong> - Persistence achieved by modifying the ~/.zshrc file, which is used to execute the binary every time a new ZSH session is opened.</p>
<p><strong>lock_in_dock</strong> - Persistence achieved by adding the binary to the Dock. This is done using the command defaults write com.apple.dock persistent-apps -array-add, which modifies the <strong>com.apple.dock</strong> file (located in the ~/Library/Preferences folder). After modifying the file, the command killall Dock is executed to restart the Dock and apply the changes.</p>
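An added example, not Bitdefender's or Red Sky Alliance's code: a Python hunt for the four persistence locations described above (~/.zshrc, LaunchAgents plists, the Dock's persistent-apps list in com.apple.dock.plist, and the user's crontab). It reports entries that launch an executable from outside an assumed allow-list of system paths, which is the shape all four RustDoor mechanisms share. The allow-list, the /Users/alice/.previewers directory and the sample home directory built by demo_home() are constructed for this example; the sample file names reuse those reported in the Distribution section above.

```python
"""Hunt for RustDoor-style user persistence on macOS (added example)."""
import plistlib
import tempfile
from pathlib import Path

# Prefixes from which a legitimately installed program is normally launched.
# Assumed allow-list for this example; tune it for the fleet being examined.
TRUSTED_PREFIXES = ("/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/", "/usr/local/bin/",
                    "/opt/homebrew/bin/", "/System/", "/Applications/")

# Constructed crontab text (what `crontab -l` prints): one benign, one suspicious line.
SAMPLE_CRONTAB = ("0 3 * * * /usr/bin/find /tmp -name '*.log' -delete\n"
                  "*/5 * * * * /Users/alice/.previewers/zshrc2\n")


def is_untrusted(prog):
    """True for an absolute or ~-relative program path outside the allow-list."""
    return prog.startswith(("/", "~")) and not prog.startswith(TRUSTED_PREFIXES)


def hunt_zshrc(home):
    """lock_in_rc: ~/.zshrc lines whose command is an untrusted binary."""
    rc = home / ".zshrc"
    if not rc.exists():
        return []
    cmds = [ln.strip() for ln in rc.read_text().splitlines()
            if ln.strip() and not ln.strip().startswith("#")]
    return [("lock_in_rc", str(rc), c) for c in cmds if is_untrusted(c.split()[0])]


def hunt_launch_agents(home):
    """lock_in_launch: LaunchAgents whose program lives outside trusted paths."""
    hits = []
    for plist in (home / "Library" / "LaunchAgents").glob("*.plist"):
        try:
            data = plistlib.loads(plist.read_bytes())
        except plistlib.InvalidFileException:
            hits.append(("lock_in_launch", str(plist), "unparseable plist"))
            continue
        args = data.get("ProgramArguments") or [data.get("Program", "")]
        if is_untrusted(str(args[0])):
            hits.append(("lock_in_launch", str(plist), " ".join(map(str, args))))
    return hits


def hunt_dock(home):
    """lock_in_dock: persistent-apps tiles in com.apple.dock.plist outside trusted paths."""
    dock = home / "Library" / "Preferences" / "com.apple.dock.plist"
    if not dock.exists():
        return []
    hits = []
    for tile in plistlib.loads(dock.read_bytes()).get("persistent-apps", []):
        url = tile.get("tile-data", {}).get("file-data", {}).get("_CFURLString", "")
        path = url[len("file://"):] if url.startswith("file://") else url
        if is_untrusted(path):
            hits.append(("lock_in_dock", str(dock), path))
    return hits


def hunt_cron(crontab_text):
    """lock_in_cron: crontab entries (five schedule fields, then the command) running untrusted binaries."""
    hits = []
    for line in crontab_text.splitlines():
        f = line.split()
        if len(f) >= 6 and not line.lstrip().startswith("#") and is_untrusted(f[5]):
            hits.append(("lock_in_cron", "crontab", line))
    return hits


def hunt_home(home, crontab_text=""):
    """Run all four hunts; returns (mechanism, location, detail) tuples."""
    home = Path(home)
    return hunt_zshrc(home) + hunt_launch_agents(home) + hunt_dock(home) + hunt_cron(crontab_text)


def demo_home():
    """Build a constructed sample home directory: one benign and one suspicious entry per location."""
    home = Path(tempfile.mkdtemp())
    (home / ".zshrc").write_text("export PATH=$PATH:/usr/local/bin\n"
                                 "/Users/alice/.previewers/VisualStudioUpdater &\n")
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    (agents / "com.example.benign.plist").write_bytes(plistlib.dumps(
        {"Label": "com.example.benign", "ProgramArguments": ["/usr/local/bin/syncthing"]}))
    (agents / "test.plist").write_bytes(plistlib.dumps(
        {"Label": "test", "RunAtLoad": True,
         "ProgramArguments": ["/Users/alice/.previewers/VisualStudioUpdater"]}))
    prefs = home / "Library" / "Preferences"
    prefs.mkdir(parents=True)
    tile = lambda url: {"tile-data": {"file-data": {"_CFURLString": url, "_CFURLStringType": 15}}}
    (prefs / "com.apple.dock.plist").write_bytes(plistlib.dumps(
        {"persistent-apps": [tile("file:///Applications/Safari.app/"),
                             tile("file:///Users/alice/.previewers/Previewers")]}))
    return home


if __name__ == "__main__":
    for hit in hunt_home(demo_home(), SAMPLE_CRONTAB):
        print(hit)
```

Against the constructed home directory the script returns exactly one hit per mechanism; on a live host, call hunt_home(Path.home(), crontab_text) with the output of `crontab -l` as the second argument. Binary plists are handled because plistlib detects the format, so the real com.apple.dock.plist needs no conversion first.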
<p><strong>Possible link with notorious Windows ransomware groups - </strong>While the current information on Trojan.MAC.RustDoor is not enough to confidently attribute this campaign to a specific threat actor, artifacts and IoCs suggest a possible relationship with the BlackBasta and ALPHV/BlackCat ransomware operators. Specifically, three out of the four command and control servers <a href="https://twitter.com/TLP_R3D/status/1718290917247844474">have been previously associated</a> with ransomware campaigns targeting Windows clients. ALPHV/BlackCat is a ransomware family (also written in Rust) that first made its appearance in November 2021, and that has pioneered the public leaks business model.</p>
<p><strong>Indicators of Compromise - </strong>Currently known indicators of compromise can be found below. Bitdefender Threat Intelligence customers can access enriched, contextual insights about this attack. The <a href="https://intellizone.bitdefender.com/en/threat-search/threats/BDapx7qeon">ThreatID BDapx7qeon</a> in the Bitdefender IntelliZone portal includes additional TTPs and visualizations. For more information about Bitdefender Threat Intelligence solution <a href="https://www.bitdefender.com/business/products/advanced-threat-intelligence.html">visit our product page</a>.</p>
<p><strong>Binaries</strong></p>
<p>6dd3a3e4951d34446fe1a5c7cdf39754 (VisualStudioUpdater_Patch)</p>
<p>90a517c3dab8ceccf5f1a4c0f4932b1f (VisualStudioUpdater_Patch)</p>
<p>b67bba781e5cf006bd170a0850a9f2d0 (VisualStudioUpdating)</p>
<p>f5774aca722e0624daf67a2da5ec6967 (VisualStudioUpdater_Patch)</p>
<p>52a9d67745f153465fac434546007d3a (Previewers)</p>
<p>30b27b765878385161ca1ee71726a5c6 (DO_NOT_RUN_ChromeUpdates)</p>
<p>1dbc26447c1eaa9076e65285c92f7859 (visualstudioupdate)</p>
<p>05a8583f36599b5bc93fa3c349e89434 (VisualStudioUpdater)</p>
<p>5d0c62da036bbe375cb10659de1929e3 (VisualStudioUpdater)</p>
<p>68e0facbf541a2c014301346682ef9ca (VisualStudioUpdater)</p>
<p>b2bdd1d32983c35b3b1520d83d89d197 (zshrc2)</p>
<p>5fcc12eaba8185f9d0ddecafae8fd2d1 (zshrc2)</p>
<p>97cd4fc94c59121f903f2081df1c9981</p>
<p>28bdd46d8609512f95f1f1b93c79d277</p>
<p>3e23308d074d8bd4ffdb5e21e3aa8f22</p>
<p>088779125434ad77f846731af2ed6781</p>
<p>b67f6e534d5cca654813bd9e94a125b9</p>
<p>cf54cba05efee9e389e090b3fd63f89b</p>
<p>44fcf7253bcf0102811e50a4810c4e41</p>
<p>690a097b0eea384b02e013c1c0410189</p>
<p>186be45570f13f94b8de82c98eaa8f4f</p>
<p>3c780bcfb37a1dfae5b29a9e7784cbf5</p>
<p>925239817d59672f61b8332f690c6dd6</p>
<p>9c6b7f388abec945120d95d892314ea7</p>
<p>85cd1afbc026ffdfe4cd3eec038c3185</p>
<p>6aaba581bcef3ac97ea98ece724b9092</p>
<p>bcbbf7a5f7ccff1932922ae73f6c65b7</p>
<p>bde0e001229884404529773b68bb3da0</p>
<p>795f0c68528519ea292f3eb1bd8c632e</p>
<p>bc394c859fc379900f5648441b33e5fd</p>
<p>0fe0212fc5dc82bd7b9a8b5d5b338d22</p>
<p>835ebf367e769eeaaef78ac5743a47ca</p>
<p>bdd4972e570e069471a4721d76bb5efb</p>
<p><strong>Download domains</strong></p>
<ul>
<li><a href="https://sarkerrentacars.com/zshrc">https://sarkerrentacars.com/zshrc</a></li>
<li><a href="https://turkishfurniture.blog/Previewers">https://turkishfurniture.blog/Previewers</a></li>
<li><a href="http://linksammosupply.com/zshrc2">http://linksammosupply.com/zshrc2</a></li>
<li><a href="http://linksammosupply.com/VisualStudioUpdaterLs2">http://linksammosupply.com/VisualStudioUpdaterLs2</a></li>
<li><a href="http://linksammosupply.com/VisualStudioUpdater">http://linksammosupply.com/VisualStudioUpdater</a></li>
</ul>
<p><strong>C&C URLs</strong></p>
<ul>
<li>com</li>
<li>29.13.167</li>
<li>214.26.22</li>
<li><a href="https://serviceicloud.com">https://serviceicloud.com</a></li>
</ul>
<p>Link to full report: <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-284a">https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-284a</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.bitdefender.com/blog/labs/new-macos-backdoor-written-in-rust-shows-possible-link-with-windows-ransomware-group/">https://www.bitdefender.com/blog/labs/new-macos-backdoor-written-in-rust-shows-possible-link-with-windows-ransomware-group/</a></p></div>
PRC State-Sponsored Actors of Compromise https://redskyalliance.org/xindustry/prc-state-sponsored-actors-of-compromise 2024-02-14T13:00:00.000Z CyberDog https://redskyalliance.org/members/CyberDog189
<div><p><a href="{{#staticFileLink}}12379021063,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12379021063,RESIZE_400x{{/staticFileLink}}" width="250" alt="12379021063?profile=RESIZE_400x" /></a>The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against US critical infrastructure in the event of a significant crisis or conflict with the United States.<a href="#_ftn1">[1]</a></p>
<p>CISA, NSA, FBI and the following partners are releasing this advisory to warn critical infrastructure organizations about this assessment, which is based on observations from the US authoring agencies’ incident response activities at critical infrastructure organizations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus):</p>
<ul>
<li>US Department of Energy (DOE)</li>
<li>US Environmental Protection Agency (EPA)</li>
<li>US Transportation Security Administration (TSA)</li>
<li>Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC)</li>
<li>Canadian Centre for Cyber Security (CCCS), a part of the Communications Security Establishment (CSE)</li>
<li>United Kingdom National Cyber Security Centre (NCSC-UK)</li>
<li>New Zealand National Cyber Security Centre (NCSC-NZ)</li>
</ul>
<p>The US authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in <a href="https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/communications-sector">Communications</a>, <a href="https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/energy-sector">Energy</a>, <a href="https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/transportation-systems-sector">Transportation Systems</a>, and <a href="https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/water-and-wastewater-sector">Water and Wastewater Systems</a> Sectors—in the continental and non-continental United States and its territories, including Guam. Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The US authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts. CCCS assesses that the direct threat to Canada’s critical infrastructure from PRC state-sponsored actors is likely lower than that to US infrastructure. However, should US infrastructure be disrupted, Canada would probably be affected as well due to cross-border integration. ASD’s ACSC and NCSC-NZ assess that Australian and New Zealand critical infrastructure could be vulnerable to similar activity from PRC state-sponsored actors.</p>
<p>As the authoring agencies have <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a">previously highlighted</a>, using living off the land (LOTL) techniques is a hallmark of Volt Typhoon actors’ malicious cyber activity when targeting critical infrastructure. The group also relies on valid accounts and leverages strong operational security, which allows for long-term undiscovered persistence. The US authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years. Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.</p>
<p>The authoring agencies urge critical infrastructure organizations to apply the mitigations in this advisory and to hunt for similar malicious activity using the guidance provided and the recommendations found in the joint guide <a href="https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques">Identifying and Mitigating Living Off the Land Techniques</a>. These mitigations are primarily intended for IT and OT administrators in critical infrastructure organizations. Following the mitigations, whether for prevention or in response to an incident, will help disrupt Volt Typhoon’s access and reduce the threat to critical infrastructure entities.</p>
<p>If activity is identified, the authoring agencies strongly recommend that critical infrastructure organizations apply the incident response recommendations in this advisory and report the incident to the relevant agency (see Contact Information section).</p>
<p>For additional information, see the joint advisory <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a">People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection</a> and U.S. Department of Justice (DOJ) press release <a href="https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical">U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure</a>. For more information on PRC state-sponsored malicious cyber activity, see CISA’s <a href="https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/china">China Cyber Threat Overview and Advisories</a> webpage.</p>
<p>Download the PDF version of this report:</p>
<p><a href="https://www.cisa.gov/sites/default/files/2024-02/aa24-038a-jcsa-prc-state-sponsored-actors-compromise-us-critical-infrastructure_0.pdf">AA24-038A PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure</a> (PDF, 1.56 MB)</p>
<p>Read the accompanying Malware Analysis Report: <a href="https://www.cisa.gov/news-events/analysis-reports/ar24-038a">MAR-10448362-1.v1 Volt Typhoon</a>.</p>
<p>For a downloadable copy of indicators of compromise (IOCs), see:</p>
<p><a href="https://www.cisa.gov/sites/default/files/2024-02/MAR-10448362.c1.v1.CLEAR_stix2.json">AR24-038A STIX JSON</a> (JSON, 59.40 KB)</p>
<p><strong>TECHNICAL DETAILS</strong></p>
<p><strong>Note:</strong> This advisory uses the <a href="https://attack.mitre.org/versions/v14/matrices/enterprise/">MITRE ATT&CK for Enterprise</a> framework, version 14. See <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a?utm_source=EA&utm_medium=stakeholder_note&utm_campaign=VT_020724#_Appendix_C:_MITRE">Appendix C: MITRE ATT&CK Tactics and Techniques</a> section for tables of the Volt Typhoon cyber threat actors’ activity mapped to MITRE ATT&CK<sup>®</sup> tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s <a href="https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping">Best Practices for MITRE ATT&CK Mapping</a> and CISA’s <a href="https://github.com/cisagov/Decider/">Decider Tool</a>.</p>
<p><strong>Overview of Activity - </strong>In May 2023, the authoring agencies—working with industry partners—disclosed information about activity attributed to Volt Typhoon (see joint advisory <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a">People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection</a>). Since then, CISA, NSA, and FBI have determined that this activity is part of a broader campaign in which Volt Typhoon actors have successfully infiltrated the networks of critical infrastructure organizations in the continental and non-continental United States and its territories, including Guam.</p>
<p>The US authoring agencies have primarily observed compromises linked to Volt Typhoon in the IT networks of Communications, Energy, Transportation Systems, and Water and Wastewater Systems sector organizations. Some victims are smaller organizations with limited cybersecurity capabilities that provide critical services to larger organizations or key geographic locations.</p>
<p>Volt Typhoon actors tailor their TTPs to the victim environment; however, US authoring agencies have observed the actors following the same behavior pattern across identified intrusions. Their choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence-gathering operations, and the US authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable the disruption of OT functions across multiple critical infrastructure sectors (see Figure 1).</p>
<p><strong>Volt Typhoon conducts extensive pre-compromise reconnaissance to learn about the target organization’s network architecture and operational protocols.</strong> This reconnaissance includes identifying network topologies, security measures, typical user behaviors, and critical network and IT staff. The intelligence gathered by Volt Typhoon actors is likely leveraged to enhance their operational security. For example, in some instances, Volt Typhoon actors may have abstained from using compromised credentials outside of regular working hours to avoid triggering security alerts on abnormal account activities.</p>
<p><strong>Volt Typhoon typically gains initial access to the IT network by exploiting known or zero-day vulnerabilities in public-facing network </strong>appliances (e.g., routers, virtual private networks [VPNs], and firewalls). Then, it connects to the victim’s network via VPN for follow-on activities.</p>
<p><strong>Volt Typhoon aims to obtain administrator credentials within the network by exploiting privilege escalation vulnerabilities in the operating system or network services. </strong>In some cases, Volt Typhoon has obtained insecurely stored credentials on a public-facing network appliance.</p>
<p><strong>Volt Typhoon uses valid administrator credentials to move laterally to the domain controller (DC) and other devices </strong>via remote access services such as Remote Desktop Protocol (RDP).</p>
<p><strong>Volt Typhoon conducts discovery in the victim’s network, leveraging LOTL binaries for stealth</strong>. A key tactic includes using PowerShell to perform targeted queries on Windows event logs, focusing on specific users and periods. These queries facilitate the discreet extraction of security event logs into .dat files, allowing Volt Typhoon actors to gather critical information while minimizing detection. This strategy, blending in-depth pre-compromise reconnaissance with meticulous post-exploitation intelligence collection, underscores their sophisticated and strategic approach to cyber operations.</p>
<p><strong>Volt Typhoon achieves full domain compromise by extracting the Active Directory database (</strong>NTDS.dit<strong>) from the DC.</strong> Volt Typhoon frequently employs the Volume Shadow Copy Service (VSS) using command-line utilities such as vssadmin to access NTDS.dit. The NTDS.dit file is a centralized repository that contains critical Active Directory data, including user accounts, passwords (in hashed form), and other sensitive data, which can be leveraged for further exploitation. This method entails the creation of a shadow copy—a point-in-time snapshot—of the volume hosting the NTDS.dit file. By leveraging this snapshot, Volt Typhoon actors effectively bypass the file-locking mechanisms inherent in a live Windows environment, which typically prevent direct access to the NTDS.dit file while the domain controller is operational.</p>
<p><strong>Volt Typhoon likely uses offline password-cracking techniques to decipher these hashes.</strong> This process involves extracting the hashes from the NTDS.dit file and then applying various password-cracking methods, such as brute-force attacks, dictionary attacks, or more sophisticated techniques like rainbow tables, to recover the plaintext passwords. Successfully cracking these passwords allows Volt Typhoon actors to obtain elevated access and further infiltrate and manipulate the network.</p>
<p><strong>Volt Typhoon uses elevated credentials for strategic network infiltration and additional discovery, often focusing on gaining capabilities to access OT assets. </strong>Volt Typhoon actors have been observed testing access to domain-joined OT assets using default OT vendor credentials. In certain instances, they can access OT systems whose credentials were compromised via NTDS.dit theft. This access enables potential disruptions, such as manipulating heating, ventilation, and air conditioning (HVAC) systems in server rooms or disrupting critical energy and water controls, leading to significant infrastructure failures (in some cases, Volt Typhoon actors could access camera surveillance systems at critical infrastructure facilities). In one confirmed compromise, Volt Typhoon actors moved laterally to a control system and were positioned to move to a second control system.</p>
<p><em><a href="{{#staticFileLink}}12379029461,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12379029461,RESIZE_584x{{/staticFileLink}}" width="430" alt="12379029461?profile=RESIZE_584x" /></a>Figure 1: Typical Volt Typhoon Activity</em></p>
<p>After successfully gaining access to legitimate accounts, Volt Typhoon actors exhibit minimal activity within the compromised environment (except discovery, as noted above), suggesting their objective is to maintain persistence rather than immediate exploitation. This assessment is supported by observed patterns where Volt Typhoon methodically re-targets the same organizations over extended periods, often several years, to continuously validate and potentially enhance their unauthorized accesses. Evidence of their meticulous approach is seen when they repeatedly exfiltrate domain credentials, ensuring access to current and valid accounts. For example, in one compromise, Volt Typhoon likely extracted NTDS.dit from three domain controllers in four years. In another compromise, Volt Typhoon actors extracted NTDS.dit two times from a victim in nine months.</p>
<p>Industry reporting—identifying that Volt Typhoon actors are silent on the network following credential dumping and perform discovery to learn about the environment but do not exfiltrate data—is consistent with the US authoring agencies’ observations. This indicates they aim to achieve and maintain persistence on the network. In one confirmed compromise, an industry partner observed Volt Typhoon actors dumping credentials regularly.</p>
<p>In addition to leveraging stolen account credentials, the actors use LOTL techniques and avoid leaving malware artifacts on systems that would cause alerts. Their intense focus on stealth and operational security allows them to maintain long-term, undiscovered persistence. Further, Volt Typhoon’s operational security is enhanced by targeted log deletion to conceal their actions within the compromised environment. See the below sections for Volt Typhoon TTPs observed by the U.S. authoring agencies from multiple confirmed Volt Typhoon compromises.</p>
<p><strong>Observed TTPs</strong></p>
<p><strong><em>Reconnaissance</em></strong></p>
<p>Volt Typhoon actors conduct extensive pre-compromise reconnaissance [<a href="https://attack.mitre.org/versions/v14/tactics/TA0043/">TA0043</a>] to learn about the target organization [<a href="https://attack.mitre.org/versions/v14/techniques/T1591/">T1591</a>], its network [<a href="https://attack.mitre.org/versions/v14/techniques/T1590/">T1590</a>], and its staff [<a href="https://attack.mitre.org/versions/v14/techniques/T1589/">T1589</a>]. This includes web searches [<a href="https://attack.mitre.org/versions/v14/techniques/T1593/">T1593</a>]—including victim-owned sites [<a href="https://attack.mitre.org/versions/v14/techniques/T1594/">T1594</a>]—for victim host [<a href="https://attack.mitre.org/versions/v14/techniques/T1592/">T1592</a>], identity, and network information, especially for information on key network and IT administrators. According to industry reporting, Volt Typhoon actors use FOFA[<a href="https://fofa.info/">1</a>], Shodan, and Censys to query or search for exposed infrastructure. In some instances, the US authoring agencies have observed Volt Typhoon actors targeting the personal emails of crucial network and IT staff [<a href="https://attack.mitre.org/versions/v14/techniques/T1589/002/">T1589.002</a>] post-compromise.</p>
<p><strong><em>Resource Development</em></strong></p>
<p>Historically, Volt Typhoon actors use multi-hop proxies for command and control (C2) infrastructure [<a href="https://attack.mitre.org/versions/v14/techniques/T1090/003/">T1090.003</a>]. The proxy is typically composed of virtual private servers (VPSs) [<a href="https://attack.mitre.org/versions/v14/techniques/T1583/003/">T1583.003</a>] or small office/home office (SOHO) routers. Recently, Volt Typhoon actors used Cisco and NETGEAR end-of-life SOHO routers implanted with KV Botnet malware to support their operations [<a href="https://attack.mitre.org/versions/v14/techniques/T1584/005/">T1584.005</a>]. (See DOJ press release <a href="https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical">U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure</a> for more information.)</p>
<p><strong><em>Initial Access</em></strong></p>
<p>To obtain initial access [<a href="https://attack.mitre.org/versions/v14/tactics/TA0001/">TA0001</a>], Volt Typhoon actors commonly exploit vulnerabilities in networking appliances such as those from Fortinet, Ivanti Connect Secure (formerly Pulse Secure), NETGEAR, Citrix, and Cisco [<a href="https://attack.mitre.org/versions/v14/techniques/T1190/">T1190</a>]. They often use publicly available exploit code for known vulnerabilities [<a href="https://attack.mitre.org/versions/v14/techniques/T1588/005/">T1588.005</a>] but are also adept at discovering and exploiting zero-day vulnerabilities [<a href="https://attack.mitre.org/versions/v14/techniques/T1587/004/">T1587.004</a>].</p>
<p>In one confirmed compromise, Volt Typhoon actors likely obtained initial access by exploiting <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-42475">CVE-2022-42475</a> in a network perimeter FortiGate 300D firewall that was not patched. There is evidence of a buffer overflow attack identified within the Secure Sockets Layer (SSL)-VPN crash logs. Once initial access is achieved, Volt Typhoon actors typically shift to establishing persistent access [<a href="https://attack.mitre.org/versions/v14/tactics/TA0003/">TA0003</a>]. They often use VPN sessions to connect to victim environments securely [<a href="https://attack.mitre.org/versions/v14/techniques/T1133/">T1133</a>], enabling discreet follow-on intrusion activities. This tactic provides a stable foothold in the network and allows them to blend in with regular traffic, significantly reducing their chances of detection.</p>
<p><strong><em>Execution</em></strong></p>
<p>Volt Typhoon actors rarely use malware for post-compromise execution. Instead, once Volt Typhoon actors gain access to target environments, they use hands-on-keyboard activity via the command line [<a href="https://attack.mitre.org/versions/v14/techniques/T1059/">T1059</a>] and other native tools and processes on systems [<a href="https://attack.mitre.org/versions/v14/techniques/T1218/">T1218</a>] (often referred to as “LOLBins”), known as LOTL, to maintain and expand access to the victim networks. According to industry reporting, some “commands appear exploratory or experimental, as the operators [i.e., malicious actors] adjust and repeat them multiple times.”[<a href="https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/">2</a>]</p>
<p>For more details on LOTL activity, see the Credential Access and Discovery sections and Appendix A: Volt Typhoon LOTL Activity.</p>
<p>Like LOTL, Volt Typhoon actors also use legitimate but outdated versions of network admin tools. For example, in one confirmed compromise, actors downloaded [<a href="https://attack.mitre.org/versions/v14/techniques/T1105/">T1105</a>] an obsolete version of comsvcs.dll on the DC in a non-standard folder. comsvcs.dll is a legitimate Microsoft Dynamic Link Library (DLL) file in the System32 folder. The actors used this DLL with MiniDump and the process ID of the Local Security Authority Subsystem Service (LSASS) to dump the LSASS process memory [<a href="https://attack.mitre.org/versions/v14/techniques/T1003/001/">T1003.001</a>] and obtain credentials (LSASS process memory space contains hashes for the current user’s operating system (OS) credentials).</p>
<p>The actors also use legitimate non-native network admin and forensic tools. For example, on domain controllers, Volt Typhoon actors have been observed using Magnet RAM Capture (MRC) version 1.20. MRC is a free imaging tool that captures a computer's physical memory. Volt Typhoon actors likely used it to analyze in-memory data for sensitive information (such as credentials) and in-transit data not typically accessible on disk. Volt Typhoon actors have also been observed implanting Fast Reverse Proxy (FRP) for command and control.[<a href="https://github.com/fatedier/frp">3</a>] (See the Command and Control section).</p>
<p><strong><em>Persistence</em></strong></p>
<p>Volt Typhoon primarily relies on valid credentials for persistence [<a href="https://attack.mitre.org/versions/v14/techniques/T1078/">T1078</a>].</p>
<p><strong><em>Defense Evasion</em></strong></p>
<p>Volt Typhoon has strong operational security. Their actors primarily use LOTL for defense evasion [<a href="https://attack.mitre.org/versions/v14/tactics/TA0005/">TA0005</a>], which allows them to camouflage their malicious activity with typical system and network behavior, potentially circumventing simplistic endpoint security capabilities. For more information, see the joint guide <a href="https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques">Identifying and Mitigating Living off the Land Techniques</a>.</p>
<p>Volt Typhoon actors also obfuscate their malware. In one confirmed compromise, Volt Typhoon obfuscated FRP client files (BrightmetricAgent.exe and SMSvcService.exe) and the command-line port scanning utility ScanLine by packing the files with Ultimate Packer for Executables (UPX) [<a href="https://attack.mitre.org/versions/v14/techniques/T1027/002/">T1027.002</a>]. FRP client applications support encryption, compression, and easy token authentication and work across multiple protocols—including transmission control protocol (TCP), user datagram protocol (UDP), hypertext transfer protocol (HTTP), and hypertext transfer protocol secure (HTTPS). The FRP client applications use the Kuai connection protocol (KCP) for error-checked and anonymous data stream delivery over UDP, with packet-level encryption support. See Appendix C and CISA Malware Analysis Report <a href="https://www.cisa.gov/news-events/analysis-reports/ar24-038a">(MAR)-10448362-1.v1</a> for more information.</p>
<p>In addition to LOTL and obfuscation techniques, Volt Typhoon actors have been observed selectively clearing Windows Event Logs [<a href="https://attack.mitre.org/versions/v14/techniques/T1070/001/">T1070.001</a>], system logs, and other technical artifacts to remove evidence [<a href="https://attack.mitre.org/versions/v14/techniques/T1070/009/">T1070.009</a>] of their intrusion activity and masquerading file names [<a href="https://attack.mitre.org/versions/v14/techniques/T1036/005/">T1036.005</a>].</p>
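The UPX packing noted above is cheap to triage: UPX by default names its sections UPX0/UPX1 and leaves a "UPX!" marker in the image, so a section-table walk flags candidates before deeper analysis. The following is an added example, not code from the advisory or from CISA; the PE images it checks are constructed in-memory headers, and the detection thresholds are assumptions.

```python
import struct

# Defaults written by UPX. Packers can rename sections, so the "UPX!" marker is
# checked as a second, independent indicator; neither one alone is proof.
UPX_SECTION_PREFIX = "UPX"
UPX_MARKER = b"UPX!"


def pe_section_names(data: bytes) -> list[str]:
    """Walk DOS header -> PE signature -> COFF header -> section table and return
    the section names of a PE image. Raises ValueError on malformed input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the 4-byte signature: NumberOfSections at +2 and
    # SizeOfOptionalHeader at +16, both 16-bit little-endian.
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size  # section table starts right after the optional header
    names = []
    for i in range(num_sections):
        entry = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes; the name is its first 8
        raw = data[entry:entry + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Collect the two UPX indicators so an analyst can see which one fired."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_sections": [n for n in names if n.upper().startswith(UPX_SECTION_PREFIX)],
        "upx_marker": UPX_MARKER in data,
    }


def looks_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["upx_marker"]


def build_pe(section_names, trailer: bytes = b"") -> bytes:
    """Construct a minimal, non-executable PE32 header for testing (constructed
    data, not a real binary): DOS stub, PE signature, COFF header, zeroed
    optional header, and one 40-byte section entry per name."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 224  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + table + trailer


if __name__ == "__main__":
    for label, names, trailer in [
        ("default UPX sections", ["UPX0", "UPX1", ".rsrc"], b""),
        ("ordinary compiler sections", [".text", ".rdata", ".data", ".rsrc"], b""),
        ("renamed sections, marker left", [".text", ".data"], UPX_MARKER),
    ]:
        print(f"{label:32s} -> packed={looks_upx_packed(build_pe(names, trailer))}")
```

On a real file, read it as bytes and pass it to upx_indicators; a hit is a triage signal for the sample, not an attribution.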
<p><strong><em>Credential Access</em></strong></p>
<p>Volt Typhoon actors first obtain credentials from public-facing appliances after gaining initial access by exploiting privilege escalation vulnerabilities [<a href="https://attack.mitre.org/versions/v14/techniques/T1068/">T1068</a>] in the operating system or network services. Sometimes, they have obtained insecurely stored credentials on the appliance [<a href="https://attack.mitre.org/versions/v14/techniques/T1552/">T1552</a>]. In one instance, where Volt Typhoon likely exploited CVE-2022-42475 in an unpatched Fortinet device, Volt Typhoon actors compromised a domain admin account stored inappropriately on the device.</p>
<p>Volt Typhoon also consistently obtains valid credentials by extracting the Active Directory database file (NTDS.dit)—sometimes multiple times from the same victim over long periods [<a href="https://attack.mitre.org/versions/v14/techniques/T1003/003/">T1003.003</a>]. NTDS.dit contains usernames, hashed passwords, and group memberships for all domain accounts, essentially allowing for full domain compromise if the hashes can be cracked offline. To obtain NTDS.dit, the US authoring agencies have observed Volt Typhoon:</p>
<ul>
<li>Move laterally [<a href="https://attack.mitre.org/versions/v14/tactics/TA0008/">TA0008</a>] to the domain controller via an interactive RDP session using a compromised account with domain administrator privileges [<a href="https://attack.mitre.org/versions/v14/techniques/T1021/001/">T1021.001</a>];</li>
<li>Execute the Windows-native vssadmin [<a href="https://attack.mitre.org/versions/v14/techniques/T1006/">T1006</a>] command to create a volume shadow copy;</li>
<li>Use Windows Management Instrumentation Console (WMIC) commands [<a href="https://attack.mitre.org/versions/v14/techniques/T1047/">T1047</a>] to execute ntdsutil (a LOTL utility) to copy NTDS.dit and the SYSTEM registry hive from the volume shadow copy; and</li>
<li>Exfiltrate [<a href="https://attack.mitre.org/versions/v14/tactics/TA0010/">TA0010</a>] NTDS.dit and the SYSTEM registry hive to crack passwords offline [<a href="https://attack.mitre.org/versions/v14/techniques/T1110/002/">T1110.002</a>]. (See Appendix A: Volt Typhoon LOTL Activity for more details, including specific commands.)<br /> <strong>Note:</strong> A volume shadow copy contains a copy of all the files and folders that exist on the specified volume. Each volume shadow copy created on a DC includes its NTDS.dit and the SYSTEM registry hive, which provides the keys needed to decrypt the NTDS.dit file.</li>
</ul>
<p>Volt Typhoon actors have also been observed interacting with a PuTTY application by enumerating existing stored sessions [<a href="https://attack.mitre.org/versions/v14/techniques/T1012/">T1012</a>]. Given this interaction and the exposure of cleartext-stored proxy passwords used in remote administration, Volt Typhoon actors potentially had access to PuTTY profiles that allow access to critical systems (see the Lateral Movement section). According to industry reporting, Volt Typhoon actors attempted to dump credentials through LSASS (see Appendix B for commands used).[<a href="https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/">2</a>]</p>
<p>The US authoring agencies have observed Volt Typhoon actors leveraging <a href="https://attack.mitre.org/versions/v14/software/S0002/">Mimikatz</a> to harvest credentials, and industry partners have observed Volt Typhoon leveraging <a href="https://attack.mitre.org/software/S0357/">Impacket</a>.[<a href="https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/">2</a>] Mimikatz is a credential dumping tool, and Volt Typhoon actors use it to obtain credentials. In one confirmed compromise, Volt Typhoon used RDP to connect to a server and run Mimikatz after leveraging a compromised administrator account to deploy it. Impacket is an open-source Python toolkit for programmatically constructing and manipulating network protocols. It contains tools for Kerberos manipulation, Windows credential dumping, packet sniffing, relay attacks, and remote service execution.</p>
<p><strong><em>Discovery</em></strong></p>
<p>Volt Typhoon actors have been observed using commercial tools, LOTL utilities, and appliances already present on the system for system information [<a href="http://attack.mitre.org/versions/v14/techniques/T1082/">T1082</a>], network service [<a href="https://attack.mitre.org/versions/v14/techniques/T1046/">T1046</a>], group [<a href="https://attack.mitre.org/versions/v14/techniques/T1069/">T1069</a>], and user [<a href="https://attack.mitre.org/versions/v14/techniques/T1033/">T1033</a>] discovery. Volt Typhoon uses at least the following LOTL tools and commands for system information, network service, group, and user discovery techniques:</p>
<table>
<tbody>
<tr>
<td>
<p>cmd</p>
<p>certutil</p>
<p>dnscmd</p>
<p>ldifde</p>
<p>makecab</p>
<p>net user/group/use</p>
<p>netsh</p>
</td>
<td>
<p>nltest</p>
<p>netstat</p>
<p>ntdsutil</p>
<p>ping</p>
<p>PowerShell</p>
<p>quser</p>
<p>reg query/reg save</p>
</td>
<td>
<p>systeminfo</p>
<p>tasklist</p>
<p>wevtutil</p>
<p>whoami</p>
<p>wmic</p>
<p>xcopy</p>
</td>
</tr>
</tbody>
</table>
<p>Some observed specific examples of discovery include:</p>
<ul>
<li>Capturing successful logon events [<a href="https://attack.mitre.org/versions/v14/techniques/T1654/">T1654</a>]. Specifically, in one incident, analysis of the PowerShell console history of a domain controller indicated that security event logs were directed to a file named user.dat, as evidenced by the executed command Get-EventLog security -instanceid 4624 -after [year-month-date] | fl * | Out-File 'C:\users\public\documents\user.dat'. This indicates the group's specific interest in capturing successful logon events (event ID 4624) to analyze user authentication patterns within the network. Additionally, file system analysis, specifically of the Master File Table (MFT), uncovered evidence of a separate file, systeminfo.dat, created in C:\Users\Public\Documents but subsequently deleted [<a href="https://attack.mitre.org/versions/v14/techniques/T1070/004/">T1070.004</a>]. These activities suggest a methodical approach by Volt Typhoon actors in collecting and possibly removing traces of sensitive log information from the compromised system.</li>
<li>Executing tasklist /v to gather a detailed process listing [<a href="https://attack.mitre.org/versions/v14/techniques/T1057/">T1057</a>], followed by executing taskkill /f /im rdpservice.exe (this executable's function is unknown).</li>
<li>Executing net user and quser for user account information [<a href="https://attack.mitre.org/versions/v14/techniques/T1087/001/">T1087.001</a>].</li>
<li>Creating and accessing a file named rult3uil.log on a domain controller in C:\Windows\System32\. The rult3uil.log file contained user activities on a compromised system, showcasing a combination of window title information [<a href="https://attack.mitre.org/versions/v14/techniques/T1010/">T1010</a>] and focus shifts, key presses, and command executions across Google Chrome and Windows PowerShell, with corresponding timestamps.</li>
<li>Employing ping with various IP addresses to check network connectivity [<a href="https://attack.mitre.org/versions/v14/techniques/T1016/001/">T1016.001</a>] and net start to list running services [<a href="https://attack.mitre.org/versions/v14/techniques/T1007/">T1007</a>].</li>
</ul>
<p>See Appendix A for additional LOTL examples.</p>
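The two LOTL patterns above are easier to catch in combination than one command at a time: the NTDS.dit chain from the Credential Access section (vssadmin shadow copy, then ntdsutil launched through WMIC) and the event-log harvesting just described (Get-EventLog piped to a .dat file under C:\Users\Public). The following is an added detection example, not code from the advisory or from CISA; the process-creation records are constructed in the style of Security event 4688 fields, and the host names, users, timestamps, regexes and two-hour window are all assumptions to tune for a real environment.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed; mirrors 4688 / Sysmon 1 fields)."""
    host: str
    when: datetime
    user: str
    cmdline: str


# Command-line rules; the ATT&CK ids are the ones the advisory cites for each step.
RULES = {
    "shadow_copy_create":  ("T1006",     re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow", re.I)),
    "ntdsutil_ifm":        ("T1003.003", re.compile(r"\bntdsutil(\.exe)?\b.*\b(ifm|ntds)\b", re.I)),
    "wmic_process_create": ("T1047",     re.compile(r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
    "eventlog_to_dat":     ("T1654",     re.compile(r"Get-EventLog\b.*\bOut-File\b.*\\Users\\Public\\.*\.dat\b", re.I)),
    "eventlog_clear":      ("T1070.001", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
}


def match_rules(ev: ProcEvent) -> list[str]:
    """Names of every rule whose pattern appears in the event's command line."""
    return [name for name, (_, rx) in RULES.items() if rx.search(ev.cmdline)]


def correlate(events, window: timedelta = timedelta(hours=2)) -> list[dict]:
    """Cluster rule hits per host inside a time window and grade each cluster.

    'high'   = shadow copy creation and ntdsutil on the same host in the window
               (the NTDS.dit extraction chain), 'medium' = any two distinct rules,
    'low'    = a single isolated hit, still worth a look on a domain controller.
    """
    hits = [(ev.host, ev.when, name, ev.user) for ev in events for name in match_rules(ev)]
    hits.sort(key=lambda h: (h[0], h[1]))
    findings, i = [], 0
    while i < len(hits):
        host, start = hits[i][0], hits[i][1]
        j = i
        while j + 1 < len(hits) and hits[j + 1][0] == host and hits[j + 1][1] - start <= window:
            j += 1
        cluster = hits[i:j + 1]
        names = {h[2] for h in cluster}
        if {"shadow_copy_create", "ntdsutil_ifm"} <= names:
            severity = "high"
        elif len(names) >= 2:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "host": host,
            "start": start,
            "end": cluster[-1][1],
            "users": sorted({h[3] for h in cluster}),
            "rules": sorted(names),
            "techniques": sorted({RULES[n][0] for n in names}),
            "severity": severity,
        })
        i = j + 1
    return findings


# Constructed sample: one DC showing the full chain, one benign workstation
# command, and an isolated log clear on a file server.
SAMPLE_EVENTS = [
    ProcEvent("DC01", datetime(2024, 1, 9, 2, 14), "CORP\\svc-backup",
              r"vssadmin.exe create shadow /for=C:"),
    ProcEvent("DC01", datetime(2024, 1, 9, 2, 21), "CORP\\svc-backup",
              r'wmic process call create "ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\tmp\" q q"'),
    ProcEvent("DC01", datetime(2024, 1, 9, 2, 40), "CORP\\svc-backup",
              r"powershell Get-EventLog security -instanceid 4624 -after 2023-12-01 | fl * | Out-File 'C:\users\public\documents\user.dat'"),
    ProcEvent("WS-ADMIN7", datetime(2024, 1, 9, 9, 5), "CORP\\jdoe",
              r"vssadmin.exe list shadows"),  # benign: lists copies, creates none
    ProcEvent("FS02", datetime(2024, 1, 12, 23, 58), "CORP\\svc-backup",
              r"wevtutil.exe cl Security"),
]


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['severity']:6s} {f['host']:10s} {f['start']:%Y-%m-%d %H:%M} "
              f"{', '.join(f['techniques'])} users={f['users']}")
```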
<p>In one confirmed compromise, Volt Typhoon actors attempted to use Advanced IP Scanner, which was on the network for admin use, to scan the network.</p>
<p>Volt Typhoon actors have been observed strategically targeting network administrator web browser data—focusing on both browsing history and stored credentials [<a href="https://attack.mitre.org/versions/v14/techniques/T1555/003/">T1555.003</a>]—to facilitate targeting of personal email addresses (see the Reconnaissance section) for further discovery and possible network modifications that may impact the threat actor’s persistence within victim networks.</p>
<p>In one confirmed compromise:</p>
<ul>
<li>Volt Typhoon actors obtained the history file from the User Data directory of a network administrator user’s Chrome browser. To obtain the history file, Volt Typhoon actors first executed an RDP session to the user’s workstation where they initially attempted, and failed, to obtain the C$ File Name: users\{redacted}\appdata\local\Google\Chrome\UserData\default\History file, as evidenced by the accompanying 1016 (reopen failed) SMB error listed in the application event log. The threat actors then disconnected the RDP session to the workstation and accessed the file C:\Users\{redacted}\Downloads\History.zip. This file presumably contained data from the User Data directory of the user’s Chrome browser, which the actors likely saved in the Downloads directory for exfiltration [<a href="https://attack.mitre.org/versions/v14/techniques/T1074/">T1074</a>]. Shortly after accessing the History.zip file, the actors terminated RDP sessions.</li>
<li>About four months later, Volt Typhoon actors accessed the same user’s Chrome data C$ File Name: Users\{redacted}\AppData\Local\Google\Chrome\User Data\Local State and C$ File Name: Users\{redacted}\AppData\Local\Google\Chrome\User Data\Default\Login Data via SMB. The Local State file contains the Advanced Encryption Standard (AES) encryption key [<a href="https://attack.mitre.org/versions/v14/techniques/T1552/004/">T1552.004</a>] used to encrypt the passwords stored in the Chrome browser, enabling the actors to obtain plaintext passwords stored in the Login Data file in the Chrome browser.</li>
</ul>
<p>In another confirmed compromise, Volt Typhoon actors accessed multiple systems' directories containing Chrome and Edge user data. Directory interaction was observed over the network to paths such as C:\Users\{redacted}\AppData\Local\Google\Chrome\User Data\ and C:\Users\{redacted}\AppData\Local\Microsoft\Edge\User Data\. They also enumerated several directories, including vulnerability testing, cyber-related content, and facilities data, such as construction drawings [<a href="https://attack.mitre.org/versions/v14/techniques/T1083/">T1083</a>].</p>
<p><strong><em>Lateral Movement</em></strong></p>
<p>Volt Typhoon actors have been observed predominantly employing RDP with compromised valid administrator credentials for lateral movement. <strong>Note:</strong> With a full on-premises Microsoft Active Directory identity compromise (see the Credential Access section), the group may be capable of using other methods, such as Pass the Hash or Pass the Ticket for lateral movement [<a href="https://attack.mitre.org/versions/v14/techniques/T1550/">T1550</a>].</p>
<p>In one confirmed compromise of a Water and Wastewater Systems Sector entity, after obtaining initial access, Volt Typhoon actors connected to the network via a VPN with administrator credentials they obtained and opened an RDP session with the same credentials to move laterally. Over nine months, they moved laterally to a file server, a domain controller, an Oracle Management Server (OMS), and a VMware vCenter server. The actors obtained domain credentials from the domain controller and performed discovery, collection, and exfiltration on the file server (see the Discovery and Collection and Exfiltration sections).</p>
<p>Volt Typhoon’s movement to the vCenter server was likely strategic for pre-positioning to OT assets. The vCenter server was adjacent to OT assets, and Volt Typhoon actors were observed interacting with the PuTTY application on the server by enumerating existing stored sessions. With this information, Volt Typhoon could access a range of critical PuTTY profiles, including those for water treatment plants, water wells, an electrical substation, OT systems, and network security devices. This would enable them to access these critical systems [<a href="https://attack.mitre.org/versions/v14/techniques/T1563/">T1563</a>]. See Figure 2.</p>
<p><em><a href="{{#staticFileLink}}12379029657,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12379029657,RESIZE_584x{{/staticFileLink}}" width="421" alt="12379029657?profile=RESIZE_584x" /></a>Figure 2: Volt Typhoon Lateral Movement Path File Server, DC, and OT-Adjacent Assets</em></p>
<p>Additionally, Volt Typhoon actors have been observed using PSExec to execute remote processes, including the automated acceptance of the end-user license agreement (EULA) through an administrative account, signified by the -accepteula command flag. Volt Typhoon actors may have attempted to move laterally to a cloud environment in one victim’s network, but direct attribution to the Volt Typhoon group was inconclusive. During their known network presence, there were anomalous login attempts to an Azure tenant [<a href="https://attack.mitre.org/versions/v14/techniques/T1021/007/">T1021.007</a>] potentially using credentials [<a href="https://attack.mitre.org/versions/v14/techniques/T1078/004/">T1078.004</a>] previously compromised from theft of NTDS.dit. These attempts and misconfigured virtual machines with open RDP ports suggested a potential for cloud-based lateral movement. However, subsequent investigations, including password changes and multifactor authentication (MFA) implementations, revealed authentication failures from non-associated IP addresses with no definitive link to Volt Typhoon.</p>
<p><strong><em>Collection and Exfiltration</em></strong></p>
<p>The U.S. authoring agencies assess that Volt Typhoon primarily collects information that would facilitate follow-on actions with physical impacts. For example, in one confirmed compromise, the actors collected [<a href="https://attack.mitre.org/versions/v14/tactics/TA0009/">TA0009</a>] sensitive information from a file server in multiple zipped files [<a href="https://attack.mitre.org/versions/v14/techniques/T1560/">T1560</a>] and likely exfiltrated [<a href="https://attack.mitre.org/versions/v14/tactics/TA0010/">TA0010</a>] the files via Server Message Block (SMB) [<a href="https://attack.mitre.org/versions/v14/techniques/T1048/">T1048</a>] (see Figure 3). Collected information included diagrams and documentation related to OT equipment, including supervisory control and data acquisition (SCADA) systems, relays, and switchgear. This data is crucial for understanding and potentially impacting critical infrastructure systems, indicating a focus on gathering intelligence that could be leveraged in actions targeting physical assets and systems.</p>
<p><em><a href="{{#staticFileLink}}12379029869,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12379029869,RESIZE_584x{{/staticFileLink}}" width="430" alt="12379029869?profile=RESIZE_584x" /></a>Figure 3: Volt Typhoon Attack Path for Exfiltration of Data from File Server</em></p>
<p>In another compromise, Volt Typhoon actors leveraged WMIC to create and use temporary directories (C:\Users\Public\pro, C:\Windows\Temp\tmp, C:\Windows\Temp\tmp\Active Directory, and C:\Windows\Temp\tmp\registry) to stage the ntds.dit and SYSTEM registry hives extracted from the volume shadow copies created via ntdsutil (see the Credential Access section) on two DCs. They then compressed and archived the extracted ntds.dit and accompanying registry files by executing ronf.exe, which was likely a renamed version of the archive utility rar.exe [<a href="https://attack.mitre.org/versions/v14/techniques/T1560/001/">T1560.001</a>].</p>
<p><strong>Command and Control</strong></p>
<p>Volt Typhoon actors have been observed leveraging compromised SOHO routers and virtual private servers (VPS) to proxy C2 traffic. For more information, see the DOJ press release <a href="https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical">U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure</a>.</p>
<p>They have also been observed setting up FRP clients [<a href="https://attack.mitre.org/versions/v14/techniques/T1090/">T1090</a>] on a victim’s corporate infrastructure to establish covert communications channels [<a href="https://attack.mitre.org/versions/v14/techniques/T1573/">T1573</a>] for command and control. In one instance, Volt Typhoon actors implanted the FRP client with the filename SMSvcService.exe on a Shortel Enterprise Contact Center (ECC) server and a second FRP client with the filename Brightmetricagent.exe on another server. When executed via PowerShell [T1059.001], these clients open reverse proxies between the compromised system and Volt Typhoon C2 servers. Brightmetricagent.exe has additional capabilities. The FRP client can locate servers behind a network firewall or obscured through Network Address Translation (NAT) [<a href="https://attack.mitre.org/versions/v14/techniques/T1016/">T1016</a>]. It also contains multiplexer libraries that can bi-directionally stream data over NAT networks and includes a command-line interface (CLI) library that can leverage command shells such as PowerShell, Windows Management Instrumentation (WMI), and Z Shell (zsh) [<a href="https://attack.mitre.org/versions/v14/techniques/T1059/004">T1059.004</a>]. See Appendix C and <a href="https://www.cisa.gov/news-events/analysis-reports/ar24-038a">MAR-10448362-1.v1</a> for more information.</p>
<p>In the same compromise, Volt Typhoon actors exploited a Paessler Router Traffic Grapher (PRTG) server as an intermediary for their FRP operations. To facilitate this, they used netsh, a legitimate Windows command, to create a PortProxy registry modification [<a href="https://attack.mitre.org/versions/v14/techniques/T1112">T1112</a>] on the PRTG server [<a href="https://attack.mitre.org/techniques/T1090/001/">T1090.001</a>]. This key alteration redirected specific port traffic to Volt Typhoon’s proxy infrastructure, effectively converting the PRTG server into a proxy for their C2 traffic [<a href="https://attack.mitre.org/versions/v14/techniques/T1584/004/">T1584.004</a>] (see Appendix B for details).</p>
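<p>Because netsh writes portproxy rules into the registry, they survive reboots and are easy to audit from a registry export. The following Python script is an added example and is not part of the advisory or Appendix B: it parses constructed <em>reg query</em> output for the PortProxy key, applies an assumed allow-list of documented rules, and raises severity when a rule hands traffic to an address outside the internal ranges or listens on every interface. The key path and the <em>listenaddr/listenport = connectaddr/connectport</em> value layout are how netsh stores these rules; the sample rules, allow-list and address ranges are constructed for the example.</p>

```python
r"""Review netsh PortProxy rules recovered from a registry export.

Added example, not from the advisory. The reg query output below is constructed;
the key path and the 'listenaddr/listenport  REG_SZ  connectaddr/connectport'
layout are how netsh persists portproxy rules. Allow-list and internal ranges
are assumptions to adapt to your environment.
"""
import ipaddress
import re

PORTPROXY_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy"

# One value line, e.g. "    0.0.0.0/8443    REG_SZ    203.0.113.10/443"
VALUE_RE = re.compile(r"^\s*(\S+)/(\d+)\s+REG_SZ\s+(\S+)/(\d+)\s*$")

# Ranges treated as "ours" for this example (assumption: match your address plan).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "fc00::/7", "::1/128")]
WILDCARD_LISTENERS = {"*", "0.0.0.0", "::"}


def parse_reg_query(text):
    """Turn recursive reg query output for the PortProxy key into a list of rule dicts."""
    rules, family = [], None
    for line in text.splitlines():
        if line.startswith(PORTPROXY_KEY):
            # Remember which subkey (e.g. v4tov4\tcp) the following values belong to.
            family = line[len(PORTPROXY_KEY):].strip("\\") or None
            continue
        m = VALUE_RE.match(line)
        if m and family:
            rules.append({"family": family,
                          "listen": m.group(1), "listen_port": int(m.group(2)),
                          "connect": m.group(3), "connect_port": int(m.group(4))})
    return rules


def is_internal(addr):
    """True for loopback/RFC 1918/ULA targets; hostnames are unknown, so not internal."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def assess(rules, allow_list=frozenset()):
    """Report every rule not explicitly allowed; escalate when it forwards outside the
    internal ranges (a C2 relay pattern) or exposes the listener on all interfaces."""
    findings = []
    for r in rules:
        key = (r["listen"], r["listen_port"], r["connect"], r["connect_port"])
        if key in allow_list:
            continue
        notes, severity = ["portproxy rule not on allow-list"], "medium"
        if not is_internal(r["connect"]):
            notes.append("forwards to address outside internal ranges")
            severity = "high"
        if r["listen"] in WILDCARD_LISTENERS:
            notes.append("listens on all interfaces")
        findings.append({**r, "severity": severity, "notes": notes})
    return findings


# Constructed output of: reg query HKLM\SYSTEM\CurrentControlSet\Services\PortProxy /s
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
    0.0.0.0/8443    REG_SZ    203.0.113.10/443
    127.0.0.1/3390    REG_SZ    10.20.30.40/3389
"""

# Assumption: the loopback-to-jump-host forward is a documented admin rule on this server.
KNOWN_GOOD = frozenset({("127.0.0.1", 3390, "10.20.30.40", 3389)})

if __name__ == "__main__":
    for f in assess(parse_reg_query(SAMPLE_REG_QUERY), KNOWN_GOOD):
        print(f["severity"], f["listen"], f["listen_port"], "->",
              f["connect"], f["connect_port"], "; ".join(f["notes"]))
```

<p>On a live host the same rules can be listed with <em>netsh interface portproxy show all</em>, but reading the registry value also works offline against a collected hive or a reg export, which matters when the PRTG-style intermediary is already suspected of being controlled by the actor.</p>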
<p><strong>DETECTION/HUNT RECOMMENDATIONS</strong></p>
<p><strong>Apply Living off the Land Detection Best Practices</strong></p>
<p><strong>Apply the prioritized detection and hardening best practice recommendations in the joint guide </strong><a href="https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques"><strong>Identifying and Mitigating Living off the Land Techniques</strong></a>. Many organizations lack the security and network management best practices (such as established baselines) that support detecting malicious LOTL activity; this makes it difficult for network defenders to discern legitimate behavior from malicious behavior and to conduct behavior analytics, anomaly detection, and proactive hunting. Conventional IOCs associated with malicious activity are generally lacking, complicating network defenders’ efforts to identify, track, and categorize this malicious behavior. The joint guide describes a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting as part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.</p>
<p><strong>Review Application, Security, and System Event Logs</strong></p>
<p><strong>Routinely review application, security, and system event logs, focusing on Windows Extensible Storage Engine Technology (ESENT) Application Logs</strong>. Because Volt Typhoon is able to persist undetected for long periods, network defenders should assume significant dwell time and review specific application event log IDs, which remain on endpoints longer than security event logs and other ephemeral artifacts. Focus on Windows ESENT logs because specific ESENT Application Log event IDs (216, 325, 326, and 327) may indicate actors copying NTDS.dit.</p>
<p>See Table 1 for examples of ESENT and other key log indicators that should be investigated. Please note that incidents may not always have exact matches listed in the Event Detail column due to event logging and TTPs variations.</p>
<table width="100%">
<thead>
<tr>
<td colspan="3" width="100%">
<p><strong><em>Table 1: Key Log Indicators for Detecting Volt Typhoon Activity</em></strong></p>
</td>
</tr>
<tr>
<td width="17%">
<p><strong>Event ID (Log)</strong></p>
</td>
<td width="55%">
<p><strong>Event Detail</strong></p>
</td>
<td width="26%">
<p><strong>Description</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="17%">
<p>216 (Windows ESENT Application Log)</p>
</td>
<td width="55%">
<p>A database location change was detected from 'C:\Windows\NTDS\ntds.dit' to '\\?\GLOBALROOT\Device\{redacted}VolumeShadowCopy1\Windows\NTDS\ntds.dit'</p>
</td>
<td width="26%">
<p>A change in the NTDS.dit database location is detected. This could suggest an initial step in NTDS credential dumping where the database is being prepared for extraction.</p>
</td>
</tr>
<tr>
<td width="17%">
<p>325 (Windows ESENT Application Log)</p>
</td>
<td width="55%">
<p>The engine created a new database (2, C:\Windows\Temp\tmp\Active Directory\ntds.dit).</p>
</td>
<td width="26%">
<p>Indicates the creation of a new NTDS.dit file in a non-standard directory. Often, it is a sign of data staging for exfiltration. Monitor for unusual database operations in temp directories.</p>
</td>
</tr>
<tr>
<td width="17%">
<p>637 (Windows ESENT Application Log)</p>
</td>
<td width="55%">
<p>C:\Windows\Temp\tmp\Active Directory\ntds.jfm-++- (0) New flush map file “C:\Windows\Temp\tmp\Active Directory\ntds.jfm” will be created to enable persisted lost flush detection.</p>
</td>
<td width="26%">
<p>A new flush map file is being created for NTDS.dit. This may suggest ongoing operations related to NTDS credential dumping, potentially capturing uncommitted changes to the NTDS.dit file.</p>
</td>
</tr>
<tr>
<td width="17%">
<p>326 (Windows ESENT Application Log)</p>
</td>
<td width="55%">
<p>NTDS-++-12460,D,100-++--++-1-++-</p>
<p>C:\$SNAP_{redacted}_VOLUMEC$\Windows\NTDS\ntds.dit-++-0-++- [1] The database engine attached a database. Began mounting of C:\Windows\NTDS\ntds.dit file created from volume shadow copy process</p>
</td>
<td width="26%">
<p>Represents the mounting of an NTDS.dit file from a volume shadow copy. This is a critical step in NTDS credential dumping, indicating active manipulation of a domain controller’s data.</p>
</td>
</tr>
<tr>
<td width="17%">
<p>327 (Windows ESENT Application Log)</p>
</td>
<td width="55%">
<p>C:\Windows\Temp\tmp\Active Directory\ntds.dit-++-1-++- [1] The database engine detached a database (2, C:\Windows\Temp\tmp\Active Directory\ntds.dit). Completion of mounting of ntds.dit file to C:\Windows\Temp\tmp\Active Director</p>
</td>
<td width="26%">
<p>The detachment of a database, particularly in a temp directory, could indicate the completion of a credential dumping process, potentially as part of exfiltration preparations.</p>
</td>
</tr>
<tr>
<td width="17%">
<p>21 (Windows Terminal Services Local Session Manager Operational Log)</p>
</td>
<td width="55%">
<p>Remote Desktop Services: Session logon succeeded: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted}</p>
</td>
<td width="26%">
<p>Successful authentication to a Remote Desktop Services session.</p>
</td>
</tr>
<tr>
<td width="17%">
<p>22 (Windows Terminal Services Local Session Manager Operational Log)</p>
</td>
<td width="55%">
<p>Remote Desktop Services: Shell start notification received: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted}</p>
</td>
<td width="26%">
<p>Successful start of a new Remote Desktop session. This may imply lateral movement or unauthorized remote access, especially if the user or session is unexpected.</p>
</td>
</tr>
<tr>
<td width="17%">
<p>23 (Windows Terminal Services Local Session Manager Operational Log)</p>
</td>
<td width="55%">
<p>Remote Desktop Services: Session logoff succeeded: User: {redacted}\{redacted} Session ID: {redacted}</p>
</td>
<td width="26%">
<p>Successful logoff of Remote Desktop session.</p>
</td>
</tr>
<tr>
<td width="17%">
<p>24 (Windows Terminal Services Local Session Manager Operational Log)</p>
</td>
<td width="55%">
<p>Remote Desktop Services: Session has been disconnected: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted}</p>
</td>
<td width="26%">
<p>Remote Desktop session disconnected by the user or due to network connectivity issues.</p>
</td>
</tr>
<tr>
<td width="17%">
<p>25 (Windows Terminal Services Local Session Manager Operational Log)</p>
</td>
<td width="55%">
<p>Remote Desktop Services: Session reconnection succeeded: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted}</p>
</td>
<td width="26%">
<p>Successful reconnection to a Remote Desktop Services session. This may imply lateral movement or unauthorized remote access, especially if the user or session is unexpected.</p>
</td>
</tr>
<tr>
<td width="17%">
<p>1017 (Windows System Log)</p>
</td>
<td width="55%">
<p>Handle scavenged.</p>
<p>Share Name: C$</p>
<p>File Name:</p>
<p>users\{redacted}\downloads\History.zip Durable: 1 Resilient or Persistent: 0 Guidance: The server closed a handle that was previously reserved for a client after 60 seconds.</p>
</td>
<td width="26%">
<p>Indicates that the server closed a handle it had reserved for a client. While this is common in normal network operations, unusual patterns or locations (such as History.zip in a user’s Downloads folder) may suggest data collection from a local system.</p>
</td>
</tr>
<tr>
<td width="17%">
<p>1102 (Windows Security Log)</p>
</td>
<td width="55%">
<p>All</p>
</td>
<td width="26%">
<p>All Event ID 1102 entries should be investigated as logs are generally not cleared, and this is a known Volt Typhoon tactic to cover their tracks.</p>
</td>
</tr>
</tbody>
</table>
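<p>The ESENT rows in Table 1 are most useful when correlated rather than read one at a time: a 216 pointing at a shadow copy, followed within minutes on the same domain controller by a 325 or 327 referencing a staging directory, is the copy-and-detach sequence described in the Collection section. The Python below is an added example, not part of the advisory: it classifies constructed event records modeled on Table 1 (host names, snapshot IDs and times are made up) and reports a host as a probable NTDS.dit dump when two or more distinct stages fall inside a 30-minute window, attaching any Security 1102 on that host as supporting evidence. In production the input would come from Get-WinEvent over the Application log (provider ESENT) and the Security log.</p>

```python
"""Hunt for the NTDS.dit shadow-copy dump sequence in ESENT Application log events.

Added example, not part of the advisory. SAMPLE_EVENTS is constructed to match the
shape of Table 1; feed real Get-WinEvent output (Application/ESENT plus Security 1102)
in the same dict layout to use it for real.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Where the AD database legitimately lives on a domain controller.
NTDS_DIR = "c:\\windows\\ntds\\"

# ESENT stages from Table 1: location change (216), new database in a staging path (325),
# attach from a snapshot (326), detach of the staged copy (327), flush map for it (637).
NTDS_EVENT_IDS = {216, 325, 326, 327, 637}

# Substrings that only appear when the database is opened from a snapshot, not in place.
SNAPSHOT_MARKERS = ("volumeshadowcopy", "$snap_", "globalroot")

# A drive-letter path or a \\?\GLOBALROOT path that ends in ntds.dit / ntds.jfm.
PATH_RE = re.compile(r"(?:[a-z]:\\|\\\\\?\\globalroot\\)[^'\"\n]*?ntds\.(?:dit|jfm)", re.I)


def classify(event):
    """Return the reasons one event record looks like NTDS credential dumping ([] if none)."""
    eid, log, msg = event["id"], event["log"], event["message"]
    if log == "Security" and eid == 1102:
        return ["security log cleared"]          # Table 1: every 1102 is investigated
    if log != "Application" or eid not in NTDS_EVENT_IDS:
        return []
    reasons = []
    for path in dict.fromkeys(PATH_RE.findall(msg)):   # de-duplicate, keep order
        low = path.lower()
        if any(marker in low for marker in SNAPSHOT_MARKERS):
            reasons.append("ntds.dit read from snapshot: " + path)
        elif not low.startswith(NTDS_DIR):
            reasons.append("ntds artifact outside NTDS home: " + path)
    return reasons


def hunt(events, window=timedelta(minutes=30)):
    """Correlate flagged events per host: two or more distinct ESENT stages inside
    `window` is a probable dump; anything else that fired is queued for review."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        reasons = classify(ev)
        if reasons:
            by_host[ev["host"]].append((ev["time"], ev["id"], reasons))

    findings = []
    for host, hits in by_host.items():
        esent = [(t, eid) for t, eid, _ in hits if eid in NTDS_EVENT_IDS]
        stages = sorted({eid for _, eid in esent})
        in_window = bool(esent) and window >= (esent[-1][0] - esent[0][0])
        verdict = "probable ntds.dit dump" if len(stages) >= 2 and in_window else "review"
        findings.append({
            "host": host,
            "verdict": verdict,
            "stages": stages,
            "log_cleared": any(eid == 1102 for _, eid, _ in hits),
            "evidence": [r for _, _, reasons in hits for r in reasons],
        })
    return findings


def _t(hhmm):
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed records modeled on Table 1 (hosts, snapshot names and times are made up).
SAMPLE_EVENTS = [
    {"host": "DC01", "log": "Application", "id": 216, "time": _t("02:10"),
     "message": "A database location change was detected from 'C:\\Windows\\NTDS\\ntds.dit' to "
                "'\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit'"},
    {"host": "DC01", "log": "Application", "id": 326, "time": _t("02:11"),
     "message": "NTDS-++-12460,D,100-++--++-1-++-C:\\$SNAP_202401150210_VOLUMEC$\\Windows\\NTDS\\"
                "ntds.dit-++-0-++- [1] The database engine attached a database."},
    {"host": "DC01", "log": "Application", "id": 325, "time": _t("02:12"),
     "message": "The engine created a new database (2, C:\\Windows\\Temp\\tmp\\Active Directory\\ntds.dit)."},
    {"host": "DC01", "log": "Application", "id": 327, "time": _t("02:14"),
     "message": "[1] The database engine detached a database (2, C:\\Windows\\Temp\\tmp\\Active Directory\\ntds.dit)."},
    {"host": "DC01", "log": "Security", "id": 1102, "time": _t("02:20"),
     "message": "The audit log was cleared."},
    # Benign: in-place attach at service start on another DC, and an unrelated ESENT database.
    {"host": "DC02", "log": "Application", "id": 326, "time": _t("02:11"),
     "message": "NTDS-++-620,D,100-++--++-1-++-C:\\Windows\\NTDS\\ntds.dit-++-0-++- [1] The database engine attached a database."},
    {"host": "APP01", "log": "Application", "id": 325, "time": _t("03:00"),
     "message": "The engine created a new database (1, C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Windows.edb)."},
]
```

<p>The path check is deliberately strict about the NTDS home directory rather than keyed on the string "Temp": the staging folders vary between intrusions, but an ntds.dit opened from anywhere other than its configured location, or from any snapshot device path, is what deserves the analyst's time.</p>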
<p><strong>Monitor and Review OT System Logs</strong></p>
<ul>
<li>Review access logs for communication paths between IT and OT networks, looking for anomalous accesses or protocols.</li>
<li>Measure the baseline of normal operations and network traffic for the industrial control system (ICS) and assess traffic anomalies for malicious activity.</li>
<li>Configure intrusion detection systems (IDS) to create alarms for any ICS network traffic outside normal operations.</li>
<li>Track and monitor audit trails on critical areas of ICS.</li>
<li>Set up security information and event management (SIEM) to monitor, analyze, and correlate event logs across the ICS network to identify intrusion attempts.</li>
<li>Review CISA’s <a href="https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf">Recommended Cybersecurity Practices for Industrial Control Systems</a> and the joint advisory, <a href="https://media.defense.gov/2020/Jul/23/2002462846/-1/-1/0/OT_ADVISORY-DUAL-OFFICIAL-20200722.PDF">NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems</a>, for further OT system detection and mitigation guidance.</li>
</ul>
<p><strong>Use gait to Detect Possible Network Proxy Activities</strong></p>
<p><strong>Use gait[</strong><a href="https://github.com/sandialabs/gait"><strong>4</strong></a><strong>] to detect network proxy activities</strong>. Sandia National Labs developed gait as a publicly available Zeek[<a href="https://zeek.org/">5</a>] extension. The <a href="https://github.com/sandialabs/gait">gait</a> extension enriches Zeek’s network connection monitoring and SSL logs with additional metadata. Specifically, gait captures unique TCP options and timing data such as TCP-, transport layer security (TLS)-, and Secure Shell (SSH)-layer inferred round-trip times (RTTs), aiding in the identification of the software used by both endpoints and intermediaries.</p>
<p>While the gait extension for Zeek is an effective tool for enriching network monitoring logs with detailed metadata, it is not explicitly designed to detect Volt Typhoon activity. Its capabilities extend to general anomaly detection in network traffic, including, but not limited to, proxying activities. Therefore, while gait can help identify tactics similar to those used by Volt Typhoon, such as proxy networks and FRP clients for C2 communication, not all proxying activity surfaced by this additional metadata necessarily indicates Volt Typhoon presence. It serves as a valuable augmentation to current security stacks for a broader spectrum of threat detection.</p>
<p>For more information, see Sandia National Lab’s gait GitHub page <a href="https://github.com/sandialabs/gait">sandialabs/gait: Zeek Extension to Collect Metadata for Profiling of Endpoints and Proxies</a>.</p>
<p><strong>Review Logins for Impossible Travel</strong></p>
<p><strong>Examine VPN or other account login times, frequency, duration, and locations.</strong> Logons from two geographically distant locations within a short timeframe from a single user may indicate an account is being used maliciously. Logons of unusual frequency or duration may indicate a threat actor attempting to access a system repeatedly or maintain prolonged sessions for data extraction.</p>
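<p>The three checks in the paragraph above (distance versus elapsed time between consecutive logons, logon frequency, and session duration) are straightforward to compute once VPN logons carry GeoIP coordinates. The Python below is an added example, not part of the advisory: it runs those checks over constructed VPN logon records (users, source addresses, times and durations are made up) and returns one finding per anomaly. The thresholds, including the 900 km/h plausibility ceiling, the 100 km floor that ignores GeoIP jitter, the 5-logons-in-10-minutes burst, and the 12-hour long-session limit, are assumptions to tune per environment.</p>

```python
"""Impossible-travel and logon-cadence review over VPN authentication records.

Added example, not part of the advisory. Records are constructed; in practice the
(lat, lon) pairs come from GeoIP enrichment on the VPN concentrator or in the SIEM,
and every threshold below is an assumption to tune for your user population.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0            # roughly airliner speed; faster than this is not travel
MIN_DISTANCE_KM = 100.0              # ignore GeoIP jitter between nearby points
BURST_WINDOW, BURST_COUNT = timedelta(minutes=10), 5
LONG_SESSION = timedelta(hours=12)


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in decimal degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def analyze(logins):
    """Return findings for impossible travel between consecutive logons, logon bursts,
    and sessions longer than LONG_SESSION, evaluated per user."""
    by_user = defaultdict(list)
    for rec in logins:
        by_user[rec["user"]].append(rec)

    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["time"])
        # Consecutive logon pairs: implied speed above the ceiling means two parties.
        for prev, cur in zip(recs, recs[1:]):
            km = haversine_km(prev["geo"], cur["geo"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            if km >= MIN_DISTANCE_KM and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                findings.append({"user": user, "type": "impossible_travel",
                                 "from": prev["src"], "to": cur["src"],
                                 "km": round(km), "minutes": round(hours * 60)})
        # Sliding window over logon times; report the first burst per user.
        for i, first in enumerate(recs):
            n = sum(1 for r in recs[i:] if BURST_WINDOW >= (r["time"] - first["time"]))
            if n >= BURST_COUNT:
                findings.append({"user": user, "type": "logon_burst", "count": n,
                                 "window_minutes": int(BURST_WINDOW.total_seconds() // 60)})
                break
        # Unusually long sessions suggest a persistent data-extraction channel.
        for r in recs:
            if r.get("duration", timedelta(0)) > LONG_SESSION:
                findings.append({"user": user, "type": "long_session", "src": r["src"],
                                 "hours": round(r["duration"].total_seconds() / 3600, 1)})
    return findings


def _t(hhmm):
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


LONDON, SINGAPORE = (51.5074, -0.1278), (1.3521, 103.8198)
NEW_YORK, BOSTON = (40.7128, -74.0060), (42.3601, -71.0589)

# Constructed VPN logon records (users, addresses, times and durations are made up).
SAMPLE_LOGINS = [
    {"user": "alice", "time": _t("09:00"), "src": "198.51.100.7", "geo": LONDON, "duration": timedelta(minutes=35)},
    {"user": "alice", "time": _t("09:40"), "src": "192.0.2.44", "geo": SINGAPORE, "duration": timedelta(hours=3)},
    {"user": "bob", "time": _t("08:00"), "src": "198.51.100.20", "geo": NEW_YORK, "duration": timedelta(hours=2)},
    {"user": "bob", "time": _t("11:00"), "src": "198.51.100.21", "geo": BOSTON, "duration": timedelta(hours=1)},
    {"user": "svc-backup", "time": _t("22:00"), "src": "203.0.113.9", "geo": BOSTON, "duration": timedelta(hours=20)},
] + [
    {"user": "carol", "time": _t("03:00") + timedelta(minutes=m), "src": "203.0.113.5",
     "geo": LONDON, "duration": timedelta(minutes=1)}
    for m in range(8)                  # eight logons in eight minutes
]
```

<p>Bob's New York to Boston hop three hours later is about 300 km at roughly 100 km/h and is left alone, which is the point of combining distance and time rather than alerting on any change of city; alice's London-then-Singapore pair 40 minutes apart cannot be one person.</p>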
<p><strong>Review Standard Directories for Unusual Files</strong></p>
<p><strong>Review directories, such as </strong><strong>C:\windows\temp\</strong><strong> and</strong> <strong>C:\users\public\</strong><strong>, for unexpected or unusual files</strong>. Monitor these temporary file storage directories for files that normally reside in standard system paths, such as the System32 directory. For example, Volt Typhoon has been observed downloading comsvcs.dll to a non-standard folder (this file is normally found in the System32 folder).</p>
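<p>A name-based sweep of those directories misses the simplest evasion: a System32 binary copied out and renamed (the Collection section notes the actors renamed rar.exe to ronf.exe). The Python below is an added example, not part of the advisory: it indexes System32 by SHA-256 and walks the staging directories, reporting any file whose content matches a System32 binary regardless of its name, any AD database or registry-hive artifact by name, and any archive. To run anywhere it builds a throwaway directory tree of constructed placeholder files; on a Windows host you would call scan_staging_dirs with the real System32, Temp and Public paths.</p>

```python
r"""Find relocated System32 binaries and AD database artifacts under temp/public directories.

Added example, not part of the advisory. Files are compared to System32 by SHA-256
content rather than name, so a copied DLL is caught even after a rename. The demo
tree is built from constructed placeholder files so the script runs anywhere; on a
Windows host call:
    scan_staging_dirs(r"C:\Windows\System32", [r"C:\Windows\Temp", r"C:\Users\Public"])
"""
import hashlib
import tempfile
from pathlib import Path

# Credential-dump artifacts named in the advisory's Collection section (case-insensitive).
ARTIFACT_NAMES = {"ntds.dit", "ntds.jfm", "system", "security", "sam"}
ARCHIVE_SUFFIXES = {".rar", ".zip", ".7z", ".cab"}


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_system32(system32):
    """Map content hash to file name for every file directly under System32."""
    return {sha256_of(p): p.name for p in Path(system32).iterdir() if p.is_file()}


def scan_staging_dirs(system32, staging_dirs):
    """Walk the staging directories; return one finding dict per file worth a closer look."""
    reference = index_system32(system32)
    findings = []
    for root in staging_dirs:
        for p in sorted(Path(root).rglob("*")):
            if not p.is_file():
                continue
            digest = sha256_of(p)
            if digest in reference:                      # relocated copy, any name
                reason = "byte-identical to System32 " + reference[digest]
            elif p.name.lower() in ARTIFACT_NAMES:       # staged AD database / hives
                reason = "AD database or registry hive artifact"
            elif p.suffix.lower() in ARCHIVE_SUFFIXES:   # compressed for exfiltration
                reason = "archive in a staging directory"
            else:
                continue
            findings.append({"path": str(p), "name": p.name, "reason": reason})
    return findings


def build_demo_tree():
    """Constructed layout: a stand-in System32, a renamed copy of comsvcs.dll under
    Users/Public/pro, the Windows/Temp/tmp staging paths from the advisory, one benign file."""
    base = Path(tempfile.mkdtemp(prefix="lotl-demo-"))
    system32 = base / "Windows" / "System32"
    temp, public = base / "Windows" / "Temp", base / "Users" / "Public"
    for d in (system32, temp / "tmp" / "Active Directory", public / "pro"):
        d.mkdir(parents=True)
    (system32 / "comsvcs.dll").write_bytes(b"MZ placeholder for comsvcs.dll (constructed)")
    (system32 / "kernel32.dll").write_bytes(b"MZ placeholder for kernel32.dll (constructed)")
    # Same bytes as comsvcs.dll, new name: a name-only check would miss this.
    (public / "pro" / "svc.dll").write_bytes(b"MZ placeholder for comsvcs.dll (constructed)")
    (temp / "tmp" / "Active Directory" / "ntds.dit").write_bytes(b"constructed placeholder")
    (temp / "tmp" / "out.rar").write_bytes(b"Rar!\x1a\x07\x00 constructed placeholder")
    (public / "readme.txt").write_bytes(b"nothing to see here")
    return str(system32), [str(temp), str(public)]


if __name__ == "__main__":
    for f in scan_staging_dirs(*build_demo_tree()):
        print(f["reason"], "->", f["path"])
```

<p>Hashing System32 on every run is acceptable for a one-off hunt; for continuous monitoring, compute the reference index once per patch cycle and store it, since the point of the comparison is the staging directories, not System32 itself.</p>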
<p><strong>INCIDENT RESPONSE</strong></p>
<p>If compromise, or potential compromise, is detected, <strong>organizations should assume full domain compromise</strong> because of Volt Typhoon’s known behavioral pattern of extracting the NTDS.dit from the DCs. Organizations should immediately implement the following defensive countermeasures:</p>
<p><strong>Sever the enterprise network from the Internet. Note that this step requires the organization to understand its internal and external connections. </strong>When deciding to sever internet access, knowledge of connections must be combined with care to avoid disrupting critical functions.</p>
<p>If you cannot disconnect from the internet, shut down<strong> all non-essential traffic between the affected enterprise network and the internet</strong>.</p>
<p><strong>Reset privileged and non-privileged accounts' credentials within each compromised account's trust boundary</strong>.</p>
<p>Reset passwords for all domain users and all local accounts, such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. The krbtgt account handles Kerberos ticket requests and encrypts and signs them. The krbtgt account should be reset twice because the account has a two-password history. The first krbtgt reset must be allowed to replicate to all DCs before the second reset to avoid service disruption. See CISA’s <a href="https://www.cisa.gov/news-events/analysis-reports/ar21-134a">Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise</a> for more information. Although tailored to FCEB agencies compromised in the <a href="https://www.cisa.gov/news-events/alerts/2021/01/07/supply-chain-compromise">2020 SolarWinds Orion supply chain compromise</a>, the steps apply to any organization with a Windows AD compromise.</p>
<p>Review access policies to temporarily revoke privileges/access for affected accounts/devices. If it is necessary not to alert the attacker (e.g., for intelligence purposes), then privileges can be reduced for affected accounts/devices to “contain” them.</p>
<p>If the investigation finds that the threat actor’s access is limited to non-elevated permissions, reset the relevant account credentials or access keys.</p>
<p>Monitor related accounts, especially administrative accounts, for any further signs of unauthorized access.</p>
<p><strong>Audit all network appliance and edge device configurations with indicators of malicious activity for signs of unauthorized or malicious configuration changes</strong>. Organizations should audit the current network device running configuration and any local configurations that could be loaded at boot time. If configuration changes are identified:</p>
<p>Change all credentials being used to manage network devices to include keys and strings used to secure network device functions (SNMP strings/user credentials, IPsec/IKE preshared keys, routing secrets, TACACS/RADIUS secrets, RSA keys/certificates, etc.).</p>
<p>Update all firmware and software to the latest version.</p>
<p><strong>Report the compromise to an authoring agency </strong>(see the Contact Information section).</p>
<p>For organizations with cloud or hybrid environments, <strong>apply best practices for identity and credential access management.</strong></p>
<ul>
<li>Verify that all accounts with privileged role assignments are cloud-native, not synced from Active Directory.</li>
<li>Audit conditional access policies to ensure Global Administrators and other highly privileged service principals and accounts are not exempted.</li>
<li>Audit privileged role assignments to ensure adherence to the principle of least privilege when assigning privileged roles.</li>
<li>Leverage just-in-time and just enough access mechanisms when administrators must elevate to a privileged role.</li>
<li>In hybrid environments, ensure federated systems (such as AD FS) are configured and monitored correctly.</li>
<li>Audit Enterprise Applications for recently added applications and examine the API permissions assigned to each.</li>
</ul>
<p><strong>Reconnect to the internet.</strong> <strong>Note:</strong> The decision to reconnect to the internet depends on senior leadership’s confidence in the actions taken. It is possible—depending on the environment—that new information discovered during pre-eviction and eviction steps could add additional eviction tasks.</p>
<p><strong>Apply best practices from the joint Guide to Securing Remote Access Software and joint Cybersecurity Information Sheet: Keeping PowerShell: Security Measures to Use and Embrace to minimize and control the use of remote access tools and protocols.</strong></p>
<p><strong>Consider sharing technical information with an authoring agency and/or a sector-specific information sharing and analysis center.</strong></p>
<p>For more information on incident response and remediation, see:</p>
<ul>
<li>Joint advisory <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-245a">Technical Approaches to Uncovering and Remediating Malicious Activity</a>. This advisory provides incident response best practices.</li>
<li>CISA’s <a href="https://www.cisa.gov/resources-tools/resources/federal-government-cybersecurity-incident-and-vulnerability-response-playbooks">Federal Government Cybersecurity Incident and Vulnerability Response Playbooks</a>. Although tailored to U.S. Federal Civilian Executive Branch (FCEB) agencies, the playbooks apply to all organizations. The incident response playbook provides procedures to identify, coordinate, remediate, recover, and track successful mitigations from incidents.</li>
<li>Joint <a href="https://www.cisa.gov/resources-tools/resources/water-and-wastewater-sector-incident-response-guide-0">Water and Wastewater Sector - Incident Response Guide</a>. This joint guide provides incident response best practices and information on federal resources for organizations in the Water and Wastewater Systems Sector.</li>
</ul>
<p><strong>MITIGATIONS</strong></p>
<p>These mitigations are intended for IT administrators in critical infrastructure organizations. The authoring agencies recommend that software manufacturers incorporate security by design and default principles and tactics into their software development practices to strengthen the security posture for their customers.</p>
<p>For information on secure-by-design practices that may protect customers against standard Volt Typhoon techniques, see the joint guide Identifying and Mitigating Living off the Land Techniques and joint Secure by Design Alert Security Design Improvements for SOHO Device Manufacturers.</p>
<p>For more information on Secure by Design, see CISA’s Secure by Design webpage and joint guide.</p>
<p>The authoring agencies recommend organizations implement the mitigations below to improve their cybersecurity posture based on Volt Typhoon activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide minimum practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s <a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals">Cross-Sector Cybersecurity Performance Goals</a> for more information on the CPGs, including additional recommended baseline protections.</p>
<p><strong>IT Network Administrators and Defenders</strong></p>
<p><strong><em>Harden the Attack Surface</em></strong></p>
<ul>
<li><strong>Apply patches for internet-facing systems within a risk-informed period </strong>[<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#MitigatingKnownVulnerabilities1E">CPG 1E</a>]. Prioritize patching critical assets, <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">known exploited vulnerabilities</a>, and vulnerabilities in appliances frequently exploited by Volt Typhoon (e.g., Fortinet, Ivanti, NETGEAR, Citrix, and Cisco devices).</li>
<li><strong>Apply vendor-provided or industry-standard hardening guidance to</strong> strengthen software and system configurations. <strong>Note:</strong> As part of CISA’s <a href="https://www.cisa.gov/securebydesign">Secure by Design campaign</a>, CISA urges software manufacturers to prioritize secure by default configurations to eliminate the need for customer implementation of hardening guidelines.</li>
<li><strong>Maintain and regularly update an inventory of all organizational IT assets</strong> [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#AssetInventory1A">CPG 1A</a>].</li>
<li><strong>Use third-party assessments to validate current system and network security compliance via security architecture reviews, penetration tests, bug bounties, attack surface management services, incident simulations, or tabletop exercises (both announced and unannounced) [CPG 1F].</strong></li>
<li><strong>Limit internet exposure of systems when not necessary</strong>. An organization’s primary attack surface is the combination of the exposure of all its internet-facing systems. Decrease the attack surface by not exposing systems or management interfaces to the internet when unnecessary.</li>
</ul>
<p><strong><em>Secure Credentials</em></strong></p>
<ul>
<li><strong>Do not store credentials on edge appliances/devices. </strong>Ensure edge devices do not contain accounts that could provide domain admin access.</li>
<li><strong>Do not store plaintext credentials on any system</strong> [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#SecureSensitiveData2L">CPG 2L</a>]. Credentials should be stored securely, such as with a credential/password manager or vault or other privileged account management solution, so they can only be accessed by authenticated and authorized users.</li>
<li><strong>Change default passwords </strong>[<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#ChangingDefaultPasswords2A">CPG 2A</a>] and ensure they meet the policy requirements for complexity.</li>
<li>Implement and enforce an organizational, system-enforced policy that:
<ul>
<li><strong>Requires passwords for all IT password-protected assets to be at least 15 characters;</strong></li>
<li><strong>Does not allow users to reuse passwords for accounts, applications, services</strong>, etc. [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#UniqueCredentials2C">CPG 2C</a>]; and</li>
<li><strong>Does not allow service accounts/machine accounts to reuse passwords from member user accounts.</strong></li>
</ul>
</li>
<li><strong>Configure Group Policy settings to prevent web browsers from saving passwords and</strong> disable autofill functions.</li>
<li><strong>Disable the storage of clear text passwords in LSASS memory</strong>.</li>
</ul>
<p><strong><em>Secure Accounts</em></strong></p>
<ul>
<li><strong>Implement </strong><a href="https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf"><strong>phishing-resistant </strong></a><strong>MFA for</strong> access to assets [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#PhishingResistantMultifactorAuthenticationMFA2H">CPG 2H</a>].</li>
<li><strong>Separate user and privileged accounts</strong>.
<ul>
<li>User accounts should never have administrator or super-user privileges [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#SeparatingUserandPrivilegedAccounts2E">CPG 2E</a>].</li>
<li>Administrators should never use administrator accounts for actions and activities unrelated to the administrator role (e.g., checking email and web browsing).</li>
</ul>
</li>
<li><strong>Enforce the principle of least privilege</strong>.
<ul>
<li><strong>Ensure administrator accounts only have the minimum permissions necessary</strong> to complete their tasks.</li>
</ul>
</li>
<li><strong>Review account permissions for default/accounts for edge appliances/devices and remove domain administrator privileges, </strong>if identified.</li>
<li><strong>Significantly limit the number of users with elevated privileges</strong>. Implement continuous monitoring for changes in group membership, especially in privileged groups, to detect and respond to unauthorized modifications.</li>
<li><strong>Remove accounts from high-privilege groups like Enterprise Admins and Schema Admins</strong>. Temporarily reinstate these privileges only when necessary and under strict auditing to reduce the risk of privilege abuse.</li>
<li><strong>Transition to Group Managed Service Accounts (gMSAs) </strong>where suitable for enhanced management and security of service account credentials. gMSAs provide automated password management and simplified Service Principal Name (SPN) management, enhancing security over traditional service accounts. See Microsoft’s <a href="https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview">Group Managed Service Accounts Overview</a>.</li>
<li><strong>Enforce strict policies via Group Policy and User Rights Assignment to</strong> limit high-privilege service accounts.</li>
<li><strong>Consider using a privileged access management (PAM) solution to</strong> manage access to privileged accounts and resources [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#SecureSensitiveData2L">CPG 2L</a>]. PAM solutions can also log and alert usage to detect any unusual activity.</li>
<li><strong>Complement the PAM solution with role-based access control (RBAC)</strong> for tailored access based on job requirements. This ensures that elevated access is granted only when required and for a limited duration, minimizing the opportunity for abuse or exploitation of privileged credentials.</li>
<li><strong>Implement an Active Directory tiering model to segregate administrative accounts based</strong> on their access level and associated risk. This approach reduces the potential impact of a compromised account. See Microsoft’s <a href="https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/tier-model-for-partitioning-administrative-privileges">PAM environment tier model</a>.</li>
<li><strong>Harden administrative workstations to permit only administrative activities from workstations appropriately hardened based on the administrative tier.</strong> See Microsoft’s <a href="https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-devices">Why are privileged access devices important?</a></li>
<li><strong>Disable all user accounts and access to organizational resources of employees on the day of their departure</strong> [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#RevokingCredentialsforDepartingEmployees2D">CPG 2D</a>].</li>
<li><strong>Audit all user, admin, and service accounts regularly and remove or disable unused or unneeded accounts as needed</strong>.</li>
<li><strong>Regularly roll NTLM hashes of accounts that support token-based authentication.</strong></li>
<li>Improve management of hybrid (cloud and on-premises) identity federation by:
<ul>
<li><strong>Using cloud-only administrators that are not synchronized with on-premises environments, and ensuring on-premises administrators are not synchronized to the cloud.</strong></li>
<li><strong>Using CISA’s </strong><a href="https://github.com/cisagov/ScubaGear"><strong>SCuBAGear </strong></a>tool to<strong> discover cloud misconfigurations in Microsoft cloud tenants</strong>. SCuBAGear is an automation script for comparing Federal Civilian Executive Branch (FCEB) agency tenant configurations against CISA’s M365 baseline recommendations. SCuBAGear is part of CISA’s Secure Cloud Business Applications (SCuBA) project, which guides FCEB agencies in securing their cloud business application environments and protecting federal information created, accessed, shared, and stored in those environments. Although tailored to FCEB agencies, the project provides security guidance applicable to all organizations with cloud environments. For more information on SCuBAGear, see CISA’s <a href="https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project">Secure Cloud Business Applications (SCuBA) Project</a>.</li>
<li><strong>Using endpoint detection and response capabilities to actively defend on-premises federation servers</strong>.</li>
</ul>
</li>
</ul>
<p><strong><em>Secure Remote Access Services</em></strong></p>
<ul>
<li><strong>Limit the use of RDP and other remote desktop services</strong>. If RDP is necessary, apply best practices, including auditing the network for RDP systems, closing unused RDP ports, and logging RDP login attempts.</li>
<li><strong>Disable Server Message Block (SMB) protocol version 1 and upgrade to version 3 (SMBv3)</strong> after mitigating existing dependencies (on existing systems or applications), as those dependencies may break once SMBv1 is disabled.</li>
<li><strong>Implement the guidance in the joint #StopRansomware Guide (see page 8 of the guide) to harden SMBv3.</strong></li>
<li><strong>Apply mitigations from the joint </strong><a href="https://www.cisa.gov/sites/default/files/2023-06/Guide%20to%20Securing%20Remote%20Access%20Software_clean%20Final_508c.pdf"><strong>Guide to Securing Remote Access Software</strong></a>.</li>
</ul>
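<p>As an added example (this is not code from the advisory or from CISA's own tooling), the following PowerShell script audits a single Windows host for the two remote-access items above: it reports whether SMBv1 is enabled and which connected clients still negotiate an SMB1 dialect, disables SMBv1 only when no such dependency is found, and lists recent RDP logons (Security event 4624 with logon type 10) so that unexpected source addresses stand out. It assumes Windows 10 / Server 2016 or later with the SmbShare module and an elevated session; the seven-day lookback window is an arbitrary choice.</p>

```powershell
# Added example (not from the advisory): audit and harden SMB and RDP on one Windows host.
# Assumes Windows 10 / Server 2016 or later with the SmbShare module present. Run elevated.
#Requires -RunAsAdministrator

# 1. Report the current SMB server posture.
$smbCfg = Get-SmbServerConfiguration
"SMBv1 server protocol enabled : $($smbCfg.EnableSMB1Protocol)"
"SMB signing required (server) : $($smbCfg.RequireSecuritySignature)"

# 2. Before disabling SMBv1, find any client still negotiating an SMB1 dialect.
#    Dialect is a version string such as "1.5", "2.1" or "3.1.1"; anything below 2.0 is a
#    dependency that must be fixed first, otherwise it breaks when SMBv1 goes away.
$legacySessions = Get-SmbSession |
    Where-Object { $_.Dialect -and ([version]$_.Dialect -lt [version]'2.0') }

if ($legacySessions) {
    "Clients still using SMBv1 (fix these before disabling SMBv1):"
    $legacySessions | Select-Object ClientComputerName, ClientUserName, Dialect | Format-Table -AutoSize
} else {
    # 3. No SMB1 dependency seen on this host: turn the protocol off and remove the feature.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    "SMBv1 disabled; SMB 2.x/3.x remain available."
}

# 4. RDP exposure: is Remote Desktop enabled, and who has logged on over RDP recently?
$rdpDenied = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
"Remote Desktop enabled        : $($rdpDenied -eq 0)"

if ($rdpDenied -eq 0) {
    # Event 4624 property layout: [5] TargetUserName, [6] TargetDomainName,
    # [8] LogonType (10 = RemoteInteractive, i.e. RDP), [18] IpAddress.
    $since = (Get-Date).AddDays(-7)   # arbitrary lookback window
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -eq 10 } |
        Select-Object TimeCreated,
            @{ n = 'User';     e = { "$($_.Properties[6].Value)\$($_.Properties[5].Value)" } },
            @{ n = 'SourceIP'; e = { $_.Properties[18].Value } } |
        Format-Table -AutoSize
}
```

<p>The session check in step 2 is the part that matters operationally: the advisory's caution about breaking dependencies is only answerable by looking at who is actually talking SMB1 to the host, and running the script across a fleet before any change gives the inventory that decision needs. Forwarding the RDP logon list to the central log store described under "Be Prepared" turns step 4 from a spot check into a standing detection.</p>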
<p><strong><em>Secure Sensitive Data</em></strong></p>
<ul>
<li><strong>Securely store sensitive data</strong> (including operational technology documentation, network diagrams, etc.), ensuring only authenticated and authorized users can access the data.</li>
</ul>
<p><strong><em>Implement Network Segmentation</em></strong></p>
<ul>
<li><strong>Ensure that sensitive accounts use their administrator credentials only on hardened, secure computers</strong>. This practice can reduce lateral movement exposure within networks.</li>
<li><strong>Conduct comprehensive trust assessments to identify business-critical trusts and apply necessary controls to</strong> prevent unauthorized cross-forest/domain traversal.</li>
<li><strong>Enabling Security Identifier (SID) Filtering and Selective Authentication on AD trust relationships will harden federated authentication and</strong> further restrict unauthorized access across domain boundaries.</li>
<li><strong>Implement network segmentation to isolate federation servers from other systems and limit allowed traffic to systems and protocols that require access</strong> in accordance with Zero Trust principles.</li>
</ul>
<p><strong><em>Secure Cloud Assets</em></strong></p>
<ul>
<li><strong>Harden cloud assets in</strong> accordance with vendor-provided or industry-standard hardening guidance.</li>
<li>For organizations with Microsoft cloud infrastructure, see CISA’s <a href="https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project#:~:text=Microsoft%20365%20%26%20Google%20Workspace%20Baselines">Microsoft 365 Security Configuration Baseline Guides</a>, which provide minimum viable secure configuration baselines for Microsoft Defender for Office 365, Azure Active Directory (now known as Microsoft Entra ID), Exchange Online, OneDrive for Business, Power BI, Power Platform, SharePoint Online, and Teams. See the Australian Signals Directorate’s Blueprint for Secure Cloud for additional guidance.</li>
<li>For organizations with Google Cloud infrastructure, see CISA’s Google Workspace Security Configuration Baseline Guides, which provide minimum viable secure configuration baselines for Groups for Business, Gmail, Google Calendar, Google Chat, Google Common Controls, Google Classroom, Google Drive and Docs, Google Meet, and Google Sites.</li>
<li><strong>Revoke unnecessary public access to a cloud environment.</strong> This involves reviewing and restricting public endpoints and ensuring that services like storage accounts, databases, and virtual machines are not publicly accessible unless necessary.</li>
<li><strong>Disable legacy authentication protocols across all cloud services and platforms.</strong> Legacy protocols frequently lack support for advanced security mechanisms such as multifactor authentication, rendering them susceptible to compromise. Instead, enforce modern authentication protocols that support more robust security features like MFA, token-based authentication, and adaptive authentication measures.</li>
<li><strong>Enforce this practice through the use of Conditional Access Policies</strong>. These policies can initially be run in report-only mode to identify potential impacts and plan mitigations before fully enforcing them. This approach allows organizations to systematically control access to their cloud resources, significantly reducing the risk of unauthorized access and potential compromise.</li>
<li><strong>Monitor and audit privileged cloud-based accounts, including service accounts, regularly. These accounts</strong> are frequently abused to enable broad cloud resource access and persistence.</li>
</ul>
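<p>As an added example of the two items above (blocking legacy authentication and staging the control through a Conditional Access policy in report-only mode), the following PowerShell creates such a policy in Microsoft Entra ID with the Microsoft Graph PowerShell SDK. This is not code from the advisory or from CISA; it assumes the Microsoft.Graph module is installed, that the signed-in administrator holds the <code>Policy.ReadWrite.ConditionalAccess</code> permission, and that the break-glass account object id shown is a placeholder to be replaced with your own emergency-access account.</p>

```powershell
# Added example (not from the advisory): a Conditional Access policy that blocks legacy
# (non-modern) authentication for all users, created in report-only mode first.
# Assumes the Microsoft.Graph PowerShell SDK and an admin with Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: object id of an emergency-access ("break-glass") account. Excluding it keeps a
# misconfigured policy from locking every administrator out once enforcement is switched on.
$breakGlassId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Block legacy authentication (report-only)'
    # Report-only: every sign-in is evaluated and the result is written to the sign-in
    # logs, but nothing is blocked yet, so impact can be reviewed before enforcement.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @('All') }
        # 'exchangeActiveSync' plus 'other' cover every legacy client flow (basic-auth
        # IMAP/POP/SMTP AUTH, older Office clients) that cannot satisfy MFA.
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state '$($created.State)'"

# After the report-only results in the Entra sign-in logs show no business-critical flow
# would be blocked, move the same policy to enforcement:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State 'enabled'
```

<p>Report-only sign-in log entries carry a per-policy result ("Report-only: Failure" for sign-ins the policy would have blocked), so the review the advisory describes is a query over those entries for the policy id above, grouped by user and client application, before the final <code>Update-MgIdentityConditionalAccessPolicy</code> call.</p>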
<p><strong><em>Be Prepared</em></strong></p>
<ul>
<li><strong>Ensure logging is turned on for application, access, and security logs </strong>(e.g., intrusion detection systems/intrusion prevention systems, firewall, data loss prevention, and VPNs) [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#LogCollection2T">CPG 2T</a>]. Given Volt Typhoon’s use of LOTL techniques and their significant dwell time, application event logs may be a valuable resource to hunt for Volt Typhoon activity because these logs typically remain on endpoints for relatively long periods.</li>
<li>For OT assets where logs are non-standard or unavailable, <strong>collect network traffic and communications between those assets and other assets</strong>.</li>
<li>Implement file integrity monitoring (FIM) tools to detect unauthorized changes.</li>
<li><strong>Store logs in a central system</strong>, such as a security information and event management (SIEM) tool or central database.</li>
<li><strong>Ensure the logs can only be accessed or modified by authorized and authenticated users </strong>[<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#SecureLogStorage2U">CPG 2U</a>].</li>
<li><strong>Store logs for a period informed by risk or pertinent regulatory guidelines</strong>.</li>
<li><strong>Tune log alerting to reduce noise while ensuring there are alerts for high-risk activities</strong>. (For information on alert tuning, see joint guide <a href="https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques">Identifying and Mitigating Living Off the Land Techniques</a>.)</li>
<li><strong>Establish a baseline of installed tools and software, account behavior, and network traffic</strong>. This way, network defenders can identify potential outliers that may indicate malicious activity. Note: For information on establishing a baseline, see the joint guide <a href="https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques">Identifying and Mitigating Living off the Land Techniques</a>.</li>
<li><strong>Document a list of threats and cyber actor TTPs relevant to your organization</strong> (e.g., based on industry or sectors), and maintain the ability (such as via rules, alerting, or commercial prevention and detection systems) to detect instances of those critical threats [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#DetectingRelevantThreatsandTTPs3A">CPG 3A</a>].</li>
<li><strong>Implement periodic training for all employees and contractors that covers essential security concepts</strong> (such as phishing, business email compromise, basic operational security, password security, etc.) and foster an internal culture of security and cyber awareness [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#BasicCybersecurityTraining2I">CPG 2I</a>].</li>
<li><strong>Tailor the training to network IT personnel/administrators and other key staff based on relevant organizational cyber threats and TTPs</strong>, such as Volt Typhoon. For example, communicate that Volt Typhoon actors are known to target IT staff's personal email accounts and encourage staff to protect their personal email accounts by using strong passwords and implementing MFA.</li>
<li>In addition to basic cybersecurity training, <strong>ensure personnel who maintain or secure OT as part of their regular duties receive OT-specific cybersecurity training annually</strong> [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#OTCybersecurityTraining2J">CPG 2J</a>].</li>
<li><strong>Educate users about the risks associated with storing unprotected passwords</strong>.</li>
</ul>
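<p>The "establish a baseline" item above is the one a defender has to build rather than buy. As an added example (not code from the advisory or CISA), the following PowerShell records a per-host inventory of installed software, services and scheduled tasks, the three places living-off-the-land activity most often leaves a persistent footprint, and on later runs diffs the live state against that stored baseline so only the outliers are shown. It assumes PowerShell 5.1 or later on Windows and a writable placeholder path <code>C:\Baseline</code>; the first run on a host that is believed clean writes the baseline, every later run reports changes.</p>

```powershell
# Added example (not from the advisory): snapshot a host's installed software, services and
# scheduled tasks, then diff later snapshots against the stored baseline.
# Assumes PowerShell 5.1+ on Windows and a writable folder C:\Baseline (placeholder path).

function Get-HostBaseline {
    # Installed software is read from the Uninstall registry keys (64- and 32-bit views);
    # services and scheduled tasks include their start mode / executable so a changed
    # binary path or a new action shows up as a difference, not just a new name.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    [pscustomobject]@{
        Software = @(Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
                     Where-Object DisplayName |
                     ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" } |
                     Sort-Object -Unique)
        Services = @(Get-CimInstance Win32_Service |
                     ForEach-Object { "$($_.Name)|$($_.StartMode)|$($_.PathName)" } |
                     Sort-Object -Unique)
        Tasks    = @(Get-ScheduledTask |
                     ForEach-Object { "$($_.TaskPath)$($_.TaskName)|$($_.Actions.Execute -join ';')" } |
                     Sort-Object -Unique)
    }
}

function Compare-HostBaseline {
    param(
        [Parameter(Mandatory)] $Baseline,   # object produced by Get-HostBaseline (possibly from JSON)
        [Parameter(Mandatory)] $Current
    )
    # Emit one row per item that appeared or disappeared in each category. On a server
    # whose software set rarely changes, any 'Added' service or task is worth a hunt.
    foreach ($cat in 'Software', 'Services', 'Tasks') {
        Compare-Object -ReferenceObject @($Baseline.$cat) -DifferenceObject @($Current.$cat) |
            ForEach-Object {
                [pscustomobject]@{
                    Category = $cat
                    Change   = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                    Item     = $_.InputObject
                }
            }
    }
}

$baselinePath = 'C:\Baseline\host-baseline.json'   # placeholder location

if (-not (Test-Path $baselinePath)) {
    # First run: record the known-good state while the host is still trusted.
    Get-HostBaseline | ConvertTo-Json -Depth 4 | Set-Content -Path $baselinePath
    "Baseline written to $baselinePath"
} else {
    # Later runs: diff the live inventory against the stored baseline.
    $baseline = Get-Content -Path $baselinePath -Raw | ConvertFrom-Json
    $changes  = Compare-HostBaseline -Baseline $baseline -Current (Get-HostBaseline)
    if ($changes) { $changes | Format-Table -AutoSize } else { 'No changes since baseline.' }
}
```

<p>Keeping the baseline file on the central log system rather than on the host itself matters: an actor with administrative access to the host can otherwise simply re-baseline after making changes, which is the same reason the advisory asks for logs to be modifiable only by authenticated, authorized users.</p>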
<p><strong>OT Administrators and Defenders</strong></p>
<ul>
<li><strong>Change default passwords </strong>[<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#ChangingDefaultPasswords2A">CPG 2A</a>] and ensure they meet the policy requirements for complexity. If the asset’s password cannot be changed, implement compensating controls for the device; for example, segment the device into separate enclaves and implement increased monitoring and logging.</li>
<li><strong>When technically feasible, passwords for all OT password-protected assets must be at least 15 characters</strong>. In instances where minimum password lengths are not technically feasible (for example, assets in remote locations), apply compensating controls, record the controls, and log all login attempts [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#MinimumPasswordStrength2B">CPG 2B</a>].</li>
<li><strong>Enforce strict access policies for accessing OT networks</strong>. Develop strict operating procedures for OT operators that detail secure configuration and usage.</li>
<li><strong>Segment OT assets from IT environments</strong> [<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#NetworkSegmentation2F">CPG 2F</a>] by:
<ul>
<li><strong>Denying all connections to the OT network by default</strong> unless explicitly allowed (e.g., by IP address and port) for specific system functionality.</li>
<li><strong>Requiring necessary communications paths between IT and OT networks to pass through an intermediary</strong>, such as a properly configured firewall, bastion host, “jump box,” or a demilitarized zone (DMZ), which is closely monitored, captures network logs, and only allows connections from approved assets.</li>
</ul>
</li>
<li><strong>Closely monitor all connections into OT networks for misuse, anomalous activity, or OT protocols</strong>.</li>
<li><strong>Monitor for unauthorized controller change attempts</strong>. Implement integrity checks of controller process logic against a known-good baseline. If possible, prevent process controllers from remaining in remote program mode while in operation.</li>
<li><strong>Lock or limit set points in control processes to reduce the consequences of unauthorized controller access</strong>.</li>
</ul>
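<p>The segmentation items above (deny by default, explicit allow by address and port, an intermediary that captures connection logs) can be shown concretely on a Windows jump host that sits between the IT and OT networks. The following PowerShell is an added example, not from the advisory or CISA: it sets both firewall directions to default-deny with allowed and blocked packets logged, permits RDP into the jump host only from a management subnet, and permits one outbound OT protocol to one OT device. The subnet <code>10.10.50.0/24</code>, the device address <code>192.168.200.10</code> and the OPC UA port 4840 are placeholders to replace with your own values.</p>

```powershell
# Added example (not from the advisory): deny-by-default filtering with logging on a Windows
# jump host between the IT and OT networks. Placeholder values: 10.10.50.0/24 (management
# subnet), 192.168.200.10 (one OT HMI), TCP 4840 (OPC UA). Run elevated.
#Requires -RunAsAdministrator

$mgmtSubnet = '10.10.50.0/24'     # placeholder: where OT administrators connect from
$otHost     = '192.168.200.10'    # placeholder: the single OT asset this host may reach

# 1. Default-deny in both directions on every profile, and log allowed as well as blocked
#    traffic so the jump host produces the connection record the advisory calls for.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogAllowed True -LogBlocked True -LogMaxSizeKilobytes 32767 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Inbound: only the management subnet, only RDP. Nothing else reaches this host.
New-NetFirewallRule -DisplayName 'OT-Jump: RDP from management subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $mgmtSubnet -Action Allow -Profile Domain

# 3. Outbound: one explicitly approved OT destination and port, i.e. the "allowed by IP
#    address and port for specific system functionality" case in the advisory.
New-NetFirewallRule -DisplayName 'OT-Jump: OPC UA to HMI' `
    -Direction Outbound -Protocol TCP -RemotePort 4840 `
    -RemoteAddress $otHost -Action Allow -Profile Domain

# 4. Verify: show every enabled rule created here so a reviewer can confirm that nothing
#    beyond the two approved paths was opened.
Get-NetFirewallRule -DisplayName 'OT-Jump:*' -Enabled True |
    Format-Table DisplayName, Direction, Action, Profile -AutoSize
```

<p>On a domain-joined jump host the outbound default-deny in step 1 also blocks DNS, Kerberos/LDAP to the domain controllers and patch downloads, so those destinations need their own narrow allow rules before the profile change is applied; that is deliberate, because each such rule is then a documented, reviewable path rather than an implicit one. The firewall log named in step 1 is what gets forwarded to the central log store under "Be Prepared".</p>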
<p><strong>Be prepared</strong> by:</p>
<ul>
<li><strong>Determining your critical operational processes’ reliance on key IT infrastructure</strong>:
<ul>
<li>Maintain and regularly update an inventory of all organizational OT assets.</li>
<li>Understand and evaluate cyber risk on “as-operated” OT assets.</li>
<li>Create an accurate “as-operated” OT network map and identify OT and IT network inter-dependencies.</li>
</ul>
</li>
<li><strong>Identifying a resilience plan that addresses how to operate if you lose access to or control of the IT and/or OT environment</strong>:
<ul>
<li>Plan how to continue operations if a control system malfunctions, is inoperative, or actively interferes with the safe and reliable operation of the process.</li>
<li>Develop workarounds or manual controls to ensure ICS networks can be isolated if their connection to a compromised IT environment threatens the safe and reliable operation of OT processes.</li>
</ul>
</li>
<li><strong>Creating and regularly exercising an incident response plan</strong>:
<ul>
<li>Regularly test manual controls to keep critical functions running if OT networks need to be taken offline.</li>
</ul>
</li>
<li><strong>Implementing regular data backup procedures on</strong> OT networks:
<ul>
<li>Regularly test backup procedures.</li>
</ul>
</li>
<li><strong>Following risk-informed guidance in the joint advisory NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems and</strong> the NSA advisory <a href="https://media.defense.gov/2021/Apr/29/2002630479/-1/-1/0/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF">Stop Malicious Cyber Activity Against Connected Operational Technology</a>.</li>
</ul>
<p><strong>CONTACT INFORMATION</strong></p>
<p><strong>US organizations:</strong> To report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory, contact:</p>
<ul>
<li>CISA’s 24/7 Operations Center at <a href="mailto:report@cisa.gov">Report@cisa.gov</a> or (888) 282-0870 or your <a href="https://www.fbi.gov/contact-us/field-offices">local FBI field office</a>. When available, please include the following information regarding the incident: date, time, and location; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.</li>
<li>For NSA client requirements or general cybersecurity inquiries, contact <a href="mailto:Cybersecurity_Requests@nsa.gov">Cybersecurity_Requests@nsa.gov</a>.</li>
<li>Water and Wastewater Systems Sector organizations, contact the EPA Water Infrastructure and Cyber Resilience Division at watercyberta@epa.gov to provide situational awareness voluntarily.</li>
<li>Entities required to report incidents to DOE should follow established reporting requirements as appropriate. For other energy sector inquiries, contact <a href="mailto:EnergySRMA@hq.doe.gov">EnergySRMA@hq.doe.gov</a>.</li>
<li>For transportation entities regulated by TSA, report to CISA Central in accordance with the requirements found in applicable Security Directives, Security Programs, or TSA Order.</li>
<li><strong>Australian organizations: </strong>Visit <a href="https://www.cyber.gov.au/">cyber.gov.au</a> or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.</li>
<li><strong>Canadian organizations: </strong>Report incidents by emailing CCCS at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>.</li>
<li><strong>New Zealand organizations: </strong>Report cyber security incidents to <a href="mailto:incidents@ncsc.govt.nz">incidents@ncsc.govt.nz</a> or call 04 498 7654.</li>
<li><strong>United Kingdom organizations</strong>: Report a significant cyber security incident: <a href="https://www.ncsc.gov.uk/section/about-this-website/contact-us">gov.uk/report-an-incident</a> (monitored 24 hours) or, for urgent assistance, call 03000 200 973.</li>
</ul>
<p><strong>VALIDATE SECURITY CONTROLS</strong></p>
<p>In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess their performance against the ATT&CK techniques described in this advisory.</p>
<p>To get started:</p>
<ul>
<li>Select an ATT&CK technique described in this advisory (see Table 5 through Table 17).</li>
<li>Align your security technologies against the technique.</li>
<li>Test your technologies against the technique.</li>
<li>Analyze the performance of your detection and prevention technologies.</li>
<li>Repeat the process for all security technologies to obtain comprehensive performance data.</li>
<li>Tune your security program, including people, processes, and technologies, based on the data generated by this process.</li>
</ul>
<p>The authoring agencies recommend continually testing your security program at scale in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.</p>
<p><strong>REFERENCES</strong></p>
<p>[1] <a href="https://fofa.info/">fofa</a><br /> [2] <a href="https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/">Microsoft: Volt Typhoon targets US critical infrastructure with living-off-the-land techniques</a><br /> [3] <a href="https://github.com/fatedier/frp">GitHub - fatedier/frp: A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet</a><br /> [4] <a href="https://github.com/sandialabs/gait">GitHub - sandialabs/gait: Zeek Extension to Collect Metadata for Profiling of Endpoints and Proxies</a><br /> [5] <a href="https://zeek.org/">The Zeek Network Security Monitor</a></p>
<p><strong>RESOURCES</strong></p>
<p>Microsoft: <a href="https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/">Volt Typhoon targets US critical infrastructure with living-off-the-land techniques</a><br /> Secureworks: <a href="https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations">Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations</a></p>
<p><strong>DISCLAIMER</strong></p>
<p>The information in this report (CISA) is provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.</p>
<p><strong>ACKNOWLEDGEMENTS</strong></p>
<p>Fortinet and Microsoft contributed to this advisory.</p>
<p><strong>VERSION HISTORY</strong></p>
<p>February 7, 2024: Initial Version.</p>
<p><strong>APPENDIX A: VOLT TYPHOON OBSERVED COMMANDS / LOTL ACTIVITY, <a href="{{#staticFileLink}}12379023656,original{{/staticFileLink}}">INCLUDED IN PDF</a></strong></p>
<p>See Table 2 and Table 3 for Volt Typhoon commands and PowerShell scripts observed by the U.S. authoring agencies during incident response activities. For additional commands from the Volt Typhoon, see the joint advisory <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a">People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection</a>.</p>
<p><strong>APPENDIX B: INDICATORS OF COMPROMISE <a href="{{#staticFileLink}}12379023656,original{{/staticFileLink}}">INCLUDED IN PDF</a></strong></p>
<p>See Table 4 for Volt Typhoon IOCs obtained by the U.S. authoring agencies during incident response activities.</p>
<p>Note: See <a href="https://www.cisa.gov/news-events/analysis-reports/ar24-038a">MAR-10448362-1.v1</a> for more information on this malware.</p>
<p><strong>APPENDIX C: MITRE ATT&CK TACTICS AND TECHNIQUES<a href="{{#staticFileLink}}12379023656,original{{/staticFileLink}}"> IN PDF</a></strong></p>
<p>See Tables 5 through 17 for all referenced threat actor tactics and techniques in this advisory.</p>
<p><strong> <a href="{{#staticFileLink}}12379023656,original{{/staticFileLink}}">IR-24-039-001_BadPanda-1.pdf</a></strong></p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com </p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></p>
<p>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p><strong>Weekly Cyber Intelligence Briefings:</strong></p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a?utm_source=EA&utm_medium=stakeholder_note&utm_campaign=VT_020724">https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a?utm_source=EA&utm_medium=stakeholder_note&utm_campaign=VT_020724</a></p></div>
<p><strong>FortiOS SSL VPN Warning</strong> (Bill Schenkelberg, 2024-02-14, <a href="https://redskyalliance.org/xindustry/fortios-ssl-vpn-warning">https://redskyalliance.org/xindustry/fortios-ssl-vpn-warning</a>)</p>
<div><p>Fortinet has disclosed a new critical security flaw in FortiOS SSL VPN that it said is likely being exploited in the wild. The vulnerability, CVE-2024-21762 (CVSS score: 9.6), allows for the execution of arbitrary code and commands. "An out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests," the company said in a bulletin released last week.</p>
<p>It further acknowledged that the issue is "potentially being exploited in the wild," without giving additional specifics about how it's being weaponized and by whom.<a href="#_ftn1">[1]</a></p>
<p>The following versions are impacted by this vulnerability. It is worth noting that FortiOS 7.6 is not affected.</p>
<ul>
<li>FortiOS 7.4 (versions 7.4.0 through 7.4.2) - Upgrade to 7.4.3 or above</li>
<li>FortiOS 7.2 (versions 7.2.0 through 7.2.6) - Upgrade to 7.2.7 or above</li>
<li>FortiOS 7.0 (versions 7.0.0 through 7.0.13) - Upgrade to 7.0.14 or above</li>
<li>FortiOS 6.4 (versions 6.4.0 through 6.4.14) - Upgrade to 6.4.15 or above</li>
<li>FortiOS 6.2 (versions 6.2.0 through 6.2.15) - Upgrade to 6.2.16 or above</li>
<li>FortiOS 6.0 (versions 6.0 all versions) - Migrate to a fixed release</li>
</ul>
<p>The development comes as Fortinet issued patches for CVE-2024-23108 and CVE-2024-23109, impacting FortiSIEM supervisor, allowing a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.</p>
<p>Earlier this week, the Netherlands government revealed a computer network used by the armed forces was infiltrated by Chinese state-sponsored actors by exploiting known flaws in Fortinet FortiGate devices to deliver a backdoor called COATHANGER. The company, in a report published this week, divulged that N-day security vulnerabilities in its software, such as CVE-2022-42475 and CVE-2023-27997, are being exploited by multiple activity clusters to target governments, service providers, consultancies, manufacturing, and large critical infrastructure organizations.</p>
<p>Previously, Chinese threat actors have been linked to the zero-day exploitation of security flaws in Fortinet appliances to deliver a wide range of implants, such as BOLDMOVE, THINCRUST, and CASTLETAP. It also follows an advisory from the US government about a Chinese nation-state group dubbed Volt Typhoon, which has targeted critical infrastructure in the country for long-term undiscovered persistence by taking advantage of known and zero-day flaws in networking appliances such as those from Fortinet, Ivanti Connect Secure, NETGEAR, Citrix, and Cisco for initial access.</p>
<p>China, which has denied the allegations, accused the US of conducting its own cyber-attacks. If anything, the campaigns waged by China and Russia underscore the growing threat faced by internet-facing edge devices in recent years owing to the fact that such technologies lack endpoint detection and response (EDR) support, making them ripe for abuse. "These attacks demonstrate the use of already resolved N-day vulnerabilities and subsequent [living-off-the-land] techniques, which are highly indicative of the behavior employed by the cyber actor or group of actors known as Volt Typhoon, which has been using these methods to target critical infrastructure and potentially other adjacent actors," Fortinet said.</p>
<p><strong>CISA Confirms Exploitation of CVE-2024-21762</strong></p>
<p>The US Cybersecurity and Infrastructure Security Agency (CISA) on February 9, 2024, added CVE-2024-21762 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.</p>
<p>Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply the fixes by 16 February 2024, to secure their networks against potential threats.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2024/02/fortinet-warns-of-critical-fortios-ssl.html">https://thehackernews.com/2024/02/fortinet-warns-of-critical-fortios-ssl.html</a></p></div>
<p><strong>Hackers Look to Score at the Super Bowl</strong> (Bill Schenkelberg, 2024-02-11, <a href="https://redskyalliance.org/xindustry/hackers-look-to-score-at-the-super-bowl">https://redskyalliance.org/xindustry/hackers-look-to-score-at-the-super-bowl</a>)</p>
<div><p>As more than 65,000 football fans descend on Allegiant Stadium in Las Vegas, Nevada, for Super Bowl LVIII, they become attractive targets for cybercriminals and hackers. Major sporting events like the Super Bowl face elevated cyber risks due to the proliferation of connected networks and devices used by venues, teams, vendors, media, and attendees. This year, the US Department of Homeland Security (DHS) is working closely with partners to assess and strengthen cyber protections. "There are no known, credible, specific threats to the Super Bowl or to Las Vegas at this time, but we are vigilant, and we are prepared," said DHS Secretary Alejandro Mayorkas, who recently avoided impeachment by only one (1) vote.<a href="#_ftn1">[1]</a></p>
<p>Large venues increasingly utilize sophisticated networks to conduct commerce, manage operations, engage fans, and gather data. The Super Bowl stadium and its vendors will connect everything from digital ticketing and payments to lighting, scoreboards, and surveillance cameras, exponentially expanding the attack surface. Fans will overwhelm cellular networks while simultaneously connecting to insecure public Wi-Fi networks at hotels, airports, and fan events.</p>
<p>The combination of huge crowds and a massive digital infrastructure creates an enticing target for adversaries ranging from criminal hackers to cyber terrorists. Potential risks span from malware infections to denial-of-service attacks to theft of sensitive data. DHS cyber experts have conducted extensive vulnerability probes, penetration tests, and emergency planning to harden defenses at the big game.</p>
<p>The NFL announced on 08 February 2024 that it is joining the "Secure Our World" cybersecurity awareness campaign led by the US Cybersecurity and Infrastructure Security Agency (CISA). The initiative will promote best practices to teams and fans on strong authentication, malware prevention, phishing identification, and software updates. Cyber safety tips will be seen by fans at the NFL Experience during Super Bowl Week and during the game on 11 February 2024.</p>
<p>With cyber adversaries constantly evolving new tactics, major events require heightened collaboration between public and private sector infrastructure owners to identify gaps, train stakeholders, and implement multi-layered security measures. The operational coordination and cybersecurity preparations underway for Super Bowl LVIII and its success may provide a model for securing our nation's most high-profile venues and events.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.secureworld.io/industry-news/hackers-super-bowl-cyber-defense">https://www.secureworld.io/industry-news/hackers-super-bowl-cyber-defense</a></p></div>
<p><strong>Inside 5 Years</strong> (Bill Schenkelberg, 2024-02-09, <a href="https://redskyalliance.org/xindustry/inside-5-years">https://redskyalliance.org/xindustry/inside-5-years</a>)</p>
<div><p>Hackers from the People's Republic of China spent up to five years in US networks as part of a cyber operation that targeted US critical infrastructure, law enforcement and international agencies said earlier this week. "The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People's Republic of China (PRC) state sponsored cyber actors are seeking to preposition themselves on IT networks for disruptive or destructive cyberattacks against US critical infrastructure in the event of a major crisis or conflict with the United States," an alert released by the agencies earlier this week said.<a href="#_ftn1">[1]</a></p>
<p>The yearslong operation by the state-sponsored cyber actor, called Volt Typhoon by US authorities, was a way for China to position themselves for an attack on U.S. critical infrastructure using malware, officials said on a call with reporters.</p>
<p>CISA Assistant Director Eric Goldstein said the hackers were in US systems for "up to five years. CISA and its US Government partners have confirmed that this group of PRC state-sponsored cyber actors has compromised entities across multiple critical infrastructure sectors in cyberspace, including communications, energy, transportation, and water and wastewater, in the United States and its territories," a release about the incident said.</p>
<p>The Chinese cyber actors aimed to "launch destructive cyber-attacks that would jeopardize the physical safety of Americans and impede military readiness in the event of a major crisis or conflict with the United States," the release said. Last week, the FBI used a court order to disrupt Volt Typhoon actors from their hacking operation.</p>
<p>The advisory builds upon CISA Director Jenn Easterly and FBI Director Christopher Wray's testimony last week, in which they warned that Chinese hackers could disrupt Americans' way of life. "The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, water sectors steps, China was taking in other words to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous," Wray told a House panel last week. "And let's be clear, cyber threats to our critical infrastructure represent real world threats to our physical safety."</p>
<p>The agencies wrote in an alert that they are "concerned" about the implications of the cyber operation. "The US authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts," an alert released by the agencies said. "The US authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions."</p>
<p>Last week, Easterly warned that the Colonial Pipeline hack in 2021, which briefly shut off pipeline access for part of the country and caused panic, is something that could happen on a much wider scale, if China had their way. "We know that what we have found is the tip of the iceberg," Goldstein said.</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://abc7.com/us-china-chinese-hacker-news/14400012/">https://abc7.com/us-china-chinese-hacker-news/14400012/</a></p></div>Vote Early and Oftenhttps://redskyalliance.org/xindustry/vote-early-and-often2024-01-29T13:00:00.000Z2024-01-29T13:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12368087481,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12368087481,RESIZE_400x{{/staticFileLink}}" width="200" alt="12368087481?profile=RESIZE_400x" /></a>“Vote early and often.” In his book Capone, author John Kobler attributes the phrase to the gangster Al Capone. In the United States, Republicans accused their opponents of inviting such corruption with their support of the National Voter Registration Act of 1993, the "Motor Voter Law."</p>
<p>See: <a href="https://redskyalliance.org/xindustry/election-day-concerns">https://redskyalliance.org/xindustry/election-day-concerns</a></p>
<p>Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency (CISA), stated in an interview on 19 January 2024 that "the American people should have confidence in the election process" in 2024 and beyond, despite concerns over AI capabilities. "I enjoyed talking with Andrea Mitchell on MSNBC yesterday about the intersection of elections and AI, and importantly, why the American people should have confidence in our elections processes due to the tireless efforts of state and local elections officials of both parties, charged with the responsibility to administer, manage, and secure our election infrastructure. These officials ran secure elections in 2018, 2020, and 2022, with no evidence that malicious actors changed, altered, or deleted any votes that impacted the outcome of those elections. Concerning the 2020 Presidential election in particular, all states where the outcome was close had paper ballots, which allowed recounts and audits to verify election results. That election's outcome was repeatedly validated, including in multiple court challenges."</p>
<p>Easterly weighed in on the threat AI poses to election security following a recent column in Foreign Affairs Magazine (gated content) that she co-authored with Scott Schwab, Secretary of State of Kansas and the state's Chief Election Official, and Cait Conley, Senior Election Security Adviser at CISA at the US Department of Homeland Security. From the Foreign Affairs article: "Although the technology won't introduce fundamentally new risks in the 2024 election, bad actors have used cyber threats and disinformation for years to try to undermine the American electoral process it will intensify existing risks. Generative AI in the hands of adversaries could threaten each part of the electoral process, including the registration of voters, the casting of votes, and the reporting of results. Largely, responsibility for meeting this threat will fall to the country's state and local election officials. For nearly 250 years, these officials have protected the electoral process from foreign adversaries, wars, natural disasters, pandemics, and disruptive technologies."</p>
<p>"Election officials have defended election infrastructure from cyber threats, from physical threats, from threats of foreign influence and disinformation, and have done it in a way where there is security and integrity in the elections process," said Easterly. "I have confidence. And Andrea, the American people should have confidence in the election process. Since I took this job in 2021, I've had the privilege of spending time with state and local elections nationwide, serving on the front lines of our democracy, and seeing firsthand how hard they work to ensure the security and resilience of our election processes. But as the article in Foreign Affairs on 'AI's Threat to Democracy' notes, these officials need support, mainly because of the intense pressure they have faced since the 2020 election and the baseless allegations of voter fraud that followed it.</p>
<p>Suppose anyone is unsure about the security of our election infrastructure. In that case, I urge you to serve as a poll worker or as an election observer and witness firsthand the multiple layers of technological, physical, and procedural controls put in place to ensure that votes are counted as cast. Moreover, if you have any questions about elections, please talk to your state or local election officials; they are the true subject matter experts in this area. 'TrustedInfo2024' on the website of the National Association of Secretaries of State (NASS) is a great reference.</p>
<p>Finally, if you read the recently declassified Intelligence Community report on the 2022 midterm elections, you saw that the aggregate scope and scale of foreign activity targeting the 2022 midterms exceeded what was detected in 2018, with a diverse and growing group of foreign actors engaging in operations to interfere with our elections, including Russia, China, and Iran. We cannot allow foreign adversaries to sow partisan discord and undermine confidence in our election processes. Elections are the golden thread that runs through the fabric of our democracy; it is up to all of us to keep that fabric strong."</p>
<p>"The involvement of more foreign actors probably reflects shifting geopolitical risk calculus, perceptions that election influence activity has been normalized, [and] the low cost but potentially high reward of such activities. So, although these threats are not new, today's generative AI capabilities will make these activities cheaper and more effective. Specifically, AI-enabled translation services, account creation tools, and data aggregation will allow bad actors to automate their processes and target individuals and organizations more precisely and at scale."</p>
<p>Election security will be a topic on several SecureWorld conference agendas in 2024, including at SecureWorld Charlotte on 10 April 2024. Torry Crass, State Chief Risk Officer for the State of North Carolina, said the keynote panel will address the question, "How is AI going to be used responsibly?" The state's chief privacy officer is building out the framework for how the state and the elections division handle AI.</p>
<p>The biggest worry about AI is that it could be used to generate fake images, audio, and video to create disinformation and misinformation to harm competing candidates. "It can be hard for voters to know what to trust or not," Crass said.</p>
<p>All of the technology used to protect the voting process cannot solve the age-old election fraud strategies of allowing non-registered voters to vote, miscounting ballots, and ballot-box stuffing.</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>On 9 January, the Office of the Inspector General (OIG) said CISA needed to do more “external collaboration and internal coordination within the Water and Wastewater Sector.” CISA agreed with all three recommendations and provided a detailed timeline for when and how they would foster deeper ties with the water industry, which has faced a bevy of threats since the onset of the Israel-Hamas war. “The Water and Wastewater Systems [WWS] sector is under constant threat from malicious cyber actors.<a href="#_ftn1">[1]</a> This timely and actionable guidance reflects an outstanding partnership between industry, nonprofit, and government partners that came together with EPA, FBI and CISA to support this essential sector,” said CISA Executive Assistant Director for Cybersecurity.<a href="#_ftn2">[2]</a></p>
<p>The guide was developed alongside dozens of cybersecurity companies, industry organizations, state governments and federal agencies, according to CISA. It includes four major pillars that cover how organizations can prepare for cyberattacks, including how to detect and analyze incidents; how to contain, eradicate and recover from attacks; and what to do after an incident.</p>
<p>Water utilities should have an incident response plan and structures in place that allow for easy communication with industry cybersecurity experts, the plan outlines. The guide offers detailed information on which federal partners organizations should coordinate with, how evidence should be preserved and more.</p>
<p>An assistant director of the FBI’s Cyber Division, said a key part of their cyber strategy is “building strong partnerships and sharing threat information with the owners and operators of critical infrastructure before they are hit with an attack.” The EPA Assistant Administrator for Water added that cyber threats affecting the water sector are a “real and urgent risk to safe drinking water and wastewater services that our nation relies on.”</p>
<p>‘Cyber-poor’ - The federal government’s efforts to help the water industry deal with cybersecurity threats have been fraught since companies balked at new regulations handed down by the EPA last March. Republican attorneys general and industry groups launched a successful lawsuit against the new EPA rules, which sought to add cybersecurity assessments to annual state-led Sanitary Survey Programs that evaluate water systems across the US.</p>
<p>The EPA rescinded the rule in October, and weeks later multiple water utilities were attacked by hackers allegedly connected to Iran’s Islamic Revolutionary Guard Corps (IRGC). The FBI and EPA said in December that they were tracking a handful of incidents involving water utilities. Since then, CISA and the EPA have sought to be more proactive about helping the water industry deal with threats, reaching out to utility operators using devices from Israeli company Unitronics and notifying those organizations if they are at risk of cyberattack.</p>
<p>In addition to the nation-state threats, US law enforcement agencies have previously said ransomware gangs hit five US water and wastewater treatment facilities from 2019 to 2021 and those figures did not include three other widely reported cyberattacks on water utilities. Despite the threats, the OIG report said CISA “did not consistently collaborate” with the EPA and the water industry to “leverage and integrate its cybersecurity expertise with stakeholders’ water expertise.”</p>
<p>CISA and the EPA had not figured out the roles, responsibilities, and collaboration mechanisms for approaching the industry and CISA did not coordinate enough internally on the sharing of critical information, according to the report.</p>
<p>In a response to the report, the CISA Director acknowledged the issues but noted that it covered 2019 to 2022 and missed much of the agency’s current work addressing the issues. She said the agency is already tackling many of the problems raised and plans to fix most in 2024 and 2025.</p>
<p>In its 2023 review, CISA said it conducted more than 1,700 engagements for the water and wastewater sector and notified six entities in the industry as part of its pre-ransomware notification initiative. Dozens of water utilities were also added to the Protective Domain Name System service, which blocked 900 million malicious connections targeting federal agencies last year. The service is designed to disrupt attempted attacks. “In the new year, CISA will continue to focus on taking every action possible to support ‘target-rich, cyber-poor’ entities like WWS utilities by providing actionable resources and encouraging all organizations to report cyber incidents,” the director said last week. “Our regional team members across the country will continue to engage with WWS partners to provide access to CISA’s voluntary services, such as enrollment in our Vulnerability Scanning, and serve as a resource for continued improvement.”</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.cisa.gov/news-events/news/cisa-fbi-and-epa-release-incident-response-guide-water-and-wastewater-systems-sector">https://www.cisa.gov/news-events/news/cisa-fbi-and-epa-release-incident-response-guide-water-and-wastewater-systems-sector</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://therecord.media/federal-agencies-release-cyber-guidance-water/">https://therecord.media/federal-agencies-release-cyber-guidance-water/</a></p></div>Star Blizzard - Successful Spear-Phishing Attackhttps://redskyalliance.org/xindustry/star-blizzard-successful-spear-phishing-attack2024-01-08T17:00:00.000Z2024-01-08T17:00:00.000ZCyberDoghttps://redskyalliance.org/members/CyberDog189<div><p><a href="{{#staticFileLink}}12347854862,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12347854862,RESIZE_400x{{/staticFileLink}}" alt="12347854862?profile=RESIZE_400x" width="250" /></a>The Russia-based actor Star Blizzard (formerly known as SEABORGIUM, also known as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie) continues to successfully use spear-phishing attacks against targeted organizations and individuals in numerous global geographical areas of interest for information-gathering activity.</p>
<p>The UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the US Cyber National Mission Force (CNMF), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ) assess that Star Blizzard is almost undoubtedly subordinate to the Russian Federal Security Service (FSB) Centre 18.<a href="#_ftn1">[1]</a></p>
<p>The industry has previously published details of Star Blizzard. This advisory draws on <a href="https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/">that body of information</a>.</p>
<p>This advisory raises awareness of Star Blizzard's spear-phishing techniques to target individuals and organizations. This activity will continue through 2023/24.</p>
<p><strong>Targeting profile</strong></p>
<ul>
<li>Since 2019, Star Blizzard has targeted sectors including academia, defense, governmental organizations, NGOs, think tanks and politicians.</li>
<li>Targets in the UK and US appear to have been most affected by Star Blizzard activity; however, activity has also been observed against targets in other NATO countries and countries neighboring Russia.</li>
<li>During 2022, Star Blizzard's activity expanded further to include defence-industrial targets and US Department of Energy facilities.</li>
</ul>
<p><strong>Outline of the attacks </strong>- The activity is typical of spear-phishing campaigns, where an actor targets a specific individual or group using information known to be of interest to the targets. In a spear-phishing campaign, an actor perceives their target to have direct access to information of interest, be an access vector to another target, or both.</p>
<p>Research and preparation - Using open-source resources to conduct reconnaissance, including social media and professional networking platforms, Star Blizzard identifies hooks to engage their target. They take the time to research their interests and identify their real-world social or professional contacts. [<a href="https://attack.mitre.org/techniques/T1589/">T1589</a>; <a href="https://attack.mitre.org/techniques/T1593/">T1593</a>]</p>
<p>Star Blizzard creates email accounts impersonating known contacts of their targets to help appear legitimate. They also create fake social media or networking profiles that impersonate respected experts [<a href="https://attack.mitre.org/techniques/T1585/001/">T1585.001</a>] and have used supposed conference or event invitations as lures. </p>
<p>Star Blizzard uses webmail addresses from different providers, including Outlook, Gmail, Yahoo, and Proton mail, in their initial approach [<a href="https://attack.mitre.org/techniques/T1585/002/">T1585.002</a>], impersonating known contacts of the target or well-known names in the target’s field of interest or sector.</p>
<p>To appear authentic, the actor also creates malicious domains resembling legitimate organizations [<a href="https://attack.mitre.org/techniques/T1583/001/">T1583.001</a>].</p>
<p>Microsoft Threat Intelligence Center (MSTIC) provides a <a href="https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/">list of observed Indicators of Compromise (IOCs) in their SEABORGIUM blog</a>, but this is not exhaustive.</p>
<p>Preference for personal email addresses - Star Blizzard has predominantly sent spear-phishing emails to targets’ personal email addresses, although they have also used targets’ corporate or business email addresses. The actors may intentionally use personal emails to circumvent security controls in place on corporate networks.</p>
<p>Building a rapport - Having taken the time to research their targets’ interests and contacts to create a believable approach, Star Blizzard then starts to build trust. They often establish benign contact on a topic they hope will engage their targets. There is often some correspondence between the attacker and the target, sometimes over an extended period, as the attacker builds rapport.</p>
<p>Delivery of malicious link - Once trust is established, the attacker uses typical phishing tradecraft and shares a link [<a href="https://attack.mitre.org/techniques/T1566/002/">T1566.002</a>], apparently to a document or website of interest. This leads the target to an actor-controlled server, which prompts the target to enter account credentials.</p>
<p>The malicious link may be a URL in an email message, or the actor may embed a link in a document [<a href="https://attack.mitre.org/techniques/T1566/001/">T1566.001</a>] on <a href="https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/">OneDrive, Google Drive, or other file-sharing platforms</a>.</p>
<p>Star Blizzard uses the open-source framework EvilGinx in their spear-phishing activity, which allows them to harvest credentials and session cookies to successfully bypass the use of two-factor authentication [<a href="https://attack.mitre.org/techniques/T1539/">T1539</a>; <a href="https://attack.mitre.org/techniques/T1550/004/">T1550.004</a>].</p>
<p>Exploitation and further activity - Whichever delivery method is used, once the target clicks on the malicious URL, they are directed to an actor-controlled server that mirrors the sign-in page for a legitimate service. Any credentials entered at this point are now compromised.</p>
<p>Star Blizzard then uses the stolen credentials to log in to a target’s email account [<a href="https://attack.mitre.org/techniques/T1078/">T1078</a>], where they are known to access and steal emails and attachments from the victim’s inbox [<a href="https://attack.mitre.org/techniques/T1114/002/">T1114.002</a>]. They have also set up mail-forwarding rules, giving them ongoing visibility of victim correspondence [<a href="https://attack.mitre.org/techniques/T1114/003/">T1114.003</a>].</p>
<p>The actor has also used their access to a victim's email account to access mailing-list data and a victim’s contacts list, which they then use for follow-on targeting. They have also used compromised email accounts for further phishing activity [<a href="https://attack.mitre.org/techniques/T1586/002/">T1586.002</a>].</p>
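<p>The mail-forwarding rules described above (T1114.003) leave a trace that defenders can hunt for: a rule change recorded in the mailbox audit log whose target address sits outside the organisation. The following Python detector is an added example and is not code from the advisory or from any of the authoring agencies. It runs over constructed audit records shaped like Exchange Online's New-InboxRule / Set-InboxRule entries (an Operation field plus a Parameters list of Name/Value pairs); the field names, the ';'-separated multi-value convention and the INTERNAL_DOMAINS list are assumptions, and the sample log is constructed for the example.</p>

```python
"""Detect inbox rules that forward a mailbox to an external address.

Added example, not from the advisory or the authoring agencies: a small
detector run over constructed audit records shaped like Exchange Online's
New-InboxRule / Set-InboxRule audit entries (an Operation field plus a
Parameters list of Name/Value pairs). The field names and the ';'-separated
multi-value convention are assumptions modelled on that schema, and the
sample records below are constructed for the example.
"""
import json
from dataclasses import dataclass, field

# Domains the organisation owns; any other domain is treated as external (assumption).
INTERNAL_DOMAINS = {"example.org", "mail.example.org"}

# Rule parameters that send a copy of, or redirect, incoming mail.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}

# Constructed audit log: one JSON record per line.
SAMPLE_LOG = """\
{"CreationTime":"2024-01-08T10:02:11","UserId":"alice@example.org","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Archive"},{"Name":"MoveToFolder","Value":"Archive"}]}
{"CreationTime":"2024-01-08T10:05:40","UserId":"alice@example.org","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"collector@webmail-example.test"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-01-08T11:15:03","UserId":"bob@example.org","Operation":"Set-InboxRule","Parameters":[{"Name":"RedirectTo","Value":"Bob Backup <bob.backup@mail.example.org>"}]}
{"CreationTime":"2024-01-08T12:00:00","UserId":"carol@example.org","Operation":"MailItemsAccessed","Parameters":[]}
"""


@dataclass
class Finding:
    time: str
    user: str
    operation: str
    external_targets: list = field(default_factory=list)
    # A forward combined with DeleteMessage hides the copied mail from the victim.
    deletes_original: bool = False


def address_domain(addr: str) -> str:
    """Return the lower-cased domain of 'user@host' or 'Display <user@host>'."""
    addr = addr.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.index("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower()


def split_targets(value: str) -> list:
    """Multi-valued audit parameters are ';'-separated (assumption)."""
    return [v.strip() for v in value.split(";") if v.strip()]


def external_forwarding_findings(log_text: str, internal=INTERNAL_DOMAINS) -> list:
    """Return one Finding per rule-change record that forwards to a non-internal domain."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue  # only rule creation/modification events are of interest
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = [
            t
            for name in FORWARDING_PARAMS
            if name in params
            for t in split_targets(params[name])
            if address_domain(t) not in internal
        ]
        if not targets:
            continue  # no forwarding, or forwarding that stays inside the organisation
        findings.append(Finding(
            time=rec["CreationTime"],
            user=rec["UserId"],
            operation=rec["Operation"],
            external_targets=targets,
            deletes_original=params.get("DeleteMessage", "").lower() == "true",
        ))
    return findings


if __name__ == "__main__":
    for f in external_forwarding_findings(SAMPLE_LOG):
        flag = " (original deleted)" if f.deletes_original else ""
        print(f"{f.time} {f.user} {f.operation} -> {', '.join(f.external_targets)}{flag}")
```

<p>On the constructed log only Alice's second rule is reported: it forwards to a webmail domain and deletes the original, the combination that keeps the victim unaware. Bob's redirect stays inside the organisation's own domains and is ignored, as is Carol's unrelated event. In production the same logic should also flag the all-mail rules whose name is a single punctuation character, and a rule that survives a password reset is exactly the persistence the advisory warns about.</p>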
<p><strong>Conclusion </strong>- Spear-phishing is an established technique used by many actors, and Star Blizzard uses it successfully, evolving the technique to maintain their success. Individuals and organizations from previously targeted sectors should be vigilant of the techniques described in this advisory.<a href="#_ftn2">[2]</a></p>
<p><a href="https://report.ncsc.gov.uk/">In the UK you can report related suspicious activity to the NCSC.</a></p>
<p>Information on effective defense against spear-phishing is included in the ‘<a href="https://www.ncsc.gov.uk/news/star-blizzard-continues-spear-phishing-campaigns#section_6">Mitigation</a>’ section below.</p>
<p><strong>MITRE ATT&CK ®</strong></p>
<table width="100%">
<thead>
<tr>
<td width="15%">
<p><strong>Tactic</strong></p>
</td>
<td width="23%">
<p><strong>Technique</strong></p>
</td>
<td width="10%">
<p><strong>ID</strong></p>
</td>
<td width="50%">
<p><strong>Procedure</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="15%">
<p>Reconnaissance</p>
</td>
<td width="23%">
<p>Search Open Websites/Domains</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1593/">T1593</a></p>
</td>
<td width="50%">
<p>Star Blizzard uses open-source research and social media to identify information about victims to use in targeting.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Reconnaissance</p>
</td>
<td width="23%">
<p>Gather Victim Identity Information</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1589/">T1589</a></p>
</td>
<td width="50%">
<p>Star Blizzard uses online data sets and open-source resources to gather information about their targets.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Resource Development</p>
</td>
<td width="23%">
<p>Establish Accounts: Social Media Accounts</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1585/001/">T1585.001</a></p>
</td>
<td width="50%">
<p>Star Blizzard has been observed establishing fraudulent profiles on professional networking sites to conduct reconnaissance.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Resource Development</p>
</td>
<td width="23%">
<p>Establish Accounts: Email Accounts</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1585/002/">T1585.002</a></p>
</td>
<td width="50%">
<p>Star Blizzard registers consumer email accounts matching the names of individuals they are impersonating to conduct spear-phishing activity.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Resource Development</p>
</td>
<td width="23%">
<p>Acquire Infrastructure: Domains</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1583/001/">T1583.001</a></p>
</td>
<td width="50%">
<p>Star Blizzard registers domains to host their phishing framework.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Resource Development</p>
</td>
<td width="23%">
<p>Compromise Accounts: Email Accounts</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1586/002/">T1586.002</a></p>
</td>
<td width="50%">
<p>Star Blizzard has been observed using compromised victim email accounts to conduct spear-phishing activity against contacts of the original victim.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Initial Access</p>
</td>
<td width="23%">
<p>Valid Accounts</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1078/">T1078</a></p>
</td>
<td width="50%">
<p>Star Blizzard uses compromised credentials, captured from fake log-in pages, to log in to valid victim user accounts. </p>
</td>
</tr>
<tr>
<td width="15%">
<p>Initial Access</p>
</td>
<td width="23%">
<p>Phishing: Spear-phishing Attachment</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1566/001/">T1566.001</a></p>
</td>
<td width="50%">
<p>Star Blizzard uses malicious links embedded in email attachments to direct victims to their credential-stealing sites.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Initial Access</p>
</td>
<td width="23%">
<p>Phishing: Spear-phishing Link</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1566/002/">T1566.002</a></p>
</td>
<td width="50%">
<p>Star Blizzard sends spear-phishing emails with malicious links directly to credential-stealing sites, or to documents hosted on a file-sharing site, which then direct victims to credential-stealing sites.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Defense Evasion</p>
</td>
<td width="23%">
<p>Use Alternate Authentication Material: Web Session Cookie</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1550/004/">T1550.004</a></p>
</td>
<td width="50%">
<p>Star Blizzard bypasses multi-factor authentication on victim email accounts by using session cookies stolen using EvilGinx.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Credential Access</p>
</td>
<td width="23%">
<p>Steal Web Session Cookie</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1539/">T1539</a></p>
</td>
<td width="50%">
<p>Star Blizzard uses EvilGinx to steal the session cookies of victims directed to their fake log-in domains.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Collection</p>
</td>
<td width="23%">
<p>Email Collection: Remote Email Collection</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1114/002/">T1114.002</a></p>
</td>
<td width="50%">
<p>Star Blizzard interacts directly with externally facing Exchange services, Office 365 and Google Workspace to access email and steal information using compromised credentials or access tokens.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Collection</p>
</td>
<td width="23%">
<p>Email Collection: Email Forwarding Rule</p>
</td>
<td width="10%">
<p><a href="https://attack.mitre.org/techniques/T1114/003/">T1114.003</a></p>
</td>
<td width="50%">
<p>Star Blizzard abuses email-forwarding rules to monitor the activities of a victim, steal information, and maintain persistent access to the victim's emails, even after compromised credentials are reset.</p>
</td>
</tr>
</tbody>
</table>
<p><strong>Mitigation</strong></p>
<p>A number of mitigations will be useful in defending against the activity described in this advisory.</p>
<ul>
<li><strong>Use strong passwords</strong> - Use a separate password for email accounts and avoid password re-use across multiple services. See NCSC guidance: <a href="https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/use-a-strong-and-separate-password-for-email">Top tips for staying secure online: Use a strong and separate password for your email</a></li>
<li><strong>Use multi-factor authentication (MFA) to reduce the impact of password compromises </strong>- Also known as 2-factor authentication (2FA), 2 step verification (2SV) or two-step authentication. See NCSC guidance: <a href="https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services">Multi-factor authentication for online services</a> and <a href="https://www.ncsc.gov.uk/guidance/setting-2-step-verification-2sv">Setting up 2-Step Verification (2SV)</a></li>
<li><strong>Protect your devices and networks by keeping them up to date</strong> - Use the latest supported versions, apply security updates promptly, use antivirus and scan regularly to guard against known malware threats. See NCSC guidance: <a href="https://www.ncsc.gov.uk/collection/mobile-device-guidance/antivirus-and-other-security-software">Device Security Guidance: Antivirus and other security software</a></li>
<li><strong>Exercise vigilance. Spear-phishing emails are tailored to avoid suspicion</strong> - You may recognize the sender’s name, but has the email come from an address that you recognize? Would you expect contact from this person’s webmail address rather than their corporate email address? Has the suspicious email come to your personal/webmail address, rather than your corporate one? Can you verify that the email is legitimate via another means? See NCSC guidance: <a href="https://www.ncsc.gov.uk/guidance/phishing">Phishing attacks: defending your organisation</a> and the FBI Internet Crime Complaint Center (IC3): <a href="https://www.ic3.gov/Home/IndustryAlerts">Current Industry Alerts</a></li>
<li><strong>Enable your email providers’ automated email scanning features</strong> - These are turned on by default for consumer mail providers. See NCSC blog post: <a href="https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working">Telling users to 'avoid clicking bad links' still isn't working</a></li>
<li><strong>Disable mail-forwarding </strong>- Attackers have been observed to set up mail-forwarding rules to maintain visibility of target emails. If you cannot disable mail-forwarding, then monitor settings regularly to ensure that a forwarding rule has not been set up by an external malicious actor.</li>
</ul>
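<p>The last mitigation above asks defenders to check mailboxes regularly for forwarding rules they did not create. The script below is an added example, not code from the NCSC advisory or from this article: it audits a list of inbox rules exported from the mail platform and flags every enabled rule that forwards or redirects mail to a domain outside the organisation, noting when the rule also deletes or marks messages as read so the mailbox owner never sees the forwarded copy. The record layout (fields named Name, MailboxOwnerId, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage and MarkAsRead, modelled on Exchange inbox-rule properties), the example.org domain and the sample rules are all assumptions constructed for the example.</p>

```python
"""Audit exported inbox rules for auto-forwarding to external domains.

Added example, not from the NCSC/CISA advisory. The rule records are assumed
to be an export whose field names follow Exchange inbox-rule properties;
adapt the keys to your own platform's export format.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Rule actions that cause a copy of the mail to leave the mailbox.
FORWARDING_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")


@dataclass
class RuleFinding:
    mailbox: str
    rule_name: str
    external_targets: List[str]
    hides_traces: bool  # rule also deletes or marks-as-read, hiding the forward from the owner


def mail_domain(address: str) -> str:
    """Domain part of an SMTP address, lower-cased ('' if there is no '@')."""
    _local, sep, domain = address.rpartition("@")
    return domain.lower() if sep else ""


def audit_inbox_rules(rules: Iterable[Dict], internal_domains: Set[str]) -> List[RuleFinding]:
    """Return one finding per enabled rule that sends mail outside internal_domains."""
    internal = {d.lower() for d in internal_domains}
    findings: List[RuleFinding] = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue  # a disabled rule cannot forward; not flagged here
        targets: List[str] = []
        for key in FORWARDING_FIELDS:
            targets.extend(rule.get(key) or [])
        external = sorted({t for t in targets if mail_domain(t) not in internal})
        if not external:
            continue
        hides = bool(rule.get("DeleteMessage") or rule.get("MarkAsRead"))
        findings.append(RuleFinding(rule["MailboxOwnerId"], rule["Name"], external, hides))
    return findings


# Constructed sample export; example.org stands in for the organisation's own domain.
SAMPLE_RULES = [
    {"MailboxOwnerId": "alice@example.org", "Name": "Team updates", "Enabled": True,
     "ForwardTo": ["bob@example.org"], "DeleteMessage": False, "MarkAsRead": False},
    {"MailboxOwnerId": "carol@example.org", "Name": ".", "Enabled": True,
     "ForwardTo": ["archive-mail@webmail.example.net"], "DeleteMessage": True, "MarkAsRead": True},
    {"MailboxOwnerId": "dave@example.org", "Name": "Old forward", "Enabled": False,
     "RedirectTo": ["dave.home@mail.example.net"], "DeleteMessage": False, "MarkAsRead": False},
]

if __name__ == "__main__":
    for f in audit_inbox_rules(SAMPLE_RULES, {"example.org"}):
        note = " (also deletes/marks read: owner will not see the forwarded mail)" if f.hides_traces else ""
        print(f"{f.mailbox}: rule {f.rule_name!r} forwards to {', '.join(f.external_targets)}{note}")
```

<p>Running it on the constructed sample reports only carol's rule: alice's rule forwards internally and dave's is disabled. Rules that delete or mark-as-read are worth treating as the higher-priority findings, since that combination keeps the mailbox owner from noticing the forward.</p>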
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.ncsc.gov.uk/news/star-blizzard-continues-spear-phishing-campaigns">https://www.ncsc.gov.uk/news/star-blizzard-continues-spear-phishing-campaigns</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.msn.com/en-us/news/world/who-are-star-blizzard-russian-hacking-unit-accused-of-targeting-the-government/ar-AA1lcJAV">https://www.msn.com/en-us/news/world/who-are-star-blizzard-russian-hacking-unit-accused-of-targeting-the-government/ar-AA1lcJAV</a></p></div>No more Ketchup?https://redskyalliance.org/xindustry/no-more-ketchup2023-12-22T17:00:00.000Z2023-12-22T17:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12331840098,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12331840098,RESIZE_180x180{{/staticFileLink}}" alt="12331840098?profile=RESIZE_180x180" width="75" /></a>A known ransomware group claims to have breached the systems of Kraft Heinz, but the food company says it cannot verify the cybercriminals’ allegations. The ransomware group named Snatch publicly named Kraft Heinz on its website on 14 December 2023, but the post appears to have been created on 16 August 2023, which indicates that the attack occurred months ago.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/snatch-ransomware">https://redskyalliance.org/xindustry/snatch-ransomware</a></p>
<p>Snatch ransomware first appeared in 2018 and was formerly called Team Truniger. Snatch employs a Ransomware-as-a-Service (RaaS) business model and provides ransomware payloads to other threat actors for a fee. Snatch also uses double extortion tactics by exfiltrating their victims' sensitive data. Unless the demanded ransom is paid, Snatch threatens to release the stolen data to the public, pressuring their victims into paying the ransom.<a href="#_ftn1">[1]</a></p>
<p>Snatch ransomware operators use automated brute-force attacks against vulnerable remote desktop services for initial access. Adversaries also acquire compromised credentials from Initial Access Brokers (IABs). As a critical characteristic, Snatch ransomware forces the infected host to reboot into Safe Mode before encrypting the victim's files. This defense evasion tactic allows Snatch ransomware to infect its victims without worrying about antivirus or endpoint protection, because Windows typically does not load endpoint protection mechanisms in Safe Mode.</p>
<p>As an active ransomware group, Snatch continues to add new techniques and tools into its arsenal, and organizations should ensure that their operations are safe against Snatch ransomware attacks. CISA recommends organizations validate their security controls against the Snatch ransomware group's threat behaviors mapped to the MITRE ATT&CK framework.</p>
<p>In a recent statement, Kraft Heinz said it is investigating claims of a cyberattack that occurred several months ago. The company said the target appeared to be a decommissioned marketing site hosted on an external platform, but it’s currently unable to verify the hackers’ claims. “Our internal systems are operating normally, and we currently see no evidence of a broader attack,” Kraft Heinz said. The cybercriminals have yet to publish any files as proof of their claims.</p>
<p>Kraft Heinz is one of the world’s biggest food and beverage companies, with roughly 37,000 employees worldwide. The company owns over 20 brands, including Kraft, Heinz, Boca Burger, Gevalia, Grey Poupon, Oscar Mayer, Philadelphia Cream Cheese, Primal Kitchen, and Wattie’s.</p>
<p>The US government stated in a recent report that the individuals behind the operation may have been active since at least 2018, with evidence pointing to links to other well-known ransomware operations. The group typically encrypts files on the targeted organization’s systems and steals data it threatens to leak to increase the chances of getting paid. Its leak website currently names more than 120 alleged victims. It was discovered a few months ago that Snatch’s site had been leaking data related to its internal operations, as well as the IPs of visitors.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/food-giant-kraft-heinz-targeted-by-ransomware-group/">https://www.securityweek.com/food-giant-kraft-heinz-targeted-by-ransomware-group/</a></p></div>#StopRansomware Guide, Version 3https://redskyalliance.org/xindustry/stopransomware-guide-version-32023-10-20T16:15:00.000Z2023-10-20T16:15:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="https://www.cisa.gov/sites/default/files/2023-10/StopRansomware-Guide-508C-v3_0.pdf" target="_blank"><img class="align-left" src="{{#staticFileLink}}12260185500,RESIZE_400x{{/staticFileLink}}" width="250" alt="12260185500?profile=RESIZE_400x" /></a></p>
<p>The document linked below is a one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks. This publication was developed through the Joint Ransomware Task Force (JRTF), an interagency body established by Congress in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) to ensure unity of effort in combating the growing threat of ransomware attacks.<a href="#_ftn1">[1]</a></p>
<p>Link to report: <a href="https://www.cisa.gov/sites/default/files/2023-10/StopRansomware-Guide-508C-v3_0.pdf">https://www.cisa.gov/sites/default/files/2023-10/StopRansomware-Guide-508C-v3_0.pdf</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.cisa.gov/resources-tools/resources/stopransomware-guide">https://www.cisa.gov/resources-tools/resources/stopransomware-guide</a></p></div>Cyber Friday the 13thhttps://redskyalliance.org/xindustry/cyber-friday-the-13th2023-10-18T12:10:00.000Z2023-10-18T12:10:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12258758265,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12258758265,RESIZE_400x{{/staticFileLink}}" width="250" alt="12258758265?profile=RESIZE_400x" /></a>Colonial Pipeline said there has been no disruption to pipeline operations or their systems after a ransomware gang made several threats last Friday; yes Friday the 13<sup>th</sup>. The company, which runs the largest pipeline system for refined oil products in the US, addressed claims made by the Ransomed.vc gang that data had been stolen from their systems.</p>
<p>“Colonial Pipeline is aware of unsubstantiated claims posted to an online forum that its system has been compromised by an unknown party. After working with our security and technology teams, as well as our partners at CISA, we can confirm that there has been no disruption to pipeline operations and our system is secure at this time,” a spokesperson for the company said. “Files that were posted online initially appear to be part of a third-party data breach unrelated to Colonial Pipeline.”<a href="#_ftn1">[1]</a></p>
<p>When asked further questions about what third party was attacked, whether that incident involved ransomware and if the situation had been contained, a spokesperson directed inquiries to CISA, which did not respond.</p>
<p>The gang runs a Telegram channel where they boast of attacks and claimed on Friday the 13th, in the afternoon, that they attempted to extort Colonial Pipeline unsuccessfully. They shared a zip file with stolen documents that security researchers said had documents related to Colonial Pipeline.</p>
<p>The post also includes a photo of Rob Lee, CEO of incident response firm Dragos. Lee was closely involved in the response to a 2021 ransomware attack on Colonial Pipeline. The company did not respond to requests for comment, but on Twitter Lee said the claims of data theft were fictitious.</p>
<p>“When we wouldn’t pay their extortion attempt, they’ve been pretty ticked off since. Have drug my name and the firm every chance they get,” he said.</p>
<p>The 2021 ransomware attack on Colonial Pipeline is largely considered one of the most consequential ransomware attacks in history, shutting down their operations for five days and paralyzing gas stations throughout the East Coast.</p>
<p>The company operates about 5,500 miles of pipeline that delivers gasoline, diesel, jet fuel, home heating oil, and other refined oil products throughout the Southern and Eastern US. Colonial Pipeline ended up paying a $5 million ransom.</p>
<p>The attack made ransomware a household topic and kickstarted a push at all levels of government to address the attacks and the groups behind them. Several new cybersecurity regulations governing pipelines were instituted following the attack.</p>
<p>In June of this year, the US government confirmed that it used controversial digital surveillance powers to identify the individual behind the crippling ransomware attack and to claw back a majority of the millions of dollars in bitcoin the company paid to restore its systems.</p>
<p>Russia arrested one of the people behind the attack in 2022 but it is unclear whether the person was ever convicted of a crime.</p>
<p>Ransomed.vc recently made waves after threatening victims with the prospect of European data breach fines if ransoms for stolen data are not paid. It defaced a Hawaii state government website last month, and two weeks ago Japanese manufacturing giant Sony told Recorded Future News that it was investigating data theft claims by the group. But the group’s legitimacy has been questioned, considering none of the victims added to the group’s leak site since it emerged on 15 August have reported incidents. It is still unclear if the group uses ransomware.</p>
<p>The group claimed to have attacked US credit agency TransUnion, which denied its systems were ever breached but noted that the data being offered for sale may have “come from a third party.”</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/colonial-pipeline-attributes-ransomware-claims-to-unrelated-third-party-breach">https://therecord.media/colonial-pipeline-attributes-ransomware-claims-to-unrelated-third-party-breach</a></p></div>Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networkshttps://redskyalliance.org/xindustry/threat-actors-exploit-atlassian-confluence-cve-2023-22515-for-ini2023-10-18T12:00:00.000Z2023-10-18T12:00:00.000ZCyberDoghttps://redskyalliance.org/members/CyberDog189<div><p><a href="{{#staticFileLink}}12258816689,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12258816689,RESIZE_400x{{/staticFileLink}}" alt="12258816689?profile=RESIZE_400x" width="250" /></a>The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. Threat actors exploited CVE-2023-22515 as a zero-day to obtain access to victim systems and continue active exploitation post-patch. Atlassian has rated this vulnerability as critical; CISA, FBI, and MS-ISAC expect widespread, continued exploitation due to ease of exploitation.</p>
<p>CISA, FBI, and MS-ISAC strongly encourage network administrators to immediately apply the upgrades provided by Atlassian. CISA, FBI, and MS-ISAC also encourage organizations to hunt for malicious activity on their networks using the detection signatures and indicators of compromise (IOCs) in this CSA. If a potential compromise is detected, organizations should apply the incident response recommendations. For additional information on upgrade instructions, a complete list of affected product versions, and IOCs, see Atlassian’s security advisory for CVE-2023-22515.[<a href="https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html">1</a>] While Atlassian’s advisory provides interim measures to temporarily mitigate known attack vectors, CISA, FBI, and MS-ISAC strongly encourage upgrading to a fixed version or taking servers offline to apply necessary updates.</p>
<p>Download the PDF version of this report:</p>
<p><a href="https://www.cisa.gov/sites/default/files/2023-10/aa23-289a-threat-actors-exploit-atlassian-confluence-cve-2023-22515-for-initial-access_0.pdf">AA23-289A Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks</a>(PDF, 476.56 KB )</p>
<p>For a downloadable copy of IOCs, see:</p>
<p><a href="https://www.cisa.gov/sites/default/files/2023-10/AA23-289A.stix_.xml">AA23-289A STIX XML</a>(XML, 12.45 KB )</p>
<p><a href="https://www.cisa.gov/sites/default/files/2023-10/AA23-289A%20Threat%20Actors%20Exploit%20CVE-2023-22515%20for%20Initial%20Access%20to%20Networks.stix_.json">AA23-289A STIX JSON</a>(JSON, 9.03 KB )</p>
<p>Overview - <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-22515">CVE-2023-22515</a> is a critical Broken Access Control vulnerability affecting the following versions of Atlassian Confluence Data Center and Server. Note: Atlassian Cloud sites (sites accessed via an atlassian.net domain) are not affected by this vulnerability, nor are Confluence Data Center and Server versions before 8.0.0.</p>
<table>
<tbody>
<tr>
<td>
<p>8.0.0</p>
<p>8.0.1</p>
<p>8.0.2</p>
<p>8.0.3</p>
<p>8.0.4</p>
<p>8.1.0</p>
<p>8.1.1</p>
</td>
<td>
<p>8.1.3</p>
<p>8.1.4</p>
<p>8.2.0</p>
<p>8.2.1</p>
<p>8.2.2</p>
<p>8.2.3</p>
<p>8.3.0</p>
</td>
<td>
<p>8.3.1</p>
<p>8.3.2</p>
<p>8.4.0</p>
<p>8.4.1</p>
<p>8.4.2</p>
<p>8.5.0</p>
<p>8.5.1</p>
</td>
</tr>
</tbody>
</table>
<p>Unauthenticated remote threat actors can exploit this vulnerability to create unauthorized Confluence administrator accounts and access Confluence instances. More specifically, threat actors can change the Confluence server’s configuration to indicate the setup is not complete and use the /setup/setupadministrator.action endpoint to create a new administrator user. The vulnerability is triggered via a request on the unauthenticated /server-info.action endpoint.</p>
<p>Considering the root cause of the vulnerability allows threat actors to modify critical configuration settings, CISA, FBI, and MS-ISAC assess that the threat actors may not be limited to creating new administrator accounts. Open source further indicates an Open Web Application Security Project (OWASP) classification of injection (i.e., <a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input Validation</a>) is an appropriate description.[<a href="https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis?referrer=search">2</a>] Atlassian released a patch on 4 October 2023, and confirmed that threat actors exploited CVE-2023-22515 as a zero-day—a previously unidentified vulnerability.[<a href="https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html">1</a>]</p>
<p>On 5 October 2023, CISA added this vulnerability to its <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">Known Exploited Vulnerabilities Catalog</a> based on evidence of active exploitation. Due to the ease of exploitation, CISA, FBI, and MS-ISAC expect to see widespread exploitation of unpatched Confluence instances in government and private networks.</p>
<p>Post-Exploitation: Exfiltration of Data - Post-exploitation exfiltration of data can be executed through a variety of techniques. A predominant method observed involves the use of cURL, a command line tool used to transfer data to or from a server. An additional data exfiltration technique observed includes use of Rclone [<a href="https://attack.mitre.org/versions/v13/software/S1040/">S1040</a>], a command line tool used to sync data to cloud and file hosting services such as Amazon Web Services and China-based UCloud Information Technology Limited. Note: This does not preclude the effectiveness of alternate methods, but highlights methods observed to date. Threat actors were observed using Rclone to either upload a configuration file to victim infrastructure or enter cloud storage credentials via the command line. Example configuration file templates are listed in the following Figures 1 and 2, which are populated with the credentials of the exfiltration point:</p>
<table>
<tbody>
<tr>
<td>
<p>[s3]<br /> type =<br /> env_auth =<br /> access_key_id =<br /> secret_access_key =<br /> region = <br /> endpoint = <br /> location_constraint =<br /> acl =<br /> server_side_encryption =<br /> storage_class =</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<table>
<tbody>
<tr>
<td>
<p>[minio]<br /> type =<br /> provider =<br /> env_auth =<br /> access_key_id =<br /> secret_access_key =<br /> endpoint =<br /> acl =</p>
</td>
</tr>
</tbody>
</table>
<p>The following User-Agent strings were observed in request headers. Note: As additional threat actors begin to use this CVE due to the availability of publicly posted proof-of-concept code, an increasing variation in User-Agent strings is expected:</p>
<p>Python-requests/2.27.1</p>
<p>curl/7.88.1</p>
<p>Indicators of Compromise:</p>
<p>Disclaimer: Organizations are recommended to investigate or vet these IP addresses prior to taking action, such as blocking. The following IP addresses were obtained from FBI investigations as of October 2023 and observed conducting data exfiltration:</p>
<p>170.106.106[.]16</p>
<p>43.130.1[.]222</p>
<p>152.32.207[.]23</p>
<p>199.19.110[.]14</p>
<p>95.217.6[.]16 (Note: This is the official rclone.org website)</p>
<p>Additional IP addresses observed sending related exploit traffic have been shared by Microsoft.[<a href="https://twitter.com/MsftSecIntel/status/1711871733932671336">3</a>]</p>
<p>Detection Methods - Network defenders are encouraged to review and deploy Proofpoint’s Emerging Threat signatures. See Ruleset Update Summary - 2023/10/12 - v10438.[<a href="https://community.emergingthreats.net/c/ruleset-updates/9">4</a>] Network defenders are also encouraged to aggregate application and server-level logging from Confluence servers to a logically separated log search and alerting system, as well as configure alerts for signs of exploitation (as detailed in Atlassian’s security advisory).</p>
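<p>The advisory gives defenders three kinds of indicator to look for in Confluence logs: requests to the two endpoints named above (/server-info.action and /setup/setupadministrator.action), the source IP addresses in the IOC list, and the two User-Agent strings. The script below is an added example, not code from CISA, Atlassian or this article, that applies all three to access-log lines and reports why each line was flagged. It assumes a combined/Tomcat-style access-log format (the regular expression and the LOG_RE name are this example's own), carries the advisory's note that 95.217.6[.]16 is the rclone.org site and should be vetted before blocking, and the sample log lines are constructed, not real captures.</p>

```python
"""Scan Confluence access-log lines for the indicators listed in AA23-289A.

Added example, not from CISA or Atlassian. Assumes combined/Tomcat-style
access-log lines; the SAMPLE_LOG entries are constructed, not real captures.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Endpoints named in the advisory: the unauthenticated endpoint that triggers
# CVE-2023-22515 and the setup endpoint used to create an administrator account.
SUSPICIOUS_PATHS = {
    "/server-info.action": "request to unauthenticated /server-info.action (trigger endpoint)",
    "/setup/setupadministrator.action": "request to /setup/setupadministrator.action (admin creation)",
}

# IP IOCs from the advisory, defanged there with [.], with the advisory's caveats.
IOC_IPS = {
    "170.106.106[.]16": "FBI-observed exfiltration source",
    "43.130.1[.]222": "FBI-observed exfiltration source",
    "152.32.207[.]23": "FBI-observed exfiltration source",
    "199.19.110[.]14": "FBI-observed exfiltration source",
    "95.217.6[.]16": "official rclone.org site; vet before blocking",
}

# User-Agent strings observed in exploitation requests per the advisory.
IOC_USER_AGENTS = {"Python-requests/2.27.1", "curl/7.88.1"}

# Combined-format access-log line (assumed layout), e.g.
# 1.2.3.4 - - [10/Oct/2023:12:00:00 +0000] "GET /x HTTP/1.1" 200 123 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def refang(ip: str) -> str:
    """Turn a defanged IOC such as 1.2.3[.]4 back into a validated address string."""
    return ipaddress.ip_address(ip.replace("[.]", ".")).compressed


REFANGED_IOCS = {refang(ip): note for ip, note in IOC_IPS.items()}


@dataclass
class Finding:
    line_no: int
    ip: str
    method: str
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Any hit on the admin-creation endpoint, or two or more independent
        # indicators on one request, is the strongest signal; the rest is "review".
        if any("setupadministrator" in r for r in self.reasons) or len(self.reasons) >= 2:
            return "high"
        return "review"


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per log line that matches any advisory indicator."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; a production scanner would count these
        path = m["target"].split("?", 1)[0]  # drop the query string before matching
        reasons: List[str] = []
        if path in SUSPICIOUS_PATHS:
            reasons.append(SUSPICIOUS_PATHS[path])
        if m["ip"] in REFANGED_IOCS:
            reasons.append(f"source IP in advisory IOC list ({REFANGED_IOCS[m['ip']]})")
        if m["ua"] in IOC_USER_AGENTS:
            reasons.append(f"User-Agent matches observed exploit tooling: {m['ua']}")
        if reasons:
            findings.append(Finding(line_no, m["ip"], m["method"], path, reasons))
    return findings


# Constructed sample lines (not real captures); the flagged IPs come from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Oct/2023:09:01:02 +0000] "GET /wiki/spaces/ENG/overview HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '170.106.106.16 - - [12/Oct/2023:09:02:10 +0000] "GET /server-info.action HTTP/1.1" 200 0 "-" "Python-requests/2.27.1"',
    '43.130.1.222 - - [12/Oct/2023:09:02:11 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "curl/7.88.1"',
    '203.0.113.9 - - [12/Oct/2023:09:30:00 +0000] "GET /rest/api/content?limit=25 HTTP/1.1" 200 880 "-" "curl/7.88.1"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.severity}] {f.ip} {f.method} {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

<p>On a fully set-up instance there is no legitimate reason for traffic to reach the setup endpoint, so that hit alone is rated high; a lone User-Agent match (the last sample line) is only a review item, since curl and Python requests are common in legitimate API automation. Pair the log scan with the Emerging Threats signatures and the log alerting the advisory recommends rather than relying on it alone.</p>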
<p>Incident Response - Organizations are encouraged to review all affected Confluence instances for evidence of compromise, as outlined by Atlassian.[<a href="https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html">1</a>] If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform any number of unfettered actions—these include but are not limited to exfiltration of content and system credentials, as well as installation of malicious plugins.</p>
<p>If a potential compromise is detected, organizations should:</p>
<ul>
<li>Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections. Note: Upgrading to fixed versions, as well as removing malicious administrator accounts, may not fully mitigate risk, considering threat actors may have established additional persistence mechanisms.</li>
<li>Search and audit logs from Confluence servers for attempted exploitation.[<a href="https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis?referrer=search">2</a>]</li>
<li>Quarantine and take offline potentially affected hosts.</li>
<li>Provision new account credentials.</li>
<li>Reimage compromised hosts.</li>
<li>Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov. State, local, tribal, and territorial governments should report incidents to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).</li>
</ul>
<p>Mitigations - These mitigations apply to all organizations using non-cloud Atlassian Confluence Data Center and Server software. CISA, FBI, and MS-ISAC recommend that software manufacturers incorporate secure by design and default principles and tactics into their software development practices to reduce the prevalence of Broken Access Control vulnerabilities, thus strengthening the secure posture for their customers. For more information on secure by design, see CISA’s <a href="https://www.cisa.gov/securebydesign">Secure by Design and Default</a> webpage and <a href="https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default">joint guide</a>.</p>
<p>As of 10 October 2023, proof-of-concept exploits for CVE-2023-22515 have been observed in open source publications.[<a href="https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2023-22515">5</a>] While there are immediate concerns such as increased risk of exploitation and the potential integration into malware toolkits, the availability of a proof-of-concept presents an array of security and operational challenges that extend beyond these immediate issues. Immediate action is strongly advised to address the potential risks associated with this development.</p>
<p>CISA, FBI, and MS-ISAC recommend taking immediate action to address the potential associated risks and encourage organizations to:</p>
<ul>
<li>Immediately upgrade to fixed versions. See Atlassian’s upgrading instructions[<a href="https://confluence.atlassian.com/doc/upgrading-confluence-4578.html">6</a>] for more information. If unable to immediately apply upgrades, restrict untrusted network access until feasible. Malicious cyber threat actors who exploit the affected instance can escalate to administrative privileges.</li>
<li>Follow best cybersecurity practices in your production and enterprise environments. While not observed in this instance of exploitation, mandating <a href="https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf">phishing-resistant multifactor authentication (MFA)</a> for all staff and services can make it more difficult for threat actors to gain access to networks and information systems. For additional best practices, see:
<ul>
<li>CISA’s <a href="https://www.cisa.gov/cpg">Cross-Sector Cybersecurity Performance Goals</a> (CPGs). The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of IT and OT security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common tactics, techniques, and procedures (TTPs). Because the CPGs are a subset of best practices, CISA recommends software manufacturers implement a comprehensive information security program based on a recognized framework, such as the NIST Cybersecurity Framework (CSF).</li>
<li>Center for Internet Security’s (CIS) <a href="https://www.cisecurity.org/controls">Critical Security Controls</a>. The CIS Critical Security Controls are a prescriptive, prioritized, and simplified set of best practices that organizations can use to strengthen cybersecurity posture and protect against cyber incidents.</li>
</ul>
</li>
</ul>
<p>Resources:</p>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-22515">NIST: CVE-2023-22515</a></p>
<p><a href="https://cwe.mitre.org/data/definitions/20.html">MITRE: CWE-20 - Improper Input Validation</a></p>
<p><a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">CISA: Known Exploited Vulnerabilities Catalog</a></p>
<p><a href="https://attack.mitre.org/versions/v13/software/S1040/">MITRE Software: Rclone</a></p>
<p><a href="https://www.cisa.gov/securebydesign">CISA: Secure by Design and Default</a></p>
<p><a href="https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf">CISA: Phishing-Resistant MFA</a></p>
<p><a href="https://www.cisa.gov/cpg">CISA: Cross-Sector Cybersecurity Performance Goals</a></p>
<p><a href="https://www.cisecurity.org/controls">CIS: Critical Security Controls</a></p>
<p>REFERENCES</p>
<p>[1] <a href="https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html">Atlassian: CVE-2023-22515 - Broken Access Control Vulnerability in Confluence Data Center and Server</a><br /> [2] <a href="https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis?referrer=search">Rapid7: CVE-2023-22515 Analysis</a><br /> [3] <a href="https://twitter.com/MsftSecIntel/status/1711871733932671336">Microsoft: CVE-2023-22515 Exploit IP Addresses</a><br /> [4] <a href="https://community.emergingthreats.net/c/ruleset-updates/9">Proofpoint: Emerging Threats Rulesets</a><br /> [5] <a href="https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2023-22515">Confluence CVE-2023-22515 Proof of Concept - vulhub</a><br /> [6] <a href="https://confluence.atlassian.com/doc/upgrading-confluence-4578.html"> Atlassian Support: Upgrading Confluence</a></p>
<p> </p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p></div>AvosLocker Updatehttps://redskyalliance.org/xindustry/avoslocker-update2023-10-13T12:35:00.000Z2023-10-13T12:35:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12254133253,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12254133253,RESIZE_400x{{/staticFileLink}}" alt="12254133253?profile=RESIZE_400x" width="250" /></a>US authorities have shared a joint Cybersecurity Advisory (CSA) that is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.</p>
<p>This joint CSA shares known IOCs, TTPs, and detection methods associated with the AvosLocker variant identified through FBI investigations as recently as May 2023. AvosLocker operates under a ransomware-as-a-service (RaaS) model. AvosLocker affiliates have compromised organizations across multiple critical infrastructure sectors in the US, affecting Windows, Linux, and VMware ESXi environments. AvosLocker affiliates compromise organizations’ networks by using legitimate software and open-source remote system administration tools. AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data.</p>
<p>This joint advisory updates the 17 March 2022 AvosLocker ransomware joint CSA, Indicators of Compromise Associated with AvosLocker Ransomware. This update includes IOCs and TTPs not included in the previous advisory and a YARA rule the FBI developed after analyzing a tool associated with an AvosLocker compromise.</p>
<p>Link to full report: <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-284a">https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-284a</a></p>
</div>OCT - Cyber Security Monthhttps://redskyalliance.org/xindustry/oct-cyber-security-month2023-10-08T16:10:00.000Z2023-10-08T16:10:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12239558474,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12239558474,RESIZE_400x{{/staticFileLink}}" width="250" alt="12239558474?profile=RESIZE_400x" /></a>To celebrate the 20th Cybersecurity Awareness Month, CISA has launched a new program, meant to promote four critical actions that businesses and individuals can take to improve cybersecurity. Since 2004, October has been dedicated to raising awareness on the importance of cybersecurity for both private and public sectors, as part of a collaborative effort between government and industry. This year, CISA is introducing Secure Our World, an initiative to deliver an “enduring message” to be integrated across CISA’s awareness campaigns and programs, encouraging both businesses and individuals to take action to protect their devices.<a href="#_ftn1">[1]</a></p>
<p>“Secure Our World is the theme for this year’s Cybersecurity Awareness Month and will remain the enduring theme for future awareness month campaigns,” CISA announced. As part of this awareness-raising initiative, CISA is encouraging small to medium-sized businesses (SMBs), individuals, and families to use strong passwords, to turn on multi-factor authentication, to be wary of unsolicited messages and report them, and to always keep their software updated.</p>
<p>Businesses, CISA says, should educate their employees on identifying and reporting phishing attempts and on avoiding unsolicited links and attachments, which typically lead to network compromise. “Your business is digitally connected—to employees, vendors, and customers. Your systems store sensitive information. Sensitive business information and customers’ and employees’ personal data could be at risk from online threats. No business is too small to be a target for online crime—the fact is, small businesses are much more likely to be targeted by cybercriminals than larger companies,” CISA tells businesses.</p>
<p>In addition to introducing the new Secure Our World program, CISA has partnered with the National Cybersecurity Alliance (NCA) to provide businesses and individuals with resources and messaging about staying safe online, including guides, infographics, templates, and graphic resources. “We can all collaborate to build a safer, more trusted digital world! By learning the four simple steps we can take to stay safe online at home, work, and school, and sharing these tips with our community, we can all become significantly safer online,” CISA notes.</p>
<p>In addition to celebrating this month, this is what Red Sky Alliance recommends for every month of the year:</p>
<ul>
<li>All data in transmission and at rest should be encrypted.</li>
<li>Proper data back-up and off-site storage policies should be adopted and followed.</li>
<li>Implement 2-factor authentication company-wide.</li>
<li>For USA readers, join and become active in your local InfraGard chapter; there is no charge for membership (infragard.org).</li>
<li>Update disaster recovery plans and emergency procedures with cyber threat recovery procedures, and test them.</li>
<li>Institute cyber threat and phishing training for all employees, with testing and updating.</li>
<li>Recommend/require cyber security software, services and devices to be used by all at-home working employees and consultants.</li>
<li>Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.</li>
<li>Ensure that all software updates and patches are installed immediately.</li>
<li>Enroll your company/organization in RedXray for daily cyber threat notifications directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.</li>
<li>Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance, <a href="https://www.redskyalliance.com/cysurance">https://www.redskyalliance.com/cysurance</a>.</li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/cisa-kicks-off-cybersecurity-awareness-month-with-new-program/">https://www.securityweek.com/cisa-kicks-off-cybersecurity-awareness-month-with-new-program/</a></p></div>Govt Shutdown May Affect 85% of CISAhttps://redskyalliance.org/xindustry/govt-shutdown-may-affect-85-of-cisa2023-09-29T14:00:00.000Z2023-09-29T14:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12234694483,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12234694483,RESIZE_400x{{/staticFileLink}}" alt="12234694483?profile=RESIZE_400x" width="250" /></a>A US government shutdown affects about 800,000 federal employees out of 1.8 million full-time civil servants. About 380,000 are furloughed, meaning they cannot work or get paid. The rest are working without pay. A government shutdown can cause financial hardship for many federal employees, who may have to use their savings to survive while furloughed.</p>
<p>Nearly 85% of US cybersecurity agency CISA staff may be sent home at the end of the week as a government shutdown looms. The US government will partially shut down on Sunday unless lawmakers reach a deal on a funding bill. A shutdown will result in the furlough of hundreds of thousands of <u>non-essential</u> federal employees and the suspension of many services.</p>
<p>The US Department of Homeland Security (DHS) has announced the number of employees that would stay on during a shutdown for each agency. In the case of CISA, which had 3,117 employees as of 17 June 2023, only 571 would remain during a lapse in appropriations. This means that more than 80% of its workers would be furloughed.<a href="#_ftn1">[1]</a> “Following notification of the lapse in appropriations, the non-exempt CISA staff will need four business hours to complete an orderly cessation of all other activities,” the DHS said.</p>
<p>A US government shutdown can significantly impact cybersecurity, including increasing criminal activity, failure to renew digital certificates, failure to deploy security patches, and denting the government’s ability to recruit talent. In CISA’s case, the agency is important in protecting the government and the private sector against cyber threats.</p>
<p>This includes issuing warnings over actively exploited vulnerabilities, helping investigate high-impact cyberattacks, creating guidance, aiding critical infrastructure organizations to beef up their security, conducting cyber exercises, and assisting with incident response. “The silver lining for cybersecurity in any government shutdown is that most government personnel involved with cybersecurity operations will likely be classified as essential and exempt from furlough. These would include roles like security monitoring and incident response, but generally not roles like security governance,” commented Jake Williams, veteran cybersecurity expert and faculty at IANS Research.</p>
<p>“The dark cloud is that in many government agencies, large percentages of the tactical security operations work is performed by contractors, who have historically not had the same exemptions to remain in place. In any shutdown scenario, there will be fewer staff available for security monitoring and response,” Williams added.</p>
<p>In the case of CISA, Williams stated, “I think it’s important to distinguish tactical network security operations (monitoring and incident response) from strategic program development and governance. The latter, which makes up most of CISA’s mission, will almost certainly be furloughed. The former will still see staff furloughed, but I’m trying to communicate that we shouldn’t think furloughs mean that security ops centers stop functioning because everyone goes home. That did not happen in the last shutdown, and it won’t happen here either.”</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/80-of-cisa-staff-at-risk-of-furlough-as-government-shutdown-looms/">https://www.securityweek.com/80-of-cisa-staff-at-risk-of-furlough-as-government-shutdown-looms/</a></p></div>Snatch Ransomwarehttps://redskyalliance.org/xindustry/snatch-ransomware2023-09-23T13:05:00.000Z2023-09-23T13:05:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12229304882,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12229304882,RESIZE_400x{{/staticFileLink}}" width="250" alt="12229304882?profile=RESIZE_400x" /></a>The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released this joint CSA to disseminate known ransomware IOCs and TTPs associated with the Snatch ransomware variant.</p>
<p>Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.<a href="#_ftn1">[1]</a></p>
<p><strong>TECHNICAL DETAILS</strong> - <strong><em>Note:</em></strong><em> This CISA advisory uses the <a href="https://attack.mitre.org/versions/v13/matrices/enterprise/">MITRE ATT&CK for Enterprise</a> framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s <a href="https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping">Best Practices for MITRE ATT&CK Mapping</a> and CISA’s <a href="https://github.com/cisagov/Decider/">Decider Tool</a>.</em></p>
<p>First appearing in 2018, Snatch operates a ransomware-as-a-service (RaaS) model and claimed their first US-based victim in 2019. Originally, the group was referred to as Team Truniger, based on the nickname of a key group member, Truniger, who previously operated as a GandCrab affiliate. Snatch threat actors use a customized ransomware variant notable for rebooting devices into Safe Mode [<a href="https://attack.mitre.org/versions/v13/techniques/T1562/009/">T1562.009</a>], enabling the ransomware to circumvent detection by antivirus or endpoint protection, and then encrypting files when few services are running.</p>
<p>Snatch threat actors have been observed purchasing previously stolen data from other ransomware variants to further exploit victims into paying a ransom to avoid having their data released on Snatch’s extortion blog. Since November 2021, an extortion site operating under the name Snatch served as a clearinghouse for data exfiltrated or stolen from victim companies on Clearnet and TOR hosted by a bulletproof hosting service. In August 2023, individuals claiming to be associated with the blog gave a media interview claiming the blog was not associated with Snatch ransomware and “none of our targets has been attacked by Ransomware Snatch…”, despite multiple confirmed Snatch victims’ data appearing on the blog alongside victims associated with other ransomware groups, notably Nokoyawa and Conti.</p>
<p><strong>Initial Access and Persistence </strong>- Snatch threat actors employ several different methods to gain access to and maintain persistence on a victim’s network. Snatch affiliates primarily rely on exploiting weaknesses in Remote Desktop Protocol (RDP) [<a href="https://attack.mitre.org/versions/v13/techniques/T1133/">T1133</a>] for brute-forcing and gaining administrator credentials to victims’ networks [<a href="https://attack.mitre.org/versions/v13/techniques/T1110/001/">T1110.001</a>]. In some instances, Snatch affiliates have sought out compromised credentials from criminal forums/marketplaces [<a href="https://attack.mitre.org/versions/v13/techniques/T1078/">T1078</a>].</p>
<p>Snatch threat actors gain persistence on a victim’s network by compromising an administrator account [<a href="https://attack.mitre.org/versions/v13/techniques/T1078/002/">T1078.002</a>] and establishing connections over port 443 [<a href="https://attack.mitre.org/versions/v13/techniques/T1071/001/">T1071.001</a>] to a command and control (C2) server located on a Russian bulletproof hosting service [<a href="https://attack.mitre.org/versions/v13/techniques/T1583/003/">T1583.003</a>]. Per IP traffic from event logs provided by recent victims, Snatch threat actors initiated RDP connections from a Russian bulletproof hosting service and through other virtual private network (VPN) services [<a href="https://attack.mitre.org/versions/v13/techniques/T1133/">T1133</a>].</p>
<p><strong>Data Discovery and Lateral Movement </strong>- Snatch threat actors were observed using different TTPs to discover data, move laterally, and search for data to exfiltrate. Snatch threat actors use sc.exe to configure, query, stop, start, delete, and add system services using the Windows Command line. In addition to sc.exe, Snatch threat actors also use tools such as Metasploit and Cobalt Strike [<a href="https://attack.mitre.org/versions/v13/software/S0154/">S0154</a>].</p>
<p>Prior to deploying the ransomware, Snatch threat actors were observed spending up to three months on a victim’s system. Within this timeframe, Snatch threat actors exploited the victim’s network [<a href="https://attack.mitre.org/versions/v13/techniques/T1590/">T1590</a>], moving laterally across the victim’s network with RDP [<a href="https://attack.mitre.org/versions/v13/techniques/T1021/001/">T1021.001</a>] for the largest possible deployment of ransomware and searching for files and folders [<a href="https://attack.mitre.org/versions/v13/techniques/T1005/">T1005</a>] for data exfiltration [<a href="https://attack.mitre.org/versions/v13/tactics/TA0010/">TA0010</a>] followed by file encryption [<a href="https://attack.mitre.org/versions/v13/techniques/T1486/">T1486</a>].</p>
<p><strong>Defense Evasion and Execution </strong>- During the early stages of ransomware deployment, Snatch threat actors attempt to disable antivirus software and run an executable as a file named safe.exe or some variation thereof. In recent victims, the ransomware executable’s name consisted of a string of hexadecimal characters which match the SHA-256 hash of the file in an effort to defeat rule-based detection. Upon initiation, the Snatch ransomware payload queries and modifies registry keys, uses various native Windows tools to enumerate the system, finds processes and creates benign processes to execute Windows batch (.bat) files. In some instances, the program attempts to remove all the volume shadow copies from a system. After the execution of the batch files, the executable removes the batch files from the victim’s filesystem.</p>
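<p>The hash-as-filename trick described above is itself a detectable signal. The following Python scan is an added example (not code from the advisory or from Red Sky Alliance): it flags files whose 64-hex-character stem equals the SHA-256 of their own contents, using a constructed temporary directory as sample input.</p>

```python
"""Find executables named after their own SHA-256 digest.

Added example, not code from the CISA/FBI advisory or Red Sky Alliance.
Snatch payloads were observed with a 64-hex-character file name equal to
the file's SHA-256, meant to sidestep name-based rules; that convention is
itself a signal worth hunting for. All files here are constructed samples.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_self_hash_named(path: Path) -> bool:
    """True when the stem is 64 hex characters AND equals the content's SHA-256.
    A hex-looking name alone is not enough: the hash is only computed after the
    cheap regex check, and a mismatch (e.g. a renamed file) does not fire."""
    if not HEX64.match(path.stem):
        return False
    return path.stem.lower() == sha256_of_file(path)


def scan_for_self_hash_named(root: Path, suffixes=(".exe", ".bat", ".bi")) -> list:
    """Walk root and return the paths matching the naming pattern, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            candidate = Path(dirpath) / name
            if candidate.suffix.lower() in suffixes and is_self_hash_named(candidate):
                hits.append(candidate)
    return sorted(hits)


def build_sample_tree(root: Path) -> str:
    """Constructed sample: one self-hash-named binary plus two decoys.
    Returns the file name the scan is expected to flag."""
    payload = b"MZ\x90\x00constructed sample bytes, not a real payload"
    digest = hashlib.sha256(payload).hexdigest()
    (root / f"{digest}.exe").write_bytes(payload)
    # Decoy 1: hex-looking 64-char name whose contents do not hash to it.
    (root / ("a" * 64 + ".exe")).write_bytes(b"MZ\x90\x00other bytes")
    # Decoy 2: ordinary name.
    (root / "setup.exe").write_bytes(b"MZ\x90\x00benign installer")
    return f"{digest}.exe"


def demo() -> tuple:
    """Build the sample tree in a temp dir, scan it, return (flagged names, expected)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        expected = build_sample_tree(root)
        flagged = [hit.name for hit in scan_for_self_hash_named(root)]
    return flagged, expected


if __name__ == "__main__":
    flagged, expected = demo()
    print("flagged:", flagged, "expected:", expected)
```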
<p>The Snatch ransomware executable appends a series of hexadecimal characters to each file and folder name it encrypts—unique to each infection—and leaves behind a text file titled HOW TO RESTORE YOUR FILES.TXT in each folder. Snatch threat actors communicate with their victims through email and the Tox communication platform based on identifiers left in ransom notes or through their extortion blog. Since November 2021, some victims reported receiving a spoofed call from an unknown female who claimed association with Snatch and directed them to the group’s extortion site. In some instances, Snatch victims had a different ransomware variant deployed on their systems, but received a ransom note from Snatch threat actors. As a result, the victims’ data is posted on the ransomware blog involving the different ransomware variant and on the Snatch threat actors’ extortion blog.</p>
<p><strong>Indicators of Compromise (IOCs) </strong>- The Snatch IOCs detailed in this section were obtained through FBI investigations from September 2022 through June 2023.</p>
<p><strong>Email Domains and Addresses </strong>- Since 2019, Snatch threat actors have used numerous email addresses to email victims. Email addresses used by Snatch threat actors are random but usually originate from one of the following domains listed in Tables 1 and 2:</p>
<table width="100%">
<thead>
<tr>
<td width="100%">
<p><strong>Table 1: Malicious Email Domains Observed in Use by Snatch Threat Actors</strong></p>
</td>
</tr>
<tr>
<td width="100%">
<p><strong>Email Domains</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="100%">
<p>sezname[.]cz</p>
</td>
</tr>
<tr>
<td width="100%">
<p>cock[.]li</p>
</td>
</tr>
<tr>
<td width="100%">
<p>airmail[.]cc</p>
</td>
</tr>
</tbody>
</table>
<p>Table 2 shows a list of legitimate email domains offering encrypted email services that have been used by Snatch threat actors. These email domains are all publicly available and legal. The use of these email domains by a threat actor should not be attributed to the email domains, absent specific articulable facts tending to show they are used at the direction or under the control of a threat actor.</p>
<table width="100%">
<thead>
<tr>
<td width="100%">
<p><strong>Table 2: Legitimate Email Domains Observed in Use by Snatch Threat Actors</strong></p>
</td>
</tr>
<tr>
<td width="100%">
<p><strong>Email Domains</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="100%">
<p>tutanota[.]com / tutamail[.]com / tuta[.]io</p>
</td>
</tr>
<tr>
<td width="100%">
<p>mail[.]fr</p>
</td>
</tr>
<tr>
<td width="100%">
<p>keemail[.]me</p>
</td>
</tr>
<tr>
<td width="100%">
<p>protonmail[.]com / proton[.]me</p>
</td>
</tr>
<tr>
<td width="100%">
<p>swisscows[.]email</p>
</td>
</tr>
</tbody>
</table>
<p>The email addresses listed in Table 3 were reported by recent victims.</p>
<table width="100%">
<thead>
<tr>
<td width="100%">
<p><strong>Table 3: Snatch’s Email Addresses Reported by Recent Victims</strong></p>
</td>
</tr>
<tr>
<td width="100%">
<p><strong>Email Addresses</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="100%">
<p>sn.tchnews.top@protonmail[.]me</p>
</td>
</tr>
<tr>
<td width="100%">
<p>funny385@swisscows[.]email</p>
</td>
</tr>
<tr>
<td width="100%">
<p>funny385@proton[.]me</p>
</td>
</tr>
<tr>
<td width="100%">
<p>russellrspeck@seznam[.]cz</p>
</td>
</tr>
<tr>
<td width="100%">
<p>russellrspeck@protonmail[.]com</p>
</td>
</tr>
<tr>
<td width="100%">
<p>Mailz13MoraleS@proton[.]me</p>
</td>
</tr>
<tr>
<td width="100%">
<p>datasto100@tutanota[.]com</p>
</td>
</tr>
<tr>
<td width="100%">
<p>snatch.vip@protonmail[.]com</p>
</td>
</tr>
</tbody>
</table>
<table width="100%">
<thead>
<tr>
<td width="100%">
<p><strong>TOX Messaging IDs</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="100%">
<p>CAB3D74D1DADE95B52928E4D9DFC003FF5ADB2E082F59377D049A91952E8BB3B419DB2FA9D3F</p>
</td>
</tr>
<tr>
<td width="100%">
<p>7229828E766B9058D329B2B4BC0EDDD11612CBCCFA4811532CABC76ACF703074E0D1501F8418</p>
</td>
</tr>
<tr>
<td width="100%">
<p>83E6E3CFEC0E4C8E7F7B6E01F6E86CF70AE8D4E75A59126A2C52FE9F568B4072CA78EF2B3C97</p>
</td>
</tr>
<tr>
<td width="100%">
<p>0FF26770BFAEAD95194506E6970CC1C395B04159038D785DE316F05CE6DE67324C6038727A58</p>
<p><strong><em>NOTE:</em></strong><em> According to ransom notes, this is a “Customer service” TOX to reach out to if the original TOX ID does not respond.</em></p>
</td>
</tr>
</tbody>
</table>
<table width="100%">
<thead>
<tr>
<td width="100%">
<p><strong>Folder Creation</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="100%">
<p>C:\$SysReset</p>
</td>
</tr>
</tbody>
</table>
<table width="100%">
<thead>
<tr>
<td colspan="2" width="100%">
<p><strong>Filenames with Associated SHA-256 Hashes</strong></p>
</td>
</tr>
<tr>
<td width="32%">
<p><strong>Filenames</strong></p>
</td>
<td width="67%">
<p><strong>SHA-256</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="32%">
<p>qesbdksdvnotrjnexutx.bat</p>
</td>
<td width="67%">
<p>0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f</p>
</td>
</tr>
<tr>
<td width="32%">
<p>eqbglqcngblqnl.bat</p>
</td>
<td width="67%">
<p>1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d</p>
</td>
</tr>
<tr>
<td width="32%">
<p>safe.exe</p>
</td>
<td width="67%">
<p>5950b4e27554585123d7fca44e83169375c6001201e3bf26e57d079437e70bcd</p>
</td>
</tr>
<tr>
<td width="32%">
<p>safe.exe</p>
</td>
<td width="67%">
<p>7018240d67fd11847c7f9737eaaae45794b37a5c27ffd02beaacaf6ae13352b3</p>
</td>
</tr>
<tr>
<td width="32%">
<p>safe.exe</p>
</td>
<td width="67%">
<p>28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c</p>
</td>
</tr>
<tr>
<td width="32%">
<p>safe.exe</p>
</td>
<td width="67%">
<p>fc31043b5f079ce88385883668eeebba76a62f77954a960fb03bf46f47dbb066</p>
</td>
</tr>
<tr>
<td width="32%">
<p>DefenderControl.exe</p>
</td>
<td width="67%">
<p>a201f7f81277e28c0bdd680427b979aee70e42e8a98c67f11e7c83d02f8fe7ae</p>
</td>
</tr>
<tr>
<td width="32%">
<p>PRETTYOCEANApplicationdrs.bi</p>
</td>
<td width="67%">
<p>6992aaad3c47b938309fc1e6f37179eb51f028536f8afc02e4986312e29220c0</p>
</td>
</tr>
<tr>
<td width="32%">
<p>Setup.exe</p>
</td>
<td width="67%">
<p>510e9fa38a08d446189c34fe6125295f410b36f00aceb65e7b4508e9d7c4e1d1</p>
</td>
</tr>
<tr>
<td width="32%">
<p>WRSA.exe</p>
</td>
<td width="67%">
<p>ed0fd61bf82660a69f5bfe0e66457cfe56d66dd2b310e9e97657c37779aef65d</p>
</td>
</tr>
<tr>
<td width="32%">
<p>ghnhfglwaplf.bat</p>
</td>
<td width="67%">
<p>2155a029a024a2ffa4eff9108ac15c7db527ca1c8f89ccfd94cc3a70b77cfc57</p>
</td>
</tr>
<tr>
<td width="32%">
<p>nllraq.bat</p>
</td>
<td width="67%">
<p>251427c578eaa814f07037fbe6e388b3bc86ed3800d7887c9d24e7b94176e30d</p>
</td>
</tr>
<tr>
<td width="32%">
<p>ygariiwfenmqteiwcr.bat</p>
</td>
<td width="67%">
<p>3295f5029f9c9549a584fa13bc6c25520b4ff9a4b2feb1d9e935cc9e4e0f0924</p>
</td>
</tr>
<tr>
<td width="32%">
<p>bsfyqgqeauegwyfvtp.bat</p>
</td>
<td width="67%">
<p>6c9d8c577dddf9cc480f330617e263a6ee4461651b4dec1f7215bda77df911e7</p>
</td>
</tr>
<tr>
<td width="32%">
<p>rgibdcghzwpk.bat</p>
</td>
<td width="67%">
<p>84e1476c6b21531de62bbac67e52ab2ac14aa7a30f504ecf33e6b62aa33d1fe5</p>
</td>
</tr>
<tr>
<td width="32%">
<p>pxyicmajjlqrtgcnhi.bat</p>
</td>
<td width="67%">
<p>a80c7fe1f88cf24ad4c55910a9f2189f1eedad25d7d0fd53dbfe6bdd68912a84</p>
</td>
</tr>
<tr>
<td width="32%">
<p>evhgpp.bat</p>
</td>
<td width="67%">
<p>b998a8c15cc19c8c31c89b30f692a40b14d7a6c09233eb976c07f19a84eccb40</p>
</td>
</tr>
<tr>
<td width="32%">
<p>HOW TO RESTORE YOUR FILES.TXT</p>
</td>
<td width="67%">
<p> </p>
</td>
</tr>
</tbody>
</table>
<table width="100%">
<thead>
<tr>
<td colspan="2" width="100%">
<p><strong>Filenames with Associated SHA-1 Hashes</strong></p>
</td>
</tr>
<tr>
<td width="21%">
<p><strong>Filenames</strong></p>
</td>
<td width="78%">
<p><strong>SHA-1</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="21%">
<p>safe.exe</p>
</td>
<td width="78%">
<p>c8a0060290715f266c89a21480fed08133ea2614</p>
</td>
</tr>
</tbody>
</table>
<table width="100%">
<thead>
<tr>
<td width="100%">
<p><strong>Commands Used by Snatch Threat Actors</strong></p>
</td>
</tr>
<tr>
<td width="100%">
<p><strong>Commands</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="100%">
<p>wmiadap.exe /F /T /R</p>
</td>
</tr>
<tr>
<td width="100%">
<p>%windir%\System32\svchost.eve –k WerSvcGroup</p>
</td>
</tr>
<tr>
<td width="100%">
<p>conhost.exe 0xFFFFFFFF -ForceV1</p>
</td>
</tr>
<tr>
<td width="100%">
<p>vssadmin delete shadows /all /quiet</p>
</td>
</tr>
<tr>
<td width="100%">
<p>bcdedit.exe /set {current} safeboot minimal</p>
</td>
</tr>
<tr>
<td width="100%">
<p>REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VSS /VE /T REG_SZ /F /D Service</p>
</td>
</tr>
<tr>
<td width="100%">
<p>REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mXoRpcSsx /VE /T REG_SZ /F /D Service</p>
</td>
</tr>
<tr>
<td width="100%">
<p>REG QUERY HKLM\SYSTEM\CurrentControlSet\Control /v SystemStartOptions</p>
</td>
</tr>
<tr>
<td width="100%">
<p>%CONHOST% "1088015358-1778111623-1306428145949291561678876491840500802412316031-33820320</p>
</td>
</tr>
<tr>
<td width="100%">
<p>"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --no-startup-window /prefetch:5</p>
</td>
</tr>
<tr>
<td width="100%">
<p>cmd /d /c cmd /d /c cmd /d /c start " " C:\Users\grade1\AppData\Local\PRETTYOCEANluvApplication\PRETTYOCEANApplicationidf.bi.</p>
</td>
</tr>
</tbody>
</table>
<table width="100%">
<thead>
<tr>
<td width="100%">
<p><strong>Registry Keys</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="100%">
<p>HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\D8B548F0-E306-4B2B-BD82-25DAC3208786\FriendlyName</p>
</td>
</tr>
<tr>
<td width="100%">
<p>HKU\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ED50FC29-B964-<br /> 48A9-AFB3-15EBB9B97F36} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<table width="100%">
<thead>
<tr>
<td colspan="2" width="100%">
<p><strong>System Log Changes</strong></p>
</td>
</tr>
<tr>
<td width="36%">
<p><strong>Source</strong></p>
</td>
<td width="64%">
<p><strong>Message</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="36%">
<p>TerminalServices-RemoteConnectionManager</p>
</td>
<td width="64%">
<p>Remote session from client name exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.</p>
</td>
</tr>
<tr>
<td width="36%">
<p>Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall</p>
</td>
<td width="64%">
<p>A rule was added (Event 2004) or modified (Event 2005) in the Windows Defender Firewall exception list. All rules included action “Allow” and rule name included “File and Printer Sharing”</p>
</td>
</tr>
<tr>
<td width="36%">
<p>Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall</p>
</td>
<td width="64%">
<p>A Windows Defender Firewall setting was changed in private, public, and domain profile with type “Enable Windows Defender Firewall” and value of “no”.</p>
</td>
</tr>
<tr>
<td width="36%">
<p>Microsoft-Windows-TaskScheduler%4Operational</p>
</td>
<td width="64%">
<p>Instance of process C:\Windows\svchost.exe. (Incorrect file location, should be C:\Windows\System32\svchost.exe)</p>
</td>
</tr>
</tbody>
</table>
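<p>As an added example (it is not part of the CISA advisory or this post), the following Python script turns the Commands and System Log Changes tables above into detection checks and runs them over constructed Windows telemetry, then correlates the Safe Mode preparation with shadow-copy deletion per host. The record format, host names, and sample file paths are assumptions made for this example; the command lines and log messages are those listed in the tables.</p>

```python
# Added example (not from the CISA advisory or this post): flag the Snatch behaviours
# from the Commands and System Log Changes tables in constructed Windows telemetry.
# The record format, host names and sample values are assumptions made for this example.
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "host rule technique evidence")  # technique = ATT&CK ID from Tables 4-16

# Command-line rules derived from the "Commands Used by Snatch Threat Actors" table.
COMMAND_RULES = [
    ("safe_mode_boot_configured", "T1562.009",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I)),
    ("safe_mode_service_registered", "T1562.009",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*\\SafeBoot\\Minimal\\", re.I)),
    ("shadow_copies_deleted", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("system_start_options_queried", "T1012",
     re.compile(r"\breg(?:\.exe)?\s+query\b.*\bSystemStartOptions\b", re.I)),
]
# svchost.exe belongs in System32 (or SysWOW64); the Task Scheduler entry in the
# System Log Changes table shows it running from C:\Windows instead.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
RDP_SOURCE = "TerminalServices-RemoteConnectionManager"
RDP_LIMIT_RE = re.compile(r"exceeded the maximum allowed failed logon attempts", re.I)
FIREWALL_SOURCE = "Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall"

def check_process(host, image, cmdline):
    """Findings for one process-creation record (Sysmon event 1 / Security 4688 style)."""
    findings = [Finding(host, name, tech, cmdline)
                for name, tech, rx in COMMAND_RULES if rx.search(cmdline)]
    directory, _, basename = image.lower().rpartition("\\")
    if basename == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
        findings.append(Finding(host, "svchost_outside_system32", "T1036", image))
    return findings

def check_event(host, source, event_id, message, fields):
    """Findings for one event-log record from the sources in the System Log Changes table."""
    findings = []
    if source == RDP_SOURCE and RDP_LIMIT_RE.search(message):
        findings.append(Finding(host, "rdp_failed_logon_limit_hit", "T1110.001", message))
    if source == FIREWALL_SOURCE:
        # 2004 = rule added, 2005 = rule modified; the Snatch rules were Allow + File and Printer Sharing.
        if (event_id in (2004, 2005) and fields.get("action") == "Allow"
                and "file and printer sharing" in fields.get("rule_name", "").lower()):
            findings.append(Finding(host, "firewall_allow_file_sharing_rule", "T1562.001",
                                    f"event {event_id}: {fields['rule_name']}"))
        # Profile setting "Enable Windows Defender Firewall" flipped to "no".
        if (fields.get("setting") == "Enable Windows Defender Firewall"
                and fields.get("value", "").lower() == "no"):
            findings.append(Finding(host, "firewall_disabled", "T1562.001",
                                    f"{fields.get('profile', '?')} profile"))
    return findings

def scan(records):
    """Dispatch each record (a dict in the constructed format below) to its checker."""
    findings = []
    for r in records:
        if r["kind"] == "process":
            findings.extend(check_process(r["host"], r["image"], r["cmdline"]))
        else:
            findings.extend(check_event(r["host"], r["source"], r["event_id"],
                                        r.get("message", ""), r.get("fields", {})))
    return findings

def hosts_staging_safe_mode_encryption(findings):
    """Hosts that both prepared a Safe Mode boot (T1562.009) and deleted shadow
    copies (T1490), the combination the advisory describes before encryption."""
    techs = defaultdict(set)
    for f in findings:
        techs[f.host].add(f.technique)
    return sorted(h for h, t in techs.items() if {"T1562.009", "T1490"} <= t)

# Constructed sample telemetry: command lines mirror the advisory's table; hosts and paths are made up.
SAMPLE_RECORDS = [
    {"kind": "process", "host": "WS01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {current} safeboot minimal"},
    {"kind": "process", "host": "WS01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VSS /VE /T REG_SZ /F /D Service"},
    {"kind": "process", "host": "WS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"kind": "process", "host": "WS01", "image": r"C:\Windows\svchost.exe",
     "cmdline": r"C:\Windows\svchost.exe -k WerSvcGroup"},
    {"kind": "process", "host": "WS02", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},  # benign control
    {"kind": "process", "host": "WS02", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"REG QUERY HKLM\SYSTEM\CurrentControlSet\Control /v SystemStartOptions"},
    {"kind": "event", "host": "WS02", "source": RDP_SOURCE, "event_id": 0,  # id: placeholder
     "message": "Remote session from client name exceeded the maximum allowed failed logon "
                "attempts. The session was forcibly terminated."},
    {"kind": "event", "host": "WS02", "source": FIREWALL_SOURCE, "event_id": 2004,
     "fields": {"rule_name": "File and Printer Sharing (SMB-In)", "action": "Allow"}},
    {"kind": "event", "host": "WS02", "source": FIREWALL_SOURCE, "event_id": 0,  # id: placeholder
     "fields": {"profile": "Domain", "setting": "Enable Windows Defender Firewall", "value": "no"}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.host:5} {f.technique:10} {f.rule:34} {f.evidence[:60]}")
    print("staged for Safe Mode encryption:", hosts_staging_safe_mode_encryption(scan(SAMPLE_RECORDS)))
```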
<p> </p>
<table width="100%">
<thead>
<tr>
<td width="100%">
<p><strong>Mutexes Created</strong></p>
</td>
</tr>
<tr>
<td width="100%">
<p><strong>Mutexes Created</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="100%">
<p>\Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-fc_key</p>
</td>
</tr>
<tr>
<td width="100%">
<p>\Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-sjlj_once</p>
</td>
</tr>
<tr>
<td width="100%">
<p>\Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-use_fc_key</p>
</td>
</tr>
<tr>
<td width="100%">
<p>gcc-shmem-tdm2-fc_key</p>
</td>
</tr>
<tr>
<td width="100%">
<p>gcc-hmem-tdm2-sjlj_once</p>
</td>
</tr>
<tr>
<td width="100%">
<p>gcc-shmem-tdm2-use_fc_key</p>
</td>
</tr>
</tbody>
</table>
<p><strong>MITRE ATT&CK TACTICS AND TECHNIQUES</strong></p>
<p>See Tables 4-16 for all referenced threat actor tactics and techniques in this advisory.</p>
<table width="100%">
<thead>
<tr>
<td colspan="3" width="100%">
<p><strong>Table 4: Snatch Threat Actors ATT&CK Techniques for Enterprise – Reconnaissance</strong></p>
</td>
</tr>
<tr>
<td width="25%">
<p><strong>Technique Title</strong></p>
</td>
<td width="7%">
<p><strong>ID</strong></p>
</td>
<td width="66%">
<p><strong>Use</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="25%">
<p>Gather Victim Network Information</p>
</td>
<td width="7%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1590/">T1590</a></p>
</td>
<td width="66%">
<p>Snatch threat actors may gather information about the victim's networks that can be used during targeting.</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<table width="100%">
<thead>
<tr>
<td colspan="3" width="100%">
<p><strong>Table 5: Snatch Threat Actors ATT&CK Techniques for Enterprise – Resource Development</strong></p>
</td>
</tr>
<tr>
<td width="20%">
<p><strong>Technique Title</strong></p>
</td>
<td width="11%">
<p><strong>ID</strong></p>
</td>
<td width="67%">
<p><strong>Use</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="20%">
<p>Acquire Infrastructure: Virtual Private Server</p>
</td>
<td width="11%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1583/003/">T1583.003</a></p>
</td>
<td width="67%">
<p>Snatch threat actors may rent Virtual Private Servers (VPSs) that can be used during targeting. Snatch threat actors acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<table width="100%">
<thead>
<tr>
<td colspan="3" width="100%">
<p><strong>Table 6: Snatch Threat Actors ATT&CK Techniques for Enterprise – Initial Access</strong></p>
</td>
</tr>
<tr>
<td width="17%">
<p><strong>Technique Title</strong></p>
</td>
<td width="7%">
<p><strong>ID</strong></p>
</td>
<td width="74%">
<p><strong>Use</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="17%">
<p>Valid Accounts</p>
</td>
<td width="7%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1078/">T1078</a></p>
</td>
<td width="74%">
<p>Snatch threat actors use compromised user credentials from criminal forums/marketplaces to gain access and maintain persistence on a victim’s network.</p>
</td>
</tr>
<tr>
<td width="17%">
<p>External Remote Services</p>
</td>
<td width="7%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1133/">T1133</a></p>
</td>
<td width="74%">
<p>Snatch threat actors exploit weaknesses in RDP to perform brute forcing and gain administrator credentials for a victim’s network.</p>
<p>Snatch threat actors use VPN services to connect to a victim’s network.</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<table width="100%">
<thead>
<tr>
<td colspan="3" width="100%">
<p><strong>Table 7: Snatch Threat Actors ATT&CK Techniques for Enterprise – Execution</strong></p>
</td>
</tr>
<tr>
<td width="30%">
<p><strong>Technique Title</strong></p>
</td>
<td width="11%">
<p><strong>ID</strong></p>
</td>
<td width="57%">
<p><strong>Use</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="30%">
<p>Command and Scripting Interpreter: Windows Command Shell</p>
</td>
<td width="11%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1059/003/">T1059.003</a></p>
</td>
<td width="57%">
<p>Snatch threat actors may use batch files (.bat) during ransomware execution and data discovery.</p>
</td>
</tr>
<tr>
<td width="30%">
<p>System Services: Service Execution</p>
</td>
<td width="11%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1569/002/">T1569.002</a></p>
</td>
<td width="57%">
<p>Snatch threat actors may leverage various Windows tools to enumerate systems on the victim’s network. Snatch ransomware used sc.exe.</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<table width="100%">
<thead>
<tr>
<td colspan="3" width="100%">
<p><strong>Table 8: Snatch Threat Actors ATT&CK Techniques for Enterprise – Persistence</strong></p>
</td>
</tr>
<tr>
<td width="25%">
<p><strong>Technique Title</strong></p>
</td>
<td width="11%">
<p><strong>ID</strong></p>
</td>
<td width="63%">
<p><strong>Use</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="25%">
<p>Valid Accounts: Domain Accounts</p>
</td>
<td width="11%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1078/002/">T1078.002</a></p>
</td>
<td width="63%">
<p>Snatch threat actors compromise domain accounts to maintain persistence on a victim’s network.</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<table width="100%">
<thead>
<tr>
<td colspan="3" width="100%">
<p><strong>Table 9: Snatch Threat Actors ATT&CK Techniques for Enterprise – Defense Evasion</strong></p>
</td>
</tr>
<tr>
<td width="23%">
<p><strong>Technique Title</strong></p>
</td>
<td width="11%">
<p><strong>ID</strong></p>
</td>
<td width="64%">
<p><strong>Use</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="23%">
<p>Masquerading</p>
</td>
<td width="11%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1036/">T1036</a></p>
</td>
<td width="64%">
<p>Snatch threat actors have the ransomware executable match the SHA-256 hash of a legitimate file to avoid rule-based detection.</p>
</td>
</tr>
<tr>
<td width="23%">
<p>Indicator Removal: File Deletion</p>
</td>
<td width="11%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1070/004/">T1070.004</a></p>
</td>
<td width="64%">
<p>Snatch threat actors delete batch files from a victim’s filesystem once execution is complete.</p>
</td>
</tr>
<tr>
<td width="23%">
<p>Modify Registry</p>
</td>
<td width="11%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1112/">T1112</a></p>
</td>
<td width="64%">
<p>Snatch threat actors modify Windows Registry keys to aid in persistence and execution.</p>
</td>
</tr>
<tr>
<td width="23%">
<p>Impair Defenses: Disable or Modify Tools</p>
</td>
<td width="11%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1562/001/">T1562.001</a></p>
</td>
<td width="64%">
<p>Snatch threat actors have attempted to disable a system’s antivirus program to enable persistence and ransomware execution.</p>
</td>
</tr>
<tr>
<td width="23%">
<p>Impair Defenses: Safe Mode Boot</p>
</td>
<td width="11%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1562/009/">T1562.009</a></p>
</td>
<td width="64%">
<p>Snatch threat actors abuse Windows Safe Mode to circumvent detection by antivirus or endpoint protection and encrypt files when few services are running.</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<table width="100%">
<thead>
<tr>
<td colspan="3" width="100%">
<p><strong>Table 10: Snatch Threat Actors ATT&CK Techniques for Enterprise – Credential Access</strong></p>
</td>
</tr>
<tr>
<td width="24%">
<p><strong>Technique Title</strong></p>
</td>
<td width="11%">
<p><strong>ID</strong></p>
</td>
<td width="63%">
<p><strong>Use</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="24%">
<p>Brute Force: Password Guessing</p>
</td>
<td width="11%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1110/001/">T1110.001</a></p>
</td>
<td width="63%">
<p>Snatch threat actors use brute force to obtain administrator credentials for a victim’s network.</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<table width="100%">
<thead>
<tr>
<td colspan="3" width="100%">
<p><strong>Table 11: Snatch Threat Actors ATT&CK Techniques for Enterprise – Discovery</strong></p>
</td>
</tr>
<tr>
<td width="15%">
<p><strong>Technique Title</strong></p>
</td>
<td width="7%">
<p><strong>ID</strong></p>
</td>
<td width="76%">
<p><strong>Use</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="15%">
<p>Query Registry</p>
</td>
<td width="7%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1012/">T1012</a></p>
</td>
<td width="76%">
<p>Snatch threat actors may interact with the Windows Registry to gather information about the system, configuration, and installed software.</p>
</td>
</tr>
<tr>
<td width="15%">
<p>Process Discovery</p>
</td>
<td width="7%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1057/">T1057</a></p>
</td>
<td width="76%">
<p>Snatch threat actors search for information about running processes on a system.</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<table width="100%">
<thead>
<tr>
<td colspan="3" width="100%">
<p><strong>Table 12: Snatch Threat Actors ATT&CK Techniques for Enterprise – Lateral Movement</strong></p>
</td>
</tr>
<tr>
<td width="28%">
<p><strong>Technique Title</strong></p>
</td>
<td width="11%">
<p><strong>ID</strong></p>
</td>
<td width="59%">
<p><strong>Use</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="28%">
<p>Remote Services: Remote Desktop Protocol</p>
</td>
<td width="11%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1021/001/">T1021.001</a></p>
</td>
<td width="59%">
<p>Snatch threat actors may use Valid Accounts to log into a computer using the Remote Desktop Protocol.</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<table width="100%">
<thead>
<tr>
<td colspan="3" width="100%">
<p><strong>Table 13: Snatch Threat Actors ATT&CK Techniques for Enterprise – Collection</strong></p>
</td>
</tr>
<tr>
<td width="21%">
<p><strong>Technique Title</strong></p>
</td>
<td width="7%">
<p><strong>ID</strong></p>
</td>
<td width="70%">
<p><strong>Use</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="21%">
<p>Data from Local System</p>
</td>
<td width="7%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1005/">T1005</a></p>
</td>
<td width="70%">
<p>Snatch threat actors search systems to find files and folders of interest prior to exfiltration.</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<table width="100%">
<thead>
<tr>
<td colspan="3" width="100%">
<p><strong>Table 14: Snatch Threat Actors ATT&CK Techniques for Enterprise – Command and Control</strong></p>
</td>
</tr>
<tr>
<td width="28%">
<p><strong>Technique Title</strong></p>
</td>
<td width="11%">
<p><strong>ID</strong></p>
</td>
<td width="59%">
<p><strong>Use</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="28%">
<p>Application Layer Protocols: Web Protocols</p>
</td>
<td width="11%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1071/001/">T1071.001</a></p>
</td>
<td width="59%">
<p>Snatch threat actors establish connections over port 443 to blend C2 traffic in with other web traffic.</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<table width="100%">
<thead>
<tr>
<td colspan="3" width="100%">
<p><strong>Table 15: Snatch Threat Actors ATT&CK Techniques for Enterprise – Exfiltration</strong></p>
</td>
</tr>
<tr>
<td width="16%">
<p><strong>Technique Title</strong></p>
</td>
<td width="8%">
<p><strong>ID</strong></p>
</td>
<td width="74%">
<p><strong>Use</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="16%">
<p>Exfiltration</p>
</td>
<td width="8%">
<p><a href="https://attack.mitre.org/versions/v13/tactics/TA0010/">TA0010</a></p>
</td>
<td width="74%">
<p>Snatch threat actors use exfiltration techniques to steal data from a victim’s network.</p>
</td>
</tr>
</tbody>
</table>
<p> </p>
<table width="100%">
<thead>
<tr>
<td colspan="3" width="100%">
<p><strong>Table 16: Snatch Threat Actors ATT&CK Techniques for Enterprise – Impact</strong></p>
</td>
</tr>
<tr>
<td width="18%">
<p><strong>Technique Title</strong></p>
</td>
<td width="7%">
<p><strong>ID</strong></p>
</td>
<td width="73%">
<p><strong>Use</strong></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="18%">
<p>Data Encrypted for Impact</p>
</td>
<td width="7%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1486/">T1486</a></p>
</td>
<td width="73%">
<p>Snatch threat actors encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.</p>
</td>
</tr>
<tr>
<td width="18%">
<p>Inhibit System Recovery</p>
</td>
<td width="7%">
<p><a href="https://attack.mitre.org/versions/v13/techniques/T1490/">T1490</a></p>
</td>
<td width="73%">
<p>Snatch threat actors delete all volume shadow copies from a victim’s filesystem to inhibit system recovery.</p>
</td>
</tr>
</tbody>
</table>
<p><strong>MITIGATIONS</strong></p>
<table>
<tbody>
<tr>
<td>
<p>These mitigations apply to all stakeholders. The authoring agencies recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices for hardening software against ransomware attacks (e.g., to prevent threat actors from using Safe Mode to evade detection and file encryption), thus strengthening the security posture of their customers. For more information on secure by design, see CISA’s <a href="https://www.cisa.gov/securebydesign">Secure by Design and Default</a> webpage and <a href="https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default">joint guide</a>.</p>
</td>
</tr>
</tbody>
</table>
<p>The FBI and CISA recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the Snatch threat actor’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s <a href="https://www.cisa.gov/cpg">Cross-Sector Cybersecurity Performance Goals</a> for more information on the CPGs, including additional recommended baseline protections.</p>
<p><strong>Reduce threat of malicious actors</strong> using remote access tools by:</p>
<ul>
<li><strong>Auditing remote access tools</strong> on your network to identify currently used and/or authorized software.</li>
<li><strong>Reviewing logs for execution of remote access software</strong> to detect abnormal use of programs running as a portable executable [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf">CPG 2.T</a>].</li>
<li><strong>Using security software</strong> to detect instances of remote access software being loaded only in memory.</li>
<li><strong>Requiring authorized remote access solutions</strong> to be used only from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).</li>
<li><strong>Blocking both inbound and outbound connections</strong> on common remote access software ports and protocols at the network perimeter.</li>
<li><strong>Implementing application controls</strong> to manage and control execution of software, including allowlisting remote access programs.</li>
</ul>
<p> </p>
<p>Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.</p>
<p><strong>Strictly limit the use of RDP and other remote desktop services.</strong> If RDP is necessary, rigorously apply best practices, for example [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf">CPG 2.W</a>]:</p>
<ul>
<li>Audit the network for systems using RDP.</li>
<li>Close unused RDP ports.</li>
<li>Enforce account lockouts after a specified number of attempts.</li>
<li><a href="https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf">Apply phishing-resistant multifactor authentication (MFA)</a>.</li>
<li>Log RDP login attempts.</li>
</ul>
<ul>
<li><strong>Disable command-line and scripting</strong> activities and permissions [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf">CPG 2.N</a>].</li>
<li><strong>Review domain controllers, servers, workstations, and active directories</strong> for new and/or unrecognized accounts [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf">CPG 4.C</a>].</li>
<li><strong>Audit user accounts with administrative privileges</strong> and configure access controls according to the principle of least privilege (PoLP) [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf">CPG 2.E</a>].</li>
<li><strong>Reduce the threat of credential compromise</strong> via the following:
<ul>
<li><strong>Place domain admin accounts in the Protected Users group</strong> to prevent caching of password hashes locally.</li>
<li>Refrain from storing plaintext credentials in scripts.</li>
</ul>
</li>
<li><strong>Implement time-based access for accounts</strong> set at the admin level and higher [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf">CPG 2.A, 2.E</a>].</li>
</ul>
<p>In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors:</p>
<ul>
<li><strong>Implement a recovery plan</strong> to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).</li>
<li><strong>Maintain offline backups of data</strong> and regularly maintain backup and restoration (daily or weekly at minimum). By instituting this practice, an organization limits the severity of disruption to its business practices [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf">CPG 2.R</a>].</li>
<li><strong>Require all accounts</strong> with password logins (e.g., service accounts, admin accounts, and domain admin accounts) <strong>to comply</strong> with <a href="https://pages.nist.gov/800-63-3/">NIST's standards</a> for developing and managing password policies.
<ul>
<li>Use longer passwords consisting of at least eight characters and no more than 64 characters in length [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf">CPG 2.B</a>].</li>
<li>Store passwords in hashed format using industry-recognized password managers.</li>
<li>Add password user “salts” to shared login credentials.</li>
<li>Avoid reusing passwords [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf">CPG 2.C</a>].</li>
<li>Implement multiple failed login attempt account lockouts [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf">CPG 2.G</a>].</li>
<li>Disable password “hints.”</li>
<li>Refrain from requiring password changes more frequently than once per year.<br /> <strong>Note:</strong> NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.</li>
<li>Require administrator credentials to install software.</li>
</ul>
</li>
<li><strong>Require phishing-resistant multifactor authentication (MFA)</strong> for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf">CPG 2.H</a>].</li>
<li><strong>Keep all operating systems, software, and firmware up to date.</strong> Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">known exploited vulnerabilities</a> in internet-facing systems [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf">CPG 1.E</a>].</li>
<li><strong>Segment networks</strong> to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf">CPG 2.F</a>].</li>
<li><strong>Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.</strong> To aid in detecting the ransomware, implement a tool that logs and reports all network traffic and activity, including lateral movement, on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf">CPG 3.A</a>].</li>
<li><strong>Install, regularly update, and enable real-time detection for antivirus software</strong> on all hosts.</li>
<li><strong>Disable unused ports and protocols</strong> [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf">CPG 2.V</a>].</li>
<li><strong>Consider adding an email banner to emails</strong> received from outside your organization [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf">CPG 2.M</a>].</li>
<li><strong>Disable hyperlinks</strong> in received emails.</li>
<li><strong>Ensure all backup data is encrypted, immutable</strong> (i.e., ensure backup data cannot be altered or deleted), and covers the entire organization’s data infrastructure [<a href="https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf">CPG 2.K, 2.L, 2.R</a>].</li>
</ul>
<p><strong>VALIDATE SECURITY CONTROLS</strong></p>
<p>In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.</p>
<p>To get started:</p>
<ul>
<li>Select an ATT&CK technique described in this advisory (see Tables 4-16).</li>
<li>Align your security technologies against the technique.</li>
<li>Test your technologies against the technique.</li>
<li>Analyze your detection and prevention technologies’ performance.</li>
<li>Repeat the process for all security technologies to obtain a set of comprehensive performance data.</li>
<li>Tune your security program, including people, processes, and technologies, based on the data generated by this process.</li>
</ul>
<p>FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.</p>
<p><strong>RESOURCES</strong>:</p>
<ul>
<li><a href="https://www.stopransomware.gov/">Stopransomware.gov</a> is a whole-of-government approach that gives one central location for ransomware resources and alerts.</li>
<li>Resource to mitigate a ransomware attack: <a href="https://www.cisa.gov/resources-tools/resources/stopransomware-guide">#StopRansomware Guide</a>.</li>
<li>No-cost cyber hygiene services: <a href="https://www.cisa.gov/cyber-hygiene-services">Cyber Hygiene Services</a> and <a href="https://github.com/cisagov/cset/releases/tag/v10.3.0.0">Ransomware Readiness Assessment</a>.</li>
</ul>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and has reported extensively on AI technology. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www.redskyalliance.org/</li>
<li>Website: https://www.redskyalliance.com/</li>
<li>LinkedIn: https://www.linkedin.com/company/64265941</li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a">https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a</a></p></div>Single Cyber Incident Reporting Portalhttps://redskyalliance.org/xindustry/single-cyber-incident-reporting-portal2023-09-22T12:25:00.000Z2023-09-22T12:25:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p>After years of spouting the need for ease of reporting suspicious activity, I see the US Department of Homeland Security (DHS) now floating several new ideas for how to make federal cyber incident reporting rules ‘simpler’ for victim organizations — including the concept of a single reporting web portal. Not a new concept, but a wise one.</p>
<p>There are currently 52 in-effect or proposed federal cyber incident reporting requirements. As part of the cyber incident reporting bill that was signed into law last March, the Cybersecurity and Infrastructure Security Agency (CISA) was tasked with examining and streamlining the regulations.<a href="#_ftn1">[1]</a></p>
<p>The effort is being coordinated in advance of the release of CISA’s own rules that will make up the Cyber Incident Reporting for Critical Infrastructure Act — which CISA officials refer to by its acronym CIRCIA.</p>
<p>On 19 September, DHS Undersecretary for Policy Robert Silvers delivered a 107-page report to Congress outlining its work with 33 federal agencies to harmonize cyber incident reporting. In addition to DHS, the Treasury, Defense, Justice, Agriculture and Commerce departments were involved in the effort alongside several regulatory agencies like the Securities and Exchange Commission, the Federal Trade Commission and the Federal Communications Commission. “To develop these recommendations, the Cyber Incident Reporting Council analyzed over 50 different federal cyber incident reporting requirements and engaged with numerous industry and private sector stakeholders,” Silvers said. “It is imperative that we streamline these requirements. Federal agencies should be able to receive the information they need without creating duplicative burdens on victim companies that need to focus on responding to incidents and taking care of their customers.”</p>
<p>The DHS recommendations say: </p>
<ul>
<li>The federal government should clarify definitions, timelines and triggers of a reportable cyber incident so that organizations understand if and when they need to report something.</li>
<li>Agencies with requirements for covered entities to provide notifications to affected individuals or the public should consider whether a delay is warranted when such notification poses a significant risk to critical infrastructure, national security, public safety, or an ongoing law enforcement investigation.</li>
<li>The Federal Government should adopt a model reporting form for cyber incident reports and agencies should evaluate the feasibility of leveraging the form for cyber incident reporting or incorporate the data elements identified therein into reporting forms, web portals, or other submission mechanisms.</li>
<li>Agencies and the federal government should consider the potential creation of a single portal as a way to streamline the receipt and sharing of cyber incident reports and cyber incident information.</li>
<li>Federal cyber incident reporting requirements should allow for updates and supplemental reports.</li>
</ul>
<p>Other recommendations include adopting common incident terminology and improving inter-agency coordination. “In the critical period immediately following a cyberattack, our private sector partners need clear, consistent information-sharing guidelines to help us quickly mitigate the adverse impacts,” said Secretary of Homeland Security Alejandro Mayorkas. “The recommendations that DHS is issuing today provide needed clarity for our partners. They streamline and harmonize reporting requirements for critical infrastructure, including by clearly defining a reportable cyber incident, establishing the timeline for reporting, and adopting a model incident reporting form.”</p>
<p>Mayorkas added that the recommendations can “improve our understanding of the cyber threat landscape, help victims recover from disruptions, and prevent future attacks.”</p>
<p>The DHS report outlines steps CISA plans to take to harmonize all of the rules and also provides three tasks to Congress that would help the process, including the removal of legal or statutory barriers to harmonization as well as authority and funding for the efforts. The report also asks the US Congress to exempt the incident reports from Freedom of Information Act requests that would make the reports public.</p>
<p>In a statement, CISA Director Jen Easterly reiterated her hope that mandated incident reporting will help defenders spot trends in real-time, rapidly render assistance to victims, and share information to warn other potential targets before they become victims. “We also recognize that the need for this information must be balanced with the burdens placed on industry, ensuring that requirements are harmonized and streamlined as effectively as possible,” she said. “As the Cybersecurity and Critical Infrastructure Agency (CISA) implements reporting requirements as part of the Cyber Incident Reporting for Critical Infrastructure Act, these recommendations – along with the extensive input from stakeholders submitted as part of our rulemaking process – will help inform our proposed rule.”</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and has reported extensively on AI technology. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://therecord.media/dhs-floats-single-cyber-incident-reporting-portal/">https://therecord.media/dhs-floats-single-cyber-incident-reporting-portal/</a></p></div>Zoho & Fortinet Vulnerabilities Lead to New Attackshttps://redskyalliance.org/xindustry/zoho-fortinet-vulnerabilities-lead-to-new-attacks2023-09-18T16:00:00.000Z2023-09-18T16:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12227229689,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12227229689,RESIZE_400x{{/staticFileLink}}" alt="12227229689?profile=RESIZE_400x" width="250" /></a>Advanced Persistent Threat (APT) actors have exploited known vulnerabilities in Zoho ManageEngine and Fortinet VPN products to hack an organization in the aeronautical sector, according to a joint report from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Cyber Command’s Cyber National Mission Force (CNMF). Impacting more than 20 on-premises Zoho ManageEngine products, the first bug, tracked as CVE-2022-47966 (CVSS score of 9.8), allows remote attackers to execute arbitrary code on affected systems.</p>
<p>The critical-severity issue was patched in November 2022, but the first signs of exploitation were observed in January 2023, shortly before a proof-of-concept (PoC) exploit for the flaw was published. At the time, security firms identified thousands of exposed ManageEngine instances. The second vulnerability, CVE-2022-42475 (CVSS score of 9.8), affected multiple FortiOS SSL-VPN and FortiProxy SSL-VPN versions and was addressed with emergency patches in December 2022.<a href="#_ftn1">[1]</a></p>
<p>In January 2023, Mandiant warned that Chinese hackers had exploited CVE-2022-42475 as a zero-day, before the patches were released, in attacks aimed at a European government organization and a managed service provider in Africa. After investigating between February and April 2023, CISA, FBI, and CNMF found that multiple APT actors had exploited the two flaws, starting in January 2023, to establish persistence on an aeronautical organization’s network.</p>
<p>CISA and its co-sealers assess that, beginning as early as January 2023, multiple nation-state APT actors were present on the organization’s network via at least two initial access vectors, the three agencies note in an advisory (PDF): <a href="https://www.cisa.gov/sites/default/files/2023-09/aa23-250a-apt-actors-exploit-cve-2022-47966-and-cve-2022-42475_0.pdf">https://www.cisa.gov/sites/default/files/2023-09/aa23-250a-apt-actors-exploit-cve-2022-47966-and-cve-2022-42475_0.pdf</a></p>
<p>By exploiting CVE-2022-47966, the attackers gained root-level access to the web server hosting Zoho ManageEngine ServiceDesk Plus, created a local user account with administrative privileges, performed reconnaissance, deployed malware, harvested credentials, and moved laterally into the network.</p>
<p>CISA could not determine whether proprietary information was accessed, altered, or exfiltrated, because the organization had not clearly defined where its data was centrally located and CISA had limited network sensor coverage, the advisory reads. A separate APT group, the advisory reveals, exploited CVE-2022-42475 to compromise the organization’s firewall device and establish multiple VPN connections during the first half of February 2023. The attackers disabled admin credentials and deleted logs, hampering detection of their follow-on activity.</p>
<p>The advisory also notes that APT actors compromised and used the legitimate but disabled administrative account credentials of a former contractor; the organization confirmed the account had been disabled before the observed activity. The attackers established multiple TLS-encrypted sessions to transfer data from the compromised firewall and moved laterally to a web server, where they deployed web shells.</p>
<p>The investigation revealed that the threat actors used multiple readily available tools during their attacks, including Mimikatz (credential dumping), Ngrok (reverse tunneling to the attacker), ProcDump (process memory dumper), Metasploit, anydesk.exe (remote access), and others.</p>
<p>See: <a href="https://redskyalliance.org/intel-reports/intelligence-report-weekly-data-and-threats-07-26-2023">https://redskyalliance.org/intel-reports/intelligence-report-weekly-data-and-threats-07-26-2023</a></p>
<p>In their advisory, CISA, FBI, and CNMF provide information on these tools, a detailed timeline of the observed activity, Indicators of Compromise (IoCs) associated with the attacks, and recommended mitigations to prevent similar attacks.</p>
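<p>Two of the behaviours described above are cheap to hunt for in host logs: a successful logon by an account that the identity system says is disabled (the former contractor's credentials), and a freshly created local account landing in the Administrators group within minutes (the ServiceDesk Plus host). The script below is an added example written for this article, not code from the advisory or from Red Sky Alliance; the event records, field names, and account list are constructed for illustration, using the standard Windows event IDs 4624 (successful logon), 4720 (user account created), and 4732 (member added to a security-enabled local group).</p>

```python
"""Hunt for logons by disabled accounts and for new accounts that are
promoted to Administrators shortly after creation.

Added example; the events and account list below are constructed, not the
advisory's IoCs. Field names ("ts", "id", "user", "target", "group", "src")
are an assumption about how a log pipeline normalises Windows events."""
from datetime import datetime, timedelta

# Constructed sample events (ISO timestamps, Windows event IDs).
SAMPLE_EVENTS = [
    {"ts": "2023-02-03T01:12:07", "id": 4624, "user": "contractor.old",
     "src": "10.0.5.23", "logon_type": 10},
    {"ts": "2023-02-03T01:15:40", "id": 4720, "user": "SYSTEM",
     "target": "svc_backup2"},
    {"ts": "2023-02-03T01:16:02", "id": 4732, "user": "SYSTEM",
     "target": "svc_backup2", "group": "Administrators"},
    {"ts": "2023-02-03T02:00:11", "id": 4624, "user": "alice",
     "src": "10.0.1.9", "logon_type": 2},
    {"ts": "2023-02-03T09:30:00", "id": 4720, "user": "helpdesk",
     "target": "newhire.j"},
    {"ts": "2023-02-03T13:45:00", "id": 4732, "user": "helpdesk",
     "target": "newhire.j", "group": "Remote Desktop Users"},
]

# Constructed list of accounts the directory says are disabled (e.g. a former
# contractor). In practice this comes from AD or an HR offboarding feed.
DISABLED_ACCOUNTS = {"contractor.old", "svc_legacy"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_disabled_account_logons(events, disabled):
    """Return (timestamp, user, source) for 4624 logons by disabled accounts.

    A disabled account must never log on; any hit means the account was
    silently re-enabled, or the disablement never reached this host."""
    disabled_lc = {name.lower() for name in disabled}
    return [
        (e["ts"], e["user"], e.get("src"))
        for e in events
        if e["id"] == 4624 and e["user"].lower() in disabled_lc
    ]


def find_new_local_admins(events, window=timedelta(hours=1)):
    """Return (account, timestamp) for accounts created (4720) and then added
    to Administrators (4732) within `window`.

    The pairing is what matters: onboarding creates accounts all day, but an
    account that is in Administrators minutes after creation is the pattern
    the advisory describes on the ManageEngine host."""
    created = {}
    hits = []
    for e in sorted(events, key=_ts):
        target = e.get("target", "").lower()
        if e["id"] == 4720:
            created[target] = _ts(e)
        elif e["id"] == 4732 and e.get("group") == "Administrators":
            t0 = created.get(target)
            if t0 is not None and _ts(e) - t0 <= window:
                hits.append((e["target"], e["ts"]))
    return hits


if __name__ == "__main__":
    for hit in find_disabled_account_logons(SAMPLE_EVENTS, DISABLED_ACCOUNTS):
        print("disabled account logon:", hit)
    for hit in find_new_local_admins(SAMPLE_EVENTS):
        print("new local admin within window:", hit)
```

<p>On the constructed data the first check flags the contractor's logon and the second flags <code>svc_backup2</code>, while the help-desk onboarding of <code>newhire.j</code> (added only to Remote Desktop Users, hours later) is left alone. Because the advisory notes the attackers deleted logs on the firewall, both checks are only as good as log forwarding to a collector the attacker cannot reach; run them on the forwarded copy, not on the host.</p>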
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/us-aeronautical-organization-hacked-via-zoho-fortinet-vulnerabilities/">https://www.securityweek.com/us-aeronautical-organization-hacked-via-zoho-fortinet-vulnerabilities/</a></p></div>OSS & Cybersecurity Issueshttps://redskyalliance.org/xindustry/oss-cybersecurity-issues2023-08-25T16:00:00.000Z2023-08-25T16:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12201646682,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12201646682,RESIZE_400x{{/staticFileLink}}" width="250" alt="12201646682?profile=RESIZE_400x" /></a>The Internet runs on open-source software (OSS). It is probably fair to say that open source is everywhere. The Linux kernel, one of the building blocks of open source, is embedded in everything from most supercomputers, cloud computing, billions of phones, and most operating systems. “Open Source” software, as its name suggests, is available to anyone, and it poses a particular challenge in tracking what is happening at all times. This, in turn, leads to the potential for unique and serious cybersecurity vulnerabilities.<a href="#_ftn1">[1]</a></p>
<p>While proprietary code (not freely available on the internet) is not inherently more secure than open-source code (which is freely available), open source poses some familiar cybersecurity challenges. As the name suggests, it is open: attackers can study the code for weaknesses, and malicious contributors can try to insert them. Some reports suggest that 70%-90% of any “software stack” consists of third-party code. The SolarWinds breach shows that once bad actors implant malware in what appears to be legitimate software, its routine update channel can disseminate that malware at scale.</p>
<p>Vulnerabilities range widely, but two common sources are failure to manage library dependencies (keeping dependencies up to date lets developers pick up bug fixes, security patches, and new features, and reduces exposure to known vulnerabilities) and bad-faith actors (people who intentionally break into systems, or contributors who intentionally change the software to make it exploitable).</p>
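<p>Managing dependencies starts with knowing which pinned versions fall inside a published vulnerable range, and which dependencies are not pinned at all and so cannot be judged from the manifest. The following script is an added example for this article, not code from the page's sources; the requirements file, the package names, and the advisory entries (with made-up "HYPO-" identifiers) are constructed to illustrate the check, and the half-open range shape (first affected version, first fixed version) is an assumption about how the advisory feed is expressed.</p>

```python
"""Audit a pinned requirements file against version-range advisories.

Added example; the requirements text and advisories are constructed and the
package names are hypothetical. Real tooling (pip-audit, OSV scanners) does
this against live databases; the logic is the same."""
import re

# Constructed requirements file. Package names and versions are hypothetical.
REQUIREMENTS = """\
examplelib==1.4.2
widgetkit==3.1.0
otherlib>=3.0        # unpinned: the deployed version is not knowable from this file
# a comment line
"""

# Constructed advisory feed: (package, first affected, first fixed, reference).
# Vulnerable versions are the half-open range [affected, fixed).
ADVISORIES = [
    ("examplelib", "1.0.0", "1.5.0", "HYPO-2023-0001"),
    ("widgetkit", "2.0.0", "3.0.0", "HYPO-2023-0002"),
]

_REQ = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)\s*([0-9][0-9A-Za-z.]*)"
)


def parse_version(text):
    """Turn '1.4.2' into a comparable tuple padded to three numeric parts.

    Only leading digits of each dotted component are used, so '2.0rc1' is
    treated as 2.0.0; good enough for release pins, not a full PEP 440 parser."""
    nums = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def parse_requirements(text):
    """Yield (name, operator, version) per requirement line; skip blanks and comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ.match(line)
        if m:
            yield m.group(1).lower(), m.group(2), m.group(3)


def audit(requirements_text, advisories):
    """Return {'vulnerable': [(name, version, fixed_in, ref)], 'unpinned': [name]}.

    Only '==' pins are judged. Anything else is reported as unpinned because
    the manifest alone does not say which version is actually deployed, which
    is exactly the tracking gap the article describes."""
    vulnerable, unpinned = [], []
    for name, op, version in parse_requirements(requirements_text):
        if op != "==":
            unpinned.append(name)
            continue
        v = parse_version(version)
        for pkg, affected, fixed, ref in advisories:
            if pkg.lower() == name and parse_version(affected) <= v < parse_version(fixed):
                vulnerable.append((name, version, fixed, ref))
    return {"vulnerable": vulnerable, "unpinned": unpinned}


if __name__ == "__main__":
    report = audit(REQUIREMENTS, ADVISORIES)
    for name, version, fixed, ref in report["vulnerable"]:
        print(f"{name}=={version} is affected by {ref}; upgrade to >= {fixed}")
    for name in report["unpinned"]:
        print(f"{name}: not pinned, audit the lock file or the installed version instead")
```

<p>On the constructed input, <code>examplelib==1.4.2</code> falls inside the advisory range and is reported with its fix version, <code>widgetkit==3.1.0</code> is past its fix and stays quiet, and <code>otherlib</code> is flagged as unauditable from the manifest. The last case is the one teams most often miss: an unpinned dependency can drift to a vulnerable (or hijacked) release with no change to the repository.</p>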
<p>The military, the US Cybersecurity and Infrastructure Security Agency (CISA), Google, and DARPA are concerned about this. According to a report in a 2022 issue of MIT Technology Review, “Much of modern civilization now depends on an ever-expanding corpus of open source code because it saves money, attracts talent, and makes a lot of work easier.”</p>
<p>While the open-source movement has opened an ecosystem we depend on, experts say we do not fully understand it. The MIT Technology Review report says, “There are countless software projects, millions of lines of code, numerous mailing lists and forums, and an ocean of contributors whose identities and motivations are often obscure, making it hard to hold them accountable.”</p>
<p>None of this seems to have slowed the rush to open source. A recent report from the Linux Foundation and The Laboratory for Innovation Science at Harvard estimated that OSS comprises 80-90% of any given software package; this number is likely to continue to grow. Red Hat’s “The State of Enterprise Open Source” report found that “79% of respondents expect that over the next two years, their organization will increase the use of enterprise open source software for emerging technologies.” In the past two decades, companies have used open-source code with increasing frequency, and companies are increasingly contributing to open-source projects that they use, even collaborating with competitors.</p>
<p>Clear guidelines exist for best practices related to any secure software, open or otherwise, including code reviews, scanning for vulnerabilities, visibility into the system, knowing the attack surface, having zero-trust architecture, and red teaming. These are just some ways code, packages, and systems can be evaluated for security. Ultimately, security requires an in-depth knowledge of the system and how the various parts interact.</p>
<p>The key advantage of open-source software is that the source code is available for inspection by anyone. According to Netsec.news, “anyone can check the code to see if best practices have been followed and if the coding is sloppy. Importantly, it is possible to see exactly what the software does with open source. Suppose the source code cannot be checked [such as proprietary software]. In that case, there is no alternative other than to trust that developers have been diligent, and the company has not incorporated code that performs hidden functions from the user.” Having a large and active community of users is a vulnerability, but it also means that, with the volume of people looking for security gaps, potential issues are quickly identified.</p>
<p>Knarik Petrosyan, writing for Security Boulevard, reports that businesses use third-party open-source software because it is more cost-effective and flexible than paid-for development solutions. Most organizations use some form of community-borne software, even without knowing it. It can increase the speed of development and decrease the costs. Petrosyan says, “Created voluntarily, OSS has code available for public inspection, modification, and enhancement. It’s used for various processes and tools, often to augment in-house proprietary code.” Corporations, from the smallest to the largest, have used OSS.</p>
<p>A 2021 MIT Technology Review article posed an important question: “If the internet runs on free, open-source software, who is paid to fix it?” Volunteer-run projects like Log4j keep the internet running. The result is unsustainable burnout, and a national security risk when they go wrong. Log4j is an open-source logging library used widely to record activity inside many types of software; it helps run applications from iCloud to Twitter.</p>
<p>Although Log4j has been a crucial piece of internet infrastructure, its vulnerability is extremely easy to exploit. The response was made more complicated because the project was founded as a volunteer effort.</p>
<p>Early attacks came from kids who passed malicious code on Minecraft servers. Hackers, including some linked to China and Iran, sought to exploit the vulnerability in any machine they could find running the flawed code. Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), has said this is “one of the most serious flaws” she’s ever seen. Google developer Filippo Valsorda echoed these concerns, stating, “Open-source runs the internet and, by extension, the economy…it is extremely common even for core infrastructure projects to have a small team of maintainers or even a single maintainer that is not paid to work on that project.”</p>
<p>As reported in the July 2022 MIT Technology Review, DARPA, the US military’s research arm, is working to understand the collision of code and community that makes open-source projects work. The idea behind the project is to find out more about how the system functions and predict potential risks better. To this end, DARPA’s “SocialCyber” program is an 18-month-long, multimillion-dollar project combining sociology with recent technological advances in artificial intelligence to map, understand, and protect these massive open-source communities and the code they create. According to the Review, “It’s different from most previous research because it combines automated analysis of both the code and the social dimensions of open-source software.”</p>
<p>In that same July 2022 MIT Technology Review report, Sergey Bratus, the DARPA program manager behind the project, said, “The open-source ecosystem is one of the grandest enterprises in human history.” Open-source software is inextricably linked to critical infrastructure, and Bratus said that open source underpins “The systems that run our industry, power grids, shipping, transportation.”</p>
<p>This is a special concern for the military because our adversaries could write critical code, and the stakes of possible security breaches are incredibly high.</p>
<p>To try and get a handle on this problem, DARPA, through the SocialCyber Program, has contracted with multiple teams of what it calls “performers,” including small, boutique cybersecurity research shops with deep technical chops. One such performer is New York–based Margin Research, which has assembled a team of well-respected researchers. “There is a desperate need to treat open-source communities and projects with a higher level of care and respect,” said Sophia d’Antoine, the firm’s founder.</p>
<p>Margin's work maps out who is working on what specific parts of open-source projects. For example, Huawei is currently the biggest contributor to the Linux kernel. Another contributor works for Positive Technologies, a Russian cybersecurity firm that, like China’s Huawei, has been sanctioned by the US government. In many cases, open-source that we all depend on is run by one or two volunteers. This makes a lot of existing infrastructure very fragile because it depends on open source, and the basis of that software could be run by someone who quits one day, which happened in 2018 when a developer behind a popular open-source project called UA-Parser-JS quit, unwilling to work for free anymore. The software was later hijacked by malicious actors who inserted critical vulnerabilities into the software.</p>
<p>Users have created this illusion of trust around open-source software and its code. As the military, governments, and others are now just realizing, we assume it (open source) will always be there because it’s always been there. D'Antoine from Margin Research said, “The government is only just realizing that our critical infrastructure is running code that could be being written by sanctioned entities. Right now.”</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.cybersecurityintelligence.com/blog/whats-the-problem-with-open-source-software-and-cybersecurity-7098.html">https://www.cybersecurityintelligence.com/blog/whats-the-problem-with-open-source-software-and-cybersecurity-7098.html</a></p></div>Can a Public-Private Cyber Partnership Work?https://redskyalliance.org/xindustry/can-a-public-private-cyber-partnership-work2023-08-23T16:00:00.000Z2023-08-23T16:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12201638272,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12201638272,RESIZE_400x{{/staticFileLink}}" width="250" alt="12201638272?profile=RESIZE_400x" /></a>In 2020, the US Cyber Command (CYBERCOM) established its private sector partnership program named UNDER ADVISEMENT (who thought up this name?), the purpose of which is to engage industry organizations and share critical cyber threat information and intelligence that supports both CYBERCOM missions and the private sector’s cybersecurity priorities. According to CYBERCOM’s website <a href="https://www.cybercom.mil">https://www.cybercom.mil</a>, formal agreements are made with private sector stakeholders to establish trust, create dialogue and establish a two-way information exchange channel. CYBERCOM developed UNDER ADVISEMENT to share cyber threat Indicators of Compromise (IOC) with the private sector during the 2018 mid-term elections and has since expanded. Since being in effect for the past three years, CYBERCOM cites program successes to include info sharing after incidents like SolarWinds and Colonial Pipeline to illustrate how unified responses across the sectors could greatly reduce the impact of major cyber events.<a href="#_ftn1">[1]</a></p>
<p>See: <a href="https://redskyalliance.org/redshorts2020/solarwinds-fireeye-u-s-government">https://redskyalliance.org/redshorts2020/solarwinds-fireeye-u-s-government</a></p>
<p>See: <a href="https://redskyalliance.org/oillandgas/colonial-pipeline-company-hit">https://redskyalliance.org/oillandgas/colonial-pipeline-company-hit</a> </p>
<p>The program is seen as a mutually beneficial arrangement wherein CYBERCOM provides actionable threat indicators to partners while receiving industry data in return that it can use to enrich the command’s visibility and, by extension, its understanding of how threats target specific sectors. UNDER ADVISEMENT is similar to the National Security Agency’s Cybersecurity Collaboration Center and the Department of Homeland Security’s (DHS) Joint Cyber Defense Collaborative. Though specific metrics are not available to quantify and qualify what UNDER ADVISEMENT success looks like, the program is looking to expand its team of military and civilian experts to two dozen and to double its number of public-private partnerships in 2023. As one US senator acknowledged, UNDER ADVISEMENT, along with hunt-forward operations, “augment homeland and network defenses while also exposing adversary tactics.”</p>
<p>Regarding cybersecurity, advocates have consistently championed public-private partnerships as necessary for improving the resiliency of both sectors. In 2013, DHS published a strategy promoting the importance of information sharing to collective cybersecurity. This makes sense given the interconnectivity and integration between the two, and the fact that, in many cases, both are targeted by the same types of threat actors, if not the same actors themselves. Even though, on paper, such a relationship should reap benefits for all parties involved, this clarion call has been repeated for more than a decade, indicating a historical hesitancy to cooperate. One major impediment has been the over-classification of threat intelligence collected by the US government, which understandably has to walk a line between addressing the needs of the public and protecting operational considerations for continued intelligence value.</p>
<p>Another issue has centered on trust. A partnership based on trust requires confidence in both parties being transparent with one another and providing the types of information that are valid and useful in enhancing security procedures. When this does not occur, it immediately casts doubt on an already fragile relationship, calling into question the credibility of the information shared. For example, the DHS and the Federal Bureau of Investigation disseminated a 2017 joint advisory that provided IOCs that proved to be faulty, as many of the listed IP addresses listed as malicious in the report turned out to link back to harmless domains.</p>
<p>It is also difficult to “trust” a government entity when they have the authority to fine and disclose cyber events that could help hackers learn what attacks are the most effective.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/4-days-cyber-reporting">https://redskyalliance.org/xindustry/4-days-cyber-reporting</a></p>
<p>Another criticism of this relationship is that information tended to go one way, without the government reciprocating or providing equal information. This stigma has been so entrenched that “information sharing” has become a throw-away expression, a meaningless phrase meant to be something more than what was happening. The term even drew criticism from the former director of the Cybersecurity and Infrastructure Security Agency (CISA), who said he was “sick” of it and of its characterization as an end-all, be-all cybersecurity solution. Government officials now seek to rebrand the practice as “Operational Collaboration,” a term conveying voluntary interaction among equal parties. It also implies more active engagement than passing technical data back and forth, as evidenced by the various venues for such exchanges, such as InfraGard and the Information Sharing and Analysis Centers, to name a couple.</p>
<p>While the government worries about protecting its sources and methods, the private sector is concerned with protecting the information of its clients and customers. Notable incidents, such as social media platforms failing to safeguard customer data or collaborating with the government, place this data at risk, or at least potentially put sensitive information in the hands of another party without the knowledge of the individuals involved. The US government has also received unfavorable press recently concerning misuse and abuse of private data, adding the fear that shared data might fall victim to witting or unwitting malpractice. This heightens concerns, especially when government intelligence agencies are invited in as “Trusted Advisers.”</p>
<p>A productive and transparent public-private information-sharing collaborative is the backbone of achieving cyber resiliency, the goal for enhanced cybersecurity in today’s global cyber threat landscape. It is also the cornerstone of President Biden’s cybersecurity plans, which informed the United States National Cybersecurity Strategy and is being factored into the requirements of other cybersecurity initiatives that bolster critical infrastructure, such as supply chain security and incident reporting, among others. Critical industries benefit from knowing they are high-value intelligence targets for foreign actor cyber exploitation. It is logical to get the government involved, especially those agencies with advanced capabilities to track and neutralize these threats. But such acts cannot come at the expense of taking liberties with cooperation and running the risk of overreaching its authorities. This is an area where the government needs to spend time in assuring private sector partners and may be the biggest challenge in taking the public-private sector relationship to the next level.</p>
<p>Challenges only become obstacles when lessons learned are not applied to them. Fortunately, there are signs that the government is making strides to improve this situation. Advisories now provide IOCs and the relevant tactics, techniques, and procedures used by threat actors. They also provide guidance to identify the threats and to be better positioned to mitigate and respond to them. This is just one victory, but it does show how more information, not less or redacted information, directly impacts the defensive capabilities of industries under siege. The UNDER ADVISEMENT program has a real opportunity to continue to right the information-sharing ship if it continues to be implemented constructively. Expansion of the program needs to be done responsibly, where confidence is built through engagement with measurable milestones and periodic updates on what data was most helpful and how it was applied against hostile cyber activity. Because when it comes to information sharing, the government needs every industry and sector to convene around a table of equals, and by doing so, the country and its citizens will be the ones to benefit the most.</p>
<p>What would be better for all parties involved would be to avoid a cyber breach in the first place. Users of Red Sky Alliance’s RedXray targeted cyber threat notification service <a href="https://www.redskyalliance.com/redxray">https://www.redskyalliance.com/redxray</a> can be notified daily of any cyber threats that have not yet breached the target’s network. This threat file will be loaded into the target’s Security Information and Event Management (SIEM) and blocked/blacklisted from future attacks.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.oodaloop.com/archive/2023/08/10/the-future-of-cybersecurity-depends-on-public-private-partnership-will-we-get-it-right/">https://www.oodaloop.com/archive/2023/08/10/the-future-of-cybersecurity-depends-on-public-private-partnership-will-we-get-it-right/</a></p></div>MS Critical Patcheshttps://redskyalliance.org/xindustry/ms-critical-patches2023-08-10T16:30:00.000Z2023-08-10T16:30:00.000ZCyberDoghttps://redskyalliance.org/members/CyberDog189<div><p><a href="{{#staticFileLink}}12185081291,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12185081291,RESIZE_400x{{/staticFileLink}}" alt="12185081291?profile=RESIZE_400x" width="250" /></a>Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those with administrative user rights.<a href="#_ftn1">[1]</a></p>
<p><strong>THREAT INTELLIGENCE</strong>: Microsoft has reported that CVE-2023-38180 has been exploited in the wild.</p>
<p><strong>SYSTEMS AFFECTED:</strong></p>
<ul>
<li>.NET Core</li>
<li>.NET Framework</li>
<li>NET</li>
<li>Azure Arc</li>
<li>Azure DevOps</li>
<li>Azure HDInsights</li>
<li>Dynamics Business Central Control</li>
<li>Memory Integrity System Readiness Scan Tool</li>
<li>Microsoft Dynamics</li>
<li>Microsoft Edge (Chromium-based)</li>
<li>Microsoft Exchange Server</li>
<li>Microsoft Office</li>
<li>Microsoft Office Excel</li>
<li>Microsoft Office Outlook</li>
<li>Microsoft Office SharePoint</li>
<li>Microsoft Office Visio</li>
<li>Microsoft Teams</li>
<li>Microsoft WDAC OLE DB provider for SQL</li>
<li>Microsoft Windows Codecs Library</li>
<li>Reliability Analysis Metrics Calculation Engine</li>
<li>Role: Windows Hyper-V</li>
<li>SQL Server</li>
<li>Tablet Windows User Interface</li>
<li>Visual Studio</li>
<li>Windows Bluetooth A2DP driver</li>
<li>Windows Cloud Files Mini Filter Driver</li>
<li>Windows Common Log File System Driver</li>
<li>Windows Cryptographic Services</li>
<li>Windows Defender</li>
<li>Windows Fax and Scan Service</li>
<li>Windows Group Policy</li>
<li>Windows HTML Platform</li>
<li>Windows Kernel</li>
<li>Windows LDAP - Lightweight Directory Access Protocol</li>
<li>Windows Message Queuing</li>
<li>Windows Mobile Device Management</li>
<li>Windows Projected File System</li>
<li>Windows Reliability Analysis Metrics Calculation Engine</li>
<li>Windows Smart Card</li>
<li>Windows System Assessment Tool</li>
<li>Windows Wireless Wide Area Network Service</li>
</ul>
<p><strong>RISK</strong>:</p>
<ul>
<li><em><strong>Government:</strong></em> large and medium government entities - HIGH; small government - MEDIUM</li>
<li><em><strong>Businesses:</strong></em> large and medium business entities - N/A; small business entities - MEDIUM</li>
<li><em><strong>Home users:</strong></em> LOW</li>
</ul>
<p><strong>TECHNICAL SUMMARY:</strong> </p>
<p>Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution.</p>
<p>A full list of all vulnerabilities can be found at the link below:</p>
<p><a href="https://learn.cisecurity.org/e/799323/ate-guide-releaseNote-2023-Aug/4t42j7/1122918831?h=byM2G5-HzEeqkP3C-DU1lA2piK7suYMx4282CUts5uw">https://learn.cisecurity.org/e/799323/ate-guide-releaseNote-2023-Aug/4t42j7/1122918831?h=byM2G5-HzEeqkP3C-DU1lA2piK7suYMx4282CUts5uw</a></p>
<p>Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those with administrative user rights.</p>
<p><strong>RECOMMENDATIONS:</strong></p>
<p>CISA recommends the following actions be taken:</p>
<p>Apply appropriate patches or mitigations Microsoft provided to vulnerable systems immediately after appropriate testing. (M1051: Update Software)</p>
<ul>
<li>Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually or when significant enterprise changes could impact this Safeguard.</li>
<li>Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management monthly or more frequently.</li>
</ul>
<p>Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)</p>
<ul>
<li>Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include disabling default accounts or making them unusable.</li>
<li>Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities from the user's primary, non-privileged account, such as internet browsing, email, and productivity suite use.</li>
</ul>
<p>Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)</p>
<ul>
<li>Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data securely. Conduct training at hire and, at a minimum, annually. Review and update content annually or when significant enterprise changes could impact this Safeguard.</li>
<li>Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.</li>
</ul>
<p>Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, or API-call behavior. (M1040: Behavior Prevention on Endpoint)</p>
<ul>
<li>Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.</li>
<li>Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include an Endpoint Detection and Response (EDR) client or host-based IPS agent.</li>
</ul>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<ul>
<li><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.cisecurity.org/advisory/critical-patches-issued-for-microsoft-products-august-08-2023_2023-090">https://www.cisecurity.org/advisory/critical-patches-issued-for-microsoft-products-august-08-2023_2023-090</a></p></div>Truebothttps://redskyalliance.org/xindustry/truebot2023-07-11T16:00:00.000Z2023-07-11T16:00:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}12143866499,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12143866499,RESIZE_400x{{/staticFileLink}}" alt="12143866499?profile=RESIZE_400x" width="250" /></a>The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint cybersecurity advisory (CSA) regarding new Truebot malware variants that are being used against organizations in the United States and Canada.</p>
<p>Older versions of the Truebot malware variant were delivered via malicious phishing email attachments, the CSA explained.<a href="#_ftn1">[1]</a></p>
<p>But as recently as 31 May 2023, the organizations observed newer versions of the malware that allow cyber threat actors to gain initial access by exploiting a remote code execution vulnerability found in the Netwrix Auditor application (CVE-2022-31199). The exploitation of this vulnerability enables threat actors to deploy malware.</p>
<p>“Based on confirmation from open-source reporting and analytical findings of Truebot variants, the authoring organizations assess cyber threat actors are leveraging both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver new Truebot malware variants,” the CSA stated.</p>
<p>The authoring entities advised US and Canadian organizations to learn about Truebot malware indicators of compromise (IOCs) and implement security controls to protect against phishing. Cyber threat actors primarily use the Truebot malware variant for the purpose of exfiltrating data for financial gain.</p>
<p>In addition to increasing phishing awareness, the authoring organizations urged potential victims to apply patches for CVE-2022-31199 and update Netwrix Auditor to version 10.5. “Netwrix recommends using their Auditor application only on internally facing networks,” the CSA continued. “System owners that don't follow this recommendation, and use the application in externally facing instances, are at increased risk to having CVE-2022-31199 exploited on their systems.”</p>
<p>As always, applying reliable security controls will go a long way in reducing cyber risk. For example, organizations may consider implementing application controls to manage the execution of software, auditing user accounts, or disabling file and printer sharing services. </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://healthitsecurity.com/news/cisa-warns-of-truebot-activity-infecting-us-networks">https://healthitsecurity.com/news/cisa-warns-of-truebot-activity-infecting-us-networks</a></p></div>RU Ransomware Gang Breacheshttps://redskyalliance.org/xindustry/ru-ransomware-gang-breaches2023-06-27T12:00:00.000Z2023-06-27T12:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12127000067,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12127000067,RESIZE_400x{{/staticFileLink}}" width="250" alt="12127000067?profile=RESIZE_400x" /></a>The US Department of Energy and several other federal agencies were compromised in a Russian cyber-extortion gang’s global hack of a file-transfer program popular with corporations and governments. Still, the impact was not expected to be great, Homeland Security officials said on 15 June 2023. But for others, among what could be hundreds of victims from industry to higher education, including patrons of at least two state motor vehicle agencies, the hack was beginning to show some serious impacts.<a href="#_ftn1">[1]</a></p>
<p>Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), told reporters that unlike the meticulous, stealthy SolarWinds hacking campaign attributed to state-backed Russian intelligence agents, which was months in the making, this campaign was short, relatively superficial, and caught quickly. “Based on discussions we have had with industry partners … these intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems, or to steal specific high-value information—in sum, as we understand it, this attack is largely an opportunistic one,” Easterly said. “Although we are very concerned about this campaign and working on it urgently, this is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation’s networks,” she added.</p>
<p>A senior CISA official said neither the US military nor the intelligence community was affected. Energy Department spokesperson Chad Smith said two agency entities were compromised but did not provide more detail. Known victims to date include Louisiana’s Office of Motor Vehicles, Oregon’s Department of Transportation, the Nova Scotia provincial government, British Airways, the British Broadcasting Company, and the U.K. drugstore chain Boots. The exploited program, MOVEit, is widely used by businesses to share files securely. Security experts say that can include sensitive financial and insurance data.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/moveit-tech-talk">https://redskyalliance.org/xindustry/moveit-tech-talk</a></p>
<p>Louisiana officials said that people with a driver’s license or vehicle registration in the state likely had their personal information exposed. That included their name, address, Social Security number, and birthdate. They encouraged Louisiana residents to freeze their credit to guard against identity theft.</p>
<p>The Oregon Department of Transportation confirmed last week that the attackers accessed some sensitive personal information for about 3.5 million people to whom state-issued identity cards or driver’s licenses were issued.</p>
<p>The Cl0p ransomware syndicate behind the hack announced on its dark website that its victims, who it suggested numbered in the hundreds, had until 21 June 2023 to get in touch to negotiate a ransom or risk having sensitive stolen data dumped online. The gang, among the world’s most prolific cybercrime syndicates, also claimed it would delete any data stolen from governments, cities, and police departments.</p>
<p>The senior CISA official told reporters a “small number” of federal agencies were hit, declining to name them, and said, “This is not a widespread campaign affecting a large number of federal agencies.” The official, speaking on condition of anonymity to discuss the breach, said no federal agencies had received extortion demands, and no data from an affected federal agency had been leaked online by Cl0p. US officials “have no evidence to suggest coordination between Cl0p and the Russian government,” the official said.</p>
<p>The parent company of MOVEit’s US maker, Progress Software, alerted customers to the breach on 31 May 2023 and issued a patch. But cybersecurity researchers say scores, if not hundreds, of companies could have had sensitive data quietly exfiltrated by then. “At this point, we are seeing industry estimates of several hundred victims across the country,” the senior CISA official said. Federal officials encouraged victims to come forward, but they often don’t. The US lacks a federal data breach law, and disclosure of hacks varies by state. Publicly traded corporations, healthcare providers, and critical infrastructure purveyors have regulatory obligations.</p>
<p>Cybersecurity investigators detected 2,500 vulnerable MOVEit servers across 790 organizations, including 200 government agencies, but were not able to break down those agencies by country. The hackers were actively scanning for targets, penetrating them, and stealing data as far back as 29 March 2023.</p>
<p>According to federal contracting data, the Office of the Comptroller of the Currency in the Treasury Department uses MOVEit. Spokeswoman Stephanie Collins said the agency was aware of the hack and has been monitoring the situation closely. She said it was “conducting detailed forensic analysis of system activity and has not found any indications of a breach of sensitive information.” She would not say how the agency uses the file-transfer program.</p>
<p>This is far from the first time Cl0p (Clop) breached a file-transfer program to gain access to data it could use to extort companies. Other instances include GoAnywhere servers in early 2023 and Accellion File Transfer Application devices in 2020 and 2021.</p>
<p>The Associated Press emailed Cl0p asking what government agencies it had hacked. It did not receive a response, but the gang posted a new message on its dark web leak site: “We got a lot of emails about government data, we don’t have, it we have completely deleted this information, we, are only interested in business.”</p>
<p>Cybersecurity experts say the Cl0p criminals are not to be trusted to keep their word. Investigators following this cyber group are aware of at least three cases in which data stolen by ransomware crooks appeared on the dark web six to 10 months after victims paid a ransom. Cl0p ransomware is a variant of a previously known strain called CryptoMix. In 2019, Cl0p was delivered as the final payload of a phishing campaign associated with the financially motivated actor TA505. The threat actors would send phishing emails, leading to a macro-enabled document that would drop a loader named Get2. This loader can download tools this group uses, such as SDBot, FlawedAmmyy, or FlawedGrace. After the threat actors obtain the initial foothold on the system, they start employing reconnaissance, lateral movement, and exfiltration techniques to prepare for the ransomware deployment. SDBot has been observed delivering Cl0p as the final payload.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/a-russian-ransomware-gang-breaches-the-energy-department-and-other-federal-agencies/">https://www.securityweek.com/a-russian-ransomware-gang-breaches-the-energy-department-and-other-federal-agencies/</a></p></div>New #StopRansomware Guidehttps://redskyalliance.org/xindustry/new-stopransomware-guide2023-05-25T16:10:00.000Z2023-05-25T16:10:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}11147225465,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11147225465,RESIZE_400x{{/staticFileLink}}" alt="11147225465?profile=RESIZE_400x" width="250" /></a>On 23 May 2023, US authorities at CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide. Ransomware actors have accelerated their tactics and techniques since its initial release in 2020, and this guide is intended to help organizations prevent ransomware incidents. The update incorporates lessons learned from the past two years and includes additional recommended actions, resources, and tools to maximize its relevancy and effectiveness and to further help reduce the prevalence and impacts of ransomware.<a href="#_ftn1">[1]</a></p>
<table width="100%">
<tbody>
<tr>
<td>
<p><strong>This guide was developed through the US Joint Ransomware Task Force (JRTF).</strong></p>
<p><em>The JRTF, co-chaired by CISA and FBI, is an interagency, collaborative effort to combat the growing threat of ransomware attacks. The JRTF was launched in response to a series of high-profile ransomware attacks on US critical infrastructure and government agencies.</em></p>
<p><em>The JRTF:</em></p>
<ul>
<li><em>Coordinates and streamlines the US Government's response to ransomware attacks and facilitates information sharing and collaboration between government agencies and private sector partners.</em></li>
<li><em>Ensures operational coordination for activities such as developing and sharing best practices for preventing and responding to ransomware attacks, conducting joint investigations and operations against ransomware threat actors, and providing guidance and resources to organizations that have been victimized by ransomware.</em></li>
<li><em>Represents a significant step forward in enabling unity of effort across the US Government's efforts to address the growing threat of ransomware attacks.</em></li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>The #StopRansomware Guide<a href="#_ftn2">[2]</a> serves as a one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks. The authoring organizations recommend that entities review this joint guide to prepare and protect their facilities, personnel, and customers from the impacts of ransomware and data exfiltration. For more information and to access the latest resources about how to stop ransomware, please visit stopransomware.gov.</p>
<p>This joint guide was developed through the Joint Ransomware Task Force (JRTF), an interagency collaborative effort to reduce the prevalence and impact of ransomware attacks. JRTF was established by Congress in 2022 and is co-chaired by CISA and FBI. For additional information about the JRTF, please visit CISA's newly launched Joint Ransomware Task Force (JRTF) webpage.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.cisa.gov/news-events/alerts/2023/05/23/cisa-and-partners-update-stopransomware-guide-developed-through-joint-ransomware-task-force-jrtf">https://www.cisa.gov/news-events/alerts/2023/05/23/cisa-and-partners-update-stopransomware-guide-developed-through-joint-ransomware-task-force-jrtf</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.cisa.gov/resources-tools/resources/stopransomware-guide">https://www.cisa.gov/resources-tools/resources/stopransomware-guide</a></p></div>Critical MS Patcheshttps://redskyalliance.org/xindustry/critical-ms-patches2023-05-24T16:00:00.000Z2023-05-24T16:00:00.000ZCyberDoghttps://redskyalliance.org/members/CyberDog189<div><p><a href="{{#staticFileLink}}11137467285,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11137467285,RESIZE_400x{{/staticFileLink}}" alt="11137467285?profile=RESIZE_400x" width="250" /></a>Multiple vulnerabilities have been recently discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those with administrative user rights.<a href="#_ftn1">[1]</a></p>
<p><strong>THREAT INTELLIGENCE:</strong></p>
<p>Microsoft reported that there are three zero-day vulnerabilities addressed in this advisory. Two vulnerabilities (CVE-2023-29336 and CVE-2023-24932) are reported to have been exploited in attacks in the wild. The third vulnerability (CVE-2023-29325) has been publicly disclosed.</p>
<ul>
<li>CVE-2023-29336: a Win32k Elevation of Privilege vulnerability that could allow an attacker to gain SYSTEM privileges, the highest user privilege level in Windows.</li>
<li>CVE-2023-24932: a Secure Boot Security Feature Bypass vulnerability that could allow an attacker with physical access or administrative rights on a target device to install UEFI boot kits.</li>
<li>CVE-2023-29325: a Windows OLE Remote Code Execution vulnerability that could allow attackers to execute code on a victim's machine using specially crafted emails.</li>
</ul>
<p><strong>SYSTEMS AFFECTED:</strong></p>
<ul>
<li>Microsoft Bluetooth Driver</li>
<li>Microsoft Edge (Chromium-based)</li>
<li>Microsoft Graphics Component</li>
<li>Microsoft Office Access</li>
<li>Microsoft Office Excel</li>
<li>Microsoft Office SharePoint</li>
<li>Microsoft Office Word</li>
<li>Microsoft Teams</li>
<li>Microsoft Windows Codecs Library</li>
<li>Reliable Multicast Transport Driver (RMCAST)</li>
<li>Remote Desktop Client</li>
<li>SysInternals</li>
<li>Visual Studio Code</li>
<li>Windows Backup Engine</li>
<li>Windows Installer</li>
<li>Windows iSCSI Target Service</li>
<li>Windows Kernel</li>
<li>Windows LDAP - Lightweight Directory Access Protocol</li>
<li>Windows MSHTML Platform</li>
<li>Windows Network File System</li>
<li>Windows NFS Portmapper</li>
<li>Windows NTLM</li>
<li>Windows OLE</li>
<li>Windows RDP Client</li>
<li>Windows Remote Procedure Call Runtime</li>
<li>Windows Secure Boot</li>
<li>Windows Secure Socket Tunneling Protocol (SSTP)</li>
<li>Windows SMB</li>
<li>Windows Win32K</li>
</ul>
<p><strong>RISK:</strong></p>
<p><em><strong>Government:</strong></em></p>
<p>Large and medium government entities - HIGH<br /> Small government - MEDIUM</p>
<p><em><strong>Businesses:</strong></em></p>
<p>Large and medium business entities - HIGH<br /> Small business entities - MEDIUM</p>
<p>Home Users: LOW</p>
<p><strong>TECHNICAL SUMMARY:</strong></p>
<p>Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution.</p>
<p>A full list of all vulnerabilities can be found at the link below:</p>
<p><a href="https://learn.cisecurity.org/e/799323/update-guide/4sxgq4/935735820?h=hOcA4oUX9zGesPyIcAjkaUogirUGDLJTTsjNCMeR2vI">https://learn.cisecurity.org/e/799323/update-guide/4sxgq4/935735820?h=hOcA4oUX9zGesPyIcAjkaUogirUGDLJTTsjNCMeR2vI</a></p>
<p>Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those with administrative user rights.</p>
<p><strong>RECOMMENDATIONS:</strong></p>
<p><em><strong>CISA recommends the following actions be taken:</strong></em></p>
<p>Apply appropriate patches or mitigations Microsoft provided to vulnerable systems immediately after appropriate testing. (M1051: Update Software)</p>
<ul>
<li>Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually or when significant enterprise changes could impact this Safeguard.</li>
<li>Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management monthly or more frequently.</li>
</ul>
<p>Apply the Principle of Least Privilege to all systems and services and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)</p>
<ul>
<li>Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include disabling default accounts or making them unusable.</li>
<li>Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities from the user's primary, non-privileged account, such as internet browsing, email, and productivity suite use.</li>
</ul>
<p>Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)</p>
<ul>
<li>Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. A security awareness program aims to educate the enterprise’s workforce on how to interact with enterprise assets and data securely. Conduct training at hire and, at a minimum, annually. Review and update content annually or when significant enterprise changes could impact this Safeguard.</li>
<li>Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.</li>
</ul>
<p>Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, or API-call behavior. (M1040: Behavior Prevention on Endpoint)</p>
<ul>
<li>Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.</li>
<li>Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include an Endpoint Detection and Response (EDR) client or host-based IPS agent.</li>
</ul>
<p><strong>REFERENCES:</strong></p>
<p>BleepingComputer</p>
<p><a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2023-patch-tuesday-fixes-3-zero-days-38-flaws/">https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2023-patch-tuesday-fixes-3-zero-days-38-flaws/</a></p>
<p>Microsoft</p>
<p><a href="https://msrc.microsoft.com/update-guide">https://msrc.microsoft.com/update-guide</a></p>
<p><a href="https://msrc.microsoft.com/update-guide/releaseNote/2023-May">https://msrc.microsoft.com/update-guide/releaseNote/2023-May</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.cisecurity.org/advisory/critical-patches-issued-for-microsoft-products-may-9-2023_2023-048">https://www.cisecurity.org/advisory/critical-patches-issued-for-microsoft-products-may-9-2023_2023-048</a></p></div>21st Century Five Eyeshttps://redskyalliance.org/xindustry/21st-century-five-eyes2023-05-03T16:00:00.000Z2023-05-03T16:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}11038596256,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11038596256,RESIZE_400x{{/staticFileLink}}" width="250" alt="11038596256?profile=RESIZE_400x" /></a>The Five Eyes agencies recently issued cybersecurity guidance and best practices for smart cities. The document describes potential risks and provides recommendations for addressing them. Readers who do not follow the novels of Tom Clancy and John le Carré may not be familiar with the Five Eyes: the intelligence agencies of the US, Canada, Britain, Australia, and New Zealand, which share intelligence among themselves.<a href="#_ftn1">[1]</a></p>
<p>Smart cities integrate Information and Communication Technologies (ICT), community-wide data, and intelligent solutions to optimize governance and communities, connecting the Operational Technology (OT) that manages physical infrastructure with IoT devices, cloud computing, AI, and 5G communications.</p>
<p>Smart cities provide numerous benefits for authorities and citizens. Still, the associated cybersecurity risks should not be ignored as they can be an attractive target for threat actors, profit-driven cybercriminals, and state-sponsored threat actors looking to obtain valuable information or cause disruption or destruction. The cybersecurity guidance for smart cities is provided by US agencies CISA, NSA, and FBI, the UK’s National Cyber Security Centre, Canada’s Centre for Cyber Security, the Australian Cyber Security Centre, and New Zealand’s National Cyber Security Centre.</p>
<p>One of the risks associated with smart cities is the expanded and interconnected attack surface created when previously separate systems are integrated into a single network. This enables an attacker who has gained initial access to the network to move laterally and cause cascading, cross-sector disruptions of infrastructure operations. “For example, malicious actors accessing a local government IoT sensor network might be able to obtain lateral access into emergency alert systems if the systems are interconnected,” the agencies explained.</p>
<p>Another risk comes from the ICT supply chain and the vendors that provide hardware and software. Threat actors can abuse supply chain vulnerabilities to steal valuable data, cause disruption, or weaken confidence in the integrity of systems. “Illicit access gained through a vulnerable ICT supply chain could allow the degradation or disruption of infrastructure operations and the compromise or theft of sensitive data from utility operations, emergency service communications, or visual surveillance technologies. Smart city IT vendors may also have access to vast amounts of sensitive data from multiple communities to support integrating infrastructure services, including sensitive government information and Personally Identifiable Information (PII), which would be an attractive target for malicious actors,” the agencies said.</p>
<p>Another major risk category is related to the automation of infrastructure operations, such as traffic and wastewater management. This automation can introduce new vulnerabilities, and the volume of data and the complexity of automation can lead to reduced visibility. To address these risks, owners should keep track of the individuals and vendors responsible for the overall system and each segment, ensuring no ambiguity regarding roles and responsibilities to avoid degrading cybersecurity posture and incident response capabilities.</p>
<p>When it comes to supply chains and vendors, they should be carefully vetted, and risks should be assessed. “This includes scrutinizing vendors from nation-states associated with cyberattacks or those subject to national legislation requiring them to hand over data to foreign intelligence services,” the agencies said.</p>
<p>Specific recommendations described in the guidance include applying the least privilege principle and implementing a zero-trust architecture, enforcing multi-factor authentication, securely managing assets, improving the security of devices, protecting Internet-exposed systems, patching systems, conducting training, and developing and exercising incident response and recovery plans.</p>
<p>The Five Eyes guidance summarizes the recommendations for securing smart cities and includes links to numerous useful resources provided by various government agencies.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a><br />Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a><br />LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> <br />Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/five-eyes-agencies-issue-cybersecurity-guidance-for-smart-cities/">https://www.securityweek.com/five-eyes-agencies-issue-cybersecurity-guidance-for-smart-cities/</a></p></div>More than just $$$$https://redskyalliance.org/xindustry/more-than-just2023-04-26T12:40:00.000Z2023-04-26T12:40:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}11031054063,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11031054063,RESIZE_400x{{/staticFileLink}}" alt="11031054063?profile=RESIZE_400x" width="250" /></a>It is a worrying fact that, while digital technology is transforming both our personal lives and our interactions with companies and government, it is also making us increasingly susceptible to fraud and other crimes. According to the US Cybersecurity and Infrastructure Security Defense Agency, 47% of American adults have had their information exposed online by cyber criminals. There is no reason to suspect that the picture is much different elsewhere. Even those organizations that might be expected to be alive to the threats are not immune. Earlier this month, Capita, an outsourcing company with UK government contracts worth more than $8 billion, admitted it had been infiltrated by what are thought to be Russian cyber criminals.<a href="#_ftn1">[1]</a></p>
<p>The figures from the US Cybersecurity and Infrastructure Security Defense Agency are quoted in a report out today from RiskOptics, a US company formerly known as Reciprocity that helps businesses manage information and cyber risk. As the report points out, the increasing number of attacks is leading organizations to spend ever more on trying to prevent them and dealing with the aftermath. The topic has become a critical issue for boardrooms around the world. Yet, despite this renewed focus, “business leaders still don’t have a firm grasp on how cyber risk can impact different business initiatives — or that it could be used as a strategic asset and core business differentiator,” it adds.</p>
<p>This latter point was explained by the CEO and chief product officer at RiskOptics in an interview shortly before the report was released. Hitherto, he said, dealing with risk had been seen largely as a matter of compliance. Indeed, Reciprocity made its name with a product, ZenGRC, that helped internal audit, compliance, and information security teams manage and implement appropriate processes. But the company had latterly decided to focus on developing a different view of risk and therefore understanding it better; hence the name change to RiskOptics. “It stops security people just saying ‘No’ to everything,” he said. Stressing that an organization could never be 100% secure, he added that it was better to do a quantitative analysis of risks and benefits. The advantage of this was that, instead of just throwing ever more resources at the problem — and the report shows that IT teams are already overstretched to the point that there are serious shortages of personnel — senior executives could focus on the threats and vulnerabilities of particular parts of the business and perhaps see opportunities.</p>
<p>The need for all executives to accept the importance of cybersecurity, rather than leaving it to the IT specialists, is also stressed by Rapid7, a leader in detecting cyber risks and threats. In an interview earlier this month, its spokesman echoed other experts’ view of the futility of increasing budgets to keep pace with the escalating incidence of security breaches. He said there were two underlying issues: the effectiveness of cybersecurity measures and the ability of organizations to operationalize such measures. The issue, he said, had three elements: technology, people, and processes. The last was “the glue” that made the system work; if it was tracked and maintained properly, it would be easier to identify the technology and people risks.</p>
<p>He made two key recommendations. The first was that board members had to be more prepared to ask questions about cybersecurity, so that they understood not just how much was being spent but also how effective the systems in place were. The second was to re-examine the role of the chief information security officer. The post was increasingly common but was often taken up by people from technological backgrounds. An understanding of the technology was clearly crucial, but to be effective the CISO needed “a multitude of qualities,” analysts added. Pointing out that they should share some of the attributes of an effective chief operating officer, he said they needed to be able to lead transformational change and, in the event of a breach, to identify which parts of the business would be worst affected.</p>
<p>Given the devastating effects that cyber-attacks can have on organizations and their reputations, it is inevitable that there is an increasingly crowded and confusing field of companies offering security solutions. One approach being pioneered by Illumio, a 10-year-old US company based in California, is “zero trust segmentation.” Running slightly counter to the vogue for flat hierarchies with free-flowing information, the idea is that when breaches occur, they are contained and so do not become serious threats to the whole organization. Unsurprisingly, many of the company’s early adopters were banks. But, as businesses and governments recognized that cyber risks were “existential” and as serious as financial risks, all sorts of other organizations became interested, said CEO Andrew Rubin in a recent interview.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.forbes.com/sites/rogertrapp/2023/04/18/combatting-cyber-attacks-requires-more-than-just-money/">https://www.forbes.com/sites/rogertrapp/2023/04/18/combatting-cyber-attacks-requires-more-than-just-money/</a></p></div>CISA Warns of 5 Actively Exploited Security Flawshttps://redskyalliance.org/xindustry/cisa-warns-of-5-actively-exploited-security-flaws2023-04-18T13:00:52.000Z2023-04-18T13:00:52.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}11029684500,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11029684500,RESIZE_400x{{/staticFileLink}}" width="250" alt="11029684500?profile=RESIZE_400x" /></a>The US Cybersecurity and Infrastructure Security Agency (CISA), on 07 April 2023 added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. This includes three high-severity flaws in the Veritas Backup Exec Agent software (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) that could lead to the execution of privileged commands on the underlying system. The flaws were fixed in a patch released by Veritas in March 2021.</p>
<ul>
<li>CVE-2021-27876 (CVSS score: 8.1) - Veritas Backup Exec Agent File Access Vulnerability</li>
<li>CVE-2021-27877 (CVSS score: 8.2) - Veritas Backup Exec Agent Improper Authentication Vulnerability</li>
<li>CVE-2021-27878 (CVSS score: 8.8) - Veritas Backup Exec Agent Command Execution Vulnerability</li>
</ul>
<p>In a recent report, researchers revealed that an affiliate associated with the BlackCat (aka ALPHV and Noberus) ransomware operation targets publicly exposed Veritas Backup Exec installations to gain initial access by leveraging the aforementioned three bugs.<a href="#_ftn1">[1]</a></p>
<p>See: <a href="https://redskyalliance.org/xindustry/blackcat-is-no-nice-kitty">https://redskyalliance.org/xindustry/blackcat-is-no-nice-kitty</a></p>
<p>The cyber threat investigators, who track the affiliate actor under the uncategorized name UNC4466, said they first observed exploitation of the flaws on 22 October 2022.</p>
<p>In one incident, UNC4466 gained access to an internet-exposed Windows server and then carried out a series of actions that allowed the attacker to deploy the Rust-based ransomware payload, but not before conducting reconnaissance, escalating privileges, and disabling Microsoft Defender's real-time monitoring capability.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/ficker-stealer-debuts-rust">https://redskyalliance.org/xindustry/ficker-stealer-debuts-rust</a></p>
<p>Also added by CISA to the KEV catalog is CVE-2019-1388 (CVSS score: 7.8), a privilege escalation flaw impacting Microsoft Windows Certificate Dialog that could be exploited to run processes with elevated permissions on an already compromised host.</p>
<p>The fifth vulnerability included in the list is an information disclosure flaw in Arm Mali GPU Kernel Driver (CVE-2023-26083) that was revealed by Google's Threat Analysis Group (TAG) in March 2023 as abused by an unnamed spyware vendor as part of an exploit chain to break into Samsung's Android smartphones.</p>
<p>Federal Civilian Executive Branch (FCEB) agencies have until 28 April 2023 to apply the patches to secure their networks against potential threats.</p>
<p>The advisory also comes as Apple released updates for iOS, iPadOS, macOS, and Safari web browsers to address zero-day flaws (CVE-2023-28205 and CVE-2023-28206) that it said have been exploited in real-world attacks.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2023/04/cisa-warns-of-5-actively-exploited.html">https://thehackernews.com/2023/04/cisa-warns-of-5-actively-exploited.html</a></p></div>