The Cybersecurity and Infrastructure Security Agency (CISA) has released Emergency Directive (ED) 20-04 addressing a critical vulnerability— CVE-2020-1472—affecting Microsoft Windows Netlogon Remote Protocol. An unauthenticated attacker with network access to a domain controller could exploit this vulnerability to compromise all Active Directory identity services.
Earlier this month, exploit code for this vulnerability was publicly released. Given the nature of the exploit and documented adversary behavior, CISA assumes active exploitation of this vulnerability is occurring in the wild.
ED 20-04 applies to Executive Branch departments and agencies; however, CISA strongly recommends state and local governments, the private sector, and others patch this critical vulnerability as soon as possible. Review the following resources for more information:
- CISA Emergency Directive 20-04: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday
- CERT/CC Vulnerability Note [VU#490028]
- Microsoft Security Vulnerability Information for CVE-2020-1472
- Microsoft’s guidance on How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472
CERT/CC Releases Information on Critical Vulnerability in Microsoft Windows Netlogon Remote Protocol
The CERT Coordination Center (CERT/CC) has released information on CVE-2020-1472, a vulnerability affecting Microsoft Windows Netlogon Remote Protocol. An unauthenticated attacker could exploit this vulnerability to obtain Active Directory domain administrator access. Although Microsoft provided patches for CVE-2020-1472 in August 2020, unpatched systems will be an attractive target for malicious actors.
The Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review the following resources and apply the necessary updates and workaround.
- CERT/CC Vulnerability Note VU#490028
- Microsoft’s Security Advisory for CVE-2020-1472
- Microsoft’s guidance on How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472
Drupal has released security updates to address vulnerabilities in Drupal 7.x, 8.8.x, 8.9.x, and 9.0.x. An attacker could exploit some of these vulnerabilities to obtain sensitive information or leverage the way HTML is rendered.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Drupal security updates and apply the necessary updates:
Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates:
Adobe has released a security update to address vulnerabilities in Media Encoder. An attacker could exploit these vulnerabilities to obtain sensitive information.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Adobe Security Bulletin and apply the necessary update.
This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.
This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions from the Federal Bureau of Investigation (FBI). CISA and FBI are aware of an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. Analysis of the threat actor’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names, Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence.
This Advisory provides the threat actor’s TTPs, IOCs, and exploited CVEs to help administrators and network defenders identify a potential compromise of their network and protect their organization from future attacks.
Click here for a PDF version of this report.Technical Details
CISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States. The threat actor conducts mass-scanning and uses tools, such as Nmap, to identify open ports. Once the open ports are identified, the threat actor exploits CVEs related to VPN infrastructure to gain initial access to a targeted network. CISA and the FBI have observed the threat actor exploiting multiple CVEs, including CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902.
After gaining initial access to a targeted network, the threat actor obtains administrator-level credentials and installs web shells allowing further entrenchment. After establishing a foothold, the threat actor’s goals appear to be maintaining persistence and exfiltrating data. This threat actor has been observed selling access to compromised network infrastructure in an online hacker forum. Industry reporting indicates that the threat actor operates as a contractor supporting Iranian government interests, but the malicious activity appears to also serve the threat actor’s own financial interests. The FBI notes this threat actor has the capability, and likely the intent, to deploy ransomware on victim networks.
CISA and FBI have observed this Iran-based threat actor relying on exploits of remote external services on internet-facing assets to gain initial access to victim networks. The threat actor also relies heavily on open-source and operating system (OS) tooling to conduct operations, such as ngrok; fast reverse proxy (FRP); Lightweight Directory Access Protocol (LDAP) directory browser; as well as web shells known as ChunkyTuna, Tiny, and China Chopper.
Table 1 illustrates some of the common tools this threat actor has used.
Table 1: Common exploit tools
ChunkyTuna web shellChunkyTuna allows for chunked transfer encoding hypertext transfer protocol (HTTP) that tunnels Transmission Control Protocol (TCP) streams over HTTP. The web shell allows for reverse connections to a server with the intent to exfiltrate data.
Tiny web shellTiny uses Hypertext Preprocessor (PHP) to create a backdoor. It has the capability to allow a threat actor remote access to the system and can also tunnel or route traffic.
China Chopper web shellChina Chopper is a web shell hosted on a web server and is mainly used for web application attacks; it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords. FRPC FRPC is a modified version of the open-source FRP tool. It allows a system—inside a router or firewall providing Network Address Translation—to provide network access to systems/operators located outside of the victim network. In this case, FRPC was used as reverse proxy, tunneling Remote Desktop Protocol (RDP) over Transport Layer Security (TLS), giving the threat actor primary persistence. Chisel Chisel is a fast TCP tunnel over HTTP and secured via Secure Shell (SSH). It is a single executable that includes both client and server. The tool is useful for passing through firewalls, but it can also be used to provide a secure form of communication to an endpoint on a victim network. ngrok ngrok is a tool used to expose a local port to the internet. Optionally, tunnels can be secured with TLS. Nmap Nmap is used for vulnerability scanning and network discovery. Angry IP Scanner Angry IP Scanner is a scanner that can ping a range of Internet Protocol (IP) addresses to check if they are active and can also resolve hostnames, scan ports, etc. Drupwn Drupwn is a Python-based tool used to scan for vulnerabilities and exploit CVEs in Drupal devices.
Notable means of detecting this threat actor:
- CISA and the FBI note that this group makes significant use of ngrok, which may appear as TCP port 443 connections to external cloud-based infrastructure.
- The threat actor uses FRPC over port 7557.
- Malware Analysis Report MAR-10297887-1.v1 details some of the tools this threat actor used against some victims.
The following file paths can be used to detect Tiny web shell, ChunkyTuna web shell, or Chisel if a network has been compromised by this attacker exploiting CVE-2019-19781.
- Tiny web shell
- ChunkyTuna web shell
/var/nstmp/chiselMITRE ATT&CK Framework Initial Access
As indicated in table 2, the threat actor primarily gained initial access by using the publicly available exploit for CVE-2019-19781. From there, the threat actor used the Citrix environment to establish a presence on an internal network server.
Table 2: Initial access techniques
After gaining initial access, the threat actor began executing scripts, as shown in table 3.
Table 3: Execution techniques
CISA observed the threat actor using the techniques identified in table 4 to establish persistence.
Table 4: Persistence techniques
CISA observed no evidence of direct privilege escalation. The threat actor attained domain administrator credentials on the NetScaler device via exploit and continued to expand credential access on the network.Defense Evasion
CISA observed the threat actor using the techniques identified in table 5 to evade detection.
Table 5: Defensive evasion techniques
CISA observed the threat actor using the techniques identified in table 6 to further their credential access.
Table 6: Credential access techniques
CISA observed the threat actor using the techniques identified in table 7 to learn more about the victim environments.
Table 7: Discovery techniques
CISA also observed the threat actor using open-source tools such as Plink and TightVNC for lateral movement. CISA observed the threat actor using the techniques identified in table 8 for lateral movement within the victim environment.
Table 8: Lateral movement techniques
CISA observed the threat actor using the techniques identified in table 9 for collection within the victim environment.
Table 9: Collection techniques
CISA observed the threat actor using the techniques identified in table 10 for command and control (C2).
Table 10: Command and control techniques
CISA currently has no evidence of data exfiltration from this threat actor but assesses that it was likely due to the use of 7-Zip and viewing of sensitive documents.MitigationsRecommendations
CISA and FBI recommend implementing the following recommendations.
- If your organization has not patched for the Citrix CVE-2019-19781 vulnerability, and a compromise is suspected, follow the recommendations in CISA Alert AA20-031A.
- This threat actor has been observed targeting other CVEs mentioned in this report; follow the recommendations in the CISA resources provided below.
- If using Windows Active Directory and compromise is suspected, conduct remediation of the compromised Windows Active Directory forest.
- If compromised, rebuild/reimage compromised NetScaler devices.
- Routinely audit configuration and patch management programs.
- Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).
- Implement multi-factor authentication, especially for privileged accounts.
- Use separate administrative accounts on separate administration workstations.
- Implement the principle of least privilege on data access.
- Secure RDP and other remote access solutions using multifactor authentication and “jump boxes” for access.
- Deploy endpoint defense tools on all endpoints; ensure they work and are up to date.
- Keep software up to date.
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at firstname.lastname@example.org.Resources
CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781
CISA Alert AA20-073A: Enterprise VPN Security
CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching
CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902
CISA Security Tip: Securing Network Infrastructure Devices
- September 15, 2020: Initial Version
The Cybersecurity Security and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory on an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. This Advisory analyzes the threat actor’s indicators of compromise (IOCs); and tactics, techniques, and procedures (TTPs); and exploited Common Vulnerabilities and Exposures (CVEs).
CISA encourages users and administrators to review the following resources for more information.
- Joint Cybersecurity Advisory: Iran-Based Threat Actor Exploits VPN Vulnerabilities
- MAR-10297887-1.v1: Iranian Web Shells
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of publicly available exploit code for CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. Although Microsoft provided patches for CVE-2020-1472 in August 2020, unpatched systems will be an attractive target for malicious actors. Attackers could exploit this vulnerability to obtain domain administrator access.
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have issued an advisory about Chinese Ministry of State Security (MSS)-affiliated cyber threat actors targeting U.S. government agencies. Through the National Cybersecurity Protection System, CISA has observed Chinese MSS-affiliated cyber threat actors operating from the People’s Republic of China using commercially available information sources and open-source exploitation tools.
CISA leveraged the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) and Pre-ATT&CK frameworks to characterize the tactics, techniques, and procedures (TTPs) used by Chinese MSS-affiliated actors. CISA encourages users and administrators to review the joint cybersecurity advisory and CISA's Chinese Malicious Cyber Activity page for more information.
The Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. Government agencies. CISA has observed these—and other threat actors with varying degrees of skill—routinely using open-source information to plan and execute cyber operations. CISA leveraged the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) and Pre-ATT&CK frameworks to characterize the TTPs used by Chinese MSS-affiliated actors. This product was written by CISA with contributions by the Federal Bureau of Investigation (FBI).Key Takeaways
- Chinese MSS-affiliated cyber threat actors use open-source information to plan and conduct cyber operations.
- Chinese MSS-affiliated cyber threat actors use readily available exploits and exploit toolkits to quickly engage target networks.
- Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks.
- If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.
- This Advisory identifies some of the more common—yet most effective—TTPs employed by cyber threat actors, including Chinese MSS-affiliated cyber threat actors.
Click here for a PDF version of this report.Technical Details
Through the operation of the National Cybersecurity Protection System (NCPS) and by fulfilling its mission as the national risk advisor, CISA has observed Chinese MSS-affiliated cyber threat actors operating from the People’s Republic of China using commercially available information sources and open-source exploitation tools to target U.S. Government agency networks.
According to a recent U.S. Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries—including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense—in a campaign that lasted over ten years. These hackers acted for both their own personal gain and the benefit of the Chinese MSS.
According to the indictment,
To conceal the theft of information from victim networks and otherwise evade detection, the defendants typically packaged victim data in encrypted Roshal Archive Compressed files (RAR files), changed RAR file and victim documents’ names and extensions (e.g., from “.rar” to “.jpg”) and system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks’ “recycle bins.” The defendants frequently returned to re-victimize companies, government entities, and organizations from which they had previously stolen data, in some cases years after the initial successful data theft. In several instances, however, the defendants were unsuccessful in this regard, due to the efforts of the FBI and network defenders.
The continued use of open-source tools by Chinese MSS-affiliated cyber threat actors highlights that adversaries can use relatively low-complexity capabilities to identify and exploit target networks. In most cases, cyber operations are successful because misconfigurations and immature patch management programs allow actors to plan and execute attacks using existing vulnerabilities and known exploits. Widespread implementation of robust configuration and patch management programs would greatly increase network security. It would also reduce the speed and frequency of opportunistic attacks by forcing threat actors to dedicate time and funding to research unknown vulnerabilities and develop custom exploitation tools.MITRE PRE-ATT&CK® Framework for Analysis
In the last 12 months, CISA analysts have routinely observed Chinese MSS-affiliated actors using the following PRE-ATT&CK® Framework TTPs.Target Selection and Technical Information Gathering
Target Selection [TA0014] is a critical part of cyber operations. While cyber threat actors’ motivations and intents are often unknown, they often make their selections based on the target network’s security posture. Threat actors can use information sources such as Shodan, the Common Vulnerabilities and Exposure (CVE) database, and the National Vulnerabilities Database (NVD).
- Shodan is an internet search engine that can be used to identify vulnerable devices connected to the internet. Shodan queries can also be customized to discover specific vulnerabilities on devices, which enables sophisticated cyber threat actors to use relatively unsophisticated techniques to execute opportunistic attacks on susceptible targets.
- The CVE database and the NVD contain detailed information about vulnerabilities in applications, appliances, and operating systems that can be exploited by cyber threat actors if they remain unpatched. These sources also provide risk assessments if any of the recorded vulnerabilities are successfully exploited.
These information sources have legitimate uses for network defense. CISA analysts are able to identify Federal Government systems that may be susceptible to exploitation attempts by using Shodan, the CVE database, and the NVD to enrich NCPS information. Unlike threat actors, CISA takes the necessary actions to notify network owners of their exposure in order to prevent an impending intrusion or quickly identify intrusions as they occur.
While using these data sources, CISA analysts have observed a correlation between the public release of a vulnerability and targeted scanning of systems identified as being vulnerable. This correlation suggests that cyber threat actors also rely on Shodan, the CVE database, the NVD, and other open-source information to identify targets of opportunity and plan cyber operations. Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits. These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.
CISA has observed Chinese MSS-affiliated actors using the techniques in table 1 to gather technical information to enable cyber operations against Federal Government networks (Technical Information Gathering [TA0015]).
Table 1: Technical information gathering techniques observed by CISAMITRE ID Name Observation T1245 Determine Approach/Attack Vector The threat actors narrowed the attack vectors to relatively recent vulnerability disclosures with open-source exploits. T1247 Acquire Open Source Intelligence (OSINT) Data Sets and Information CISA observed activity from network proxy service Internet Protocol (IP) addresses to three Federal Government webpages. This activity appeared to enable information gathering activities. T1254 Conduct Active Scanning CISA analysts reviewed the network activity of known threat actor IP addresses and found evidence of reconnaissance activity involving virtual security devices. Technical Weakness Identification
CISA analysts consistently observe targeting, scanning, and probing of significant vulnerabilities within days of their emergence and disclosure. This targeting, scanning, and probing frequently leads to compromises at the hands of sophisticated cyber threat actors. In some cases, cyber threat actors have used the same vulnerabilities to compromise multiple organizations across many sectors. Organizations do not appear to be mitigating known vulnerabilities as quickly as cyber threat actors are exploiting them. CISA recently released an alert that highlighted the top 10 vulnerabilities routinely exploited by sophisticated foreign cyber threat actors from 2016 to 2019.
Additionally, table 2 provides a list of notable compromises by Chinese MSS-affiliated actors within the past 12 months.
Table 2: Significant CVEs targeted by Chinese MSS-affiliated actors in the last 12 monthsVulnerability Observations CVE-2020-5902: F5 Big-IP Vulnerability CISA has conducted incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2020-5902. This is a vulnerability in F5’s Big-IP Traffic Management User Interface that allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code. CVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances CISA has observed the threat actors attempting to discover vulnerable Citrix VPN Appliances. CVE-2019-19781 enabled the actors to execute directory traversal attacks. CVE-2019-11510: Pulse Secure VPN Servers CISA has conducted multiple incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2019-11510—an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances—to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance. CVE-2020-0688: Microsoft Exchange Server CISA has observed the actors exploiting CVE-2020-0688 for remote code execution to enable email collection of targeted networks.
Additionally, CISA has observed Chinese MSS-affiliated actors using the techniques listed in table 3 to identify technical weaknesses in Federal Government networks (Technical Weakness Identification [TA0018]).
Table 3: Technical weakness identification techniques observed by CISAMITRE ID Name Observation T1288 Analyze Architecture and Configuration Posture CISA observed the cyber actors scanning a Federal Government agency for vulnerable web servers. CISA also observed the threat actors scanning for known vulnerable network appliance CVE-2019-11510. T1291 Research Relevant Vulnerabilities CISA has observed the threat actors scanning and reconnaissance of Federal Government internet-facing systems shortly after the disclosure of significant CVEs. Build Capabilities
CISA analysts have observed cyber threat actors using command and control (C2) infrastructure as part of their cyber operations. These observations also provide evidence that threat actors can build and maintain relatively low-complexity capabilities, such as C2, to enable cyber operations against Federal Government networks (Build Capabilities [TA0024]). CISA has observed Chinese MSS-affiliated actors using the build capabilities summarized in table 4.
Table 4: Build capabilities observed by CISAMITRE ID Name Observation T1352 C2 Protocol Development CISA observed beaconing from a Federal Government entity to the threat actors’ C2 server. T1328 Buy Domain Name CISA has observed the use of domains purchased by the threat actors. T1329 Acquire and / or use of 3rd Party Infrastructure CISA has observed the threat actors using virtual private servers to conduct cyber operations. T1346 Obtain/Re-use Payloads CISA has observed the threat actors use and reuse existing capabilities. T1349 Build or Acquire Exploit CISA has observed the threat actors using a variety of open-source and publicly available exploits and exploit code to compromise Federal Government networks. MITRE ATT&CK Framework for Analysis
CISA has observed sophisticated cyber threat actors, including Chinese MSS-affiliated actors, using commercial and open-source tools to conduct their operations. For example, threat actors often leverage internet software repositories such as GitHub and Exploit-DB. Both repositories are commonly used for legitimate development and penetration testing and developing open-source code, but cyber threat actors can also use them to find code to enable nefarious actions.
During incident response activities, CISA frequently observed Chinese government-affiliated actors using the open-source tools outlined in table 5.
Table 5: Common exploit tools CISA observed used by Chinese MSS-affiliated actorsTool Observations Cobalt Strike CISA has observed the threat actors using Cobalt Strike to target commercial and Federal Government networks. Cobalt Strike is a commercial penetration testing tool used to conduct red team operations. It contains a number of tools that complement the cyber threat actor’s exploitation efforts, such as a keystroke logger, file injection capability, and network services scanners. CISA observed connections from a Federal Government agency to multiple IP addresses possibly hosting Cobalt Strike team servers. China Chopper Web Shell CISA has observed the actors successfully deploying China Chopper against organizations’ networks. This open-source tool can be downloaded from internet software repositories such GitHub and Exploit-DB. China Chopper is a web shell hosted on a web server. It is mainly used for web application attacks, and it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords. Mimikatz CISA has observed the actors using Mimikatz during their operations. This open-source tool is used to capture account credentials and perform privilege escalation with pass-the-hash attacks that allow an attacker to pass captured password hashes and authenticate to network devices.
The following sections list the ATT&CK Framework TTPs routinely employed by Chinese government-affiliated actors to conduct cyber operations as observed by CISA analysts.Initial Access
In the last 12 months, CISA has observed Chinese MSS-affiliated actors use spearphishing emails with embedded links to actor-owned infrastructure and, in some cases, compromise or poison legitimate sites to enable cyber operations.
CISA has observed the threat actors using the Initial Access [TA0001] techniques identified in table 6.
Table 6: Initial access techniques observed by CISAMITRE ID Name Observation T1204.001 User Execution: Malicious Link CISA has observed indications that users have clicked malicious links embedded in spearphishing emails that the threat actors sent T1566.002 Phishing: Spearphishing Link CISA analyzed network activity of a Federal Government entity and concluded that the threat actors sent a malicious email weaponized with links. T1190 Exploit Public-Facing Application CISA has observed the actors leveraging CVE-2019-19781 to compromise Citrix Application Delivery Controllers.
Cyber threat actors can continue to successfully launch these types of low-complexity attacks—as long as misconfigurations in operational environments and immature patch management programs remain in place—by taking advantage of common vulnerabilities and using readily available exploits and information.Execution
CISA analysts continue to observe beaconing activity indicative of compromise or ongoing access to Federal Government networks. This beaconing is a result of cyber threat actors successfully completing cyber operations that are often designed around emergent vulnerabilities and reliant on existing exploitation tools, as mentioned in this document.
CISA has observed Chinese MSS-affiliated actors using the Execution [TA0002] technique identified in table 7.
Table 7: Execution technique observed by CISAMITRE ID Name Observation T1072 Software Deployment Tools CISA observed activity from a Federal Government IP address beaconing out to the threat actors’ C2 server, which is usually an indication of compromise. Credential Access
Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks. While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals. Further, a threat actor does not require a high degree of competence or sophistication to successfully carry out this kind of opportunistic attack.
CISA has observed Chinese MSS-affiliated actors using the Credential Access [TA0006] techniques highlighted in table 8.
Table 8: Credential access techniques observed by CISAMITRE ID Name Observation T1003.001 Operating System (OS) Credential Dumping: Local Security Authority Subsystem Service (LSASS) Memory CISA observed the threat actors using Mimikatz in conjunction with coin miner protocols and software. The actors used Mimikatz to dump credentials from the OS using a variety of capabilities resident within the tool. T1110.004 Brute Force: Credential Stuffing CISA observed what was likely a brute-force attack of a Remote Desktop Protocol on a public-facing server. Discovery
As with any cyber operation, cyber threat actors must be able to confirm that their target is online and vulnerable—there are a multitude of open-source scanning and reconnaissance tools available to them to use for this purpose. CISA consistently observes scanning activity across federal agencies that is indicative of discovery techniques. CISA has observed Chinese MSS-affiliated actors scanning Federal Government traffic using the discovery technique highlighted in table 9 (Discovery [TA0007]).
Table 9: Discovery technique observed by CISAMITRE ID Name Observation T1046 Network Service Scanning CISA has observed suspicious network scanning activity for various ports at Federal Government entities. Collection
Within weeks of public disclosure of CVE-2020-0688, CISA analysts identified traffic that was indicative of Chinese MSS-affiliated threat actors attempting to exploit this vulnerability using the Collection [TA0009] technique listed in table 10.
Table 10: Collection technique observed by CISAMITRE ID Name Observation T1114 Email Collection CISA observed the actors targeting CVE-2020-0688 to collect emails from the exchange servers found in Federal Government environments. Command and Control
CISA analysts often observe cyber threat actors using external proxy tools or hop points to enable their cyber operations while remaining anonymous. These proxy tools may be commercially available infrastructure as a service (IaaS) or software as a service (SaaS) in the form of a web browser promising anonymity on the internet. For example, “The Onion Router” (Tor) is often used by cyber threat actors for anonymity and C2. Actor’s carefully choose proxy tools depending on their intended use. These techniques are relatively low in complexity and enabled by commercially available tools, yet they are highly effective and often reliant upon existing vulnerabilities and readily available exploits.
CISA has observed Chinese MSS-affiliated actors using the Command and Control [TA0011] techniques listed in table 11.
Table 11: Command and control techniques observed by CISAMITRE ID Name Observation T1090.002 Proxy: External Proxy CISA observed activity from a network proxy tool to 221 unique Federal Government agency IP addresses. T1090.003 Proxy: Multi-hop Proxy CISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. T1573.002 Encrypted Channel: Asymmetric Cryptography CISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. Mitigations
CISA asserts with high confidence that sophisticated cyber threat actors will continue to use open-source resources and tools to target networks with a low security posture. When sophisticated cyber threat actors conduct operations against soft targets, it can negatively impact critical infrastructure, federal, and state, local, tribal, territorial government networks, possibly resulting in loss of critical data or personally identifiable information.
CISA and the FBI recommend that organizations place an increased priority on patching the vulnerabilities routinely exploited by MSS-affiliated cyber actors. See table 12 for patch information on the CVEs mentioned in this report. For more information on vulnerabilities routinely exploited by sophisticated cyber actors, see CISA Alert: Top 10 Routinely Exploited Vulnerabilities.
Table 12: Patch Information for Vulnerabilities Routinely Exploited by MSS-affiliated Cyber ActorsVulnerability Vulnerable Products Patch Information CVE-2020-5902
- Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)
- Citrix Application Delivery Controller
- Citrix Gateway
- Citrix SDWAN WANOP
- Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0
- Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3
- Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0
- Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5
- Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15
- Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15
- Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX
- Microsoft Exchange Servers
- Microsoft Security Advisory: CVE-2020-0688: Microsoft Exchange Validation Key Remote Code Execution Vulnerability
CISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect organizations’ resources and information systems.Contact Information
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at email@example.com.References
-  U.S. Department of Justice Press Release
-  U.S. Department of Justice Press Release
-  Shodan
-  MITRE Common Vulnerabilities and Exposures List
-  National Institute of Standards and Technology National Vulnerability Database
-  CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities
-  CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902
-  CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781
-  CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching
-  GitHub
-  Exploit-DB
-  What is Mimikatz: The Beginner's Guide (VARONIS)
- September 14, 2020: Initial Version
The Cybersecurity and Infrastructure Security Agency (CISA) has released CISA Insights: Actions to Counter Email-Based Attacks on Elections-Related Entities in light of increased sophisticated phishing operations targeting individuals and groups involved in the upcoming U.S. elections.
CISA strongly recommends elections-related individuals and organizations to prioritize the protection of email accounts and systems.
- Use provider-offered protections, if utilizing cloud email.
- Secure user accounts on high value services.
- Implement email authentication and other best practices.
- Secure email gateway capabilities.
See the following resources for more information.
- CISA Insights: Actions to Counter Email-Based Attacks on Elections-Related Entities
- CISA Tip: Best Practices for Securing Election Systems
- CISA Tip: Avoiding Social Engineering and Phishing Scams
- Microsoft Blog: New cyberattacks targeting U.S. elections
The Australian Cyber Security Centre (ACSC) has released its annual report on key cyber threats and statistics from 2019–2020. The report highlights that phishing and spearphishing are still the most common cyberattacks, and ransomware has become a significant threat to operations across multiple sectors.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review ACSC’s Annual Cyber Threat Report July 2019 to June 2020 and CISA’s Tip on Avoiding Social Engineering and Phishing Attacks and webpage on Ransomware for more information.
Adobe has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates.
Google has released Chrome version 85.0.4183.102 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.
Microsoft has released updates to address vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s September 2020 Security Update Summary and Deployment Information and apply the necessary updates.
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of open-source reporting of targeted denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks against finance and business organizations worldwide. A DoS attack is accomplished by flooding the targeted host or network with traffic until the target cannot respond or simply crashes, preventing access for legitimate users. In a DDoS attack, the incoming traffic originates from many different sources, making it impossible to stop the attack by blocking a single source. These attacks can cost an organization both time and money while their resources and services are inaccessible.
If you think you or your business is experiencing a DoS or DDoS attack, it is important to contact the appropriate technical professionals for assistance.
- Contact your network administrator to confirm whether the service outage is due to maintenance or an in-house network issue. Network administrators can also monitor network traffic to confirm the presence of an attack, identify the source, and mitigate the situation by applying firewall rules and possibly rerouting traffic through a DoS protection service.
- Contact your internet service provider to ask if there is an outage on their end or if their network is the target of an attack and you are an indirect victim. They may be able to advise you on an appropriate course of action.
For more information, see CISA’s Tip on Understanding Denial-of-Service Attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) has released Binding Operational Directive (BOD) 20-01, Develop and Publish a Vulnerability Disclosure Policy (VDP). BOD 20-01 requires each federal agency to publish a VDP. Publication of agency VDPs will make it easier for users to report vulnerabilities they find in the Federal Government’s internet-accessible systems. CISA released a draft version of BOD 20-01 for public comment in December 2019 and incorporated many of the received suggestions in the final version.
CISA encourages users to review BOD 20-01 and the CISA blog post, Improving Vulnerability Disclosure Together (Officially) for more information.
September is National Preparedness Month, which promotes family and community disaster planning. This year’s theme is “Disasters Don’t Wait. Make Your Plan Today.” The Cybersecurity and Infrastructure Security Agency (CISA) recommends users and administrators use this month as an opportunity to asses cybersecurity preparedness for cyber-related events, such as identity theft, ransomware infection, or a data breach.
Learn more about preparing for a natural disaster or general emergency at Ready.gov/September. See Ready.gov/Cybersecurity and the following CISA Tips for resources on preparing for, and responding to, unexpected cyber-related events:
- Protecting Against Ransomware
- Avoiding Social Engineering and Phishing Attacks
- Preventing and Responding to Identity Theft
- Protecting Against Malicious Code
Cisco has released security updates to address vulnerabilities in Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities see the Cisco Security Advisories page.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco Advisories and apply the necessary updates:
- Jabber for Windows Message Handling Arbitrary Code Execution Vulnerability cisco-sa-jabber-UyTKCPGg
- Enterprise NFV Infrastructure Software File Overwrite Vulnerability cisco-sa-nfvis-file-overwrite-UONzPMkr
- Jabber for Windows Protocol Handler Command Injection Vulnerability cisco-sa-jabber-vY8M4KGB
- IOS XR Authenticated User Privilege Escalation Vulnerability cisco-sa-iosxr-cli-privescl-sDVEmhqv
- IOS XR Software Authenticated User Privilege Escalation Vulnerability cisco-sa-iosxr-LJtNFjeN
This joint advisory is the result of a collaborative research effort by the cybersecurity authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States. It highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices. The purpose of this report is to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.Key Takeaways
When addressing potential incidents and applying best practice incident response procedures:
- First, collect and remove for further analysis:
- Relevant artifacts,
- Logs, and
- Next, implement mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered.
- Finally, consider soliciting incident response support from a third-party IT security organization to:
- Provide subject matter expertise and technical support to the incident response,
- Ensure that the actor is eradicated from the network, and
- Avoid residual issues that could result in follow-up compromises once the incident is closed.
Click here for a PDF version of this report.Technical Details
The incident response process requires a variety of technical approaches to uncover malicious activity. Incident responders should consider the following activities.
- Indicators of Compromise (IOC) Search – Collect known-bad indicators of compromise from a broad variety of sources, and search for those indicators in network and host artifacts. Assess results for further indications of malicious activity to eliminate false positives.
- Frequency Analysis – Leverage large datasets to calculate normal traffic patterns in both network and host systems. Use these predictive algorithms to identify activity that is inconsistent with normal patterns. Variables often considered include timing, source location, destination location, port utilization, protocol adherence, file location, integrity via hash, file size, naming convention, and other attributes.
- Pattern Analysis – Analyze data to identify repeating patterns that are indicative of either automated mechanisms (e.g., malware, scripts) or routine human threat actor activity. Filter out the data containing normal activity and evaluate the remaining data to identify suspicious or malicious activity.
- Anomaly Detection – Conduct an analyst review (based on the team’s knowledge of, and experience with, system administration) of collected artifacts to identify errors. Review unique values for various datasets and research associated data, where appropriate, to find anomalous activity that could be indicative of threat actor activity.
When hunting and/or investigating a network, it is important to review a broad variety of artifacts to identify any suspicious activity that may be related to the incident. Consider collecting and reviewing the following artifacts throughout the investigation.Host-Based Artifacts
- Running Processes
- Running Services
- Parent-Child Process Trees
- Integrity Hash of Background Executables
- Installed Applications
- Local and Domain Users
- Unusual Authentications
- Non-Standard Formatted Usernames
- Listening Ports and Associated Services
- Domain Name System (DNS) Resolution Settings and Static Routes
- Established and Recent Network Connections
- Run Key and other AutoRun Persistence
- Scheduled Tasks
- Artifacts of Execution (Prefetch and Shimcache)
- Event logs
- Anti-virus detections
- Identify any process that is not signed and is connecting to the internet looking for beaconing or significant data transfers.
- Collect all PowerShell command line requests looking for Base64-encoded commands to help identify malicious fileless attacks.
- Look for excessive .RAR, 7zip, or WinZip processes, especially with suspicious file names, to help discover exfiltration staging (suspicious file names include naming conventions such as, 1.zip, 2.zip, etc.).
- Collect all user logins and look for outlier behavior, such as a time of login that is out of the ordinary for the user or a login from an Internet Protocol (IP) address not normally used by the user.
- On Linux/Unix operating systems (OSs) and services, collect all cron and systemd /etc/passwd files looking for unusual accounts and log files, such as accounts that appear to be system / proc users but have an interactive shell such as /bin/bash rather than /bin/false/nologin
- On Microsoft OSs, collect Scheduled Tasks, Group Policy Objects (GPO), and Windows Management Instrumentation (WMI) database storage on hosts of interest looking for malicious persistence.
- Use the Microsoft Windows Sysinternals Autoruns tool, which allows IT security practitioners to view—and, if needed, easily disable—most programs that automatically load onto the system.
- Check the Windows registry and Volume Shadow Copy Service for evidence of intrusion.
- Consider blocking script files like .js, .vbs, .zip, .7z, .sfx and even Microsoft Office documents or PDFs.
- Collect any scripts or binary ELF files from /dev/shm/tmp and /var/tmp.
- Kernel modules listed (lsmod) for signs of a rootkit; dmesg command output can show signs of rootkit loading and device attachment amongst other things.
- Archive contents of /var/log for all hosts.
- Archive output from journald. These logs are pretty much the same as /var/log; however, they provide some integrity checking and are not as easy to modify. This will eventually replace the /var/log contents for some aspects of the system. Check for additional Secure Shell (SSH) keys added to user’s authorized_keys.
- Anomalous DNS traffic and activity, unexpected DNS resolution servers, unauthorized DNS zone transfers, data exfiltration through DNS, and changes to host files
- Remote Desktop Protocol (RDP), virtual private network (VPN) sessions, SSH terminal connections, and other remote abilities to evaluate for inbound connections, unapproved third-party tools, cleartext information, and unauthorized lateral movement
- Uniform Resource Identifier (URI) strings, user agent strings, and proxy enforcement actions for abusive, suspicious, or malicious website access
- Hypertext Transfer Protocol Secure/Secure Sockets Layer (HTTPS/SSL)
- Unauthorized connections to known threat indicators
- Internet Relay Chat (IRC)
- File Transfer Protocol (FTP)
- Look for new connections on previously unused ports.
- Look for traffic patterns related to time, frequency, and byte count of the connections.
- Preserve proxy logs. Add in the URI parameters to the event log if possible.
- Disable LLMNR on the corporate network; if unable to disable, collect LLMNR (UDP port 5355) and NetBIOS-NS (UDP port 137).
- Review changes to routing tables, such as weighting, static entries, gateways, and peer relationships.
After determining that a system or multiple systems may be compromised, system administrators and/or system owners are often tempted to take immediate actions. Although well intentioned to limit the damage of the compromise, some of those actions have the adverse effect of:
- Modifying volatile data that could give a sense of what has been done; and
- Tipping the threat actor that the victim organization is aware of the compromise and forcing the actor to either hide their tracks or take more damaging actions (like detonating ransomware).
Below—and partially listed in figure 1—are actions to avoid taking and some of the consequence of taking such actions.
- Mitigating the affected systems before responders can protect and recover data
- This can cause the loss of volatile data such as memory and other host-based artifacts.
- The adversary may notice and change their tactics, techniques, and procedures.
- Touching adversary infrastructure (Pinging, NSlookup, Browsing, etc.)
- These actions can tip off the adversary that they have been detected.
- Preemptively blocking adversary infrastructure
- Network infrastructure is fairly inexpensive. An adversary can easily change to new command and control infrastructure, and you will lose visibility of their activity.
- Preemptive credential resets
- Adversary likely has multiple credentials, or worse, has access to your entire Active Directory.
- Adversary will use other credentials, create new credentials, or forge tickets.
- Failure to preserve or collect log data that could be critical to identifying access to the compromised systems
- If critical log types are not collected, or are not retained for a sufficient length of time, key information about the incident may not be determinable. Retain log data for at least one year.
- Communicating over the same network as the incident response is being conducted (ensure all communications are held out-of-band)
- Only fixing the symptoms, not the root cause
- Playing “whack-a-mole” by blocking an IP address—without taking steps to determine what the binary is and how it got there—leaves the adversary an opportunity to change tactics and retain access to the network.
Figure 1: Common missteps to be avoided when responding to an incidentMitigations
The following recommendations and best practices may be helpful during the investigation and remediation process. Note: Although this guidance provides best practices to mitigate common attack vectors, organizations should specific to [Client]’s network should tailor mitigations specific to their network.General Mitigation Guidance Restrict or Discontinue Use of FTP and Telnet Services
The FTP and Telnet protocols transmit credentials in cleartext, which are susceptible to being intercepted. To mitigate this risk, discontinue FTP and Telnet services by moving to more secure file storage/file transfer and remote access services.
- Evaluate business needs and justifications to host files on alternative Secure File Transfer Protocol (SFTP) or HTTPS-based public sites.
- Use Secure Shell (SSH) for access to remote devices and servers.
- Investigate the business needs and justification for allowing traffic from non-approved VPN services.
- Identify such services across the enterprise and develop measures to add the application and browser plugins that enable non-approved VPN services to the denylist.
- Enhance endpoint monitoring to obtain visibility on devices with non-approved VPN services running. Enhanced endpoint monitoring and detection capabilities would enable an organization’s IT security personnel to manage approved software as well as identify and remove any instances of unapproved software.
- Cyber actors regularly identify servers that are out of date or end of life (EOL) to gain access to a network and perform malicious activities. These present easy and safe locations to maintain persistence on a network.
- Often these services and servers are systems that have begun decommissioning, but the final stage has not been completed by shutting down the system. This means they are still running and vulnerable to compromise.
- Ensuring that decommissioning of systems has been completed or taking appropriate action to remove them from the network limits their susceptibility and reduces the investigative surface to be analyzed.
Note: proceed with caution to avoid the adverse effects detailed in the Common Mistakes in Incident Handling section above.
- Reimage or remove any compromised systems found on the network.
- Monitor and educate users to be cautious of any downloads from third-party sites or vendors.
- Block the known bad domains and add a web content filtering capability to block malicious sites by category to prevent future compromise.
- Sanitize removable media and investigate network shares accessible by users.
- Improve existing network-based malware detection tools with sandboxing capabilities.
- Identify and disable ports, protocols, and services not needed for official business to prevent would-be attackers from moving laterally to exploit vulnerabilities. This includes external communications as well as communications between networks.
- Document allowed ports and protocols at the enterprise level.
- Restrict inbound and outbound access to ports and protocols not justified for business use.
- Restrict allowed access list to assets justified by business use.
- Enable a firewall log for inbound and outbound network traffic as well as allowed and denied traffic.
Service accounts are privileged accounts dedicated to certain services to perform activities related to the service or application without being tied to a single domain user. Given that services tend to be privileged accounts and thereby have administrative privileges, they are often a target for attackers aiming to obtain credentials. Interactive login to a service account not directly tied to an end-user account makes it difficult to identify accountability during cyber incidents.
- Audit the Active Directory (AD) to identify and document active service accounts.
- Restrict use of service accounts using AD group policy.
- Disallow interactive login by adding service account to a group of non-interactive login users.
- Continuously monitor service account activities by enhancing logging.
- Rotate service accounts and apply password best practices without service, degradation, or disruption.
- If an attacker (or malware) gains access to a remote user’s computer, steals authentication data (login/password), hijacks an active remote administration session, or successfully attacks a vulnerability in the remote administration tool’s software, the attacker (or malware) will gain unrestricted control of the enterprise network environment. Attackers can use compromised hosts as a relay server for reverse connections, which could enable them to connect to these remote administration tools from anywhere.
- Remove all remote administration tools that are not required for day-to-day IT operations. Closely monitor and log events for each remote-control session required by department IT operations.
Allowing unrestricted RDP access can increase opportunities for malicious activity such as on path and Pass-the-Hash (PtH) attacks.
- Implement secure remote desktop gateway solutions.
- Restrict RDP service trust across multiple network zones.
- Implement privileged account monitoring and short time password lease for RDP service use.
- Implement enhanced and continuous monitoring of RDP services by enabling logging and ensure RDP logins are captured in the logs.
Credential resets need to be done to strategically ensure that all the compromised accounts and devices are included and to reduce the likelihood that the attacker is able to adapt in response to this.
- Force password resets; revoke and issue new certificates for affected accounts/devices.
- If it is suspected that the attacker has gained access to the Domain Controller, then the passwords for all local accounts—such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and kbrtgt—should be reset. It is essential that the password for the kbrtgt account is reset as this account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. The account should be reset twice (as the account has a two-password history).
- The first account reset for the kbrtgt needs to be allowed to replicate prior to the second reset to avoid any issues.
- If it is suspected that the ntds.dit file has been exfiltrated, then all domain user passwords will need to be reset.
- Review access policies to temporarily revoke privileges/access for affected accounts/devices. If it is necessary to not alert the attacker (e.g., for intelligence purposes), then privileges can be reduced for affected accounts/devices to “contain” them.
Attackers frequently exploit software or hardware vulnerabilities to gain access to a targeted system.
- Known vulnerabilities in external facing devices and servers should be patched immediately, starting with the point of compromise, if known.
- Ensure external-facing devices have not been previously compromised while going through the patching process.
- If the point of compromise (i.e., the specific software, device, server) is known, but how the software, device, or server was exploited is unknown, notify the vendor so they can begin analysis and develop a new patch.
- Follow vendor remediation guidance including the installation of new patches as soon as they become available.
Properly implemented defensive techniques and programs make it more difficult for a threat actor to gain access to a network and remain persistent yet undetected. When an effective defensive program is in place, attackers should encounter complex defensive barriers. Attacker activity should also trigger detection and prevention mechanisms that enable organizations to identify, contain, and respond to the intrusion quickly. There is no single technique, program, or set of defensive techniques or programs that will completely prevent all attacks. The network administrator should adopt and implement multiple defensive techniques and programs in a layered approach to provide a complex barrier to entry, increase the likelihood of detection, and decrease the likelihood of a successful attack. This layered mitigation approach is known as defense-in-depth.User Education
End users are the frontline security of the organizations. Educating them in security principles as well as actions to take and not take during an incident will increase the organization’s resilience and might prevent easily avoidable compromises.
- Educate users to be cautious of any downloads from third-party sites or vendors.
- Train users on recognizing phishing emails. There are several systems and services (free and otherwise) that can be deployed or leveraged.
- Train users on identifying which groups/individuals to contact when they suspect an incident.
- Train users on the actions they can and cannot take if they suspect an incident and why (some users will attempt to remediate and might make things worst).
- Enable application directory allowlisting through Microsoft Software Restriction Policy or AppLocker.
- Use directory allowlisting rather than attempting to list every possible permutation of applications in a network environment. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), and SYSTEM32. Disallow all other locations unless an exception is granted.
- Prevent the execution of unauthorized software by using application allowlisting as part of the OS installation and security hardening process.
- Decrease a threat actor’s ability to access key network resources by implementing the principle of least privilege.
- Limit the ability of a local administrator account to log in from a local interactive session (e.g., Deny access to this computer from the network) and prevent access via an RDP session.
- Remove unnecessary accounts and groups; restrict root access.
- Control and limit local administration; e.g. implementing Just Enough Administration (JEA), just-in-time (JIT) administration, or enforcing PowerShell Constrained Language mode via a User Mode Code Integrity (UMCI) policy.
- Make use of the Protected Users Active Directory group in Windows domains to further secure privileged user accounts against pass-the-hash attacks.
- Identify what data is essential to keeping operations running; make regular backup copies.
- Test that backups are working to ensure they can restore the data in the event of an incident.
- Create offline backups to help recover from a ransomware attack or from disasters (fire, flooding, etc.).
- Securely store offline backups at an offsite location. If feasible, choose an offsite location that is at a distance from the primary location that would be unaffected in the event of a regional natural disaster.
- Create and deploy a secure system baseline image to all workstations.
- Mitigate potential exploitation by threat actors by following a normal patching cycle for all OSs, applications, and software, with exceptions for emergency patches.
- Apply asset and patch management processes.
- Reduce the number of cached credentials to one (if a laptop) or zero (if a desktop or fixed asset).
- Configure and monitor workstation system logs through a host-based endpoint detection and response platform and firewall.
- Deploy an anti-malware solution on workstations to prevent spyware, adware, and malware as part of the OS security baseline.
- Ensure that your anti-malware solution remains up to date.
- Monitor antivirus scan results on a regular basis.
- Create a secure system baseline image and deploy it to all servers.
- Upgrade or decommission end-of-life non-Windows servers.
- Upgrade or decommission servers running Windows Server 2003 or older versions.
- Implement asset and patch management processes.
- Audit for and disable unnecessary services.
- Establish remote server logging and retention.
- Reduce the number of cached credentials to zero.
- Configure and monitor system logs via a centralized security information and event management (SIEM) appliance.
- Add an explicit DENY for %USERPROFILE%.
- Restrict egress web traffic from servers.
- In Windows environments, use Restricted Admin mode or remote credential guard to further secure remote desktop sessions against pass-the-hash attacks.
- Restrict anonymous shares.
- Limit remote access by only using jump servers for such access.
- On Linux, use SELINUX or AppArmor in enforcing mode and/or turn on audit logging.
- Turn on bash shell logging; ship this and all logs to a remote server.
- Do not allow users to use su. Use Sudo -l instead.
- Configure automatic updates in yum or apt.
- Mount /var/tmp and /tmp as noexec.
- Create a change control process for all implemented changes.
- Implement an intrusion detection system (IDS).
- Apply continuous monitoring.
- Send alerts to a SIEM tool.
- Monitor internal activity (this tool may use the same tap points as the netflow generation tools).
- Employ netflow capture.
- Set a minimum retention period of 180 days.
- Capture netflow on all ingress and egress points of network segments, not just at the Managed Trusted Internet Protocol Services or Trusted Internet Connections locations.
- Capture all network traffic
- Retain captured traffic for a minimum of 24 hours.
- Capture traffic on all ingress and egress points of the network.
- Use VPN
- Maintain site-to-site VPN with customers and vendors.
- Authenticate users utilizing site-to-site VPNs.
- Use authentication, authorization, and accounting for controlling network access.
- Require smartcard authentication to an HTTPS page in order to control access. Authentication should also require explicit rostering of permitted smartcard distinguished names to enhance the security posture on both networks participating in the site-to-site VPN.
- Establish appropriate secure tunneling protocol and encryption.
- Strengthen router configuration (e.g., avoid enabling remote management over the internet and using default IP ranges, automatically log out after configuring routers, and use encryption.).
- Turn off Wi-Fi protected setup, enforce the use of strong passwords, and keep router firmware up-to-date.
- Improve firewall security (e.g., enable automatic updates, revise firewall rules as appropriate, implement allowlists, establish packet filtering, enforce the use of strong passwords, encrypt networks).
- Whenever possible, ensure access to network devices via external or untrusted networks (specifically the internet) is disabled.
- Manage access to the internet (e.g., providing internet access from only devices/accounts that need it, proxying all connections, disabling internet access for privileged/administrator accounts, enabling policies that restrict internet access using a blocklist, a resource allowlist, content type, etc.)
- Conduct regular vulnerability scans of the internal and external networks and hosted content to identify and mitigate vulnerabilities.
- Define areas within the network that should be segmented to increase the visibility of lateral movement by a threat and increase the defense-in-depth posture.
- Develop a process to block traffic to IP addresses and domain names that have been identified as being used to aid previous attacks.
- Evaluate and consider the security configurations of Microsoft Office 365 (O365) and other cloud collaboration service platforms prior to deployment.
- Use multi-factor authentication. This is the best mitigation technique to protect against credential theft for O365 administrators and users.
- Protect Global Admins from compromise and use the principle of “Least Privilege.”
- Enable unified audit logging in the Security and Compliance Center.
- Enable alerting capabilities.
- Integrate with organizational SIEM solutions.
- Disable legacy email protocols, if not required, or limit their use to specific users.
- Create a secure system baseline image and deploy it to all networking equipment (e.g., switches, routers, firewalls).
- Remove unnecessary OS files from the internetwork operating system (IOS). This will limit the possible targets of persistence (i.e., files to embed malicious code) if the device is compromised and will align with National Security Agency Network Device Integrity best practices.
- Remove vulnerable IOS OS files (i.e., older iterations) from the device’s boot variable (i.e., show boot or show bootvar).
- Update to the latest available operating system for IOS devices.
- On devices with a Secure Sockets Layer VPN enabled, routinely verify customized web objects against the organization’s known good files for such VPNs, to ensure the devices remain free of unauthorized modification.
- Ensure that any incident response tools that point to external domains are either removed or updated to point to internal security tools. If this is not done and an external domain to which a tool points expires, a malicious threat actor may register it and start collecting telemetry from the infrastructure.
- Implement policies to block workstation-to-workstation RDP connections through a Group Policy Object on Windows, or by a similar mechanism.
- Store system logs of mission critical systems for at least one year within a SIEM tool.
- Review the configuration of application logs to verify that recorded fields will contribute to an incident response investigation.
- Reduce the number of domain and enterprise administrator accounts.
- Create non-privileged accounts for privileged users and ensure they use the non- privileged accounts for all non-privileged access (e.g., web browsing, email access).
- If possible, use technical methods to detect or prevent browsing by privileged accounts (authentication to web proxies would enable blocking of Domain Administrators).
- Use two-factor authentication (e.g., security tokens for remote access and access to any sensitive data repositories).
- If soft tokens are used, they should not exist on the same device that is requesting remote access (e.g., a laptop) and instead should be on a smartphone, token, or other out-of-band device.
- Create privileged role tracking.
- Create a change control process for all privilege escalations and role changes on user accounts.
- Enable alerts on privilege escalations and role changes.
- Log privileged user changes in the network environment and create an alert for unusual events.
- Establish least privilege controls.
- Implement a security-awareness training program.
Proper network segmentation is a very effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network. On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Security architects must consider the overall infrastructure layout, segmentation, and segregation. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders, in the event that they have gained a foothold somewhere inside the network.Physical Separation of Sensitive Information
Local Area Network (LAN) segments are separated by traditional network devices such as routers. Routers are placed between networks to create boundaries, increase the number of broadcast domains, and effectively filter users’ broadcast traffic. These boundaries can be used to contain security breaches by restricting traffic to separate segments and can even shut down segments of the network during an intrusion, restricting adversary access.
- Implement Principles of Least Privilege and need-to-know when designing network segments.
- Separate sensitive information and security requirements into network segments.
- Apply security recommendations and secure configurations to all network segments and network layers.
As technologies change, new strategies are developed to improve IT efficiencies and network security controls. Virtual separation is the logical isolation of networks on the same physical network. The same physical segmentation design principles apply to virtual segmentation but no additional hardware is required. Existing technologies can be used to prevent an intruder from breaching other internal network segments.
- Use Private Virtual LANs to isolate a user from the rest of the broadcast domains.
- Use Virtual Routing and Forwarding (VRF) technology to segment network traffic over multiple routing tables simultaneously on a single router.
- Use VPNs to securely extend a host/network by tunneling through public or private networks.
- Implement a vulnerability assessment and remediation program.
- Encrypt all sensitive data in transit and at rest.
- Create an insider threat program.
- Assign additional personnel to review logging and alerting data.
- Complete independent security (not compliance) audits.
- Create an information sharing program.
- Complete and maintain network and system documentation to aid in timely incident response, including:
- Network diagrams,
- Asset owners,
- Type of asset, and
- An up-to-date incident response plan.
- CISA Insights
- CISA Alert: Using Rigorous Credential Control to Mitigate Trusted Network Exploitation
- CISA Alert: Microsoft Office 365 Security Recommendations
- CISA Incident Handling Overview for Election Officials
- Preparing for and Responding to Cyber Security Incidents (ACSC)
- Strategies to Mitigate Cyber Security Incidents (ACSC)
- Managing Cyber Security Incidents (ACSC)
- Incident Management (UK NCSC)
- Incident Management: Be Resilient, Be Prepared (NZ NCSC)
- Canadian Centre for Cyber Security Publications
- Baseline Cyber Security Controls for Small and Medium Organizations (Canada)
- Guideline on Network Security Zones (Canada)
- Network Security Zoning - Design Considerations for Placement of Services within Zones (Canada)
-  Australian Cyber Security Centre (ACSC)
-  Canada’s Communication Security Establishment
-  New Zealand National Cyber Security Centre (NZ NCSC)
-  New Zealand CERT NZ
-  United Kingdom National Cyber Security Centre (UK NCSC)
-  United States Cybersecurity and Infrastructure Security Agency (CISA)
- September 1, 2020: Initial Version