In it we highlight the use of five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world. The five tools are:
To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network.
The individual tools we cover in this report are limited examples of the types of tools used by threat actors. You should not consider this an exhaustive list when planning your network defense.
Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organized criminals, to amateur cyber criminals.
The tools in this Activity Alert have been used to compromise information across a wide range of critical sectors, including health, finance, government, and defense. Their widespread availability presents a challenge for network defense and threat-actor attribution.
Experience from all our countries makes it clear that, while cyber threat actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated threat actor groups use common, publicly available tools to achieve their objectives.
Whatever these objectives may be, initial compromises of victim systems are often established through exploitation of common security weaknesses. Abuse of unpatched software vulnerabilities or poorly configured systems are common ways for a threat actor to gain access. The tools detailed in this Activity Alert come into play once a compromise has been achieved, enabling attackers to further their objectives within the victim’s systems.
The tools detailed in this Activity Alert fall into five categories: Remote Access Trojans (RATs), webshells, credential stealers, lateral movement frameworks, and command and control (C2) obfuscators.
This Activity Alert provides an overview of the threat posed by each tool, along with insight into where and when it has been deployed by threat actors. Measures to aid detection and limit the effectiveness of each tool are also described.
The Activity Alert concludes with general advice for improving network defense practices.
First observed in May 2015, the JBiFrost RAT is a variant of the Adwind RAT, with roots stretching back to the Frutas RAT from 2012.
A RAT is a program that, once installed on a victim’s machine, allows remote administrative control. In a malicious context, it can—among many other functions—be used to install backdoors and key loggers, take screen shots, and exfiltrate data.
Malicious RATs can be difficult to detect because they are normally designed not to appear in lists of running programs and can mimic the behavior of legitimate applications.
To prevent forensic analysis, RATs have been known to disable security measures (e.g., Task Manager) and network analysis tools (e.g., Wireshark) on the victim’s system.
JBiFrost RAT is typically employed by cyber criminals and low-skilled threat actors, but its capabilities could easily be adapted for use by state-sponsored threat actors.
Other RATs are widely used by Advanced Persistent Threat (APT) actor groups, such as Adwind RAT, against the aerospace and defense sector; or Quasar RAT, by APT10, against a broad range of sectors.
Threat actors have repeatedly compromised servers in our countries with the purpose of delivering malicious RATs to victims, either to gain remote access for further exploitation, or to steal valuable information such as banking credentials, intellectual property, or PII.
JBiFrost RAT is Java-based, cross-platform, and multifunctional. It poses a threat to several different operating systems, including Windows, Linux, MAC OS X, and Android.
JBiFrost RAT allows threat actors to pivot and move laterally across a network or install additional malicious software. It is primarily delivered through emails as an attachment, usually an invoice notice, request for quotation, remittance notice, shipment notification, payment notice, or with a link to a file hosting service.
Past infections have exfiltrated intellectual property, banking credentials, and personally identifiable information (PII). Machines infected with JBiFrost RAT can also be used in botnets to carry out distributed denial-of-service attacks.
Since early 2018, we have observed an increase in JBiFrost RAT being used in targeted attacks against critical national infrastructure owners and their supply chain operators. There has also been an increase in the RAT’s hosting on infrastructure located in our countries.
In early 2017, Adwind RAT was deployed via spoofed emails designed to look as if they originated from Society for Worldwide Interbank Financial Telecommunication, or SWIFT, network services.
Many other publicly available RATs, including variations of Gh0st RAT, have also been observed in use against a range of victims worldwide.
Some possible indications of a JBiFrost RAT infection can include, but are not limited to:
Protection is best afforded by ensuring systems and installed applications are all fully patched and updated. The use of a modern antivirus program with automatic definition updates and regular system scans will also help ensure that most of the latest variants are stopped in their tracks. You should ensure that your organization is able to collect antivirus detections centrally across its estate and investigate RAT detections efficiently.
Strict application whitelisting is recommended to prevent infections from occurring.
The initial infection mechanism for RATs, including JBiFrost RAT, can be via phishing emails. You can help prevent JBiFrost RAT infections by stopping these phishing emails from reaching your users, helping users to identify and report phishing emails, and implementing security controls so that the malicious email does not compromise your device. The United Kingdom National Cyber Security Centre (UK NCSC) has published phishing guidance.
China Chopper is a publicly available, well-documented webshell that has been in widespread use since 2012.
Webshells are malicious scripts that are uploaded to a target host after an initial compromise and grant a threat actor remote administrative capability.
Once this access is established, webshells can also be used to pivot to additional hosts within a network.
China Chopper is extensively used by threat actors to remotely access compromised web servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device.
As China Chopper is just 4 KB in size and has an easily modifiable payload, detection and mitigation are difficult for network defenders.
China Chopper has two main components: the China Chopper client-side, which is run by the attacker, and the China Chopper server, which is installed on the victim web server but is also attacker-controlled.
The webshell client can issue terminal commands and manage files on the victim server. Its MD5 hash is publicly available (originally posted on hxxp://www.maicaidao.com).
The MD5 hash of the web client is shown in table 1 below.
Table 1: China Chopper webshell client MD5 hash
|Webshell Client||MD5 Hash|
The webshell server is uploaded in plain text and can easily be changed by the attacker. This makes it harder to define a specific hash that can identify adversary activity. In summer 2018, threat actors were observed targeting public-facing web servers that were vulnerable to CVE-2017-3066. The activity was related to a vulnerability in the web application development platform Adobe ColdFusion, which enabled remote code execution.
China Chopper was intended as the second-stage payload, delivered once servers had been compromised, allowing the threat actor remote access to the victim host. After successful exploitation of a vulnerability on the victim machine, the text-based China Chopper is placed on the victim web server. Once uploaded, the webshell server can be accessed by the threat actor at any time using the client application. Once successfully connected, the threat actor proceeds to manipulate files and data on the web server.
China Chopper’s capabilities include uploading and downloading files to and from the victim using the file-retrieval tool
wget to download files from the internet to the target; and editing, deleting, copying, renaming, and even changing the timestamp, of existing files.
The most powerful defense against a webshell is to avoid the web server being compromised in the first place. Ensure that all the software running on public-facing web servers is up-to-date with security patches applied. Audit custom applications for common web vulnerabilities.
One attribute of China Chopper is that every action generates a hypertext transfer protocol (HTTP) POST. This can be noisy and is easily spotted if investigated by a network defender.
While the China Chopper webshell server upload is plain text, commands issued by the client are Base64 encoded, although this is easily decodable.
The adoption of Transport Layer Security (TLS) by web servers has resulted in web server traffic becoming encrypted, making detection of China Chopper activity using network-based tools more challenging.
The most effective way to detect and mitigate China Chopper is on the host itself—specifically on public-facing web servers. There are simple ways to search for the presence of the web-shell using the command line on both Linux and Windows based operating systems.
To detect webshells more broadly, network defenders should focus on spotting either suspicious process execution on web servers (e.g., Hypertext Preprocessor [PHP] binaries spawning processes) and out-of-pattern outbound network connections from web servers. Typically, web servers make predictable connections to an internal network. Changes in those patterns may indicate the presence of a web shell. You can manage network permissions to prevent web-server processes from writing to directories where PHP can be executed, or from modifying existing files.
We also recommend that you use web access logs as a source of monitoring, such as through traffic analytics. Unexpected pages or changes in traffic patterns can be early indicators.
Developed in 2007, Mimikatz is mainly used by attackers to collect the credentials of other users, who are logged into a targeted Windows machine. It does this by accessing the credentials in memory within a Windows process called Local Security Authority Subsystem Service (LSASS).
These credentials, either in plain text, or in hashed form, can be reused to give access to other machines on a network.
Although it was not originally intended as a hacking tool, in recent years Mimikatz has been used by multiple actors for malicious purposes. Its use in compromises around the world has prompted organizations globally to re-evaluate their network defenses.
Mimikatz is typically used by threat actors once access has been gained to a host and the threat actor wishes to move throughout the internal network. Its use can significantly undermine poorly configured network security.
Mimikatz source code is publicly available, which means anyone can compile their own versions of the new tool and potentially develop new Mimikatz custom plug-ins and additional functionality.
Our cyber authorities have observed widespread use of Mimikatz among threat actors, including organized crime and state-sponsored groups.
Once a threat actor has gained local administrator privileges on a host, Mimikatz provides the ability to obtain the hashes and clear-text credentials of other users, enabling the threat actor to escalate privileges within a domain and perform many other post-exploitation and lateral movement tasks.
For this reason, Mimikatz has been bundled into other penetration testing and exploitation suites, such as PowerShell Empire and Metasploit.
Mimikatz is best known for its ability to retrieve clear text credentials and hashes from memory, but its full suite of capabilities is extensive.
The tool can obtain Local Area Network Manager and NT LAN Manager hashes, certificates, and long-term keys on Windows XP (2003) through Windows 8.1 (2012r2). In addition, it can perform pass-the-hash or pass-the-ticket tasks and build Kerberos “golden tickets.”
Many features of Mimikatz can be automated with scripts, such as PowerShell, allowing a threat actor to rapidly exploit and traverse a compromised network. Furthermore, when operating in memory through the freely available “Invoke-Mimikatz” PowerShell script, Mimikatz activity is very difficult to isolate and identify.
Mimikatz has been used across multiple incidents by a broad range of threat actors for several years. In 2011, it was used by unknown threat actors to obtain administrator credentials from the Dutch certificate authority, DigiNotar. The rapid loss of trust in DigiNotar led to the company filing for bankruptcy within a month of this compromise.
More recently, Mimikatz was used in conjunction with other malicious tools—in the NotPetya and BadRabbit ransomware attacks in 2017 to extract administrator credentials held on thousands of computers. These credentials were used to facilitate lateral movement and enabled the ransomware to propagate throughout networks, encrypting the hard drives of numerous systems where these credentials were valid.
In addition, a Microsoft research team identified use of Mimikatz during a sophisticated cyberattack targeting several high-profile technology and financial organizations. In combination with several other tools and exploited vulnerabilities, Mimikatz was used to dump and likely reuse system hashes.
Updating Windows will help reduce the information available to a threat actor from the Mimikatz tool, as Microsoft seeks to improve the protection offered in each new Windows version.
To prevent Mimikatz credential retrieval, network defenders should disable the storage of clear text passwords in LSASS memory. This is default behavior for Windows 8.1/Server 2012 R2 and later, but can be specified on older systems which have the relevant security patches installed. Windows 10 and Windows Server 2016 systems can be protected by using newer security features, such as Credential Guard.
Credential Guard will be enabled by default if:
You should verify that your physical and virtualized servers meet Microsoft’s minimum requirements for each release of Windows 10 and Windows Server.
Password reuse across accounts, particularly administrator accounts, makes pass-the-hash attacks far simpler. You should set user policies within your organization that discourage password reuse, even across common level accounts on a network. The freely available Local Administrator Password Solution from Microsoft can allow easy management of local administrator passwords, preventing the need to set and store passwords manually.
Network administrators should monitor and respond to unusual or unauthorized account creation or authentication to prevent Kerberos ticket exploitation, or network persistence and lateral movement. For Windows, tools such as Microsoft Advanced Threat Analytics and Azure Advanced Threat Protection can help with this.
Network administrators should ensure that systems are patched and up-to-date. Numerous Mimikatz features are mitigated or significantly restricted by the latest system versions and updates. But no update is a perfect fix, as Mimikatz is continually evolving and new third-party modules are often developed.
Most up-to-date antivirus tools will detect and isolate non-customized Mimikatz use and should therefore be used to detect these instances. But threat actors can sometimes circumvent antivirus systems by running Mimikatz in memory, or by slightly modifying the original code of the tool. Wherever Mimikatz is detected, you should perform a rigorous investigation, as it almost certainly indicates a threat actor is actively present in the network, rather than an automated process at work.
Several of Mimikatz’s features rely on exploitation of administrator accounts. Therefore, you should ensure that administrator accounts are issued on an as-required basis only. Where administrative access is required, you should apply privileged access management principles.
Since Mimikatz can only capture the accounts of those users logged into a compromised machine, privileged users (e.g., domain administrators) should avoid logging into machines with their privileged credentials. Detailed information on securing Active Directory is available from Microsoft.
Network defenders should audit the use of scripts, particularly PowerShell, and inspect logs to identify anomalies. This will aid in identifying Mimikatz or pass-the-hash abuse, as well as in providing some mitigation against attempts to bypass detection software.
PowerShell Empire is an example of a post-exploitation or lateral movement tool. It is designed to allow an attacker (or penetration tester) to move around a network after gaining initial access. Other examples of these tools include Cobalt Strike and Metasploit. PowerShell Empire can also be used to generate malicious documents and executables for social engineering access to networks.
The PowerShell Empire framework was designed as a legitimate penetration testing tool in 2015. PowerShell Empire acts as a framework for continued exploitation once a threat actor has gained access to a system.
The tool provides a threat actor with the ability to escalate privileges, harvest credentials, exfiltrate information, and move laterally across a network. These capabilities make it a powerful exploitation tool. Because it is built on a common legitimate application (PowerShell) and can operate almost entirely in memory, PowerShell Empire can be difficult to detect on a network using traditional antivirus tools.
PowerShell Empire has become increasingly popular among hostile state actors and organized criminals. In recent years we have seen it used in cyber incidents globally across a wide range of sectors.
Initial exploitation methods vary between compromises, and threat actors can configure the PowerShell Empire uniquely for each scenario and target. This, in combination with the wide range of skill and intent within the PowerShell Empire user community, means that the ease of detection will vary. Nonetheless, having a greater understanding and awareness of this tool is a step forward in defending against its use by threat actors.
PowerShell Empire enables a threat actor to carry out a range of actions on a victim’s machine and implements the ability to run PowerShell scripts without needing powershell.exe to be present on the system Its communications are encrypted and its architecture is flexible.
PowerShell Empire uses "modules" to perform more specific malicious actions. These modules provide the threat actor with a customizable range of options to pursue their goals on the victim’s systems. These goals include escalation of privileges, credential harvesting, host enumeration, keylogging, and the ability to move laterally across a network.
PowerShell Empire’s ease of use, flexible configuration, and ability to evade detection make it a popular choice for threat actors of varying abilities.
During an incident in February 2018, a UK energy sector company was compromised by an unknown threat actor. This compromise was detected through PowerShell Empire beaconing activity using the tool’s default profile settings. Weak credentials on one of the victim’s administrator accounts are believed to have provided the threat actor with initial access to the network.
In early 2018, an unknown threat actor used Winter Olympics-themed socially engineered emails and malicious attachments in a spear-phishing campaign targeting several South Korean organizations. This attack had an additional layer of sophistication, making use of
Invoke-PSImage, a stenographic tool that will encode any PowerShell script into an image.
In December 2017, APT19 targeted a multinational law firm with a phishing campaign. APT19 used obfuscated PowerShell macros embedded within Microsoft Word documents generated by PowerShell Empire.
Our cybersecurity authorities are also aware of PowerShell Empire being used to target academia. In one reported instance, a threat actor attempted to use PowerShell Empire to gain persistence using a Windows Management Instrumentation event consumer. However, in this instance, the PowerShell Empire agent was unsuccessful in establishing network connections due to the HTTP connections being blocked by a local security appliance.
Identifying malicious PowerShell activity can be difficult due to the prevalence of legitimate PowerShell activity on hosts and the increased use of PowerShell in maintaining a corporate environment.
To identify potentially malicious scripts, PowerShell activity should be comprehensively logged. This should include script block logging and PowerShell transcripts.
Older versions of PowerShell should be removed from environments to ensure that they cannot be used to circumvent additional logging and controls added in more recent versions of PowerShell. This page provides a good summary of PowerShell security practices.
The code integrity features in recent versions of Windows can be used to limit the functionality of PowerShell, preventing or hampering malicious PowerShell in the event of a successful intrusion.
A combination of script code signing, application whitelisting, and constrained language mode will prevent or limit the effect of malicious PowerShell in the event of a successful intrusion. These controls will also impact legitimate PowerShell scripts and it is strongly advised that they be thoroughly tested before deployment.
When organizations profile their PowerShell usage, they often find it is only used legitimately by a small number of technical staff. Establishing the extent of this legitimate activity will make it easier to monitor and investigate suspicious or unexpected PowerShell usage elsewhere on the network.
Attackers will often want to disguise their location when compromising a target. To do this, they may use generic privacy tools (e.g., Tor) or more specific tools to obfuscate their location.
HUC Packet Transmitter (HTran) is a proxy tool used to intercept and redirect Transmission Control Protocol (TCP) connections from the local host to a remote host. This makes it possible to obfuscate an attacker’s communications with victim networks. The tool has been freely available on the internet since at least 2009.
HTran facilitates TCP connections between the victim and a hop point controlled by a threat actor. Malicious threat actors can use this technique to redirect their packets through multiple compromised hosts running HTran to gain greater access to hosts in a network.
The use of HTran has been regularly observed in compromises of both government and industry targets.
A broad range of threat actors have been observed using HTran and other connection proxy tools to
HTran can run in several modes, each of which forwards traffic across a network by bridging two TCP sockets. They differ in terms of where the TCP sockets are initiated from, either locally or remotely. The three modes are
HTran can inject itself into running processes and install a rootkit to hide network connections from the host operating system. Using these features also creates Windows registry entries to ensure that HTran maintains persistent access to the victim network.
Recent investigations by our cybersecurity authorities have identified the use of HTran to maintain and obfuscate remote access to targeted environments.
In one incident, the threat actor compromised externally-facing web servers running outdated and vulnerable web applications. This access enabled the upload of webshells, which were then used to deploy other tools, including HTran.
HTran was installed into the ProgramData directory and other deployed tools were used to reconfigure the server to accept Remote Desktop Protocol (RDP) communications.
The threat actor issued a command to start HTran as a client, initiating a connection to a server located on the internet over port 80, which forwards RDP traffic from the local interface.
In this case, HTTP was chosen to blend in with other traffic that was expected to be seen originating from a web server to the internet. Other well-known ports used included:
Attackers need access to a machine to install and run HTran, so network defenders should apply security patches and use good access control to prevent attackers from installing malicious applications.
Network monitoring and firewalls can help prevent and detect unauthorized connections from tools such as HTran.
In some of the samples analyzed, the rootkit component of HTran only hides connection details when the proxy mode is used. When client mode is used, defenders can view details about the TCP connections being made.
HTran also includes a debugging condition that is useful for network defenders. In the event that a destination becomes unavailable, HTran generates an error message using the following format:
sprint(buffer, “[SERVER]connection to %s:%d error\r\n”, host, port2);
This error message is relayed to the connecting client in the clear. Network defenders can monitor for this error message to potentially detect HTran instances active in their environments.
There are several measures that will improve the overall cybersecurity of your organization and help protect it against the types of tools highlighted in this report. Network defenders are advised to seek further information using the links below.
Further information: invest in preventing malware-based attacks across various scenarios. See UK NCSC Guidance: https://www.ncsc.gov.uk/guidance/mitigating-malware.
NCCIC encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact NCCIC at
NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the NCCIC/US-CERT homepage at http://www.us-cert.gov/.
NCCIC strives to make this report a valuable tool for our partners and welcomes feedback on how this publication could be improved. You can help by answering a few short questions about this report at the following URL: https://www.us-cert.gov/forms/feedback.
The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs). Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.
This Technical Alert (TA) provides information and guidance to assist MSP customer network and system administrators with the detection of malicious activity on their networks and systems and the mitigation of associated risks. This TA includes an overview of TTPs used by APT actors in MSP network environments, recommended mitigation techniques, and information on reporting incidents.
MSPs provide remote management of customer IT and end-user systems. The number of organizations using MSPs has grown significantly over recent years because MSPs allow their customers to scale and support their network environments at a lower cost than financing these resources internally. MSPs generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk.
Using an MSP significantly increases an organization’s virtual enterprise infrastructure footprint and its number of privileged accounts, creating a larger attack surface for cyber criminals and nation-state actors. By using compromised legitimate MSP credentials (e.g., administration, domain, user), APT actors can move bidirectionally between an MSP and its customers’ shared networks. Bidirectional movement between networks allows APT actors to easily obfuscate detection measures and maintain a presence on victims’ networks.
Note: NCCIC previously released information related to this activity in Alert TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors published on April 27, 2017, which includes indicators of compromise, signatures, suggested detection methods, and recommended mitigation techniques.
APT actors use a range of “living off the land” techniques to maintain anonymity while conducting their attacks. These techniques include using legitimate credentials and trusted off-the-shelf applications and pre-installed system tools present in MSP customer networks.
Pre-installed system tools, such as command line scripts, are very common and used by system administrators for legitimate processes. Command line scripts are used to discover accounts and remote systems.
PowerSploit is a repository of Microsoft PowerShell and Visual Basic scripts and uses system commands such as
netsh. PowerSploit, originally developed as a legitimate penetration testing tool, is widely misused by APT actors. These scripts often cannot be blocked because they are legitimate tools, so APT actors can use them and remain undetected on victim networks. Although network defenders can generate log files, APT actors’ use of legitimate scripts makes it difficult to identify system anomalies and other malicious activity.
When APT actors use system tools and common cloud services, it can also be difficult for network defenders to detect data exfiltration. APT actors have been observed using Robocopy—a Microsoft command line tool—to transfer exfiltrated and archived data from MSP client networks back through MSP network environments. Additionally, APT actors have been observed using legitimate PuTTY Secure Copy Client functions, allowing them to transfer stolen data securely and directly to third-party systems.
A successful network intrusion can have severe impacts to the affected organization, particularly if the compromise becomes public. Possible impacts include
Organizations should configure system logs to detect incidents and to identify the type and scope of malicious activity. Properly configured logs enable rapid containment and appropriate response.
An organization’s ability to rapidly respond to and recover from an incident begins with the development of an incident response capability. An organization’s response capability should focus on being prepared to handle the most common attack vectors (e.g., spearphishing, malicious web content, credential theft). In general, organizations should prepare by
MSP clients that do not conduct the majority of their own network defense should work with their MSP to determine what they can expect in terms of security. MSP clients should understand the supply chain risk associated with their MSP. Organizations should manage risk equally across their security, legal, and procurement groups. MSP clients should also refer to cloud security guidance from the National Institute of Standards and Technology to learn about MSP terms of service, architecture, security controls, and risks associated with cloud computing and data protection.  
Restricting access to networks and systems is critical to containing an APT actor’s movement. Provided below are key items that organizations should implement and periodically audit to ensure their network environment’s physical and logical architecture limits an APT actor’s visibility and access.
Virtual Private Network Connection Recommendations
Network Architecture Recommendations
Network Service Restriction Recommendations
Compromised account credentials continue to be the number one way threat actors are able to penetrate a network environment. The accounts organizations create for MSPs increase the risk of credential compromise, as MSP accounts typically require elevated access. It is important organizations’ adhere to best practices for password and permission management, as this can severely limit a threat actor’s ability to access and move laterally across a network. Provided below are key items organizations should implement and routinely audit to ensure these risks are mitigated.
Account Configuration Recommendations
Logging Configuration Recommendations
Building a sound architecture supported by strong technical controls is only the first part to protecting a network environment. It is just as critical that organizations continuously monitor their systems, update configurations to reflect changes in their network environment, and maintain relationships with MSPs. Listed below are key operational controls organizations should incorporate for protection from threats.
Operational Control Recommendations
It is important to note that—while the recommendations provided in this TA aim at preventing the initial attack vectors and the spread of any malicious activity—there is no single solution to protecting and defending a network. NCCIC recommends network defenders use a defense-in-depth strategy to increase the odds of successfully identifying an intrusion, stopping malware, and disrupting threat actor activity. The goal is to make it as difficult as possible for an attacker to be successful and to force them to use methods that are easier to detect with higher operational costs.
Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact NCCIC at (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).
This technical alert addresses the exploitation of trusted network relationships and the subsequent illicit use of legitimate credentials by Advanced Persistent Threat (APT) actors. It identifies APT actors' tactics, techniques, and procedures (TTPs) and describes the best practices that could be employed to mitigate each of them. The mitigations for each TTP are arranged according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework core functions of Protect, Detect, Respond, and Recover.
APT actors are using multiple mechanisms to acquire legitimate user credentials to exploit trusted network relationships in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted organizations. Suggested best practices for administrators to mitigate this threat include auditing credentials, remote-access logs, and controlling privileged access and remote access.
APT actors are conducting malicious activity against organizations that have trusted network relationships with potential targets, such as a parent company, a connected partner, or a contracted managed service provider (MSP). APT actors can use legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations, while appearing to be authorized users. Leveraging legitimate credentials to exploit trusted network relationships also allows APT actors to access other devices and other trusted networks, which affords intrusions a high level of persistence and stealth.
Recommended best practices for mitigating this threat include rigorous credential and privileged-access management, as well as remote-access control, and audits of legitimate remote-access logs. While these measures aim to prevent the initial attack vectors and the spread of malicious activity, there is no single proven threat response.
Using a defense-in-depth strategy is likely to increase the odds of successfully disrupting adversarial objectives long enough to allow network defenders to detect and respond before the successful completion of a threat actor’s objectives.
Any organization that uses an MSP to provide services should monitor the MSP's interactions within their organization’s enterprise networks, such as account use, privileges, and access to confidential or proprietary information. Organizations should also ensure that they have the ability to review their security and monitor their information hosted on MSP networks.
The following table displays the TTPs employed by APT actors and pairs them with mitigations that network defenders can implement.
Respond and Recover:
Execution and Internal Reconnaissance:
Respond and Recover:
Compromising the credentials of legitimate users automatically provides a threat actor access to the network resources available to those users and helps that threat actor move more covertly through the network. Adopting and enforcing a strong-password policy can reduce a threat actor’s ability to compromise legitimate accounts; transitioning to multifactor authentication solutions increases the difficulty even further. Additionally, monitoring user account logins—whether failed or successful—and deploying tools and services to detect illicit use of credentials can help network defenders identify potentially malicious activity.
Threat actors regularly target privileged accounts because they not only grant increased access to high-value assets in the network, but also more easily enable lateral movement, and often provide mechanisms for the actors to hide their activities. Privileged access can be controlled by ensuring that only those users requiring elevated privileges are granted those accesses and, in accordance with the principle of least privilege, by restricting the use of those privileged accounts to instances where elevated privileges are required for specific tasks. It is also important to carefully manage and monitor local-administrator and MSP accounts because they inherently function with elevated privileges and are often ignored after initial configuration.
A key way to control privileged accounts is to segregate and control administrator (admin) privileges. All administrative credentials should be tightly controlled, restricted to a function, or even limited to a specific amount of time. For example, only dedicated workstation administrator accounts should be able to administer workstations. Server accounts, such as general, Structured Query Language, or email admins, should not have administrative access to workstations. The only place domain administrator (DA) or enterprise administrator (EA) credentials should ever be used is on a domain controller. Both EA and DA accounts should be removed from the local-administrators group on all other devices. On UNIX devices, sudo (or root) access should be tightly restricted in the same manner. Employing a multifactor authentication solution for admin accounts adds another layer of security and can significantly reduce the impact of a password compromise because the threat actor needs the other factor—that is, a smartcard or a token—for authentication.
Additionally, administrators should disable unencrypted remote-administrative protocols and services, which are often enabled by default. Protocols required for operations must be authorized, and the most secure version must be implemented. All other protocols must be disabled, particularly unencrypted remote-administrative protocols used to manage network infrastructure devices, such as Telnet, Hypertext Transfer Protocol, File Transfer Protocol, Trivial File Transfer Protocol, and Simple Network Management Protocol versions 1 and 2.
Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact NCCIC at (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).
Retail Payment Systems
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Department of the Treasury (Treasury), and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS, Treasury, and FBI identified malware and other indicators of compromise (IOCs) used by the North Korean government in an Automated Teller Machine (ATM) cash-out scheme—referred to by the U.S. Government as “FASTCash.” The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.
FBI has high confidence that HIDDEN COBRA actors are using the IOCs listed in this report to maintain a presence on victims’ networks to enable network exploitation. DHS, FBI, and Treasury are distributing these IOCs to enable network defense and reduce exposure to North Korean government malicious cyber activity.
This TA also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the malware families associated with FASTCash, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.
NCCIC conducted analysis on 10 malware samples related to this activity and produced a Malware Analysis Report (MAR). MAR-10201537 – HIDDEN COBRA FASTCash-Related Malware examines the tactics, techniques, and procedures observed in the malware. Visit the MAR-10201537 page for the report and associated IOCs.
Since at least late 2016, HIDDEN COBRA actors have used FASTCash tactics to target banks in Africa and Asia. At the time of this TA’s publication, the U.S. Government has not confirmed any FASTCash incidents affecting institutions within the United States.
FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions. The U.S. Government assesses that HIDDEN COBRA actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation.
According to a trusted partner’s estimation, HIDDEN COBRA actors have stolen tens of millions of dollars. In one incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries.
HIDDEN COBRA actors target the retail payment system infrastructure within banks to enable fraudulent ATM cash withdrawals across national borders. HIDDEN COBRA actors have configured and deployed legitimate scripts on compromised switch application servers in order to intercept and reply to financial request messages with fraudulent but legitimate-looking affirmative response messages. Although the infection vector is unknown, all of the compromised switch application servers were running unsupported IBM Advanced Interactive eXecutive (AIX) operating system versions beyond the end of their service pack support dates; there is no evidence HIDDEN COBRA actors successfully exploited the AIX operating system in these incidents.
HIDDEN COBRA actors exploited the targeted systems by using their knowledge of International Standards Organization (ISO) 8583—the standard for financial transaction messaging—and other tactics. HIDDEN COBRA actors most likely deployed ISO 8583 libraries on the targeted switch application servers. Malicious threat actors use these libraries to help interpret financial request messages and properly construct fraudulent financial response messages.
Figure 1: Anatomy of a FASTCash scheme
A review of log files showed HIDDEN COBRA actors making typos and actively correcting errors while configuring the targeted server for unauthorized activity. Based on analysis of the affected systems, analysts believe that the scripts —used by HIDDEN COBRA actors and explained in the Technical Details section below—inspected inbound financial request messages for specific primary account numbers (PANs). The scripts generated fraudulent financial response messages only for the request messages that matched the expected PANs. Most accounts used to initiate the transactions had minimal account activity or zero balances.
Analysts believe HIDDEN COBRA actors blocked transaction messages to stop denial messages from leaving the switch and used a
GenerateResponse* function to approve the transactions. These response messages were likely sent for specific PANs matched using
CheckPan()verification (see figure 1 for additional details on
HIDDEN COBRA actors used malicious Windows executable applications, command-line utility applications, and other files in the FASTCash campaign to perform transactions and interact with financial systems, including the switch application server. The initial infection vector used to compromise victim networks is unknown; however, analysts surmise HIDDEN COBRA actors used spear-phishing emails in targeted attacks against bank employees. HIDDEN COBRA actors likely used Windows-based malware to explore a bank’s network to identify the payment switch application server. Although these threat actors used different malware in each known incident, static analysis of malware samples indicates similarities in malware capabilities and functionalities.
HIDDEN COBRA actors likely used legitimate credentials to move laterally through a bank’s network and to illicitly access the switch application server. This pattern suggests compromised systems within a bank’s network were used to access and compromise the targeted payment switch application server.
Although some of the files used by HIDDEN COBRA actors were legitimate, and not inherently malicious, it is likely that HIDDEN COBRA actors used these legitimate files for malicious purposes. See MAR-10201537 for details on the files used. Malware samples obtained for analysis included AIX executable files intended for a proprietary UNIX operating system developed by IBM. The IBM AIX executable files were designed to conduct code injection and inject a library into a currently running process. One of the sample AIX executables obtained provides export functions, which allows an application to perform transactions on financial systems using the ISO 8583 standard.
Upon successful compromise of a bank’s payment switch application server, HIDDEN COBRA actors likely deployed legitimate scripts—using command-line utility applications on the payment switch application server—to enable fraudulent behavior by the system in response to what would otherwise be normal payment switch application server activity. Figure 1 depicts the pattern of fraudulent behavior. The scripts alter the expected behavior of the server by targeting the business process, rather than exploiting a technical process.
During analysis of log files associated with known FASTCash incidents, analysts identified the following commonalities:
.so(shared object) commands using the following pattern:
/tmp/.ICE-unix/e <PID> /tmp.ICE-unix/<filename>m.so <argument>
./sun <PID>/tmp/.ICE-unix/engine.so <argument>
Additionally, both commands use either the
inject (mode 0) or
eject (mode 1) argument with the following ISO 8583 libraries:
m.so [with argument “0” or “1”]
m1.so [with argument “0” or “1”]
m2.so [with argument “0” or “1”]
m3.so [with argument “0” or “1”]
NCCIC recommends administrators review bash history logs of all users with root privileges. Administrators can find commands entered by users in the bash history logs; these would indicate the execution of scripts on the switch application server. Administrators should log and monitor all commands.
The U.S. Government recommends that network administrators review MAR-10201537 for IOCs related to the HIDDEN COBRA FASTCash campaign, identify whether any of the provided IOCs fall within their organization’s network, and—if found—take necessary measures to remove the malware.
A successful network intrusion can have severe impacts, particularly if the compromise becomes public. Possible impacts to the affected organization include
Require Chip and Personal Identification Number Cryptogram Validation
Isolate Payment System Infrastructure
Logically Segregate Operating Environments
Encrypt Data in Transit
Monitor for Anomalous Behavior as Part of Layered Security
Recommendations for Organizations with ATM or Point-of-Sale Devices
NCCIC encourages users and administrators to use the following best practices to strengthen the security posture of their organization’s systems:
For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-83: Guide to Malware Incident Prevention and Handling for Desktops and Laptops.
Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact NCCIC at (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).
Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.
This joint Technical Alert (TA) is the result of Multi-State Information Sharing & Analysis Center (MS-ISAC) analytic efforts, in coordination with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC).
Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.
Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.
Emotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient; it has even been spread using the MS-ISAC name. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate the local networks through incorporated spreader modules.
Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.
To maintain persistence, Emotet injects code into explorer.exe and other running processes. It can also collect sensitive information, including system name, location, and operating system version, and connects to a remote command and control server (C2), usually through a generated 16-letter domain name that ends in “.eu.” Once Emotet establishes a connection with the C2, it reports a new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server.
Emotet artifacts are typically found in arbitrary paths located off of the AppData\Local and AppData\Roaming directories. The artifacts usually mimic the names of known executables. Persistence is typically maintained through Scheduled Tasks or via registry keys. Additionally, Emotet creates randomly-named files in the system root directories that are run as Windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares.
Note: it is essential that privileged accounts are not used to log in to compromised systems during remediation as this may accelerate the spread of the malware.
Example Filenames and Paths:
Typical Registry Keys:
System Root Directories:
Negative consequences of Emotet infection include
NCCIC and MS-ISAC recommend that organizations adhere to the following general best practices to limit the effect of Emotet and similar malspam:
If a user or organization believes they may be infected, NCCIC and MS-ISAC recommend running an antivirus scan on the system and taking action to isolate the infected workstation based on the results. If multiple workstations are infected, the following actions are recommended:
MS-ISAC is the focal point for cyber threat prevention, protection, response, and recovery for the nation’s SLTT governments. More information about this topic, as well as 24/7 cybersecurity assistance for SLTT governments, is available by phone at 866-787-4722, by email at SOC@cisecurity.org, or on MS-ISAC’s website at https://msisac.cisecurity.org/.
To report an intrusion and request resources for incident response or technical assistance, contact NCCIC by email at NCCICCustomerService@hq.dhs.gov or by phone at 888-282-0870.
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with two families of malware used by the North Korean government:
The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.
FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and enable network exploitation. DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity.
This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on how to report incidents. If users or administrators detect activity associated with these malware families, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.
See the following links for a downloadable copy of IOCs:
NCCIC conducted analysis on four malware samples and produced a Malware Analysis Report (MAR). MAR-10135536.3 – RAT/Worm examines the tactics, techniques, and procedures observed in the malware. Visit MAR-10135536.3 – HIDDEN COBRA RAT/Worm for the report and associated IOCs.
According to reporting of trusted third parties, HIDDEN COBRA actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States—including the media, aerospace, financial, and critical infrastructure sectors. Users and administrators should review the information related to Joanap and Brambul from the Operation Blockbuster Destructive Malware Report  in conjunction with the IP addresses listed in the .csv and .stix files provided within this alert. Like many of the families of malware used by HIDDEN COBRA actors, Joanap, Brambul, and other previously reported custom malware tools, may be found on compromised network nodes. Each malware tool has different purposes and functionalities.
Joanap malware is a fully functional RAT that is able to receive multiple commands, which can be issued by HIDDEN COBRA actors remotely from a command and control server. Joanap typically infects a system as a file dropped by other HIDDEN COBRA malware, which users unknowingly downloaded either when they visit sites compromised by HIDDEN COBRA actors, or when they open malicious email attachments.
During analysis of the infrastructure used by Joanap malware, the U.S. Government identified 87 compromised network nodes. The countries in which the infected IP addresses are registered are as follows:
Malware often infects servers and systems without the knowledge of system users and owners. If the malware can establish persistence, it could move laterally through a victim’s network and any connected networks to infect nodes beyond those identified in this alert.
Brambul malware is a brute-force authentication worm that spreads through SMB shares. SMBs enable shared access to files between users on a network. Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.
Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device. Other notable functions include
Analysis indicates the malware encodes data using Rivest Cipher 4 encryption to protect its communication with HIDDEN COBRA actors. Once installed, the malware creates a log entry within the Windows System Directory in a file named mssscardprv.ax. HIDDEN COBRA actors use this file to capture and store victims’ information such as the host IP address, host name, and the current system time.
Brambul malware is a malicious Windows 32-bit SMB worm that functions as a service dynamic link library file or a portable executable file often dropped and installed onto victims’ networks by dropper malware. When executed, the malware attempts to establish contact with victim systems and IP addresses on victims’ local subnets. If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks.
Analysts suspect the malware targets insecure or unsecured user accounts and spreads through poorly secured network shares. Once the malware establishes unauthorized access on the victim’s systems, it communicates information about victim’s systems to HIDDEN COBRA actors using malicious email addresses. This information includes the IP address and host name—as well as the username and password—of each victim’s system. HIDDEN COBRA actors can use this information to remotely access a compromised system via the SMB protocol.
Analysis of a newer variant of Brambul malware identified the following built-in functions for remote operations:
Detection and Response
This alert’s IOC files provide HIDDEN COBRA IOCs related to Joanap and Brambul. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware.
When reviewing network perimeter logs for the IP addresses, organizations may find instances of these IP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find some traffic relates to malicious activity and some traffic relates to legitimate activity.
A successful network intrusion can have severe impacts, particularly if the compromise becomes public. Possible impacts include
DHS recommends that users and administrators use the following best practices as preventive measures to protect their computer networks:
Response to Unauthorized Network Access
Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact DHS NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).
Cybersecurity researchers have identified that foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide   . The actors used VPNFilter malware to target small office/home office (SOHO) routers. VPNFilter malware uses modular functionality to collect intelligence, exploit local area network (LAN) devices, and block actor-configurable network traffic. Specific characteristics of VPNFilter have only been observed in the BlackEnergy malware, specifically BlackEnergy versions 2 and 3.
The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) recommend that owners of SOHO routers power cycle (reboot) SOHO routers and networked devices to temporarily disrupt the malware.
DHS and FBI encourage SOHO router owners to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at 855-292-3937 or by email at CyWatch@fbi.gov. Each submitted report should include as much informaiton as possible, specifically the date, time, location, type of activity, number of people, the type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.
The size and scope of this infrastructure impacted by VPNFilter malware is significant. The persistent VPNFilter malware linked to this infrastructure targets a variety of SOHO routers and network-attached storage devices. The initial exploit vector for this malware is currently unknown.
The malware uses a modular functionality on SOHO routers to collect intelligence, exploit LAN devices, and block actor-configurable network traffic. The malware can render a device inoperable, and has destructive functionality across routers, network-attached storage devices, and central processing unit (CPU) architectures running embedded Linux. The command and control mechanism implemented by the malware uses a combination of secure sockets layer (SSL) with client-side certificates for authentication and TOR protocols, complicating network traffic detection and analysis.
Negative consequences of VPNFilter malware infection include:
DHS and FBI recommend that all SOHO router owners power cycle (reboot) their devices to temporarily disrupt the malware.
Network device management interfaces—such as Telnet, SSH, Winbox, and HTTP—should be turned off for wide-area network (WAN) interfaces, and, when enabled, secured with strong passwords and encryption. Network devices should be upgraded to the latest available versions of firmware, which often contain patches for vulnerabilities.
Rebooting affected devices will cause non-persistent portions of the malware to be removed from the system. Network defenders should ensure that first-stage malware is removed from the devices, and appropriate network-level blocking is in place prior to rebooting affected devices. This will ensure that second stage malware is not downloaded again after reboot.
While the paths at each stage of the malware can vary across device platforms, processes running with the name "vpnfilter" are almost certainly instances of the second stage malware. Terminating these processes and removing associated processes and persistent files that execute the second stage malware would likely remove this malware from targeted devices.
CPU hardware implementations
On May 21, 2018, new variants of the side-channel central processing unit (CPU) hardware vulnerabilities known as Spectre and Meltdown were publicly disclosed. These variants—known as 3A and 4—can allow an attacker to obtain access to sensitive information on affected systems.
Common CPU hardware implementations are vulnerable to the side-channel attacks known as Spectre and Meltdown. Meltdown is a bug that "melts" the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw that an attacker can exploit to force a CPU to reveal its data.
Variant 3a is a vulnerability that may allow an attacker with local access to speculatively read system parameters via side-channel analysis and obtain sensitive information.
Variant 4 is a vulnerability that exploits “speculative bypass.” When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations. While implementation is complex, this side-channel vulnerability could allow less privileged code to
Corresponding CVEs for Side-Channel Variants 1, 2, 3, 3a, and 4 are found below:
Side-Channel Vulnerability Variants 3a and 4 may allow an attacker to obtain access to sensitive information on affected systems.
NCCIC recommends users and administrators
The following table contains links to advisories and patches published in response to the vulnerabilities. This table will be updated as information becomes available.
|Link to Vendor Information||Date Added|
|AMD||May 21, 2018|
|ARM||May 21, 2018|
|Intel||May 22, 2018|
|Microsoft||May 21, 2018|
|Redhat||May 21, 2018|
Update: On April 19, 2018, an industry partner notified NCCIC and the FBI of malicious cyber activity that aligns with the techniques, tactics, and procedures (TTPs) and network indicators listed in this Alert. Specifically, the industry partner reported the actors redirected DNS queries to their own infrastructure by creating GRE tunnels and obtained sensitive information, which include the configuration files of networked devices.
NCCIC encourages organizations to use the detection and prevention guidelines outlined in this Alert to help defend against this activity. For instance, administrators should inspect the presence of protocol 47 traffic flowing to or from unexpected addresses, or unexplained presence of GRE tunnel creation, modification, or destruction in log files.
Original Post: This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC). This TA provides information on the worldwide cyber exploitation of network infrastructure devices (e.g., router, switch, firewall, Network-based Intrusion Detection System (NIDS) devices) by Russian state-sponsored cyber actors. Targets are primarily government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors. This report contains technical details on the tactics, techniques, and procedures (TTPs) used by Russian state-sponsored cyber actors to compromise victims. Victims were identified through a coordinated series of actions between U.S. and international partners. This report builds on previous DHS reporting and advisories from the United Kingdom, Australia, and the European Union. [1-5] This report contains indicators of compromise (IOCs) and contextual information regarding observed behaviors on the networks of compromised victims. FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.
DHS, FBI, and NCSC urge readers to act on past alerts and advisories issued by the U.S. and U.K. Governments, allied governments, network device manufacturers, and private-sector security organizations. Elements from these alerts and advisories have been selected and disseminated in a wide variety of security news outlets and social media platforms. The current state of U.S. network devices—coupled with a Russian government campaign to exploit these devices—threatens the safety, security, and economic well-being of the United States.
The purpose of this TA is to inform network device vendors, ISPs, public-sector organizations, private-sector corporations, and small office home office (SOHO) customers about the Russian government campaign, provide information to identify malicious activity, and reduce exposure to this activity.
For a downloadable copy of the IOC package, see TA18-106A_TLP_WHITE.stix.xml.
Since 2015, the U.S. Government received information from multiple sources—including private and public sector cybersecurity research organizations and allies—that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. The U.S. Government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property theft that supports the Russian Federation’s national security and economic goals.
Legacy Protocols and Poor Security Practice
Russian cyber actors leverage a number of legacy or weak protocols and service ports associated with network administration activities. Cyber actors use these weaknesses to
Additionally, Russian cyber actors could potentially modify or deny traffic traversing through the router.
Russian cyber actors do not need to leverage zero-day vulnerabilities or install malware to exploit these devices. Instead, cyber actors take advantage of the following vulnerabilities:
These factors allow for both intermittent and persistent access to both intellectual property and U.S. critical infrastructure that supports the health and safety of the U.S. population.
Own the Router, Own the Traffic
Network devices are ideal targets. Most or all organizational and customer traffic must traverse these critical devices. A malicious actor with presence on an organization’s gateway router has the ability to monitor, modify, and deny traffic to and from the organization. A malicious actor with presence on an organization’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts. Organizations that use legacy, unencrypted protocols to manage hosts and services, make successful credential harvesting easy for these actors. An actor controlling a router between Industrial Control Systems – Supervisory Control and Data Acquisition (ICS-SCADA) sensors and controllers in a critical infrastructure—such as the Energy Sector—can manipulate the messages, creating dangerous configurations that could lead to loss of service or physical destruction. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.
Network Devices—Often Easy Targets
Stage 1: Reconnaissance
Russian state-sponsored cyber actors have conducted both broad-scale and targeted scanning of Internet address spaces. Such scanning allows these actors to identify enabled Internet-facing ports and services, conduct device fingerprinting, and discover vulnerable network infrastructure devices. Protocols targeted in this scanning include
Login banners and other data collected from enabled services can reveal the make and model of the device and information about the organization for future engagement.
Device configuration files extracted in previous operations can enhance the reconnaissance effort and allow these actors to refine their methodology.
Stage 2: Weaponization and Stage 3: Delivery
Commercial and government security organizations have identified specially crafted SNMP and SMI packets that trigger the scanned device to send its configuration file to a cyber-actor-controlled host via Trivial File Transfer Protocol (TFTP), User Datagram Protocol (UDP) port 69. [6-8] If the targeted network is blocking external SNMP at the network boundary, cyber actors spoof the source address of the SNMP UDP datagram as coming from inside the targeted network. The design of SMI (directors and clients) requires the director and clients to be on the same network. However, since SMI is an unauthenticated protocol, the source address for SMI is also susceptible to spoofing.
The configuration file contains a significant amount of information about the scanned device, including password hash values. These values allow cyber actors to derive legitimate credentials. The configuration file also contains SNMP community strings and other network information that allows the cyber actors to build network maps and facilitate future targeted exploitation.
Stage 4: Exploitation
Legitimate user masquerade is the primary method by which these cyber actors exploit targeted network devices. In some cases, the actors use brute-force attacks to obtain Telnet and SSH login credentials. However, for the most part, cyber actors are able to easily obtain legitimate credentials, which they then use to access routers. Organizations that permit default or commonly used passwords, have weak password policies, or permit passwords that can be derived from credential-harvesting activities, allow cyber actors to easily guess or access legitimate user credentials. Cyber actors can also access legitimate credentials by extracting password hash values from configurations sent by owners and operators across the Internet or by SNMP and SMI scanning.
Armed with the legitimate credentials, cyber actors can authenticate into the device as a privileged user via remote management services such as Telnet, SSH, or the web management interface.
Stage 5: Installation
SMI is an unauthenticated management protocol developed by Cisco. This protocol supports a feature that allows network administrators to download or overwrite any file on any Cisco router or switch that supports this feature. This feature is designed to enable network administrators to remotely install and configure new devices and install new OS files.
On November 18, 2016, a Smart Install Exploitation Tool (SIET) was posted to the Internet. The SIET takes advantage of the unauthenticated SMI design. Commercial and government security organizations have noted that Russian state-sponsored cyber actors have leveraged the SIET to abuse SMI to download current configuration files. Of concern, any actor may leverage this capability to overwrite files to modify the device configurations, or upload maliciously modified OS or firmware to enable persistence. Additionally, these network devices have writeable file structures where malware for other platforms may be stored to support lateral movement throughout the targeted network.
Stage 6: Command and Control
Cyber actors masquerade as legitimate users to log into a device or establish a connection via a previously uploaded OS image with a backdoor. Once successfully logged into the device, cyber actors execute privileged commands. These cyber actors create a man-in-the-middle scenario that allows them to
At this stage, cyber actors are not restricted from modifying or denying traffic to and from the victim. Although there are no reports of this activity, it is technically possible.
Review network device logs and netflow data for indications of TCP Telnet-protocol traffic directed at port 23 on all network device hosts. Although Telnet may be directed at other ports (e.g., port 80, HTTP), port 23 is the primary target. Inspect any indication of Telnet sessions (or attempts). Because Telnet is an unencrypted protocol, session traffic will reveal command line interface (CLI) command sequences appropriate for the make and model of the device. CLI strings may reveal login procedures, presentation of user credentials, commands to display boot or running configuration, copying files and creation or destruction of GRE tunnels, etc. See Appendices A and B for CLI strings for Cisco and other vendors’ devices.
SNMP and TFTP
Review network device logs and netflow data for indications of UDP SNMP traffic directed at port 161/162 on all network-device hosts. Because SNMP is a management tool, any such traffic that is not from a trusted management host on an internal network should be investigated. Review the source address of SNMP traffic for indications of addresses that spoof the address space of the network. Review outbound network traffic from the network device for evidence of Internet-destined UDP TFTP traffic. Any correlation of inbound or spoofed SNMP closely followed by outbound TFTP should be cause for alarm and further inspection. See Appendix C for detection of the cyber actors’ SNMP tactics.
Because TFTP is an unencrypted protocol, session traffic will reveal strings associated with configuration data appropriate for the make and model of the device. See Appendices A and B for CLI strings for Cisco and other vendor’s devices.
SMI and TFTP
Review network device logs and netflow data for indications of TCP SMI protocol traffic directed at port 4786 of all network-device hosts. Because SMI is a management feature, any traffic that is not from a trusted management host on an internal network should be investigated. Review outbound network traffic from the network device for evidence of Internet-destined UDP TFTP traffic. Any correlation of inbound SMI closely followed by outbound TFTP should be cause for alarm and further inspection. Of note, between June 29 and July 6, 2017, Russian actors used the SMI protocol to scan for vulnerable network devices. Two Russian cyber actors controlled hosts 126.96.36.199(3) and 188.8.131.52(4), and connected to IPs on several network ranges on port 4786. See Appendix D for detection of the cyber actors’ SMI tactics.
Because TFTP is an unencrypted protocol, session traffic will reveal strings appropriate for the make and model of the device. See Appendices A and B for CLI strings for Cisco and other vendors’ devices.
Determine if SMI is present
Detect use of SMI
The following signature may be used to detect SMI usage. Flag as suspicious and investigate SMI traffic arriving from outside the network boundary. If SMI is not used inside the network, any SMI traffic arriving on an internal interface should be flagged as suspicious and investigated for the existence of an unauthorized SMI director. If SMI is used inside the network, ensure that the traffic is coming from an authorized SMI director, and not from a bogus director.
Detect use of SIET
The following signatures detect usage of the SIET's commands change_config, get_config, update_ios, and execute. These signatures are valid based on the SIET tool available as of early September 2017:
In general, exploitation attempts with the SIET tool will likely arrive from outside the network boundary. However, before attempting to tune or limit the range of these signatures, i.e. with $EXTERNAL_NET or $HOME_NET, it is recommended that they be deployed with the source and destination address ranges set to “any”. This will allow the possibility of detection of an attack from an unanticipated source, and may allow for coverage of devices outside of the normal scope of what may be defined as the $HOME_NET.
Inspect the presence of protocol 47 traffic flowing to or from unexpected addresses, or unexplained presence of GRE tunnel creation, modification, or destruction in log files.
There is a significant amount of publically available cybersecurity guidance and best practices from DHS, allied government, vendors, and the private-sector cybersecurity community on mitigation strategies for the exploitation vectors described above. The following are additional mitigations for network device manufacturers, ISPs, and owners or operators.
Owners or operators
Refer to the vendor-specific guidance for the make and model of network device in operation.
For information on mitigating SNMP vulnerabilities, see
How to Mitigate SMI Abuse
How to Mitigate GRE Tunneling Abuse:
Operating System Fingerprinting is analyzing characteristics of packets sent by a target, such as packet headers or listening ports, to identify the operating system in use on the target. 
Spear phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they were sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information, such as account usernames and passwords, which can further expose them to future compromises. 
In a watering hole attack, the attacker compromises a site likely to be visited by a particular target group, rather than attacking the target group directly. 
DHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to NCCIC or law enforcement immediately. To request incident response resources or technical assistance, contact NCCIC at NCCICcustomerservice@hq.dhs.gov or 888-282-0870 and the FBI through a local field office or the FBI’s Cyber Division at CyWatch@fbi.gov or 855-292-3937. To request information from or report cyber incidents to UK authorities, contact NCSC at www.ncsc.gov.uk/contact.
Commands associated with Cisco IOS. These strings may be seen in inbound network traffic of unencrypted management tools such as Telnet or HTTP, in the logs of application layer firewalls, or in the logs of network devices. Network device owners and operators should review the Cisco documentation of their particular makes and models for strings that would allow the owner or operator to customize the list for an Intrusion Detection System (IDS). Detecting commands from Internet-based hosts should be a cause for concern and further investigation. Detecting these strings in network traffic or log files does not confirm compromise. Further analysis is necessary to remove false positives.
Strings associated with Cisco IOS configurations may be seen in the outbound network traffic of unencrypted management tools such as Telnet, HTTP, or TFTP. This is a subset of the possible strings. Network device owners and operators should export the configuration of their particular makes and models to a secure host and examine it for strings that would allow the owner or operator to customize the list for an IDS. Detecting outbound configuration data leaving an organization destined for Internet-based hosts should be a cause for concern and further investigation to ensure the destination is authorized to receive the configuration data. Because configuration data provides an adversary with information—such as the password hashes—to enable future attacks, configuration data should be encrypted between sender and receiver. Outbound configuration files may be triggered by SNMP queries and Cisco Smart Install commands. In such cases, the outbound file would be sent via TFTP. Detecting these strings in network traffic or log files does not confirm compromise. Further analysis is necessary to remove false positives.
Russian state-sponsored cyber actors could potentially target the network devices from other manufacturers. Therefore, operators and owners should review the documentation associated with the make and model they have in operation to identify strings associated with administrative functions. Export the current configuration and identify strings associated with the configuration. Place the device-specific administrative and configuration strings into network-based and host-based IDS. Examples for Juniper JUNOS may include: “enable”, ”reload”, ”show”, ”set”, ”unset” ”file copy”, or ”request system scripts” followed by other expected parameters. Examples for MicroTic may include: “ip”, ”interface”, ”firewall”, ”password”, or ”ping”. See the documentation for your make and model for specific strings and parameters to place on watch.
These strings may be seen in inbound network traffic of unencrypted management tools such as Telnet or HTTP, in the logs of application layer firewalls or network devices. Detecting commands from Internet-based hosts should be a cause for concern and further investigation. Detecting these strings in network traffic or log files does not confirm compromise. Further analysis is necessary to remove false positives.
The following are important functions to monitor:
|OID Name||OID Value||Meaning|
|184.108.40.206.220.127.116.11.18.104.22.168.1.2||1||Protocol type = TFTP|
|22.214.171.124.126.96.36.199.188.8.131.52.1.3||1||Source file type = network file|
|184.108.40.206.220.127.116.11.18.104.22.168.1.4||4||Destination file type = running config|
|22.214.171.124.126.96.36.199.188.8.131.52.1.5||184.108.40.206||TFTP server IP = 220.127.116.11|
|18.104.22.168.22.214.171.124.126.96.36.199.1.6||backup||File name = backup|
|188.8.131.52.184.108.40.206.220.127.116.11.1.14||4||Activate the status of the table entry|
Between June 29 and July 6, 2017, Russian actors used the Cisco Smart Install protocol to scan for vulnerable network devices. Two Russian cyber actor-controlled hosts, 18.104.22.168(3) and 22.214.171.124(4), connected to IPs on several network ranges on port 4786 and sent the following two commands:
In early July 2017, the commands sent to targets changed slightly, copying the running configuration file instead of the startup configuration file. Additionally, the second command copies the file saved to flash memory instead of directly copying the configuration file.
According to information derived from FBI investigations, malicious cyber actors are increasingly using a style of brute force attack known as password spraying against organizations in the United States and abroad.
On February 2018, the Department of Justice in the Southern District of New York, indicted nine Iranian nationals, who were associated with the Mabna Institute, for computer intrusion offenses related to activity described in this report. The techniques and activity described herein, while characteristic of Mabna actors, are not limited solely to use by this group.
The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) are releasing this Alert to provide further information on this activity.
In a traditional brute-force attack, a malicious actor attempts to gain unauthorized access to a single account by guessing the password. This can quickly result in a targeted account getting locked-out, as commonly used account-lockout policies allow three to five bad attempts during a set period of time. During a password-spray attack (also known as the “low-and-slow” method), the malicious actor attempts a single password against many accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.
Password spray campaigns typically target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols. An actor may target this specific protocol because federated authentication can help mask malicious traffic. Additionally, by targeting SSO applications, malicious actors hope to maximize access to intellectual property during a successful compromise.
Email applications are also targeted. In those instances, malicious actors would have the ability to utilize inbox synchronization to (1) obtain unauthorized access to the organization's email directly from the cloud, (2) subsequently download user mail to locally stored email files, (3) identify the entire company’s email address list, and/or (4) surreptitiously implements inbox rules for the forwarding of sent and received messages.
Traditional tactics, techniques, and procedures (TTPs) for conducting the password-spray attacks are as follows:
Indicators of a password spray attack include:
A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
To help deter this style of attack, the following steps should be taken:
The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by e-mail at CyWatch@ic.fbi.gov. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Press inquiries should be directed to the FBI’s national Press Office at firstname.lastname@example.org or (202) 324-3691.