Threat Advisories

I. Targeted Entities

U.S. Critical Infrastructures

II. Introduction

CISA, NSA, and FBI have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental U.S. and its territories, including Guam.

Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions.

These actors could use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts. (Cybersecurity and Infrastructure Security Agency, 2024)

III. Additional Background Information

In December 2023, an operation disrupted a botnet comprising hundreds of U.S.-based small office/home office (SOHO) routers that were hijacked by state-sponsored hackers from the People’s Republic of China (PRC). The hackers, known to the private sector as “Volt Typhoon,” used privately-owned SOHO routers infected with the “KV Botnet” malware to conceal the PRC origin of further hacking activities directed against the U.S. and other foreign victims. These further hacking activities included a campaign targeting critical infrastructure organizations in the U.S. and elsewhere that was the subject of a May 2023 FBI, National Security Agency, and CISA advisory (Office of Public Affairs, 2024).

The KV Botnet primarily targets Cisco and Net Gear routers, exploiting a vulnerability due to their “end of service” status. This means they were no longer receiving security patches or software updates from the manufacturer. The operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet (Office of Public Affairs, 2024).

Volt Typhoon employs a multi-faceted approach to infiltrate and compromise target networks, starting with comprehensive pre-compromise reconnaissance to understand the network architecture and operational protocols. They exploit vulnerabilities in public-facing network appliances to gain initial access, then aim to escalate privileges within the network, often targeting administrator credentials. Utilizing valid credentials, they move laterally through the network, leveraging remote access services like Remote Desktop Protocol (RDP) to reach critical devices such as domain controllers (DC). Volt Typhoon conducts discovery within the network, utilizing stealthy tactics such as living-off-the-land (LOTL) binaries and PowerShell queries on event logs to extract critical information while minimizing detection. LOTL tools like ntdsutil, netsh, and systeminfo were used to gather information about the network service and system details. Also, Volt Typhoon implanted binary files such as SMSvcService.exe and Brightmetricagent.exe that can open reverse proxies between a compromised device and malicious C2 servers. The PowerShell script logins.ps1 was also observed collecting successful logon events on infected systems without being noticed. (Cybersecurity and Infrastructure Security Agency, 2024).

After achieving full domain compromise, Volt Typhoon extracts the Active Directory database (NTDS.dit) from the DC using techniques like the Volume Shadow Copy Service (VSS), bypassing file locking mechanisms. Additionally, Volt Typhoon uses offline password cracking methods to decipher hashed passwords, enabling elevated access within the network. With elevated credentials, Volt Typhoon focuses on strategic network infiltration, aiming to access Operational Technology (OT) assets, such as sensors and control systems. Volt Typhoon was observed testing access to OT systems using default vendor credentials and exploiting compromised credentials obtained through NTDS.dit theft. This access grants them the capability to potentially disrupt critical infrastructure systems such as HVAC and energy controls, indicating a significant threat to infrastructure security (Cybersecurity and Infrastructure Security Agency, 2024).

The second vulnerability, CVE-2024-1708, is related to CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’). Although it is considered less severe as it is unlocked by CVE-2024-1079, it must not be underestimated (Team Huntress, 2024). This vulnerability involves manipulating ZIP file paths when extracting its contents. Attackers can then modify these contents and execute malicious code (Poudel, 2024). To do this, a malicious actor needs to have both administrative credentials and create a malicious extension inside C:Program Files (x86)ScreenConnectApp_Extensions to write files anywhere within the folder (Team Huntress, 2024). Team Huntress showed that this ZipSlip attack was not necessary, as malicious actors can run code by accessing a ScreenConnect feature called “Extensions”. This could potentially go easily unnoticed in a system since no other extensions need to be installed (Team Huntress, 2024).

ConnectWise released a patched version of ScreenConnect on February 21^st, 2024, and recommends updating all 23.9.7 and earlier versions to 23.9.8 (ConnectWise, 2024). As of today, February 22^nd, 2024, 3,800 instances of ScreenConnect have been found vulnerable, and need to be updated to the latest version in order to prevent malicious actors from accessing the ScreenConnect environment. ConnectWise added that Cloud instances were automatically patched, while On-Prem partners need to install all the required updates manually to remediate against both vulnerabilities (ConnectWise).

IV. MITRE ATT&CK

• T1592 – Gather Victim Host Information
  Adversaries may obtain crucial details about victim hosts, encompassing administrative data (e.g., name, assigned IP) and configuration specifics (e.g., operating system). This information is gathered through various methods, including direct actions like Active Scanning or Phishing, as well as compromising sites to collect data from visitors.

• T1583.003 – Acquire Infrastructure: Botnet
  Adversaries may obtain compromised systems through purchasing, leasing, or renting botnets, which are networks of compromised systems. By utilizing these botnets, adversaries can orchestrate coordinated tasks, including subscribing to services like booter/stresser to launch large-scale activities such as Phishing or Distributed Denial of Service (DDoS) attacks.

• T1190 – Exploit Public-Facing Application
  Adversaries may exploit weaknesses in internet-facing systems, targeting software bugs, glitches, or misconfigurations. This may involve websites, databases, standard services, or network protocols, potentially leading to compromise. Cloud-based or containerized applications could provide access to underlying infrastructure, cloud/container APIs, or exploitation of weak access management. Edge network infrastructure and appliances may also be targeted. Frameworks like OWASP and CWE can be used to identify common web vulnerabilities that adversaries may exploit.

• T1078 – Valid Accounts
  Adversaries leverage compromised credentials for various purposes such as Initial Access, Persistence, Privilege Escalation, or Defense Evasion. These credentials can circumvent access controls for resources, provide persistent access to remote systems, and access services like VPNs or Outlook Web Access. Adversaries often opt for legitimate access to evade detection, and inactive accounts may be exploited to avoid detection. The overlap of permissions across systems poses a risk, allowing adversaries to pivot and attain high-level access, bypassing enterprise controls.

• T1068 – Exploitation for Privilege Escalation
  Adversaries may exploit software vulnerabilities to elevate privileges, capitalizing on programming errors in operating systems or kernel code to execute adversary-controlled actions. When operating with lower privileges, adversaries target higher-privileged components to escalate access, potentially reaching SYSTEM or root permissions. By exploiting vulnerabilities in drivers, adversaries may introduce a Bring Your Own Vulnerable Driver (BYOVD) for kernel mode code execution.
• T1110.002 – Brute Force: Password Cracking
  Adversaries use password cracking techniques to recover usable credentials, especially plaintext passwords, when they obtain credential material like password hashes. Techniques like OS Credential Dumping and Data from Configuration Repository can provide hashed credentials. Adversaries may systematically guess passwords or use pre-computed rainbow tables outside the target network to crack hashes, obtaining plaintext passwords for unauthorized access.

• Other Relevant MITRE ATT&CK Techniques
  T1133, T1059, T1587.004, T1589, T1590, T1591, T1593.
  

VII. References

PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure | Cybersecurity and Infrastructure Security Agency CISA. (2024, February 7). https://www.cisa.gov/news-events/cybersecurity-advisories/aa24038a#_Appendix_C:_MITRE

U.S. government disrupts botnet people’s republic of China used to conceal hacking of critical infrastructure. Office of Public Affairs | United States Department of Justice. (2024, January 31). https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Alessandro Lovadina, Joy Boddu, Likhitha Duggi

I. Targeted Entities

ConnectWise ScreenConnect customers

II. Introduction

A critical authentication bypass has been discovered in ConnectWise’s ScreenConnect, a software for remote desktop access. This exploit potentially allows attackers access to confidential information and critical systems without needing the proper credentials. Once authenticated via the authentication bypass, attackers can leverage a path-traversal vulnerability to potentially execute remote code inside critical systems.

III. Additional Background Information

On February 19, 2024, ConnectWise released a Threat Advisory for patching multiple vulnerabilities discovered in the company’s ScreenConnect software. ScreenConnect is a remote desktop and access software that can be used for direct connections to desktops, mobile devices, and more. The vulnerabilities, CVE-2024-1709 and CVE-2024-1708, were first reported on February 13^th. These vulnerabilities have been classified as significantly exploitable with CVE-2024-1709 receiving a 10.0 critical base score and CVE-2024-1708 receiving an 8.4 high base score by NIST.

The first vulnerability, CVE-2024-1709, involves authentication bypass, which is directly related to CWE-288 – Authentication Bypass Using an Alternate Path or Channel. A flaw was found in a text file named “SetupWizard.aspx”, which has the functionality of setting up the administrative user and installing a license for the system. In unpatched versions, this setup file can be accessed even after the initial setup is completed. This is accomplished by adding additional components after the legitimate URL to SetupWizard.aspx (/SetupWizard.aspx/[anything]) and exploiting how the .NET framework handles URL paths. The code inside the text file does not check if the ScreenConnect instance setup has already been completed, making it possible for anyone to access the setup wizard and overwrite the internal user database, effectively gaining administrative access (Poudel, 2024).

The second vulnerability, CVE-2024-1708, is related to CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’). Although it is considered less severe as it is unlocked by CVE-2024-1079, it must not be underestimated (Team Huntress, 2024). This vulnerability involves manipulating ZIP file paths when extracting its contents. Attackers can then modify these contents and execute malicious code (Poudel, 2024). To do this, a malicious actor needs to have both administrative credentials and create a malicious extension inside C:Program Files (x86)ScreenConnectApp_Extensions to write files anywhere within the folder (Team Huntress, 2024). Team Huntress showed that this ZipSlip attack was not necessary, as malicious actors can run code by accessing a ScreenConnect feature called “Extensions”. This could potentially go easily unnoticed in a system since no other extensions need to be installed (Team Huntress, 2024).

ConnectWise released a patched version of ScreenConnect on February 21^st, 2024, and recommends updating all 23.9.7 and earlier versions to 23.9.8 (ConnectWise, 2024). As of today, February 22^nd, 2024, 3,800 instances of ScreenConnect have been found vulnerable, and need to be updated to the latest version in order to prevent malicious actors from accessing the ScreenConnect environment. ConnectWise added that Cloud instances were automatically patched, while On-Prem partners need to install all the required updates manually to remediate against both vulnerabilities (ConnectWise).

V. MITRE ATT&CK

• T1190 – Exploit Public-Facing Applications
  Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Adversaries exploited CVE-2023-3519 to implant a webshell on the organization’s NetScaler ADC appliance.

• T1068 – Exploitation for Privilege Escalation
  Adversaries may exploit software vulnerabilities to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.

• T1105 – Ingress Tool Transfer
  Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command-and-control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment.

• T1136 – Create Account
  Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

• T1203 – Exploitation for Client Execution
  Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution.

CVE-2024-1708

VII. Additional OSINT Information

Sigma rule for detecting requests made to the Setup Wizard with trailing paths (Huntress).

Sigma rule for detecting the ScreenConnect server writing to a temporary XML file (Huntress).

Setup Wizard YARA Rule for detecting Internet Information Services (IIS) log entries in reference to the SetupWizard (Huntress).

Sigma rule that alerts file modifications in the App_Extensions root directory (Huntress).

VIII. References

CVE-2024-1709. NIST. (n.d.-b). https://nvd.nist.gov/vuln/detail/CVE-2024-1709

CVE-2024-1708. NIST. (n.d.-a). https://nvd.nist.gov/vuln/detail/CVE-2024-1708

ConnectWise ScreenConnect 23.9.8 security fix. ConnectWise. (2024, February 19). https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

Detection guidance for ConnectWise CWE-288. Huntress. (2024a, February 20). https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2

Understanding the ConnectWise screenconnect CVE-2024-1709 & CVE-2024-1708: Huntress blog. Huntress. (2024, February 21). https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass

Mitre ATT&CK®. MITRE. (n.d.). https://attack.mitre.org/

Poudel, S. (2024, February 22). Unveiling the ScreenConnect authentication bypass (CVE-2024-1709 & CVE-2024-1708). Logpoint. https://www.logpoint.com/en/blog/emerging-threats/screenconnect-authentication-bypass/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Alessandro Lovadina, Benjamin Price

I. Targeted Entities

• NetScaler Users*

II. Introduction

This cyberattack has been targeting NetScaler application delivery controller (ADC) and NetScaler Gateway; tools that improve the delivery speed of applications to an end user and provides secure remote access to application and services, respectively. Threat actors exploited this vulnerabiltiy as a zero-day attack to drop a webshell. The webshell allowed the threat actors access to the victim’s active directory (AD) and collect and exfiltrate data.

III. Additional Background Information

In June 2023, threat actors exploited a public facing applications called NetScaler Application Delivery Controller and NeScaler Gateway. Threat actors implanted a webshell on the organization’s NetScaler ADC appliance, and then abused elevation controls to initilalize an exploit chain to a binary file to extract data.

The affected versions following this vulnerability are for Netscaler and Netscaler Gateway: 13.1 before 13.1-40.13. Intially, CVE-2023-3519 was CVE-2019-19781 that as discovered in December 2019 and it attracted signifcant attention due to its potential to be exploited for the same purpose as it is being seen (unauthneticated remote code execution). In the 2019-29781 CVE attackers would gain access through Citrix NetScaler server to exploit public facing applications such as Citrix ADC and gateway and we can see that happening in the 2023-3519 CVE as well.

According to NISTs’ CVSS Severity and Metrics the vulnerability has been rate the following:

Threat Actor Activity
Victim 1

As part of their initial exploit chain [T1190], the threat actors uploaded a TGZ file [T1105] containing a generic webshell [T1505.003], discovery script [TA0007], and setuid binary [T1548.001] on the ADC appliance and conducted SMB scanning on the subnet [T1046].

Threat Actor Activity
Victim 2

Threat actors uploaded a PHP webshell *logouttm.php* [T1036.005], likely as part of their initial exploit chain, to */netscaler/ns_gui/vpn/. Within an hour of installing the webshell, the actors implanted an Executable and Linkable Format (ELF) binary pykeygen that set user unique identifier (UID) to root and executed /bin/sh [T1059.004] via setuid and execve syscall.* [T1106]. Note: A third party also observed threat actors use an ELF binary (named pip4) to execute /bin/sh via syscall and change the UID to root. pip4 was located at /var/python/bin.

With root level access, the actors used hands-on-keyboard for discovery. They queried the AD via ldapsearch for users, groups, and computers. They collected the data in gzipped text files renamed 1.css and 2.css and placed the files in /netscaler/ns_gui/vpn/ for exfiltration.

After exfiltrating the files, the actors deleted them from the system [T1070.004] as well as some access logs, error logs, and authentication logs [T1070.002]. The victim organization detected the intrusion and mitigated the activity but did not identify signs of additional malicious activity.

For command and control (C2), the actors appeared to use compromised pfSense devices [T1584]; the victim observed communications with two pfSense IP addresses indicating the actor was using them for multi-hop proxying C2 traffic [T1090.003].

Updated vulnerabilities affecting Netscaler ADC and Netscaler Gateway:

As of October 23^rd, Cyber Florida recived updates regarding vulnerabilities affecting Netscaler ADC and Netscaler Gateway. The vulnerabilities in mention: CVE-2023-4966 and CVE 2023-4967 both place high in the CVSS score for severity, and should be mitigated immediately. CVE-2023-4966, a sensitive information disclosure vulnerability, allows attackers to get access to large amounts of data in memory at the end of a buffer. Frequently seen within this attack vector are efforts to gain unauthetnicated access to previous session tokens that allow attackers impersonate authenticated users and their escalate priveleges. CVE 2023-4967, although less critical than the first observed vulnerability, is still a severe vulnerability that can lead to a Denial of Service (D.O.S) attack and cause great harm to a company.

As of October 23^rd, updated effected versions of Netscaler ADC and Netscaler Gateway are the following:

• Netscaler ADC and Netscaler Gateway 14.1 before 14.1-8.50
• Netscaler ADC and Netscaler Gateway 13.1 before 13.1-49.15
• Netscaler ADC and Netscaler Gateway 13.0 before 13.0-92.19

V. MITRE ATT&CK

• T1190 – Exploit Public-Facing Applications
  Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Adversaries exploited CVE-2023-3519 to implant a webshell on the organization’s NetScaler ADC appliance.

• T1505.003 – Server Software Component: Web Shell
  Adversaries may backdoor web servers with web shells to establish persistent access to systems. The threat actors implanted a generic webshell on the organization’s NetScaler ADC appliance.

• T1548.001 – Abuse Elevation Control Mechanism: Setuid and Setgid
  An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. As part of their initial exploit chain, the threat actors uploaded a TGZ file contain a setuid binary on the ADC appliance

• T1036.008 – Masquerading: Masquerade File Type
  Adversaries may masquerade malicious payloads as legitimate files through changes to the payload’s formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. The threat actors exfiltrated data by uploading it as an image file to a web-accessible path.

• T1018 – Remote System Discovery
  Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or net view using Net.The threat actors queried the AD for computers. The threat actors attempted to execute a subnet-wide curl command to identify what was accessible from within the network as well as potential lateral movement targets. Network-segmentation controls prevented this activity.

• T1016.001 – System Network Configuration Discovery: Internet Connection Discovery
  Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using Ping, tracert, and GET requests to websites.The threat actors attempted to verify outbound network connectivity with a ping command and executed host commands for a subnet-wide DNS lookup. Networksegmentation controls prevented this activity.

• T1046 – Network Service Discovery
  Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system. The threat actors conducted SMB scanning on the organization’s subnet.

• T1056.001 – Archive Collected Data: Archive via Utility
  Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.The threat actors encrypted discovery data collected via openssl in “tar ball.”

• T1090.001 – Proxy: Internal Proxy
  Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion.The actors likely used a PHP shell with proxying capability to attempt proxying SMB traffic to the DC (the traffic was blocked by a firewall and account restrictions).

• T1531 – Account Access Removal
  Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. The threat actors deleted the authorization configuration file (/etc/auth.conf)—likely to prevent configured users from logging in remotely (e.g., CLI).

Cisa.gov

Third-party provide IP addresses afiliated with Citrix CVE-2023-3519

Cisa.gov

Third-party provided IOCs affiliated with Citrix CVE-2023-3519

Cisa.gov

Updated NetScaler ADC and NetScaler Gateway containing unathenticated buffer-related vulnerablities *10/23/2023*

Support.citrix.com

VIII. References

Threat actors exploiting Citrix CVE-2023-3519 to Implant Webshells – CISA. https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf

Enterprise Techniques. Mitre ATT&CK®. (n.d.). https://attack.mitre.org/versions/v13/techniques

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967. (2023, October 23). https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967

Rapid. (n.d.). CVE-2023-4966: Exploitation of Citrix NetScaler Information Disclosure Vulnerability. Rapid7. https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/#:~:text=On%20October%2010%2C%202023%2C%20Citrix,the%20end%20of%20a%20buffer.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: EJ Bulut, Nahyan Jamil, Alessandro Lovadina, Ben Price, Erika Delvalle, Ariana Manrique, Yousef Blassy

I. Targeted Entities

• Ivanti Users

II. Introduction

Norwegian authorities recently revealed a critical zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM), posing a significant security threat. The flaw enables unauthenticated remote attackers to bypass authentication and gain access to the server’s API, potentially leading to data theft and unauthorized system modifications.

III. Additional Background Information

On July 24th, the Norwegian Government Security and Service Organization (DSS) and the Norwegian National Security Agency (NSM) informed the public about a zero day vulnerability in Ivanti Endpoint Manager Mobile (EPMM), a mobile management software that can be used for mobile device management and mobile application/content management (Tenable). This vulnerability has received a maximum CVSS score of 10, which means that it is very easy to exploit and does not require particular tools or skills to do so (Mnemonic).

This vulnerability, classified as CVE-2023-35078, is an authentication bypass in Ivanti’s EPMM. An unauthenticated, remote attacker could exploit this vulnerability to gain access to the server’s application program interface (API), normally accessible only to authenticated users (Tenable). Successful exploitation would allow an attacker to be able to access “specific API paths”. By utilizing these unrestricted API paths, a malicious actor could potentially steal personally identifiable information (PII) such as names, phone numbers, and other mobile device details. An attacker can also make other configuration changes, including the creation of an EPMM administrative account on the server that can make further changes to a vulnerable system (CISA). The attack consists of changing the URI path to the API v2, which can in fact be accessed without any authentication methods (Mnemonic). According to the API documentation, all API calls are based on the URL format: https://[core-server]/api/v2/. If we add the path to a vulnerable endpoint, it is easy to execute commands withouth needing authentication, as shown here: https://[core-server]/vulnerable/path/api/v2. Luckily, it is fairly simple to detect whether the vulnerability has been exploited in a system. This can be done by checking the logs from the mobile management software to determine if the API v2 endpoint in Ivanti’s EPMM has been targeted (Uzun). This may be evident if regular API calls to unusual paths are present in the logs.

Ivanti reported that the vulnerability impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older unsupported versions/releases are also at risk (CISA). Furthermore, the company has promptly issued security patches for the EPMM vulnerability. Customers can fix it by upgrading the software to EPMM versions 11.8.1.1, 11.9.1.1, and 11.10.0.2. These fixed versions cover also unsupported and End-of-Life (EoL) software versions that are lower than 11.8.1.0 (Uzun).

According to the articles posted by Ivanti, the vulnerability was exploited in the wild as a zero-day against a small number of customers (Tenable). However, it is known that the unnamed attackers utilized this flaw to compromise 12 government ministries in Norway (Muncaster).

IV. MITRE ATT&CK

• T1190 – Exploit Public Facing Application
  Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets. Depending on the flaw being exploited this may also involve Exploitation for Defense Evasion.
• T1059 – Command and Scripting Interpreter
  Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.
• T1018 – Remote System Discovery
  Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or net view using Net.
• T1015.003 -Server Software Component: Web Shell
  Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.
• T1070 – Indicator Removal
  Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer’s alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
• T1005- Data from Local System
  Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
• T1572 – Protocol Tunneling
  Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.
• T1090 – Proxy (Internal Proxy)
  Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.

V. Recommendations

• Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

• Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.

• Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

• Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.

• Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.

• Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.

• Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.

• Manage Default Accounts on Enterprise Assets and Software: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.

• Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

VI. IOCs (Indicators of Compromise)

VIII. References

Mnemonic. (2023, July 25). Advisory: Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability. https://www.mnemonic.io/resources/blog/ivanti-endpoint-manager-mobileepmm-authentication-bypass-vulnerability/

Tenable®. (2023, July 25). CVE-2023-35078: IVaNti Endpoint Manager Mobile (EPMM) / MobileIron Core Unauthenticated API Access vulnerability. https://www.tenable.com/blog/cve-2023-35078-ivanti-endpoint-managermobile-epmm-mobileiron-core-unauthenticated-api-access

Uzun, T. (2023, July 25). Critical Zero-Day in Ivanti EPMM (Formerly MobileIron Core) is actively exploited (CVE-2023-35078). SOCRadar® Cyber Intelligence Inc. https://socradar.io/critical-zero-day-in-ivanti-epmm-formerly-mobileiron-core-isactively-exploited-cve-2023-35078/

Cybersecurity and Infrastructure Security Agency CISA. (2023, July 24). Ivanti releases security updates for Endpoint Manager Mobile (EPMM) CVE-2023-35078. https://www.cisa.gov/news-events/alerts/2023/07/24/ivanti-releases-securityupdates-endpoint-manager-mobile-epmm-cve-2023-35078

Muncaster, P. (2023, July 25). Ivanti patches Zero-Day bug used in Norway attacks. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/ivantipatches-zeroday-bug-norway/

Uzun, T. (2023, August 4). Critical Zero-day in Ivanti EPMM (formerly MobileIron Core) is actively exploited (CVE-2023-35078). SOCRadar® Cyber Intelligence Inc. https://socradar.io/critical-zero-day-in-ivanti-epmm-formerly-mobileiron-core-isactively-exploited-cve-2023-35078/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Nahyan Jamil, Erika Delvalle, Alessandro Lovadina, Sreten Dedic, EJ Bulut, Uday Bilakhiy, Yousef Blassy.

I. Targeted Entities

• MOVEit Customers

II. Introduction

A critical SQL injection vulnerability has been discovered in MOVEit, a managed file transfer software. Exploiting this flaw, remote attackers gained unauthorized access to the database, enabling them to execute arbitrary code.

III. Additional Background Information

The Cybersecurity & Infrastructure Security Agency has issued an alert about the use of a SQL injection vulnerability in the MOVEit Transfer web application, CVE-2023-34362. This could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database. According to its development company Progress, an attacker may be able to infer information about the structure and contents of the database and execute SQL queries that alter or delete data, depending on the database engine that is being used, such as MySQL or Azure SQL (Progress). All versions of MOVEit Transfer are affected by this vulnerability (Pernet), and the exploitation of the MOVEit Transfer environment can occur via HTTP or HTTPS.

An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable MOVEit Transfer instance (Tenable). On compromised systems, unauthorized access may appear as unexpected file creation in the MOVEit Transfer root folder c:MOVEit Transferwwwroot or appear similar to exfiltration traffic such as unexpected large file downloads and uploads (Kroll) from unknown IP addresses (Pernet).

The threat actors deployed a LEMURLOOT web shell named human2.aspx located in the wwwroot folder of the MOVEit install folder. The file name has probably been chosen to remain unnoticed since another legitimate component of the software called human.aspx is used by MOVEit for its web interface. The web shell’s access is protected by a password. Attempts to connect to the web shell without the proper password results in the malicious code providing a 404 Not Found error (Pernet).

LEMURLOOT is written in C# and is designed to interact with the MOVEit Transfer environment. The malware can authenticate incoming connections using a hard-coded password and after successfully breaching into the system, it can run multiple commands and scripts from the X-siLock-Step1 – 3 fields that will download sensitive files from the MOVEit Transfer database, extract Azure system settings, retrieve detailed record information, create and insert a particular user, or delete this same user. Data returned to the system interacting with the LEMURLOOT web shell is gzip compressed (Mandiant)

The vulnerability is known to affect all versions of the MOVEit Transfer product with the earliest known exploitation dating to May 27, 2023 (Mandiant). Patches are available for all years of the MOVEit Transfer product. Currently, other MOVEit products such as MOVEit Automation, Client, Mobile, Gateway, etc. are not susceptible to vulnerability and do not require any immediate action (Progress).

IV. MITRE ATT&CK

• T1190 – Exploit Public Facing Application
  Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets. Depending on the flaw being exploited this may also involve Exploitation for Defense Evasion.
• T1059.001 – Command and Scripting Interpreter: PowerShell
  Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
• T1059.003 – Server Software Component: Web Shell
  Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.

• T1210 – Exploitation of Remote Services
  Adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel privileges to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Discovery or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

V. Recommendations

• Disable HTTP and HTTPS traffic to their MOVEit transfer Environment
• Check for indicators or unauthorized access in the last 30 days
• Apply patches as they become readily available
• Kroll advises MOVEit Administrators look in the “C:MOVEit Transferwwwroot” directory for suspicious .aspx files such as “human2.aspx” or “machine2.aspx”.

VI. IOCs (Indicators of Compromise)

VII. Additional OSINT Information

VIII. References

Kroll. (2023, June 7). Critical MOVEit Transfer Vulnerability (CVE-2023-34362).
https://www.kroll.com/en/insights/publications/cyber/responding-critical-moveit-transfer-vulnerability-cve-2023-34362

Mandiant. (2023, June 2). Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft.
https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft

Pernet, C. (2023, June 6). Zero-day MOVEit Transfer vulnerability exploited in the wild, heavily targeting North America. TechRepublic.
https://www.techrepublic.com/article/zero-day-moveit-vulnerability/

Tenable®. (2023, June 2). CVE-2023-34362: MOVEIt Transfer Critical Zero-Day Vulnerability Exploited in the Wild.
https://www.tenable.com/blog/cve-2023-34362-moveit-transfer-critical-zero-day-vulnerability-exploited-in-the-wild

Progress Customer Community. (2023, June 16). Community.progress.com.
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: EJ Bulut, Benjamin Price, Erika Delvalle, Nahyan Jamil, and Alessandro Lovadina

I. Targeted Entities

• Windows and Fortinet systems

II. Introduction

Several critical vulnerabilities were discovered in both Microsoft and Fortinet products, where remote code execution and arbitrary code execution can be leveraged, respectively.

For both companies, these vulnerabilities can allow an attacker to install programs; view, change, or delete data; or create new accounts with full user rights. User accounts configured with fewer user rights could be less impacted when compared to user accounts operating with administrative rights.

III. Background Information

Microsoft has revealed that their security update for the month of April consisted of an update to fix a total of 97 flaws; one being an actively exploited zero-day vulnerability. Microsoft reported seven vulnerabilities to be labeled as “critical,” the most serious classification that can be used. The types of vulnerabilities that were provided in Microsoft’s advisory are the following: elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service, and spoofing (Abrams, 2023).

As for the zero-day vulnerability, known as CVE-2023-28252, it is a Windows common log file system driver elevation privilege vulnerability; this allows for the user privilege to be escalated to SYSTEM, which is the highest privilige in Windows. Microsoft also reported that this vulnerability was seen in the wild before the security updates patched the vulnerability (MS-ISAC, 2023).

Moreover, a cybersecurity solutions provider, Fortinet, has announced their release of patch for several high-security flaws in products such as FortiOS, FortiProxy, FortiSandbox, FortiWeb, FortiClient, and FortiManager. These issues could allow for cross-site scripting attacks, unauthorized API calls, command execution, arbitrary code execution, privilege escalation, and man-in-the-middle attacks. Fortinet also reported a critical missing authentication vulnerability, tracked as CVE-2022-41331 with a CVSS score of 9.3, in the infrastructure server for FortiPresence. This could be exploited by a remote and unauthenticated attacker through crafted authentication requests to access Redis and MongoDB instances; (Arghire, 2023).

Affected Microsoft Systems:

• NET Core
• Azure Machine Learning
• Azure Service Connector
• Microsoft Bluetooth Driver
• Microsoft Defender for Endpoint
• Microsoft Dynamics
• Microsoft Dynamics 365 Customer Voice
• Microsoft Edge (Chromium-based)
• Microsoft Graphics Component
• Microsoft Message Queuing
• Microsoft Office
• Microsoft Office Publisher
• Microsoft Office SharePoint
• Microsoft Office Word
• Microsoft PostScript Printer Driver
• Microsoft Printer Drivers
• Microsoft WDAC OLE DB provider for SQL
• Microsoft Windows DNS
• Visual Studio
• Visual Studio Code
• Windows Active Directory
• Windows ALPC
• Windows Ancillary Function Driver for WinSock
• Windows Boot Manager
• Windows Clip Service
• Windows CNG Key Isolation Service
• Windows Common Log File System Driver
• Windows DHCP Server
• Windows Enroll Engine
• Windows Error Reporting
• Windows Group Policy
• Windows Internet Key Exchange (IKE) Protocol
• Windows Kerberos
• Windows Kernel
• Windows Layer 2 Tunneling Protocol
• Windows Lock Screen
• Windows Netlogon
• Windows Network Address Translation (NAT)
• Windows Network File System
• Windows Network Load Balancing
• Windows NTLM
• Windows PGM
• Windows Point-to-Point Protocol over Ethernet (PPPoE)
• Windows Point-to-Point Tunneling Protocol
• Windows Raw Image Extension
• Windows RDP Client
• Windows Registry
• Windows RPC API
• Windows Secure Boot
• Windows Secure Channel
• Windows Secure Socket Tunneling Protocol (SSTP)
• Windows Transport Security Layer (TLS)
• Windows Win32K

Affected Fortinet Systems:

• FortiDDoS-F versions prior to 6.4.1
• FortiDDoS versions prior to 5.7.0
• FortiADC versions prior to 7.2.0
• FortiAnalyzer versions prior to 7.2.2
• FortiManager versions prior to 7.2.2
• FortiAuthenticator versions prior to 6.5.0
• FortiClientMac versions prior to 7.2.0
• FortiClientWindows versions prior to 7.2.0
• FortiOS versions prior to 7.2.4
• FortiNAC-F versions prior to 7.2.0
• FortiNAC versions prior to 9.4.2
• FortiProxy versions prior to 7.2.3
• FortiPresence versions prior to 2.0.0
• FortiSOAR versions prior to 8.0.0
• FortiSandbox versions prior to 4.2.3
• FortiDeceptor versions prior to 4.2.0
• FortiWeb versions prior to 7.2.0
• FortiSIEM versions prior to 6.5.0

VI. CVEs (Common Vulnerabilities and Exposures)

• CVE-2023-28252 – Windows Common Log File System Driver Elevation of Privilege Vulnerability – Elevates privileges to SYSTEM, the highest user privilege level in Windows
• CVE-2022-40679 – FortiADC / FortiDDoS / FortiDDoS-F – Command injection in log & report module: An improper neutralization of special elements used in an OS command vulnerability in FortiADC, FortiDDoS and FortiDDoS-F may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.
• CVE-2022-41330 – FortiOS / FortiProxy – Cross Site Scripting vulnerabilities in administrative interface: Multiple improper neutralization of input during web page generation (‘Cross-site Scripting’) vulnerabilities in FortiOS & FortiProxy administrative interface may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP or HTTPS GET requests.
• CVE-2022-43952 – FortiADC – Cross-Site Scripting in Fabric Connectors: An improper neutralization of input during web page generation (‘Cross-site Scripting’) vulnerability in FortiADC may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.
• CVE-2022-43955 – FortiNAC – FortiWeb – XSS vulnerability in HTML generated attack report files: An improper neutralization of input during web page generation in the FortiWeb web interface may allow an unauthenticated and remote attacker to perform a reflected cross site scripting attack (XSS) via injecting malicious payload in log entries used to build report.
• CVE-2022-30850 – FortiAuthenticator – Reflected XSS in the password reset page: An improper neutralization of script-related HTML tags in a web page vulnerability in FortiAuthenticator may allow a remote unauthenticated attacker to trigger a reflected cross site scripting (XSS) attack via the “reset-password” page.
• CVE-2023-27995 – FortiSOAR – Server-side Template Injection in playbook execution: An improper neutralization of special elements used in a template engine vulnerability in FortiSOAR management interface may allow a remote and authenticated attacker to execute arbitrary code via a crafted payload.

V. Recommendations

Microsoft Systems:

Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)

• Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
• Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
• Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
• Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
• Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
• Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
• Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
• Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
• Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)
• Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
• Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

Fortinet Systems:

Apply appropriate updates provided by FortiNet to vulnerable systems immediately after appropriate testing. (M1051: Update Software)

• Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
• Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
• Safeguard 7.3: Perform Automated Operating System Patch Management: Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
• Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
• Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
• Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
• Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
• Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
• Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
• Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

• Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
  • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing.Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.

• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Safeguard 6.8: Define and Maintain Role-Based Access Control: Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
• Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
  • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
• Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
  • Safeguard 16.8: Separate Production and Non-Production Systems: Maintain separate environments for production and non-production systems.

• Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
• Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
  • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
  • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
  • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.

• Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
  • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

VII. References

Arghire, I. (2023, April 12). Fortinet Patches Critical Vulnerability in Data Analytics Solution. SecurityWeek. Retrieved April 12, 2023, from https://www.securityweek.com/fortinet-patches-critical-vulnerability-in-data-analytics-solution/

Abrams, L. (2023, April 11). Microsoft April 2023 Patch Tuesday Fixes 1 Zero-day, 97 Flaws. BleepingComputer. Retrieved April 12, 2023, from https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2023-patch-tuesday-fixes-1-zero-day-97-flaws/

MS-ISAC. (2023, April 11). MS-ISAC CYBERSECURITY ADVISORY – Critical Patches Issued for Microsoft Products April 11, 2023 – PATCH NOW – TLP: CLEAR

MS-ISAC. (2023, April 12). MS-ISAC CYBERSECURITY ADVISORY – Multiple Vulnerabilities in Fortinet Products Could Allow for Arbitrary Code Execution – PATCH NOW – TLP: CLEAR

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Sreten Dedic

I. Targeted Entities

• Opportunistic organizations

II. Introduction

Arechclient2 is a .NET remote access trojan (RAT) that has numerous capabilities. The RAT can profile victim systems, steal information like browser and crypto-wallet data, and launch a hidden secondary desktop to control browser sessions.

III. Cyber Florida SOC Observations

Update 12/8/2022: 
Cyber Florida identified additional content in analysis that was not previously reported. This information pertains to network connections. Within utilizing the InstallUtil.exe binary to execute code, the InstallUtil.exe process was observed reaching out to a pastebin[.]com page. This page contained the CnC IP address. Additionally, the victim IP address (observed in the UIP parameter) appears to be ascertained from the InstallUtil.exe process from hxxp://eth0[.]me (which appears to be a site that identifies the visiting host’s IP address). 

Original Post: 
Cyber Florida has observed network payload data obfuscated via Base64 encoding and sent to what appears to be a command control server. The command and control server appears to be utilizing Google cloud services (googleusercontent.com). Within the Base64 data, exfiltrated usernames and passwords were observed. Based on observations, the exfiltrated data appears to be from cached browser credentials (Google Chrome profiles, Firefox profiles, Microsoft Edge profiles, etc.) In reviewing logs and network traffic there were parameters of interest within the data payload that would aid in identifying this activity. The following payload parameters were observed the network traffic: ConnectionType, Client, SessionID, BotName, Computer, BuildID, BotOS, URLData, UIP.

Based on observing network traffic for the command control communication, there may be similarities associated to the Redline Stealer malware. See CERT Italy article. https://cert-agid.gov.it/news/scoperto-il-malware-redline-stealer-veicolato-come-lastpass/

Screenshot samples of log and network traffic have been provided in the appendix of this report.

Some of the interesting evasion tactics Cyber Florida observed were the utilization of “sleep” functions and the usage of .NET Framework’s InstallUtil.exe binary to communicate with the command and control server. The “sleep” functionality appeared to delay the usage of InstallUtil.exe. In testing, the Installutil.exe appeared to run in perpetuity regularly communicating with the command and control server. In reviewing a few of the automated sandboxes, the Installutil.exe activity was not identified. This may be due to the “sleep” activity being utilized.

Another evasion tactic appears to be attempting to modify Windows Defender settings via the second observed PowerShell instance. The cmdlet Set-MpPreference with the options –ExclusionPath ‘C:’ was employed. This command appears to create a malware scan exclusion, which would prevent Windows Defender from scanning the entire C: volume.

The following links provide examples and context of InstallUtil.exe malware usage and abuse.

https://gbhackers.com/hiding-malware-legitimate-tool/ (not directly related to observed activity)

https://www.ired.team/offensive-security/code-execution/t1118-installutil (not directly related to observed activity)

https://attack.mitre.org/techniques/T1218/004/

During initial malicious binary execution, a persistence mechanism was observed via the common HKCUSoftwareMicrosoftWindowsCurrentVersionRun location.

IV. Additional Background Information

Blackpoint Cyber discovered an ISO file that contained a malicious Windows executable that was downloaded to a victim’s computer and was not detected by an antivirus program. A malicious executable, named Setup.exe, was observed using various defense evasion techniques including obfuscation, injection, and uncommon automation tools. These tools were used to drop a RAT named Arechclient2 (Blackpoint Cyber). The size of Setup.exe is over 300 megabytes (Blackpoint Cyber).

The initial attack vector that was used to send Setup.exe to the victim is unknown. This is the execution step. When Setup.iso is double-clicked, the ISO file can be mounted like a CD and, oftentimes, the contents of the file are automatically executed (Blackpoint Cyber). Running Setup.exe will start the extraction of three files and execute multiple child processes (Blackpoint Cyber). A new folder, IXP000.TMP, is made in the victim’s AppDataLocalTemp directory and three files are created into the newly created directory: Funding.mpeg, Mali.mpeg, and Dns.mpeg (Blackpoint Cyber).

The Dns.mpeg script is heavily obfuscated. The script searches for AvastUI.exe and AVGUI.exe running on the victim’s computer. The two executables are found in the Avast antivirus product line (Blackpoint Cyber). If those two executables are not found, Dns.mpeg sets Hole.exe.pif to the name AutoIT3.exe. In the script .au3 (or d.au3) there are over 3,000 references to a function named Xspci(). This function takes a string as its first argument and a number as its second argument. The function is responsible for decoding strings (Blackpoint Cyber).

The .au3 script accomplishes three things through injection: 1. establishing persistence using a URL file in the victim’s startup folder. 2. copying the ntdll.dll file from the C:WindowsSysWOW64 folder to avoid antivirus hooks. 3. injecting the embedded payload into jsc.exe (Blackpoint Cyber). The function that is responsible for the above tasks is KXsObHGILZNaOurxqSUainCYU() which takes a pointer to the binary to be injected, a string argument, and a string argument with the path to the binary that would be executed and injected into as arguments (Blackpoint Cyber). The script establishes persistence by adding a URL file to the victim’s startup folder that will execute a Microsoft Visual Basic Script (VBS) on every login (Blackpoint Cyber).

Arechclient2 has a decompilation phase. Test.exe, a C# binary, can be loaded into tools that statically and dynamically analyze code. One such tool is DnSpy (Blackpoint Cyber). The class names in Test.exe were minimized to single and double characters to add an additional layer of confusion for reverse engineers (Blackpoint Cyber). The actual name of Test.exe is 2qbarx12tqm.exe (Blackpoint Cyber). Arechclient2 also contains a command and control (C2) phase. When Arechclient2 is executed, it connects to https[:]//pastebin.com/raw/nJqnWX3u to collect C2 information (Blackpoint Cyber). The requested file, nJqnWX3u, contains the IP address 34[.]141[.]198[.]105 as a string. It also connects to http[:]//eth0.me to get its public IP address (Blackpoint Cyber). Arechclient2 connects to its C2 server on port 15647 to receive commands. The server responds with information to control the encryption status (“On” or “Off”) in JSON format (Blackpoint Cyber). If the communications are intercepted and the encryption is set to “Off,” further communications will be in plaintext (Blackpoint Cyber).

V. MITRE ATT&CK

• T1059.001 – Command and Scripting Interpreter: PowerShell
  Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.
• T1555.003 – Credentials From Web Browsers
  Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.
• T1547.001 – Registry Run Keys / Startup Folder
  Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the “run keys” in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account’s associated permissions level.
• T1562.001 – Impair Defenses: Disable or Modify Tools
  Adversaries may modify and/or disable security tools to avoid possible detection of their malware, tools, and activities. Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events.
• T1218.004 – System Binary Proxy Execution: InstallUtil
  Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:WindowsMicrosoft.NETFramework vInstallUtil.exe and C:WindowsMicrosoft.NETFramework64 vInstallUtil.exe.
• T1095 –Non-Application Layer Protocol
  Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.
• T1132.001 –Standard Encoding
  Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.

VI. Recommendations

• Phishing awareness training
  Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
• Set antivirus programs to conduct regular scans
  Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures
• Malware monitoring
  Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
• Strong cyber hygiene
  Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
• Turn on endpoint protection
  Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.
• Network Monitoring
  Review network logs, payload, etc. for related IP address and associated network parameters.

VII. Indicators of Compromise (IOCs)

VIII. Additional OSINT Information

• Embedded Binary
  https://www.virustotal.com/gui/file/9b2799e3fea7c214253ebba7a7cbb2b30ffe77dca6e92d8d7d25b539c4e9bd7c/details

• Main Binary
  https://www.virustotal.com/gui/file/b3eba1fcd0633a5ba27ba2715ad1e38943c2bf5e6e4182298a3bf39492f8eca4/details

• https://www.joesandbox.com/analysis/724055/0/htmL
• https://cert-agid.gov.it/news/scoperto-il-malware-redline-stealer-veicolato-come-lastpass/

IX. Appendix

This screenshot shows the payload sent to a victim, as seen by Cyber Florida. A portion of the Base64 and UIP fields have been redacted.

 The following screenshot is similar from the log above but was acquired via network packet capture. 

X. References

Blackpoint Cyber. “Ratting out arechclient2 – Blackpoint Whitepaper.” Blackpoint Cyber. Accessed November 15, 2022. https://blackpointcyber.com/lp/ratting-out-arechclient2/?utm_campaign=ratting_out_arechclient2_whitepaper&utm_source=resource_library.  

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Uday Bilakhiya. 

I. Targeted Entities

• Colorado’s official website

II. Introduction

Colorado state officials say that on Wednesday, October 5, 2022, Colorado’s website was rendered unusable as the result of an apparent cyberattack after a known Russia-based hacker group made a Telegram post saying that it would be targeting U.S. state websites. While the U.S. election system is largely disconnected from the Internet, state websites are prime targets for hackers who want to undermine confidence in elections.

III. Background Information

The cyberattack flooded the state’s website with web traffic, and is a common and simple way to disable websites. There is no indication that any of Colorado’s internal systems were accessed or that its election systems were compromised.[1] However, given how close this attack is to the U.S. midterms, experts say that the attack could give the false impression that U.S. elections are vulnerable to foreign interference.[1]

Killnet, the group responsible for the attack, is a Russian-aligned group that claims to be made up of amateur hacktivists who support Russian’s international interests. Killnet adheres to the same model that Ukraine’s IT Army (the IT Army is a Ukrainian government-affiliated movement that frequently posts a list of Russian websites on Telegram for supporters around the globe to try to overwhelm with traffic). The tactic Killnet uses to overwhelm websites with traffic is known as a distributed denial of service, or DDoS.[1] On Wednesday, KillNet posted a list of 12 target states to its Telegram channel: Alabama, Alaska, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Indiana, Kansas, Kentucky, and Mississippi.[1]

It is unclear if other states were affected, but federal officials have repeatedly stated that they do not expect a cyberattack to affect the midterm elections. The Cybersecurity and Infrastructure Security Agency (CISA), which oversees federal cybersecurity support for election infrastructure, released a joint announcement with the FBI saying, “any attempts by cyber actors to compromise election infrastructure are unlikely to result in large-scale disruptions or prevent voting.”[2]

Because DDoS attacks are simple to conduct and don’t inflict lasting damage or give criminals access to hidden information, cybersecurity professionals and other hackers generally regard them as unimpressive. However, Killnet has started becoming more effective at making websites unreachable, and has the potential to cause significant disruptions.[1]

IV. MITRE ATT&CK

• T1498 – Network Denial of Service
  Killnet performed a DDoS attack to degrade and block the availability of targeted websites. Network DoS can be performed by exhausting the network bandwidth services rely on.

V. Recommendations

• Set antivirus programs to conduct regular scans
  Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures
• Monitor malware
  Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
• Turn on endpoint protection
  Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

Because of the nature of this threat advisory, there are no IOCs. However, it is important that businesses and entities create a business continuity and disaster recovery plan in case a DDoS attack were to occur.

VII. References

(1) Collier, Kevin. “Cyberattack on Colorado State Website Follows Russian Hacktivist Threat.” NBCNews.com. NBCUniversal News Group, October 6, 2022. https://www.nbcnews.com/tech/security/colorado-state-websites-struggle-russian-hackers-vow-attack-rcna51012.

(2) “Malicious Cyber Activity Against Election Infrastructure Unlikely to Disrupt or Prevent Voting.” FBI & CISA Public Service Announcement, October 4, 2022. https://www.cisa.gov/uscert/sites/default/files/publications/PSA_cyber-activity_508.pdf.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, and Uday Bilakhiya.