Memory safety vulnerabilities pose serious risks to national security and critical infrastructure. Adopting memory safe languages (MSLs) offers the most comprehensive mitigation against this class of vulnerabilities and provides built-in safeguards that enhance security by design. 

CISA’s Secure by Design program advocates for integrating proactive security measures throughout the software development lifecycle, with MSLs as a central component. Consistent support for MSLs underscores their benefits for national security and resilience by reducing exploitable flaws before products reach users. 

This joint guide outlines key challenges to adopting MSLs, offers practical approaches for overcoming them, and highlights important considerations for organizations seeking to transition toward more secure software development practices. Organizations in academia, U.S. government, and private industry are encouraged to review this guidance and support adoption of MSLs.  

In addition to the product published today, CISA and the NSA previously released the joint guide, The Case for Memory Safe Roadmaps. To learn more about memory safety, visit Secure by Design on CISA.gov. 

Please share your thoughts with us via our anonymous product survey; we welcome your feedback.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. 

This advisory is in response to ransomware actors targeting customers of a utility billing software provider through unpatched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM).

This incident is part of a broader trend of ransomware actors exploiting unpatched versions of SimpleHelp RMM since January 2025.

SimpleHelp versions 5.5.7 and earlier contain multiple vulnerabilities, including CVE-2024-57727, a path traversal vulnerability. Ransomware actors likely exploited CVE-2024-57727 to access downstream customers’ unpatched SimpleHelp RMM, resulting in service disruptions and double extortion incidents.

CISA added CVE-2024-57727 to its Known Exploited Vulnerabilities Catalog on February 13, 2025.

Organizations using SimpleHelp RMM should: 

• Search for evidence of compromise,
• Apply the mitigations outlined in the advisory such as patching CVE-2024-57727 and/or implementing appropriate workarounds to prevent or respond to confirmed or potential compromises, and
• Follow CISA’s Known Exploited Vulnerabilities Catalog.

• ICSA-25-162-01 Siemens Tecnomatix Plant Simulation
• ICSA-25-162-02 Siemens RUGGEDCOM APE1808
• ICSA-25-162-03 Siemens SCALANCE and RUGGEDCOM
• ICSA-25-162-04 Siemens SCALANCE and RUGGEDCOM
• ICSA-25-162-05 Siemens SIMATIC S7-1500 CPU Family
• ICSA-25-162-06 Siemens Energy Services
• ICSA-25-162-07 AVEVA PI Data Archive
• ICSA-25-162-08 AVEVA PI Web API
• ICSA-25-162-09 AVEVA PI Connector for CygNet
• ICSA-25-162-10 PTZOptics and Other Pan-Tilt-Zoom Cameras

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

Since June 2022, Playcrypt has targeted diverse businesses and critical infrastructure across North America, South America, and Europe, becoming one of the most active ransomware groups in 2024. The FBI has identified approximately 900 entities allegedly exploited by these ransomware actors as of May 2025.

Recommended mitigations include:

• Implementing multifactor authentication;
• Maintaining offline data backups;
• Developing and testing a recovery plan; and
• Keeping all operating systems, software, and firmware updated.

Stay vigilant and take proactive measures to protect your organization. 

This guidance includes the following three resources:

• Implementing SIEM and SOAR Platforms – Executive Guidance outlines how executives can enhance their organization’s cybersecurity framework by implementing these technologies to improve visibility into network activities, enabling swift detection and response to cyber threats.
• Implementing SIEM and SOAR Platforms – Practitioner Guidance focuses on how practitioners can quickly identify and respond to potential cybersecurity threats and leverage these technologies to streamline incident response processes by automating predefined actions based on detected anomalies.
• Priority Logs for SIEM Ingestion – Practitioner Guidance offers insights for prioritizing log ingestion into a SIEM, ensuring that critical data sources are effectively collected and analyzed to enhance threat detection and incident response capabilities tailored for organizations.

CISA encourages organizations to review this guidance and implement the recommended best practices to strengthen their cybersecurity. For access to the guidance documents, please visit CISA’s SIEM and SOAR Resource page.

See the following resource for more information: Notice: Security Advisory (Update).

CISA believes the threat activity may be part of a larger campaign targeting various SaaS companies’ cloud applications with default configurations and elevated permissions.

CISA urges users and administrators to review the following mitigations and apply necessary patches and updates for all systems:

1. Monitor Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications/service principals.
   1. Handle deviations from regular login schedules as suspicious.
   2. For more information, see NSA and CISA’s Identity Management guidance, as well as CISA’s guidance on Identity, Credential, and Access Management (ICAM) Reference Architecture.
2. Review Microsoft logs (Entra audit, Entra sign-in, unified audit logs) and conduct internal threat hunting in alignment with documented organizational incident response polices.
3. (Applies to single tenant apps only) Implement a conditional access policy that limits authentication of an application service principal to an approved IP address that is listed within Commvault’s allowlisted range of IP addresses.
   1. Note: A Microsoft Entra Workload ID Premium License is required to apply conditional access policies to an application service principal and is available to customers at an additional cost.[1]
4. For certain Commvault customers, rotate their application secrets, rotate those credentials on Commvault Metallic applications and service principles available between February and May 2025.[2] Note: This mitigation only applies to a limited number of customers who themselves have control over Commvault’s application secrets.
   1. Customers who have the ability to, if applicable, should establish a policy to regularly rotate credentials at least every 30 days.
5. Review the list of Application Registrations and Service Principals in Entra with administrative consent for higher privileges than the business need.
6. Implement general M365 security recommendations outlined in CISA’s Secure Cloud Business Applications (SCuBA) Project.

Precautionary Recommendations for On-premises Software Versions

1. Where technically feasible, restrict access to Commvault management interfaces to trusted networks and administrative systems.
2. Detect and block path-traversal attempts and suspicious file uploads by deploying a Web Application Firewall and removing external access to Commvault applications [CSA-250502].
3. Apply the patches provided [3] and follow these best practices [4].
   1. Especially monitor activity from unexpected directories, particularly web-accessible paths.

CISA added CVE-2025-3928 to the Known Exploited Vulnerabilities Catalog and is continuing to investigate the malicious activity in collaboration with partner organizations.

References

[1] Workload identities - Microsoft Entra Workload ID | Microsoft Learn

[2] Change a Client Secret for the Azure App for OneDrive for Business

[3] CV_2025_03_1: Critical Webserver Vulnerability

[4] Best Practice Guide: Enhancing Security with Conditional Access and Sign-In Monitoring

Additional Resources

• Get servicePrincipal – Microsoft Graph v1.0 | Microsoft Learn
• Updated Best Practices in Security for Azure Apps Configuration to Protect M365, D365 or EntraID Workload | Commvault

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.

Many networks have a gap in their defenses for detecting and blocking a malicious technique known as “fast flux.” This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection. Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records. Additionally, they can create resilient, highly available command and control (C2) infrastructure, concealing their subsequent malicious operations. This resilient and fast changing infrastructure makes tracking and blocking malicious activities that use fast flux more difficult. 

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ) are releasing this joint cybersecurity advisory (CSA) to warn organizations, Internet service providers (ISPs), and cybersecurity service providers of the ongoing threat of fast flux enabled malicious activities as a defensive gap in many networks. This advisory is meant to encourage service providers, especially Protective DNS (PDNS) providers, to help mitigate this threat by taking proactive steps to develop accurate, reliable, and timely fast flux detection analytics and blocking capabilities for their customers. This CSA also provides guidance on detecting and mitigating elements of malicious fast flux by adopting a multi-layered approach that combines DNS analysis, network monitoring, and threat intelligence. 

The authoring agencies recommend all stakeholders—government and providers—collaborate to develop and implement scalable solutions to close this ongoing gap in network defenses against malicious fast flux activity.

Download the PDF version of this report: Fast Flux: A National Security Threat (PDF, 841 KB).

Technical details

When malicious cyber actors compromise devices and networks, the malware they use needs to “call home” to send status updates and receive further instructions. To decrease the risk of detection by network defenders, malicious cyber actors use dynamic resolution techniques, such as fast flux, so their communications are less likely to be detected as malicious and blocked. 

Fast flux refers to a domain-based technique that is characterized by rapidly changing the DNS records (e.g., IP addresses) associated with a single domain [T1568.001]. 

Single and double flux

Malicious cyber actors use two common variants of fast flux to perform operations:

1. Single flux: A single domain name is linked to numerous IP addresses, which are frequently rotated in DNS responses. This setup ensures that if one IP address is blocked or taken down, the domain remains accessible through the other IP addresses. See Figure 1 as an example to illustrate this technique.

Note: This behavior can also be used for legitimate purposes for performance reasons in dynamic hosting environments, such as in content delivery networks and load balancers.

2. Double flux: In addition to rapidly changing the IP addresses as in single flux, the DNS name servers responsible for resolving the domain also change frequently. This provides an additional layer of redundancy and anonymity for malicious domains. Double flux techniques have been observed using both Name Server (NS) and Canonical Name (CNAME) DNS records. See Figure 2 as an example to illustrate this technique.

Both techniques leverage a large number of compromised hosts, usually as a botnet from across the Internet that acts as proxies or relay points, making it difficult for network defenders to identify the malicious traffic and block or perform legal enforcement takedowns of the malicious infrastructure. Numerous malicious cyber actors have been reported using the fast flux technique to hide C2 channels and remain operational. Examples include:

• Bulletproof hosting (BPH) services offer Internet hosting that disregards or evades law enforcement requests and abuse notices. These providers host malicious content and activities while providing anonymity for malicious cyber actors. Some BPH companies also provide fast flux services, which help malicious cyber actors maintain connectivity and improve the reliability of their malicious infrastructure. [1]
  • Refer to ASD’s ACSC’s “Bulletproof” hosting providers: Cracks in the armour of cybercriminal infrastructure for more information on BPH providers. [2]
• Fast flux has been used in Hive and Nefilim ransomware attacks. [3], [4]
• Gamaredon uses fast flux to limit the effectiveness of IP blocking. [5], [6], [7]

The key advantages of fast flux networks for malicious cyber actors include:

• Increased resilience. As a fast flux network rapidly rotates through botnet devices, it is difficult for law enforcement or abuse notifications to process the changes quickly and disrupt their services.
• Render IP blocking ineffective. The rapid turnover of IP addresses renders IP blocking irrelevant since each IP address is no longer in use by the time it is blocked. This allows criminals to maintain resilient operations.
• Anonymity. Investigators face challenges in tracing malicious content back to the source through fast flux networks. This is because malicious cyber actors’ C2 botnets are constantly changing the associated IP addresses throughout the investigation.

Additional malicious uses

Fast flux is not only used for maintaining C2 communications, it also can play a significant role in phishing campaigns to make social engineering websites harder to block or take down. Phishing is often the first step in a larger and more complex cyber compromise. Phishing is typically used to trick victims into revealing sensitive information (such as login passwords, credit card numbers, and personal data), but can also be used to distribute malware or exploit system vulnerabilities. Similarly, fast flux is used for maintaining high availability for cybercriminal forums and marketplaces, making them resilient against law enforcement takedown efforts. 

Some BPH providers promote fast flux as a service differentiator that increases the effectiveness of their clients’ malicious activities. For example, one BPH provider posted on a dark web forum that it protects clients from being added to Spamhaus blocklists by easily enabling the fast flux capability through the service management panel (See Figure 3). A customer just needs to add a "dummy server interface," which redirects incoming queries to the host server automatically. By doing so, only the dummy server interfaces are reported for abuse and added to the Spamhaus blocklist, while the servers of the BPH customers remain "clean" and unblocked. 

The BPH provider further explained that numerous malicious activities beyond C2, including botnet managers, fake shops, credential stealers, viruses, spam mailers, and others, could use fast flux to avoid identification and blocking. 

As another example, a BPH provider that offers fast flux as a service advertised that it automatically updates name servers to prevent the blocking of customer domains. Additionally, this provider further promoted its use of separate pools of IP addresses for each customer, offering globally dispersed domain registrations for increased reliability.

Detection techniques

The authoring agencies recommend that ISPs and cybersecurity service providers, especially PDNS providers, implement a multi-layered approach, in coordination with customers, using the following techniques to aid in detecting fast flux activity [CISA CPG 3.A]. However, quickly detecting malicious fast flux activity and differentiating it from legitimate activity remains an ongoing challenge to developing accurate, reliable, and timely fast flux detection analytics. 

1. Leverage threat intelligence feeds and reputation services to identify known fast flux domains and associated IP addresses, such as in boundary firewalls, DNS resolvers, and/or SIEM solutions.

2. Implement anomaly detection systems for DNS query logs to identify domains exhibiting high entropy or IP diversity in DNS responses and frequent IP address rotations. Fast flux domains will frequently cycle though tens or hundreds of IP addresses per day.

3. Analyze the time-to-live (TTL) values in DNS records. Fast flux domains often have unusually low TTL values. A typical fast flux domain may change its IP address every 3 to 5 minutes.

4. Review DNS resolution for inconsistent geolocation. Malicious domains associated with fast flux typically generate high volumes of traffic with inconsistent IP-geolocation information.

5. Use flow data to identify large-scale communications with numerous different IP addresses over short periods.

6. Develop fast flux detection algorithms to identify anomalous traffic patterns that deviate from usual network DNS behavior.

7. Monitor for signs of phishing activities, such as suspicious emails, websites, or links, and correlate these with fast flux activity. Fast flux may be used to rapidly spread phishing campaigns and to keep phishing websites online despite blocking attempts.

8. Implement customer transparency and share information about detected fast flux activity, ensuring to alert customers promptly after confirmed presence of malicious activity.

Mitigations

All organizations

To defend against fast flux, government and critical infrastructure organizations should coordinate with their Internet service providers, cybersecurity service providers, and/or their Protective DNS services to implement the following mitigations utilizing accurate, reliable, and timely fast flux detection analytics. 

Note: Some legitimate activity, such as common content delivery network (CDN) behaviors, may look like malicious fast flux activity. Protective DNS services, service providers, and network defenders should make reasonable efforts, such as allowlisting expected CDN services, to avoid blocking or impeding legitimate content.

1. DNS and IP blocking and sinkholing of malicious fast flux domains and IP addresses

• Block access to domains identified as using fast flux through non-routable DNS responses or firewall rules.
• Consider sinkholing the malicious domains, redirecting traffic from those domains to a controlled server to capture and analyze the traffic, helping to identify compromised hosts within the network.
• Block IP addresses known to be associated with malicious fast flux networks.

2. Reputational filtering of fast flux enabled malicious activity

• Block traffic to and from domains or IP addresses with poor reputations, especially ones identified as participating in malicious fast flux activity.

3. Enhanced monitoring and logging

• Increase logging and monitoring of DNS traffic and network communications to identify new or ongoing fast flux activities.
• Implement automated alerting mechanisms to respond swiftly to detected fast flux patterns.
• Refer to ASD’s ACSC joint publication, Best practices for event logging and threat detection, for further logging recommendations.

4. Collaborative defense and information sharing

• Share detected fast flux indicators (e.g., domains, IP addresses) with trusted partners and threat intelligence communities to enhance collective defense efforts. Examples of indicator sharing initiatives include CISA’s Automated Indicator Sharing or sector-based Information Sharing and Analysis Centers (ISACs) and ASD’s Cyber Threat Intelligence Sharing Platform (CTIS) in Australia.
• Participate in public and private information-sharing programs to stay informed about emerging fast flux tactics, techniques, and procedures (TTPs). Regular collaboration is particularly important because most malicious activity by these domains occurs within just a few days of their initial use; therefore, early discovery and information sharing by the cybersecurity community is crucial to minimizing such malicious activity. [8]

5. Phishing awareness and training

• Implement employee awareness and training programs to help personnel identify and respond appropriately to phishing attempts.
• Develop policies and procedures to manage and contain phishing incidents, particularly those facilitated by fast flux networks.
• For more information on mitigating phishing, see joint Phishing Guidance: Stopping the Attack Cycle at Phase One.

Network defenders

The authoring agencies encourage organizations to use cybersecurity and PDNS services that detect and block fast flux. By leveraging providers that detect fast flux and implement capabilities for DNS and IP blocking, sinkholing, reputational filtering, enhanced monitoring, logging, and collaborative defense of malicious fast flux domains and IP addresses, organizations can mitigate many risks associated with fast flux and maintain a more secure environment. 

However, some PDNS providers may not detect and block malicious fast flux activities. Organizations should not assume that their PDNS providers block malicious fast flux activity automatically and should contact their PDNS providers to validate coverage of this specific cyber threat. 

For more information on PDNS services, see the 2021 joint cybersecurity information sheet from NSA and CISA about Selecting a Protective DNS Service. [9] In addition, NSA offers no-cost cybersecurity services to Defense Industrial Base (DIB) companies, including a PDNS service. For more information, see NSA’s DIB Cybersecurity Services and factsheet. CISA also offers a Protective DNS service for federal civilian executive branch (FCEB) agencies. See CISA’s Protective Domain Name System Resolver page and factsheet for more information. 

Conclusion

Fast flux represents a persistent threat to network security, leveraging rapidly changing infrastructure to obfuscate malicious activity. By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats. 

The authoring agencies strongly recommend organizations engage their cybersecurity providers on developing a multi-layered approach to detect and mitigate malicious fast flux operations. Utilizing services that detect and block fast flux enabled malicious cyber activity can significantly bolster an organization's cyber defenses. 

Works cited

[1] Intel471. Bulletproof Hosting: A Critical Cybercriminal Service. 2024. https://intel471.com/blog/bulletproof-hosting-a-critical-cybercriminal-service 

[2] Australian Signals Directorate’s Australian Cyber Security Centre. "Bulletproof" hosting providers: Cracks in the armour of cybercriminal infrastructure. 2025. https://www.cyber.gov.au/about-us/view-all-content/publications/bulletproof-hosting-providers 

[3] Logpoint. A Comprehensive guide to Detect Ransomware. 2023. https://www.logpoint.com/wp-content/uploads/2023/04/logpoint-a-comprehensive-guide-to-detect-ransomware.pdf

[4] Trendmicro. Modern Ransomware’s Double Extortion Tactic’s and How to Protect Enterprises Against Them. 2021. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/modern-ransomwares-double-extortion-tactics-and-how-to-protect-enterprises-against-them

[5] Unit 42. Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. 2022. https://unit42.paloaltonetworks.com/trident-ursa/

[6] Recorded Future. BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure. 2024. https://www.recordedfuture.com/research/bluealpha-abuses-cloudflare-tunneling-service 

[7] Silent Push. 'From Russia with a 71': Uncovering Gamaredon's fast flux infrastructure. New apex domains and ASN/IP diversity patterns discovered. 2023. https://www.silentpush.com/blog/from-russia-with-a-71/

[8] DNS Filter. Security Categories You Should be Blocking (But Probably Aren’t). 2023. https://www.dnsfilter.com/blog/security-categories-you-should-be-blocking-but-probably-arent

[9] National Security Agency. Selecting a Protective DNS Service. 2021. https://media.defense.gov/2025/Mar/24/2003675043/-1/-1/0/CSI-SELECTING-A-PROTECTIVE-DNS-SERVICE-V1.3.PDF

Disclaimer of endorsement

The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Purpose

This document was developed in furtherance of the authoring cybersecurity agencies’ missions, including their responsibilities to identify and disseminate threats, and develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Contact

National Security Agency (NSA):

• Cybersecurity Report Feedback: CybersecurityReports@nsa.gov
• Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov
• Media Inquiries / Press Desk: NSA Media Relations: 443-634-0721, MediaRelations@nsa.gov

Cybersecurity and Infrastructure Security Agency (CISA):

• All organizations should report incidents and anomalous activity to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center at report@cisa.gov, or by calling 1-844-Say-CISA (1-844-729-2472). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment user for the activity; the name of the submitting company or organization; and a designated point of contact.

Federal Bureau of Investigation (FBI):

• To report suspicious or criminal activity related to information found in this advisory, contact your local FBI field office or the FBI’s Internet Crime Complaint Center (IC3). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC):

• For inquiries, visit ASD’s website at www.cyber.gov.au or call the Australian Cyber Security Hotline at 1300 CYBER1 (1300 292 371).

Canadian Centre for Cyber Security (CCCS):

• CCCS supports Canadian organizations. Visit www.cyber.gc.ca for publications and guidance or contact CCCS via 1-833-CYBER-88 or email contact@cyber.gc.ca.

New Zealand National Cyber Security Centre (NCSC-NZ):

• The NCSC-NZ assists New Zealand organizations. Visit www.ncsc.govt.nz for guidance and resources, or email NCSC-NZ at info@ncsc.govt.nz. 

Cisco has released security advisories for vulnerabilities in the Cisco integrated management controller. A remote cyber threat actor could exploit one of these vulnerabilities to take control of an affected system. 

Oracle released its quarterly Critical Patch Update Advisory for April 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. 

Evolving from an initial focus on Windows systems to a Linux variant targeting VMware ESXi virtual machines, Akira threat actors began deploying Megazord (a Rust-based code) and Akira (written in C++), including Akira_v2 (also Rust-based) in August 2023. Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia and claimed approximately $42 million (USD) in ransomware proceeds.

CISA and partners encourage critical infrastructure organizations to review and implement the mitigations provided in the joint CSA to reduce the likelihood and impact of Akira and other ransomware incidents. For more information, see CISA’s #StopRansomware webpage and the updated #StopRansomware Guide.

The guidance provides best practices for deploying and operating externally developed artificial intelligence (AI) systems and aims to:

• Improve the confidentiality, integrity, and availability of AI systems. 
• Ensure there are appropriate mitigations for known vulnerabilities in AI systems.
• Provide methodologies and controls to protect, detect, and respond to malicious activity against AI systems and related data and services.

CISA encourages organizations deploying and operating externally developed AI systems to review and apply this guidance as applicable. CISA also encourages organizations to review previously published joint guidance on securing AI systems: Guidelines for secure AI system development and Engaging with Artificial Intelligence. For more CISA information and guidance on securing AI systems, see cisa.gov/ai.

Users and administrators are encouraged to review Juniper’s Support Portal and apply the necessary updates.

CISA encourages users and administrators to review the Palo Alto Networks Security Advisory, apply the current mitigations, and update the affected software when Palo Alto Networks makes the fixes available. 

CISA has also added this vulnerability to its Known Exploited Vulnerabilities Catalog.

Additional resources:

• Palo Alto Networks: Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400
• Volexity: Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)
   

CISA encourages users and administrators to review and apply the necessary updates: 

• XenServer and Citrix Hypervisor Security Update for CVE-2023-46842, CVE-2024-2201 and CVE-2024-31142

EXECUTIVE SUMMARY

The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint cybersecurity advisory (CSA) to highlight the most common cybersecurity misconfigurations in large organizations, and detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations.

Through NSA and CISA Red and Blue team assessments, as well as through the activities of NSA and CISA Hunt and Incident Response teams, the agencies identified the following 10 most common network misconfigurations:

1. Default configurations of software and applications
2. Improper separation of user/administrator privilege
3. Insufficient internal network monitoring
4. Lack of network segmentation
5. Poor patch management
6. Bypass of system access controls
7. Weak or misconfigured multifactor authentication (MFA) methods
8. Insufficient access control lists (ACLs) on network shares and services
9. Poor credential hygiene
10. Unrestricted code execution

These misconfigurations illustrate (1) a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and (2) the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders:

• Properly trained, staffed, and funded network security teams can implement the known mitigations for these weaknesses.
• Software manufacturers must reduce the prevalence of these misconfigurations—thus strengthening the security posture for customers—by incorporating secure-by-design and -default principles and tactics into their software development practices.[1]

NSA and CISA encourage network defenders to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of malicious actors exploiting the identified misconfigurations.

• Remove default credentials and harden configurations.
• Disable unused services and implement access controls.
• Update regularly and automate patching, prioritizing patching of known exploited vulnerabilities.[2]
• Reduce, restrict, audit, and monitor administrative accounts and privileges.

NSA and CISA urge software manufacturers to take ownership of improving security outcomes of their customers by embracing secure-by-design and-default tactics, including:

• Embedding security controls into product architecture from the start of development and throughout the entire software development lifecycle (SDLC).
• Eliminating default passwords.
• Providing high-quality audit logs to customers at no extra charge.
• Mandating MFA, ideally phishing-resistant, for privileged users and making MFA a default rather than opt-in feature.[3]

Download the PDF version of this report: PDF, 660 KB

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK^® for Enterprise framework, version 13, and the MITRE D3FEND™ cybersecurity countermeasures framework.[4],[5] See the Appendix: MITRE ATT&CK tactics and techniques section for tables summarizing the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques, and the Mitigations section for MITRE D3FEND countermeasures.

For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.[6],[7]

Overview

Over the years, the following NSA and CISA teams have assessed the security posture of many network enclaves across the Department of Defense (DoD); Federal Civilian Executive Branch (FCEB); state, local, tribal, and territorial (SLTT) governments; and the private sector:

• Depending on the needs of the assessment, NSA Defensive Network Operations (DNO) teams feature capabilities from Red Team (adversary emulation), Blue Team (strategic vulnerability assessment), Hunt (targeted hunt), and/or Tailored Mitigations (defensive countermeasure development).
• CISA Vulnerability Management (VM) teams have assessed the security posture of over 1,000 network enclaves. CISA VM teams include Risk and Vulnerability Assessment (RVA) and CISA Red Team Assessments (RTA).[8] The RVA team conducts remote and onsite assessment services, including penetration testing and configuration review. RTA emulates cyber threat actors in coordination with an organization to assess the organization’s cyber detection and response capabilities.
• CISA Hunt and Incident Response teams conduct proactive and reactive engagements, respectively, on organization networks to identify and detect cyber threats to U.S. infrastructure.

During these assessments, NSA and CISA identified the 10 most common network misconfigurations, which are detailed below. These misconfigurations (non-prioritized) are systemic weaknesses across many networks.

Many of the assessments were of Microsoft^® Windows^® and Active Directory^® environments. This advisory provides details about, and mitigations for, specific issues found during these assessments, and so mostly focuses on these products. However, it should be noted that many other environments contain similar misconfigurations. Network owners and operators should examine their networks for similar misconfigurations even when running other software not specifically mentioned below.

1. Default Configurations of Software and Applications

Default configurations of systems, services, and applications can permit unauthorized access or other malicious activity. Common default configurations include:

• Default credentials
• Default service permissions and configurations settings

Default Credentials

Many software manufacturers release commercial off-the-shelf (COTS) network devices —which provide user access via applications or web portals—containing predefined default credentials for their built-in administrative accounts.[9] Malicious actors and assessment teams regularly abuse default credentials by:

• Finding credentials with a simple web search [T1589.001] and using them [T1078.001] to gain authenticated access to a device.
• Resetting built-in administrative accounts [T1098] via predictable forgotten passwords questions.
• Leveraging default virtual private network (VPN) credentials for internal network access [T1133].
• Leveraging publicly available setup information to identify built-in administrative credentials for web applications and gaining access to the application and its underlying database.
• Leveraging default credentials on software deployment tools [T1072] for code execution and lateral movement.

In addition to devices that provide network access, printers, scanners, security cameras, conference room audiovisual (AV) equipment, voice over internet protocol (VoIP) phones, and internet of things (IoT) devices commonly contain default credentials that can be used for easy unauthorized access to these devices as well. Further compounding this problem, printers and scanners may have privileged domain accounts loaded so that users can easily scan documents and upload them to a shared drive or email them. Malicious actors who gain access to a printer or scanner using default credentials can use the loaded privileged domain accounts to move laterally from the device and compromise the domain [T1078.002].

Default Service Permissions and Configuration Settings

Certain services may have overly permissive access controls or vulnerable configurations by default. Additionally, even if the providers do not enable these services by default, malicious actors can easily abuse these services if users or administrators enable them.

Assessment teams regularly find the following:

• Insecure Active Directory Certificate Services
• Insecure legacy protocols/services
• Insecure Server Message Block (SMB) service

Insecure Active Directory Certificate Services

Active Directory Certificate Services (ADCS) is a feature used to manage Public Key Infrastructure (PKI) certificates, keys, and encryption inside of Active Directory (AD) environments. ADCS templates are used to build certificates for different types of servers and other entities on an organization’s network.

Malicious actors can exploit ADCS and/or ADCS template misconfigurations to manipulate the certificate infrastructure into issuing fraudulent certificates and/or escalate user privileges to domain administrator privileges. These certificates and domain escalation paths may grant actors unauthorized, persistent access to systems and critical data, the ability to impersonate legitimate entities, and the ability to bypass security measures.

Assessment teams have observed organizations with the following misconfigurations:

• ADCS servers running with web-enrollment enabled. If web-enrollment is enabled, unauthenticated actors can coerce a server to authenticate to an actor-controlled computer, which can relay the authentication to the ADCS web-enrollment service and obtain a certificate [T1649] for the server’s account. These fraudulent, trusted certificates enable actors to use adversary-in-the-middle techniques [T1557] to masquerade as trusted entities on the network. The actors can also use the certificate for AD authentication to obtain a Kerberos Ticket Granting Ticket (TGT) [T1558.001], which they can use to compromise the server and usually the entire domain.
• ADCS templates where low-privileged users have enrollment rights, and the enrollee supplies a subject alternative name. Misconfiguring various elements of ADCS templates can result in domain escalation by unauthorized users (e.g., granting low-privileged users certificate enrollment rights, allowing requesters to specify a subjectAltName in the certificate signing request [CSR], not requiring authorized signatures for CSRs, granting FullControl or WriteDacl permissions to users). Malicious actors can use a low-privileged user account to request a certificate with a particular Subject Alternative Name (SAN) and gain a certificate where the SAN matches the User Principal Name (UPN) of a privileged account.

Note: For more information on known escalation paths, including PetitPotam NTLM relay techniques, see: Domain Escalation: PetitPotam NTLM Relay to ADCS Endpoints and Certified Pre-Owned, Active Directory Certificate Services.[10],[11],[12]

Insecure legacy protocols/services

Many vulnerable network services are enabled by default, and assessment teams have observed them enabled in production environments. Specifically, assessment teams have observed Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS), which are Microsoft Windows components that serve as alternate methods of host identification. If these services are enabled in a network, actors can use spoofing, poisoning, and relay techniques [T1557.001] to obtain domain hashes, system access, and potential administrative system sessions. Malicious actors frequently exploit these protocols to compromise entire Windows’ environments.

Malicious actors can spoof an authoritative source for name resolution on a target network by responding to passing traffic, effectively poisoning the service so that target computers will communicate with an actor-controlled system instead of the intended one. If the requested system requires identification/authentication, the target computer will send the user’s username and hash to the actor-controlled system. The actors then collect the hash and crack it offline to obtain the plain text password [T1110.002].

Insecure Server Message Block (SMB) service

The Server Message Block service is a Windows component primarily for file sharing. Its default configuration, including in the latest version of Windows, does not require signing network messages to ensure authenticity and integrity. If SMB servers do not enforce SMB signing, malicious actors can use machine-in-the-middle techniques, such as NTLM relay. Further, malicious actors can combine a lack of SMB signing with the name resolution poisoning issue (see above) to gain access to remote systems [T1021.002] without needing to capture and crack any hashes.

2. Improper Separation of User/Administrator Privilege

Administrators often assign multiple roles to one account. These accounts have access to a wide range of devices and services, allowing malicious actors to move through a network quickly with one compromised account without triggering lateral movement and/or privilege escalation detection measures.

Assessment teams have observed the following common account separation misconfigurations:

• Excessive account privileges
• Elevated service account permissions
• Non-essential use of elevated accounts

Excessive Account Privileges

Account privileges are intended to control user access to host or application resources to limit access to sensitive information or enforce a least-privilege security model. When account privileges are overly permissive, users can see and/or do things they should not be able to, which becomes a security issue as it increases risk exposure and attack surface.

Expanding organizations can undergo numerous changes in account management, personnel, and access requirements. These changes commonly lead to privilege creep—the granting of excessive access and unnecessary account privileges. Through the analysis of topical and nested AD groups, a malicious actor can find a user account [T1078] that has been granted account privileges that exceed their need-to-know or least-privilege function. Extraneous access can lead to easy avenues for unauthorized access to data and resources and escalation of privileges in the targeted domain.

Elevated Service Account Permissions

Applications often operate using user accounts to access resources. These user accounts, which are known as service accounts, often require elevated privileges. When a malicious actor compromises an application or service using a service account, they will have the same privileges and access as the service account.

Malicious actors can exploit elevated service permissions within a domain to gain unauthorized access and control over critical systems. Service accounts are enticing targets for malicious actors because such accounts are often granted elevated permissions within the domain due to the nature of the service, and because access to use the service can be requested by any valid domain user. Due to these factors, kerberoasting—a form of credential access achieved by cracking service account credentials—is a common technique used to gain control over service account targets [T1558.003].

Non-Essential Use of Elevated Accounts

IT personnel use domain administrator and other administrator accounts for system and network management due to their inherent elevated privileges. When an administrator account is logged into a compromised host, a malicious actor can steal and use the account's credentials and an AD-generated authentication token [T1528] to move, using the elevated permissions, throughout the domain [T1550.001]. Using an elevated account for normal day-to-day, non-administrative tasks increases the account’s exposure and, therefore, its risk of compromise and its risk to the network.

Malicious actors prioritize obtaining valid domain credentials upon gaining access to a network. Authentication using valid domain credentials allows the execution of secondary enumeration techniques to gain visibility into the target domain and AD structure, including discovery of elevated accounts and where the elevated accounts are used [T1087].

Targeting elevated accounts (such as domain administrator or system administrators) performing day-to-day activities provides the most direct path to achieve domain escalation. Systems or applications accessed by the targeted elevated accounts significantly increase the attack surface available to adversaries, providing additional paths and escalation options.

After obtaining initial access via an account with administrative permissions, an assessment team compromised a domain in under a business day. The team first gained initial access to the system through phishing [T1566], by which they enticed the end user to download [T1204] and execute malicious payloads. The targeted end-user account had administrative permissions, enabling the team to quickly compromise the entire domain.

3. Insufficient Internal Network Monitoring

Some organizations do not optimally configure host and network sensors for traffic collection and end-host logging. These insufficient configurations could lead to undetected adversarial compromise. Additionally, improper sensor configurations limit the traffic collection capability needed for enhanced baseline development and detract from timely detection of anomalous activity.

Assessment teams have exploited insufficient monitoring to gain access to assessed networks. For example:

• An assessment team observed an organization with host-based monitoring, but no network monitoring. Host-based monitoring informs defensive teams about adverse activities on singular hosts and network monitoring informs about adverse activities traversing hosts [TA0008]. In this example, the organization could identify infected hosts but could not identify where the infection was coming from, and thus could not stop future lateral movement and infections.
• An assessment team gained persistent deep access to a large organization with a mature cyber posture. The organization did not detect the assessment team’s lateral movement, persistence, and command and control (C2) activity, including when the team attempted noisy activities to trigger a security response. For more information on this activity, see CSA CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks.[13]

4. Lack of Network Segmentation

Network segmentation separates portions of the network with security boundaries. Lack of network segmentation leaves no security boundaries between the user, production, and critical system networks. Insufficient network segmentation allows an actor who has compromised a resource on the network to move laterally across a variety of systems uncontested. Lack of network segregation additionally leaves organizations significantly more vulnerable to potential ransomware attacks and post-exploitation techniques.

Lack of segmentation between IT and operational technology (OT) environments places OT environments at risk. For example, assessment teams have often gained access to OT networks—despite prior assurance that the networks were fully air gapped, with no possible connection to the IT network—by finding special purpose, forgotten, or even accidental network connections [T1199].

5. Poor Patch Management

Vendors release patches and updates to address security vulnerabilities. Poor patch management and network hygiene practices often enable adversaries to discover open attack vectors and exploit critical vulnerabilities. Poor patch management includes:

• Lack of regular patching
• Use of unsupported operating systems (OSs) and outdated firmware

Lack of Regular Patching

Failure to apply the latest patches can leave a system open to compromise from publicly available exploits. Due to their ease of discovery—via vulnerability scanning [T1595.002] and open source research [T1592]—and exploitation, these systems are immediate targets for adversaries. Allowing critical vulnerabilities to remain on production systems without applying their corresponding patches significantly increases the attack surface. Organizations should prioritize patching known exploited vulnerabilities in their environments.[2]

Assessment teams have observed threat actors exploiting many CVEs in public-facing applications [T1190], including:

• CVE-2019-18935 in an unpatched instance of Telerik^® UI for ASP.NET running on a Microsoft IIS server.[14]
• CVE-2021-44228 (Log4Shell) in an unpatched VMware^® Horizon server.[15]
• CVE-2022-24682, CVE-2022-27924, and CVE-2022-27925 chained with CVE-2022-37042, or CVE-2022-30333 in an unpatched Zimbra^® Collaboration Suite.[16]

Use of Unsupported OSs and Outdated Firmware

Using software or hardware that is no longer supported by the vendor poses a significant security risk because new and existing vulnerabilities are no longer patched. Malicious actors can exploit vulnerabilities in these systems to gain unauthorized access, compromise sensitive data, and disrupt operations [T1210].

Assessment teams frequently observe organizations using unsupported Windows operating systems without updates MS17-010 and MS08-67. These updates, released years ago, address critical remote code execution vulnerabilities.[17],[18]

6. Bypass of System Access Controls

A malicious actor can bypass system access controls by compromising alternate authentication methods in an environment. If a malicious actor can collect hashes in a network, they can use the hashes to authenticate using non-standard means, such as pass-the-hash (PtH) [T1550.002]. By mimicking accounts without the clear-text password, an actor can expand and fortify their access without detection. Kerberoasting is also one of the most time-efficient ways to elevate privileges and move laterally throughout an organization’s network.

7. Weak or Misconfigured MFA Methods

Misconfigured Smart Cards or Tokens

Some networks (generally government or DoD networks) require accounts to use smart cards or tokens. Multifactor requirements can be misconfigured so the password hashes for accounts never change. Even though the password itself is no longer used—because the smart card or token is required instead—there is still a password hash for the account that can be used as an alternative credential for authentication. If the password hash never changes, once a malicious actor has an account’s password hash [T1111], the actor can use it indefinitely, via the PtH technique for as long as that account exists.

Lack of Phishing-Resistant MFA

Some forms of MFA are vulnerable to phishing, “push bombing” [T1621], exploitation of Signaling System 7 (SS7) protocol vulnerabilities, and/or “SIM swap” techniques. These attempts, if successful, may allow a threat actor to gain access to MFA authentication credentials or bypass MFA and access the MFA-protected systems. (See CISA’s Fact Sheet Implementing Phishing-Resistant MFA for more information.)[3]

For example, assessment teams have used voice phishing to convince users to provide missing MFA information [T1598]. In one instance, an assessment team knew a user’s main credentials, but their login attempts were blocked by MFA requirements. The team then masqueraded as IT staff and convinced the user to provide the MFA code over the phone, allowing the team to complete their login attempt and gain access to the user’s email and other organizational resources.

8. Insufficient ACLs on Network Shares and Services

Data shares and repositories are primary targets for malicious actors. Network administrators may improperly configure ACLs to allow for unauthorized users to access sensitive or administrative data on shared drives.

Actors can use commands, open source tools, or custom malware to look for shared folders and drives [T1135].

• In one compromise, a team observed actors use the net share command—which displays information about shared resources on the local computer—and the ntfsinfo command to search network shares on compromised computers. In the same compromise, the actors used a custom tool, CovalentStealer, which is designed to identify file shares on a system, categorize the files [T1083], and upload the files to a remote server [TA0010].[19],[20]
• Ransomware actors have used the SoftPerfect^® Network Scanner, netscan.exe—which can ping computers [T1018], scan ports [T1046], and discover shared folders—and SharpShares to enumerate accessible network shares in a domain.[21],[22]

Malicious actors can then collect and exfiltrate the data from the shared drives and folders. They can then use the data for a variety of purposes, such as extortion of the organization or as intelligence when formulating intrusion plans for further network compromise. Assessment teams routinely find sensitive information on network shares [T1039] that could facilitate follow-on activity or provide opportunities for extortion. Teams regularly find drives containing cleartext credentials [T1552] for service accounts, web applications, and even domain administrators.

Even when further access is not directly obtained from credentials in file shares, there can be a treasure trove of information for improving situational awareness of the target network, including the network’s topology, service tickets, or vulnerability scan data. In addition, teams regularly identify sensitive data and PII on shared drives (e.g., scanned documents, social security numbers, and tax returns) that could be used for extortion or social engineering of the organization or individuals.

9. Poor Credential Hygiene

Poor credential hygiene facilitates threat actors in obtaining credentials for initial access, persistence, lateral movement, and other follow-on activity, especially if phishing-resistant MFA is not enabled. Poor credential hygiene includes:

• Easily crackable passwords
• Cleartext password disclosure

Easily Crackable Passwords

Easily crackable passwords are passwords that a malicious actor can guess within a short time using relatively inexpensive computing resources. The presence of easily crackable passwords on a network generally stems from a lack of password length (i.e., shorter than 15 characters) and randomness (i.e., is not unique or can be guessed). This is often due to lax requirements for passwords in organizational policies and user training. A policy that only requires short and simple passwords leaves user passwords susceptible to password cracking. Organizations should provide or allow employee use of password managers to enable the generation and easy use of secure, random passwords for each account.

Often, when a credential is obtained, it is a hash (one-way encryption) of the password and not the password itself. Although some hashes can be used directly with PtH techniques, many hashes need to be cracked to obtain usable credentials. The cracking process takes the captured hash of the user’s plaintext password and leverages dictionary wordlists and rulesets, often using a database of billions of previously compromised passwords, in an attempt to find the matching plaintext password [T1110.002].

One of the primary ways to crack passwords is with the open source tool, Hashcat, combined with password lists obtained from publicly released password breaches. Once a malicious actor has access to a plaintext password, they are usually limited only by the account’s permissions. In some cases, the actor may be restricted or detected by advanced defense-in-depth and zero trust implementations as well, but this has been a rare finding in assessments thus far.

Assessment teams have cracked password hashes for NTLM users, Kerberos service account tickets, NetNTLMv2, and PFX stores [T1555], enabling the team to elevate privileges and move laterally within networks. In 12 hours, one team cracked over 80% of all users' passwords in an Active Directory, resulting in hundreds of valid credentials.

Cleartext Password Disclosure

Storing passwords in cleartext is a serious security risk. A malicious actor with access to files containing cleartext passwords [T1552.001] could use these credentials to log into the affected applications or systems under the guise of a legitimate user. Accountability is lost in this situation as any system logs would record valid user accounts accessing applications or systems.

Malicious actors search for text files, spreadsheets, documents, and configuration files in hopes of obtaining cleartext passwords. Assessment teams frequently discover cleartext passwords, allowing them to quickly escalate the emulated intrusion from the compromise of a regular domain user account to that of a privileged account, such as a Domain or Enterprise Administrator. A common tool used for locating cleartext passwords is the open source tool, Snaffler.[23]

10. Unrestricted Code Execution

If unverified programs are allowed to execute on hosts, a threat actor can run arbitrary, malicious payloads within a network.

Malicious actors often execute code after gaining initial access to a system. For example, after a user falls for a phishing scam, the actor usually convinces the victim to run code on their workstation to gain remote access to the internal network. This code is usually an unverified program that has no legitimate purpose or business reason for running on the network.

Assessment teams and malicious actors frequently leverage unrestricted code execution in the form of executables, dynamic link libraries (DLLs), HTML applications, and macros (scripts used in office automation documents) [T1059.005] to establish initial access, persistence, and lateral movement. In addition, actors often use scripting languages [T1059] to obscure their actions [T1027.010] and bypass allowlisting—where organizations restrict applications and other forms of code by default and only allow those that are known and trusted. Further, actors may load vulnerable drivers and then exploit the drivers’ known vulnerabilities to execute code in the kernel with the highest level of system privileges to completely compromise the device [T1068].

MITIGATIONS

Network Defenders

NSA and CISA recommend network defenders implement the recommendations that follow to mitigate the issues identified in this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST) as well as with the MITRE ATT&CK Enterprise Mitigations and MITRE D3FEND frameworks.

The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.[24]

Mitigate Default Configurations of Software and Applications

Mitigate Improper Separation of User/Administrator Privilege

Mitigate Insufficient Internal Network Monitoring

Mitigate Lack of Network Segmentation

Mitigate Poor Patch Management

Mitigate Bypass of System Access Controls

Mitigate Weak or Misconfigured MFA Methods

Mitigate Insufficient ACLs on Network Shares and Services

Mitigate Poor Credential Hygiene

Mitigate Unrestricted Code Execution

Software Manufacturers

NSA and CISA recommend software manufacturers implement the recommendations in Table 11 to reduce the prevalence of misconfigurations identified in this advisory. These mitigations align with tactics provided in joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default. NSA and CISA strongly encourage software manufacturers apply these recommendations to ensure their products are secure “out of the box” and do not require customers to spend additional resources making configuration changes, performing monitoring, and conducting routine updates to keep their systems secure.[1]

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, NSA and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. NSA and CISA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see Table 12–Table 21).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and NSA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

LEARN FROM HISTORY

The misconfigurations described above are all too common in assessments and the techniques listed are standard ones leveraged by multiple malicious actors, resulting in numerous real network compromises. Learn from the weaknesses of others and implement the mitigations above properly to protect the network, its sensitive information, and critical missions.

WORKS CITED

[1]   Joint Guide: Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default (2023), https://www.cisa.gov/sites/default/files/2023-06/principles_approaches_for_security-by-design-default_508c.pdf
[2]   CISA, Known Exploited Vulnerabilities Catalog, https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[3]   CISA, Implementing Phishing-Resistant MFA, https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
[4]   MITRE, ATT&CK for Enterprise, https://attack.mitre.org/versions/v13/matrices/enterprise/
[5]   MITRE, D3FEND, https://d3fend.mitre.org/
[6]   CISA, Best Practices for MITRE ATT&CK Mapping, https://www.cisa.gov/news-events/news/best-practices-mitre-attckr-mapping
[7]   CISA, Decider Tool, https://github.com/cisagov/Decider/
[8]   CISA, Cyber Assessment Fact Sheet, https://www.cisa.gov/sites/default/files/publications/VM_Assessments_Fact_Sheet_RVA_508C.pdf
[9]   Joint CSA: Weak Security Controls and Practices Routinely Exploited for Initial Access, https://media.defense.gov/2022/May/17/2002998718/-1/-1/0/CSA_WEAK_SECURITY_CONTROLS_PRACTICES_EXPLOITED_FOR_INITIAL_ACCESS.PDF
[10]  Microsoft KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS), https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
[11]  Raj Chandel, Domain Escalation: PetitPotam NTLM Relay to ADCS Endpoints, https://www.hackingarticles.in/domain-escalation-petitpotam-ntlm-relay-to-adcs-endpoints/
[12]  SpecterOps - Will Schroeder, Certified Pre-Owned, https://posts.specterops.io/certified-pre-owned-d95910965cd2
[13]  CISA, CSA: CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a
[14]  Joint CSA: Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a
[15]  Joint CSA: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a
[16]  Joint CSA: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-228a
[17]  Microsoft, How to verify that MS17-010 is installed, https://support.microsoft.com/en-us/topic/how-to-verify-that-ms17-010-is-installed-f55d3f13-7a9c-688c-260b-477d0ec9f2c8
[18]  Microsoft, Microsoft Security Bulletin MS08-067 – Critical Vulnerability in Server Service Could Allow Remote Code Execution (958644), https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067
[19]  Joint CSA: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a
[20]  CISA, Malware Analysis Report: 10365227.r1.v1, https://www.cisa.gov/sites/default/files/2023-06/mar-10365227.r1.v1.clear_.pdf
[21]  Joint CSA: #StopRansomware: BianLian Ransomware Group, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
[22]  CISA Analysis Report: FiveHands Ransomware, https://www.cisa.gov/news-events/analysis-reports/ar21-126a
[23]  Snaffler, https://github.com/SnaffCon/Snaffler
[24]  CISA, Cross-Sector Cybersecurity Performance Goals, https://www.cisa.gov/cross-sector-cybersecurity-performance-goals
[25]  Defense Information Systems Agency (DISA), Security Technical Implementation Guides (STIGs), https://public.cyber.mil/stigs/
[26]  NSA, Network Infrastructure Security Guide, https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF
[27]  NSA, Actively Manage Systems and Configurations, https://media.defense.gov/2019/Sep/09/2002180326/-1/-1/0/Actively%20Manage%20Systems%20and%20Configurations.docx%20-%20Copy.pdf
[28]  NSA, Cybersecurity Advisories & Guidance, https://www.nsa.gov/cybersecurity-guidance
[29]  National Institute of Standards and Technologies (NIST), NIST SP 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management, https://csrc.nist.gov/pubs/sp/800/63/b/upd2/final
[30]  Microsoft, Uninstall-AdcsWebEnrollment, https://learn.microsoft.com/en-us/powershell/module/adcsdeployment/uninstall-adcswebenrollment
[31]  Microsoft, KB5021989: Extended Protection for Authentication, https://support.microsoft.com/en-au/topic/kb5021989-extended-protection-for-authentication-1b6ea84d-377b-4677-a0b8-af74efbb243f
[32]  Microsoft, Network security: Restrict NTLM: NTLM authentication in this domain, https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
[33]  Microsoft, Network security: Restrict NTLM: Incoming NTLM traffic, https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic
[34]  Microsoft, How to disable the Subject Alternative Name for UPN mapping, https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/disable-subject-alternative-name-upn-mapping
[35]  Microsoft, Overview of Server Message Block signing, https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing
[36]  Microsoft, SMB signing required by default in Windows Insider, https://aka.ms/SmbSigningRequired
[37]  NSA, Defend Privileges and Accounts, https://media.defense.gov/2019/Sep/09/2002180330/-1/-1/0/Defend%20Privileges%20and%20Accounts%20-%20Copy.pdf
[38]  NSA, Advancing Zero Trust Maturity Throughout the User Pillar, https://media.defense.gov/2023/Mar/14/2003178390/-1/-1/0/CSI_Zero_Trust_User_Pillar_v1.1.PDF
[39]  NSA, Continuously Hunt for Network Intrusions, https://media.defense.gov/2019/Sep/09/2002180360/-1/-1/0/Continuously%20Hunt%20for%20Network%20Intrusions%20-%20Copy.pdf
[40]  Joint CSI: Detect and Prevent Web Shell Malware, https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
[41]  NSA, Segment Networks and Deploy Application-aware Defenses, https://media.defense.gov/2019/Sep/09/2002180325/-1/-1/0/Segment%20Networks%20and%20Deploy%20Application%20Aware%20Defenses%20-%20Copy.pdf
[42]  Joint CSA: NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems, https://media.defense.gov/2020/Jul/23/2002462846/-1/-1/0/OT_ADVISORY-DUAL-OFFICIAL-20200722.PDF
[43]  NSA, Stop Malicious Cyber Activity Against Connected Operational Technology, https://media.defense.gov/2021/Apr/29/2002630479/-1/-1/0/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF
[44]  NSA, Performing Out-of-Band Network Management, https://media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF
[45]  NSA, Update and Upgrade Software Immediately, https://media.defense.gov/2019/Sep/09/2002180319/-1/-1/0/Update%20and%20Upgrade%20Software%20Immediately.docx%20-%20Copy.pdf
[46]  Microsoft, Microsoft Security Advisory 2871997: Update to Improve Credentials Protection and Management, https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/2871997
[47]  CISA, Secure Cloud Business Applications Hybrid Identity Solutions Architecture, https://www.cisa.gov/sites/default/files/2023-03/csso-scuba-guidance_document-hybrid_identity_solutions_architecture-2023.03.22-final.pdf
[48]  CISA, Secure Cloud Business Applications (SCuBA) Project, https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
[49]  NSA, Transition to Multi-factor Authentication, https://media.defense.gov/2019/Sep/09/2002180346/-1/-1/0/Transition%20to%20Multi-factor%20Authentication%20-%20Copy.pdf
[50]  Committee on National Security Systems (CNSS), CNSS Policy 15, https://www.cnss.gov/CNSS/issuances/Policies.cfm
[51]  NSA, NSA Releases Future Quantum-Resistant (QR) Algorithm Requirements for National Security Systems, https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3148990/nsa-releases-future-quantum-resistant-qr-algorithm-requirements-for-national-se/
[52]  NSA, Enforce Signed Software Execution Policies, https://media.defense.gov/2019/Sep/09/2002180334/-1/-1/0/Enforce%20Signed%20Software%20Execution%20Policies%20-%20Copy.pdf
[53]  Joint CSI: Keeping PowerShell: Security Measures to Use and Embrace, https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF
[54]  NIST, NIST SP 800-218: Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities, https://csrc.nist.gov/publications/detail/sp/800-218/final

Disclaimer of Endorsement

The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Trademarks

Active Directory, Microsoft, and Windows are registered trademarks of Microsoft Corporation.
MITRE ATT&CK is registered trademark and MITRE D3FEND is a trademark of The MITRE Corporation.
SoftPerfect is a registered trademark of SoftPerfect Proprietary Limited Company.
Telerik is a registered trademark of Progress Software Corporation.
VMware is a registered trademark of VMWare, Inc.
Zimbra is a registered trademark of Synacor, Inc.

Purpose

This document was developed in furtherance of the authoring cybersecurity organizations’ missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Contact

Cybersecurity Report Feedback: CybersecurityReports@nsa.gov
General Cybersecurity Inquiries: Cybersecurity_Requests@nsa.gov 
Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov
Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov 

To report suspicious activity contact CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Appendix: MITRE ATT&CK Tactics and Techniques

See Table 12–Table 21 for all referenced threat actor tactics and techniques in this advisory.

The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) (hereafter referred to as the “authoring agencies”) are releasing this joint cybersecurity advisory (CSA) to detail activity of the People’s Republic of China (PRC)-linked cyber actors known as BlackTech. BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships for pivoting from international subsidiaries to headquarters in Japan and the U.S. — the primary targets. The authoring agencies recommend implementing the mitigations described to detect this activity and protect devices from the backdoors the BlackTech actors are leaving behind.

BlackTech (a.k.a. Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda) actors have targeted government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the militaries of the U.S. and Japan. BlackTech actors use custom malware, dual-use tools, and living off the land tactics, such as disabling logging on routers, to conceal their operations. This CSA details BlackTech’s tactics, techniques, and procedures (TTPs), which highlights the need for multinational corporations to review all subsidiary connections, verify access, and consider implementing Zero Trust models to limit the extent of a potential BlackTech compromise.

For more information on the risks posed by this deep level of unauthorized access, see the CSA People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices.[1]

Download the PDF version of this report: PDF, 808 KB

Technical Details

This advisory uses the MITRE^® ATT&CK^® for Enterprise framework, version 13.1. See the Appendix: MITRE ATT&CK Techniques for all referenced TTPs.

Background

Active since 2010, BlackTech actors have historically targeted a wide range of U.S. and East Asia public organizations and private industries. BlackTech actors’ TTPs include developing customized malware and tailored persistence mechanisms for compromising routers. These TTPs allow the actors to disable logging [T1562] and abuse trusted domain relationships [T1199] to pivot between international subsidiaries and domestic headquarters’ networks.

Observable TTPs

BlackTech cyber actors use custom malware payloads and remote access tools (RATs) to target victims’ operating systems. The actors have used a range of custom malware families targeting Windows^®, Linux^®, and FreeBSD^® operating systems. Custom malware families employed by BlackTech include:

• BendyBear [S0574]
• Bifrose
• BTSDoor
• FakeDead (a.k.a. TSCookie) [S0436]
• Flagpro [S0696]
• FrontShell (FakeDead’s downloader module)
• IconDown
• PLEAD [S0435]
• SpiderPig
• SpiderSpring
• SpiderStack
• WaterBear [S0579]

BlackTech actors continuously update these tools to evade detection [TA0005] by security software. The actors also use stolen code-signing certificates [T1588.003] to sign the malicious payloads, which make them appear legitimate and therefore more difficult for security software to detect [T1553.002].

BlackTech actors use living off the land TTPs to blend in with normal operating system and network activities, allowing them to evade detection by endpoint detection and response (EDR) products. Common methods of persistence on a host include NetCat shells, modifying the victim registry [T1112] to enable the remote desktop protocol (RDP) [T1021.001], and secure shell (SSH) [T1021.004]. The actors have also used SNScan for enumeration [TA0007], and a local file transfer protocol (FTP) server [T1071.002] to move data through the victim network. For additional examples of malicious cyber actors living off the land, see People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection.[2]

Pivoting from international subsidiaries

The PRC-linked BlackTech actors target international subsidiaries of U.S. and Japanese companies. After gaining access [TA0001] to the subsidiaries’ internal networks, BlackTech actors are able to pivot from the trusted internal routers to other subsidiaries of the companies and the headquarters’ networks. BlackTech actors exploit trusted network relationships between an established victim and other entities to expand their access in target networks.

Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network. To extend their foothold across an organization, BlackTech actors target branch routers—typically smaller appliances used at remote branch offices to connect to a corporate headquarters—and then abuse the trusted relationship [T1199] of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic [TA0011], blending in with corporate network traffic, and pivoting to other victims on the same corporate network [T1090.002].

Maintaining access via stealthy router backdoors

BlackTech has targeted and exploited various brands and versions of router devices. TTPs against routers enable the actors to conceal configuration changes, hide commands, and disable logging while BlackTech actors conduct operations. BlackTech actors have compromised several Cisco^® routers using variations of a customized firmware backdoor [T1542.004]. The backdoor functionality is enabled and disabled through specially crafted TCP or UDP packets [T1205]. This TTP is not solely limited to Cisco routers, and similar techniques could be used to enable backdoors in other network equipment.

In some cases, BlackTech actors replace the firmware for certain Cisco IOS^®-based routers with malicious firmware. Although BlackTech actors already had elevated privileges [TA0004] on the router to replace the firmware via command-line execution, the malicious firmware is used to establish persistent backdoor access [TA0003] and obfuscate future malicious activity. The modified firmware uses a built-in SSH backdoor [T1556.004], allowing BlackTech actors to maintain access to the compromised router without BlackTech connections being logged [T1562.003]. BlackTech actors bypass the router's built-in security features by first installing older legitimate firmware [T1601.002] that they then modify in memory to allow the installation of a modified, unsigned bootloader and modified, unsigned firmware [T1601.001]. The modified bootloader enables the modified firmware to continue evading detection [T1553.006], however, it is not always necessary.

BlackTech actors may also hide their presence and obfuscate changes made to compromised Cisco routers by hiding Embedded Event Manager (EEM) policies—a feature usually used in Cisco IOS to automate tasks that execute upon specified events—that manipulate Cisco IOS Command-Line Interface (CLI) command results. On a compromised router, the BlackTech-created EEM policy waits for specific commands to execute obfuscation measures or deny execution of specified legitimate commands. This policy has two functions: (1) to remove lines containing certain strings in the output of specified, legitimate Cisco IOS CLI commands [T1562.006], and (2) prevent the execution of other legitimate CLI commands, such as hindering forensic analysis by blocking copy, rename, and move commands for the associated EEM policy [T1562.001].

Firmware replacement process

BlackTech actors utilize the following file types to compromise the router. These files are downloaded to the router via FTP or SSH.

BlackTech actors use the Cisco router's CLI to replace the router’s IOS image firmware. The process begins with the firmware being modified in memory—also called hot patching—to allow the installation of a modified bootloader and modified firmware capable of bypassing the router’s security features. Then, a specifically constructed packet triggers the router to enable the backdoor that bypasses logging and the access control list (ACL). The steps are as follows:

1. Download old legitimate firmware.
2. Set the router to load the old legitimate firmware and reboot with the following command(s):
   

   config t no boot system usbflash0 [filename] boot system usbflash0 [filename] end write reload

3. Download the modified bootloader and modified firmware.
4. Set the router to load the modified firmware with the following command(s):
   

   conf t no boot system usbflash0 [filename] boot system usbflash0 [filename] end write

5. Load the modified bootloader (the router reboots automatically) with the following command:
   

   upgrade rom file bootloader

6. Enable access by sending a trigger packet that has specific values within the UDP data or TCP Sequence Number field and the Maximum Segment Size (MSS) parameter within the TCP Options field.

Modified bootloader

To allow the modified bootloader and firmware to be installed on Cisco IOS without detection, the cyber actors install an old, legitimate firmware and then modify that running firmware in memory to bypass firmware signature checks in the Cisco ROM Monitor (ROMMON) signature validation functions. The modified version’s instructions allow the actors to bypass functions of the IOS Image Load test and the Field Upgradeable ROMMON Integrity test.

Modified firmware

BlackTech actors install modified IOS image firmware that allows backdoor access via SSH to bypass the router’s normal logging functions. The firmware consists of a Cisco IOS loader that will load an embedded IOS image.

BlackTech actors hook several functions in the embedded Cisco IOS image to jump to their own code. They overwrite existing code to handle magic packet checking, implement an SSH backdoor, and bypass logging functionality on the compromised router. The modified instructions bypass command logging, IP address ACLs, and error logging.

To enable the backdoor functions, the firmware checks for incoming trigger packets and enables or disables the backdoor functionality. When the backdoor is enabled, associated logging functions on the router are bypassed. The source IP address is stored and used to bypass ACL handling for matching packets. The SSH backdoor includes a special username that does not require additional authentication.

Detection and Mitigation Techniques

In order to detect and mitigate this BlackTech malicious activity, the authoring agencies strongly recommend the following detection and mitigation techniques. It would be trivial for the BlackTech actors to modify values in their backdoors that would render specific signatures of this router backdoor obsolete. For more robust detection, network defenders should monitor network devices for unauthorized downloads of bootloaders and firmware images and reboots. Network defenders should also monitor for unusual traffic destined to the router, including SSH.

The following are the best mitigation practices to defend against this type of malicious activity:

• Disable outbound connections by applying the "transport output none" configuration command to the virtual teletype (VTY) lines. This command will prevent some copy commands from successfully connecting to external systems.
  Note: An adversary with unauthorized privileged level access to a network device could revert this configuration change.[3]
• Monitor both inbound and outbound connections from network devices to both external and internal systems. In general, network devices should only be connecting to nearby devices for exchanging routing or network topology information or with administrative systems for time synchronization, logging, authentication, monitoring, etc. If feasible, block unauthorized outbound connections from network devices by applying access lists or rule sets to other nearby network devices. Additionally, place administrative systems in separate virtual local area networks (VLANs) and block all unauthorized traffic from network devices destined for non-administrative VLANs.[4]
• Limit access to administration services and only permit IP addresses used by network administrators by applying access lists to the VTY lines or specific services. Monitor logs for successful and unsuccessful login attempts with the "login on-failure log" and "login on-success log" configuration commands, or by reviewing centralized Authentication, Authorization, and Accounting (AAA) events.[3]
• Upgrade devices to ones that have secure boot capabilities with better integrity and authenticity checks for bootloaders and firmware. In particular, highly prioritize replacing all end-of-life and unsupported equipment as soon as possible.[3],[5]
• When there is a concern that a single password has been compromised, change all passwords and keys.[3]
• Review logs generated by network devices and monitor for unauthorized reboots, operating system version changes, changes to the configuration, or attempts to update the firmware. Compare against expected configuration changes and patching plans to verify that the changes are authorized.[3]
• Periodically perform both file and memory verification described in the Network Device Integrity (NDI) Methodology documents to detect unauthorized changes to the software stored and running on network devices.[3]
• Monitor for changes to firmware. Periodically take snapshots of boot records and firmware and compare against known good images.[3]

Works Cited

[1]    Joint CSA, People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices, https://media.defense.gov/2022/Jun/07/2003013376/-1/-1/0/CSA_PRC_SPONSORED_CYBER_ACTORS_EXPLOIT_NETWORK_PROVIDERS_DEVICES_TLPWHITE.PDF
[2]    Joint CSA, People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection, https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_PRC_State_Sponsored_Cyber_Living_off_the_Land_v1.1.PDF
[3]    NSA, Network Infrastructure Security Guide, https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF
[4]    NSA, Performing Out-of-Band Network Management, https://media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF 
[5]    Cisco, Attackers Continue to Target Legacy Devices, https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

Disclaimer of endorsement

The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government or Japan, and this guidance shall not be used for advertising or product endorsement purposes.

Trademark recognition

Cisco and Cisco IOS are registered trademarks of Cisco Technology, Inc.
FreeBSD is a registered trademark of The FreeBSD Foundation.
Linux is a registered trademark of Linus Torvalds.
MITRE and MITRE ATT&CK are registered trademarks of The MITRE Corporation.
Windows is a registered trademark of Microsoft Corporation.

Purpose

This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate cyber threats, and to develop and issue cybersecurity specifications and mitigations.

Contact

NSA Cybersecurity Report Questions and Feedback: CybersecurityReports@nsa.gov 
NSA’s Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov 
NSA Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov

U.S. organizations: Report incidents and anomalous activity to CISA 24/7 Operations Center at Report@cisa.dhs.gov, cisa.gov/report, or (888) 282-0870 and/or to the FBI via your local FBI field office.

Appendix: MITRE ATT&CK Techniques

See Tables 2-9 for all referenced BlackTech tactics and techniques in this advisory.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023. Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application. Additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device.

CISA and co-sealers are releasing this joint Cybersecurity Advisory (CSA) to provide network defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

For a downloadable copy of the Malware Analysis Report (MAR) accompanying this CSA, see:

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13. See Tables 3-13 for the APT actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding mitigation and/or detection recommendations.

Overview

By request of the impacted organization, CISA conducted an incident response engagement from February to April 2023. CISA and co-sealers assess that beginning as early as January 2023, multiple nation-state APT actors were present on the organization’s network via at least two initial access vectors:

• Initial Access Vector 1: APT actors exploited CVE-2022-47966 to access the organization’s web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus.
• Initial Access Vector 2: APT actors exploited CVE-2022-42475 to access the organization’s firewall device.

CISA and co-sealers identified an array of threat actor activity, to include overlapping TTPs across multiple APT actors. Per the activity conducted, APT actors often scan internet-facing devices for vulnerabilities that can be easily exploited. Firewall, virtual private networks (VPNs), and other edge network infrastructure continue to be of interest to malicious cyber actors. When targeted, they can be leveraged to expand targeted network access, serve as malicious infrastructure, or a mixture of both.

APT Actor Activity

Initial Access Vector 1

As early as January 2023, APT actors exploited CVE-2022-47966 [T1190] for initial access to the organization’s web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus. CISA observed indications in log files that a connection to the known malicious IP address 192.142.226[.]153 was made as part of initial exploitation.

Through exploitation of CVE-2022-47966, APT actors achieved root level access on the web server and created a local user account [T1136.001] named Azure with administrative privileges [T1068]. Actors were further able to download malware, enumerate the network, collect administrative user credentials, and move laterally through the organization’s network. CISA and co-sealers were unable to determine if proprietary information was accessed, altered, or exfiltrated. This was due to the organization not clearly defining where their data was centrally located and CISA having limited network sensor coverage.

Initial Access Vector 2

Additional APT actors exploited CVE-2022-42475 on the organization’s firewall device, which was indicated by multiple successful VPN connections from known-malicious IPs between February 1-16, 2023. It was identified that APT actors compromised and used disabled, legitimate administrative account credentials [T1078.003] from a previously hired contractor—of which the organization confirmed the user had been disabled prior to the observed activity.

Analysis identified that a common behavior for these threat actors was to use disabled administrative account credentials and delete logs from several critical servers in the environment [T1070.001]. This prevented the ability to detect follow-on exploitation or data exfiltration. CISA and co-sealers were also unable to further track the activity due to the organization not having Network Address Translation (NAT) IP logging enabled.

APT actors initiated multiple Transport Layer Security (TLS)-encrypted sessions [T1573.002] on Transmission Control Protocol (TCP) port 10443 [T1571], indicating successful exchanges of data transfer from the firewall device. APT actors were observed connecting to the device from the following actor-controlled C2 IP addresses:

• 144.202.2[.]71
• 207.246.105[.]240
• 45.77.121[.]232
• 47.90.240[.]218

APT actors further leveraged legitimate credentials to move from the firewall to a web server, where multiple web shells were loaded—among other locations, such as the OWA server—into the following directories. Note: The following file paths to these web shells were received in coordination with a trusted third-party; however, the artifacts were not received for analysis.

• c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\resource.aspx
• c:\inetpub\wwwroot\[REDACTED]\css\font-awesome\css\discover.ashx
• c:\inetpub\wwwroot\[REDACTED]\css\font-awesome\css\configlogin.ashx
• c:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\template\layouts\approveinfo.aspx
• c:\Program Files\Microsoft Office Web Apps\RootWebsite\infos.aspx
• c:\Program Files\Microsoft Office Web Apps\RootWebsite\errorinfo.aspx
• c:\Program Files\Microsoft Office Web Apps\RootWebsite\infos.ashx
• c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\error.aspx
• c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\infos.aspx
• c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\info.aspx
• c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\info-1.aspx
• c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\new_list.aspx
• c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\errorinfo.aspx
• c:\Program Files\Microsoft Office Web Apps\RootWebsite\en-us\lgnbotr.ashx
• c:\inetpub\passwordchange\0LECPNJYRH.aspx
• c:\inetpub\passwordchange\9ehj.aspx
• c:\inetpub\wwwroot\wss\VirtualDirectories\Portal80\_vti_pvt\servicesinfo.ashx
• c:\inetpub\wwwroot\wss\VirtualDirectories\Portal80\_vti_pvt\services.aspx
• c:\inetpub\redirectedSites\[REDACTED]\products\uns1fw.aspx
• c:\inetpub\redirectedSites\[REDACTED]\products\uns1ew.aspx

The following IP addresses were identified as associated with the loaded web shells:

• 45.90.123[.]194
• 154.6.91[.]26
• 154.6.93[.]22
• 154.6.93[.]5
• 154.6.93[.]12
• 154.6.93[.]32
• 154.6.93[.]24
• 184.170.241[.]27
• 191.96.106[.]40
• 102.129.145[.]232

Forensic Timeline of APT Actor Activity

Tables 1 and 2 list the timeline of events discovered during the incident response, as well as tools used by the APT actors to conduct their operations, respectively. All timestamps are presented in Coordinated Universal Time (UTC).

Post-engagement analysis was extended but analysts were unable to determine additional actions taken by the APT actors, likely due to a lack of sensor coverage and data unavailability. With the data available, it was determined APT actors used the tools listed in Table 2 during their operations.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 3-13 for all referenced APT actors’ tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

DETECTION METHODS

CISA and co-sealers recommend reviewing Tables 3-13: Identified ATT&CK Techniques for Enterprise in conjunction with the detections in this section to identify similar activity.

• Enable logging for new user creation [DS0002], as well as monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add, useradd, and dscl -create [DS0017].
• Monitor for newly constructed scheduled tasks by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. Monitor for changes made to scheduled tasks that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools [DS0003].
• Monitor for API calls that may create or modify Windows services (ex: CreateServiceW()) to repeatedly execute malicious payloads as part of persistence [DS0009].
• Monitor executed commands and arguments that may attempt to access credential material stored in the process memory of the LSASS [DS0017].
• Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10) [DS0028].
• Monitor for newly-constructed network connections associated with pings/scans that may attempt to collect a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for lateral movement from the current system [DS0029].
• Conduct full port scans (1-65535) on internet-facing systems—not just a subset of the ports.

MITIGATIONS

Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Manage Vulnerabilities and Configurations [CPG 1.E, CPG 3.A]

CISA and co-sealers identified that exploitation of CVE-2022-47966 granted initial access to the public-facing application, Zoho ManageEngine ServiceDesk Plus. Multiple Zoho ManageEngine on-premises products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of version 1.4.1 of Apache XML Security for Java (also known as xmlsec) from the Apache Santuario project. Due to the xmlsec XSLT features by design in that version, the application is responsible for certain security protections. CISA and co-sealers recommend the following:

• Document device configurations [CPG 2.O]. Organizations should maintain updated documentation describing the current configuration details of all critical IT assets (and OT, where applicable), as this facilitates more effective vulnerability and response activities.
• Keep all software up to date and patch systems for known exploited vulnerabilities. In places with known exploited vulnerabilities on an endpoint device (e.g., firewall security appliances), conduct investigation prior to patching [CPG 1.E].
• Follow a routine patching cycle [M1051] for all operating systems, applications, and software (including all third-party software) to mitigate the potential for exploitation.
• Prioritize remediation of vulnerabilities on internet-facing systems, for example, by conducting continuous automated and/or routine vulnerability scans [M1016]. CISA offers a range of services at no cost, including scanning and testing to help organizations reduce exposure to threats via mitigating attack vectors. Specifically, Cyber Hygiene services can help provide a second-set of eyes on organizations' internet-accessible assets. Organizations can email vulnerability@cisa.dhs.gov with the subject line, “Requesting Cyber Hygiene Services” to get started. For additional guidance on remediating these vulnerabilities, see CISA Insights - Remediate Vulnerabilities for Internet-Accessible Systems.
• Deploy security.txt files [CPG 4.C]. All public-facing web domains have a security.txt file that conforms to the recommendations in RFC 9116.[9]

Segment Networks [CPG 2.F]

CISA and co-sealers identified that the organization did not employ proper network segmentation, such as a demilitarized zone (DMZ), during the initial discovery phase of the incident response. A DMZ serves as a perimeter network that protects and adds an extra layer of security to an organization’s internal local area network (LAN) from untrusted traffic.

• Employ proper network segmentation, such as a DMZ, and ensure to address the following recommendations. Note: The end goal of a DMZ network is to allow an organization to access untrusted networks, such as the internet, while ensuring its private network or LAN remains secure. Organizations typically store external-facing services and resources, as well as servers for DNS, File Transfer Protocol (FTP), mail, proxy, Voice over Internet Protocol (VoIP), and web servers in the DMZ [CPG 2.K, CPG 2.W].
  • Limit internet-facing port exposure for critical resources in the DMZ networks.
  • Limit exposed ports to only required IP addresses and avoid placing wildcards in destination port or host entries.
  • Ensure unsecured protocols like FTP and HTTP are limited in use and restricted to specific IP ranges.
  • If data flows from untrusted zone to trusted zone, ensure it is conducted over a secure protocol like HTTPS with mandatory multi-factor authentication.
• Use a firewall or web-application firewall (WAF) and enable logging to prevent/detect potential exploitation attempts [M1050]. Review ingress and egress firewall rules and block all unapproved protocols. Limit risky (but approved) protocols through rules.
  • Use WAF to limit exposure to just approved ports, as well as monitor file changes in web directories.
• Implement network segmentation to separate network segments based on role and functionality. Proper network segmentation significantly reduces the ability for threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. See CISA’s Layering Network Security Through Segmentation infographic and the National Security Agency’s (NSA’s) Segment Networks and Deploy Application-Aware Defenses.

Manage Accounts, Permissions, and Workstations

APT actors were able to leverage disabled administrative accounts, as well as clear logs on several critical servers, which prevented the ability to detect follow-on exploitation or data exfiltration. CISA and co-sealers recommend the following:

• Use phishing-resistant multi-factor authentication (MFA) [CPG 2.H] (e.g., security tokens) for remote access and access to any sensitive data repositories. Implement phishing-resistant MFA for as many services possible—particularly for webmail and VPNs—for accounts that access critical systems and privileged accounts that manage backups. MFA should also be used for remote logins [M1032]. For additional guidance on secure MFA configurations, visit cisa.gov/MFA and CISA’s Implementing Phishing-Resistant MFA Factsheet.
• Employ strong password management alongside other attribute-based information, such as device information, time of access, user history, and geolocation data. Set a password policy to require complex passwords for all users (minimum of 16 characters) and enforce this new requirement as users’ passwords expire [CPG 2.A, CPG 2.B, CPG 2.C].
• Implement the principle of least privilege to decrease threat actors’ abilities to access key network resources.
• Limit the ability of a local administrator account to log in from a local interactive session [CPG 2.E] (e.g., “Deny access to this computer from the network”) and prevent access via an RDP session.
• Establish policy and procedure for the prompt removal of unnecessary (disabled) accounts and groups from the enterprise that are no longer needed, especially privileged accounts. Implement and enforce use of Local Administrator Password Solution (LAPS).
• Control and limit local administration, ensuring administrative users do not have access to other systems outside of the local machine and across the domain.
• Create a change control process for all privilege escalations and role changes on user accounts. Enable alerts on privilege escalations and role changes, as well as log privileged user changes in the network environment and create alerts for abnormal events.
• Create and deploy a secure system baseline image to all workstations. See Microsoft’s guidance on Using Security Baselines in Your Organization.
• Implement policies to block workstation-to-workstation RDP connections [CPG 2.V] through a Group Policy Object on Windows, or by a similar mechanism. The RDP service should be disabled if it is unnecessary [M1042].

Secure Remote Access Software

Remote access software provides a proactive and flexible approach for organizations to internally oversee networks, computers, and other devices; however, cyber threat actors increasingly co-opt these tools for access to victim systems. APT actors were observed using legitimate remote access tools—ConnectWise ScreenConnect and AnyDesk—to connect to victim hosts within the organization’s environment and further conduct malicious operations. CISA and co-sealers recommend the following:

• Establish a software behavior baseline to detect anomalies in behavior [CPG 2.T, CPG 2.U].
• Monitor for unauthorized use of remote access software using endpoint detection tools.

For more information, see CISA’s joint Guide to Securing Remote Access Software on best practices for using remote capabilities and how to detect and defend against malicious actors abusing this software.

Other Best Practice Mitigation Recommendations

• Use application allowlists on domain controllers, administrative hosts, and other sensitive systems. Following exploitation of the public-facing application (Zoho ManageEngine ServiceDesk Plus), APT actors were able to download and execute multiple files on the system, which were then utilized to enumerate the network and perform reconnaissance operations.
  • Use directory allowlisting rather than attempting to list every possible permutation of applications in a network environment. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), and SYSTEM32. Disallow all other locations unless an exception is granted and documented. Application directory allowlisting can be enabled through Microsoft Software Restriction Policy or AppLocker and can prevent the execution of unauthorized software.
• Audit scheduled tasks and validate all findings via a Group Policy Object (GPO) or endpoint detection and response (EDR) solution.
• Follow Microsoft’s Best Practices for Securing Active Directory.
• Review NSA’s Network Infrastructure Security Guide.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and co-sealers recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and co-sealers also recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see Tables 3-13).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and co-sealers recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

• NIST: NVD CVE-2022-47966
• NIST: NVD CVE-2022-42475
• CISA: KEV List
• MITRE ATT&CK for Enterprise v13.1
• CISA, MITRE: Best Practices for MITRE ATT&CK Mapping
• CISA: Decider Tool
• CISA: Cross-Sector Cybersecurity Performance Goals
• CISA: Cyber Hygiene Services
• CISA: Remediate Vulnerabilities for Internet-Accessible Systems
• CISA: Layering Network Security Through Segmentation
• NSA: Segment Networks and Deploy Application-Aware Defenses
• CISA: MFA
• CISA: Implementing Phishing-Resistant MFA
• Microsoft: Using Security Baselines in Your Organization
• CISA: Guide to Securing Remote Access Software
• Microsoft: Best Practices for Securing Active Directory
• NSA: Network Infrastructure Security Guide

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA, the FBI, and CNMF do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, or CNMF.

REFERENCES

1. Snort: Known Malicious User-Agent String – Mirai
2. MITRE: Mimikatz
3. MITRE: Ngrok
4. AA22-320A: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester
5. AA22-294A: #StopRansomware: Daixin Team
6. AA23-075A: #StopRansomware: LockBit 3.0
7. GitHub: Interactsh
8. Microsoft: Quser
9. Internet Engineering Task Force (IETF): RFC 9116

VERSION HISTORY

September 7, 2023: Initial version.

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to disseminate QakBot infrastructure indicators of compromise (IOCs) identified through FBI investigations as of August 2023. On August 25, FBI and international partners executed a coordinated operation to disrupt QakBot infrastructure worldwide. Disruption operations targeting QakBot infrastructure resulted in the botnet takeover, which severed the connection between victim computers and QakBot command and control (C2) servers. The FBI is working closely with industry partners to share information about the malware to maximize detection, remediation, and prevention measures for network defenders.

CISA and FBI encourage organizations to implement the recommendations in the Mitigations section to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections. Note: The disruption of QakBot infrastructure does not mitigate other previously installed malware or ransomware on victim computers. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to a local FBI Field Office or CISA at cisa.gov/report.

Download the PDF version of this report:

For a downloadable copy of IOCs, see:

TECHNICAL DETAILS

Overview

QakBot—also known as Qbot, Quackbot, Pinkslipbot, and TA570—is responsible for thousands of malware infections globally. QakBot has been the precursor to a significant amount of computer intrusions, to include ransomware and the compromise of user accounts within the Financial Sector. In existence since at least 2008, QakBot feeds into the global cybercriminal supply chain and has deep-rooted connections to the criminal ecosystem. QakBot was originally used as a banking trojan to steal banking credentials for account compromise; in most cases, it was delivered via phishing campaigns containing malicious attachments or links to download the malware, which would reside in memory once on the victim network.

Since its initial inception as a banking trojan, QakBot has evolved into a multi-purpose botnet and malware variant that provides threat actors with a wide range of capabilities, to include performing reconnaissance, engaging in lateral movement, gathering and exfiltrating data, and delivering other malicious payloads, including ransomware, on affected devices. QakBot has maintained persistence in the digital environment because of its modular nature. Access to QakBot-affected (victim) devices via compromised credentials are often sold to further the goals of the threat actor who delivered QakBot.

QakBot and affiliated variants have targeted the United States and other global infrastructures, including the Financial Services, Emergency Services, and Commercial Facilities Sectors, and the Election Infrastructure Subsector. FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood of QakBot-related infections and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other previously installed malware or ransomware on victim computers. If a potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA and FBI.

QakBot Infrastructure

QakBot’s modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike^[1], Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti^[2], ProLock^[3], Egregor^[4], REvil^[5], MegaCortex^[6], Black Basta^[7], Royal^[8], and PwndLocker.

Historically, QakBot’s C2 infrastructure relied heavily on using hosting providers for its own infrastructure and malicious activity. These providers lease servers to malicious threat actors, ignore abuse complaints, and do not cooperate with law enforcement. At any given time, thousands of victim computers running Microsoft Windows were infected with QakBot—the botnet was controlled through three tiers of C2 servers.

The first tier of C2 servers includes a subset of thousands of bots selected by QakBot administrators, which are promoted to Tier 1 “supernodes” by downloading an additional software module. These supernodes communicate with the victim computers to relay commands and communications between the upstream C2 servers and the infected computers. As of mid-June 2023, 853 supernodes have been identified in 63 countries, which were active that same month. Supernodes have been observed frequently changing, which assists QakBot in evading detection by network defenders. Each bot has been observed communicating with a set of Tier 1 supernodes to relay communications to the Tier 2 C2 servers, serving as proxies to conceal the main C2 server. The Tier 3 server controls all of the bots.

Indicators of Compromise

FBI has observed the following threat actor tactics, techniques, and procedures (TTPs) in association with OakBot infections:

1. QakBot sets up persistence via the Registry Run Key as needed. It will delete this key when running and set it back up before computer restart: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
2. QakBot will also write its binary back to disk to maintain persistence in the following folder: C:\Users\\AppData\Roaming\Microsoft\\
3. QakBot will write an encrypted registry configuration detailing information about the bot to the following registry key: HKEY_CURRENT_USER\Software\Microsoft\

In addition, the below IP addresses were assessed to have obtained access to victim computers. Organizations are encouraged to review any connections with these IP addresses, which could potentially indicate a QakBot and/or follow-on malware infection.

Disclaimer: The below IP addresses are assessed to be inactive as of August 29, 2023. Several of these observed IP addresses were first observed as early as 2020, although most date from 2022 or 2023, and have been historically linked to QakBot. FBI and CISA recommend these IP addresses be investigated or vetted by organizations prior to taking action, such as blocking.

Organizations are also encouraged to review the Qbot/QakBot Malware presentation from the U.S. Department of Health & Human Services Cybersecurity Program for additional information.

MITRE ATT&CK TECHNIQUES

For detailed associated software descriptions, tactics used, and groups that have been observed using this software, see MITRE ATT&CK’s page on QakBot.^[9]

MITIGATIONS

Note: For situational awareness, the following SHA-256 hash is associated with FBI’s QakBot uninstaller: 7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117

CISA and FBI recommend network defenders apply the following mitigations to reduce the likelihood of QakBot-related activity and promote identification of QakBot-induced ransomware and malware infections. Disruption of the QakBot botnet does not mitigate other already-installed malware or ransomware on victim computers. Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

Best Practice Mitigation Recommendations

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud) [CPG 2.O, 2.R, 5.A].
• Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards when developing and managing password policies [CPG 2.B]. This includes:
  • Use longer passwords consisting of at least 8 characters and no more than 64 characters in length;
  • Store passwords in hashed format using industry-recognized password managers;
  • Add password user “salts” to shared login credentials;
  • Avoid reusing passwords;
  • Implement multiple failed login attempt account lockouts;
  • Disable password “hints”;
  • Refrain from requiring password changes more frequently than once per year.
    Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
  • Require administrator credentials to install software.
• Use phishing-resistant multi-factor authentication (MFA) [CPG 2.H] (e.g., security tokens) for remote access and access to any sensitive data repositories. Implement phishing-resistant MFA for as many services as possible—particularly for webmail and VPNs—for accounts that access critical systems and privileged accounts that manage backups. MFA should also be used for remote logins. For additional guidance on secure MFA configurations, visit cisa.gov/MFA and CISA’s Implementing Phishing-Resistant MFA Factsheet.
• Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities of internet-facing systems [CPG 1.E]. CISA offers a range of services at no cost, including scanning and testing to help organizations reduce exposure to threats via mitigating attack vectors. Specifically, Cyber Hygiene services can help provide a second-set of eyes on organizations’ internet-accessible assets. Organizations can email vulnerability@cisa.dhs.gov with the subject line, “Requesting Cyber Hygiene Services” to get started.
• Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks to restrict adversary lateral movement [CPG 2.F].
• Identify, detect, and investigate abnormal activity and potential traversal of the indicated malware with a networking monitoring tool. To aid in detecting the malware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
• Install, regularly update, and enable real time detection for antivirus software on all hosts.
• Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
• Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.D, 2.E].
• Disable unused ports [CPG 2.V, 2.W, 2X].
• Consider adding an email banner to emails received from outside your organization.
• Disable hyperlinks in received emails.
• Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task [CPG 2.E].
• Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
• Perform regular secure system backups and create known good copies of all device configurations for repairs and/or restoration. Store copies off-network in physically secure locations and test regularly [CPG 2.R].
• Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

Ransomware Guidance

• CISA.gov/stopransomware is a whole-of-government resource that serves as one central location for ransomware resources and alerts.
• CISA, FBI, the National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020.
• CISA has released a new module in its Cyber Security Evaluation Tool (CSET), the Ransomware Readiness Assessment (RRA). CSET is a desktop software tool that guides network defenders through a step-by-step process to evaluate cybersecurity practices on their networks.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and FBI also recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

1. Select an ATT&CK technique described in this advisory (see MITRE ATT&CK’s page on QakBot).^[9]
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques.

REPORTING

FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with QakBot-affiliated actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. FBI and CISA do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office or CISA at cisa.gov/report.

RESOURCES

• HHS: Qbot/QakBot Malware
• CISA: CPGs
• NIST: 800-63B Digital Identity Guidelines
• CISA: MFA
• CISA: Implementing Phishing-Resistant MFA
• CISA: Known Exploited Vulnerabilities Catalog
• CISA: Cyber Hygiene
• CISA: Zero Trust
• CISA: #StopRansomware
• CISA: #StopRansomware Guide
• CISA: CSET Tool Sets Sights on Ransomware Threat

REFERENCES

1. MITRE: Cobalt Strike
2. MITRE: Conti
3. MITRE: ProLock
4. MITRE: Egregor
5. MITRE: REvil
6. MITRE: MegaCortex
7. MITRE: Black Basta
8. MITRE: Royal
9. MITRE: QakBot

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.

VERSION HISTORY

August 30, 2023: Initial version.

The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (CSA):

• United States: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI)
• Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
• Canada: Canadian Centre for Cyber Security (CCCS)
• New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
• United Kingdom: National Cyber Security Centre (NCSC-UK)

This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.

The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of compromise by malicious cyber actors.

• Vendors, designers, and developers: Implement secure-by-design and -default principles and tactics to reduce the prevalence of vulnerabilities in your software.
  • Follow the Secure Software Development Framework (SSDF), also known as SP 800-218, and implement secure design practices into each stage of the software development life cycle (SDLC). As part of this, establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities.
  • Prioritize secure-by-default configurations, such as eliminating default passwords, or requiring addition configuration changes to enhance product security.
  • Ensure that published CVEs include the proper CWE field identifying the root cause of the vulnerability.
• End-user organizations:
  • Apply timely patches to systems. Note: First check for signs of compromise if CVEs identified in this CSA have not been patched.
  • Implement a centralized patch management system.
  • Use security tools, such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers.
  • Ask your software providers to discuss their secure by design program and to provide links to information about how they are working to remove classes of vulnerabilities and to set secure default settings.

Download the PDF version of this report:

TECHNICAL DETAILS

Key Findings

In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors.

Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure—the value of such vulnerabilities gradually decreases as software is patched or upgraded. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations).

Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs. While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years. Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets’ networks. Multiple CVE or CVE chains require the actor to send a malicious web request to the vulnerable device, which often includes unique signatures that can be detected through deep packet inspection.

Top Routinely Exploited Vulnerabilities

Table 1 shows the top 12 vulnerabilities the co-authors observed malicious cyber actors routinely exploiting in 2022:

• CVE-2018-13379. This vulnerability, affecting Fortinet SSL VPNs, was also routinely exploited in 2020 and 2021. The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.
• CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.
• CVE-2021-40539. This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability began in late 2021 and continued throughout 2022.
• CVE-2021-26084. This vulnerability, affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies) could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.
• CVE-2021- 44228. This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[1] Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021- 44228 through the first half of 2022.
• CVE-2022-22954, CVE-2022-22960. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.
• CVE-2022-1388. This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.
• CVE-2022-30190. This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.
• CVE-2022-26134. This critical RCE vulnerability affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (CVE-2021-26084), which cyber actors also exploited in 2022.

Additional Routinely Exploited Vulnerabilities

In addition to the 12 vulnerabilities listed in Table 1, the authoring agencies identified vulnerabilities—listed in Table 2—that were also routinely exploited by malicious cyber actors in 2022.

MITIGATIONS

Vendors and Developers

The authoring agencies recommend vendors and developers take the following steps to ensure their products are secure by design and default:

• Identify repeatedly exploited classes of vulnerability. Perform an analysis of both CVEs and known exploited vulnerabilities to understand which classes of vulnerability are identified more than others. Implement appropriate mitigations to eliminate those classes of vulnerability. For example, if a product has several instances of SQL injection vulnerabilities, ensure all database queries in the product use parameterized queries, and prohibit other forms of queries.
• Ensure business leaders are responsible for security. Business leaders should ensure that proactive steps to eliminate entire classes of security vulnerabilities, rather than only making one-off patches when new vulnerabilities are discovered.
• Follow the SSDF (SP 800-218) and implement secure design practices into each stage of the SDLC. Pay attention to:
  • Prioritizing the use of memory safe languages wherever possible [SSDF PW 6.1].
  • Exercising due diligence when selecting software components (e.g., software libraries, modules, middleware, frameworks) to ensure robust security in consumer software products [SSDF PW 4.1].
  • Setting up secure development team practices; this includes conducting peer code reviews, working to a common organization secure coding standard, and maintaining awareness of language specific security concerns [SSDF PW.5.1, PW.7.1, PW.7.2].
  • Establishing a vulnerability disclosure program to verify and resolve security vulnerabilities disclosed by people who may be internal or external to the organization [SSDF RV.1.3]. As part of this, establish processes to determine root causes of discovered vulnerabilities.
  • Using static and dynamic application security testing (SAST/DAST) tools to analyze product source code and application behavior to detect error-prone practices [SSDF PW.7.2, PW.8.2].
  • Configuring production-ready products to have to most secure settings as default and providing guidance on the risks of changing each setting [SSDF PW.9.1, PW9.2]
• Prioritize secure-by-default configurations such as eliminating default passwords, implementing single sign on (SSO) technology via modern open standards, and providing high-quality audit logs to customers with no additional configuration and at no extra charge.
• Ensure published CVEs include the proper CWE field identifying the root cause of the vulnerability to enable industry-wide analysis of software security and design flaws.

For more information on designing secure-by-design and -default products, including additional recommended secure-by-default configurations, see joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.

End-User Organizations

The authoring agencies recommend end-user organizations implement the mitigations below to improve cybersecurity posture on the basis of the threat actors’ activity. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on CPGs, including additional recommended baseline protections.

Vulnerability and Configuration Management

• Update software, operating systems, applications, and firmware on IT network assets in a timely manner [CPG 1.E]. Prioritize patching known exploited vulnerabilities, especially those CVEs identified in this CSA, then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix.
  • If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.
  • Replace end-of-life software (i.e., software no longer supported by the vendor).
• Routinely perform automated asset discovery across the entire estate to identify and catalogue all the systems, services, hardware and software.
• Implement a robust patch management process and centralized patch management system that establishes prioritization of patch applications [CPG 1.A].
  • Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications—such as webmail, file storage, file sharing, and chat and other employee collaboration tools—for their customers. However, MSPs and CSPs can expand their customer’s attack surface and may introduce unanticipated risks, so organizations should proactively collaborate with their MSPs and CSPs to jointly reduce risk [CPG 1.F]. For more information and guidance, see the following resources.
    • CISA Insights Risk Considerations for Managed Service Provider Customers
    • CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses
    • ACSC advice on How to Manage Your Security When Engaging a Managed Service Provider
• Document secure baseline configurations for all IT/OT components, including cloud infrastructure. Monitor, examine, and document any deviations from the initial secure baseline [CPG 2.O].
• Perform regular secure system backups and create known good copies of all device configurations for repairs and/or restoration. Store copies off-network in physically secure locations and test regularly [CPG 2.R].
• Maintain an updated cybersecurity incident response plan that is tested at least annually and updated within a risk informed time frame to ensure its effectiveness [CPG 2.S].

Identity and Access Management

• Enforce phishing-resistant multifactor authentication (MFA) for all users, without exception. [CPG 2.H].
• Enforce MFA on all VPN connections. If MFA is unavailable, require employees engaging in remote work to use strong passwords [CPG 2.A, 2.B, 2.C, 2.D, 2.G].
• Regularly review, validate, or remove privileged accounts (annually at a minimum) [CPG 2.D, 2.E].
• Configure access control under the principle of least privilege [CPG 2.Q].
  • Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (using non-administrative privileges where feasible).
    Note: See CISA’s Capacity Enhancement Guide – Implementing Strong Authentication and ACSC’s guidance on Implementing Multi-Factor Authentication for more information on authentication system hardening.

Protective Controls and Architecture

• Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices [CPG 2.V, 2.W, 2X].
  • Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.
  • Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.
  • Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).

• Implement Zero Trust Network Architecture (ZTNA) to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks [CPG 2.F, 2.X]. Note: See the Department of Defense’s Zero Trust Reference Architecture for additional information on Zero Trust.
• Continuously monitor the attack surface and investigate abnormal activity that may indicate cyber actor or malware lateral movement [CPG 2.T].
  • Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure EDR, SIEM, vulnerability scanner, and other similar tools are reporting the same number of assets [CPG 2.T, 2.V].
  • Use web application firewalls to monitor and filter web traffic. These tools are commercially available via hardware, software, and cloud-based solutions, and may detect and mitigate exploitation attempts where a cyber actor sends a malicious web request to an unpatched device [CPG 2.B, 2.F].
  • Implement an administrative policy and/or automated process configured to monitor unwanted hardware, software, or programs against an allowlist with specified approved versions [CPG 2.Q].
  • Use a network protocol analyzer to examine captured data, including packet-level data.

Supply Chain Security

• Reduce third-party applications and unique system/application builds—provide exceptions only if required to support business critical functions [CPG 2.Q].
• Ensure contracts require vendors and/or third-party service providers to:
  • Provide notification of security incidents and vulnerabilities within a risk informed time frame [CPG 1.G, 1.H, 1.I].
  • Supply a Software Bill of Materials (SBOM) with all products to enhance vulnerability monitoring and to help reduce time to respond to identified vulnerabilities [CPG 4.B].
• Ask your software providers to discuss their secure by design program and to provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings.

RESOURCES

• For information on the top vulnerabilities routinely exploited in 2016 through 2019, 2020, and 2021, see:
  • Joint CSA Top 10 Routinely Exploited Vulnerabilities
  • Joint CSA Top Routinely Exploited Vulnerabilities
  • Joint CSA 2021 Top Routinely Exploited Vulnerabilities
• See the appendix for additional partner resources on the vulnerabilities mentioned in this CSA.
• See ACSC’s Essential Eight mitigation strategies for additional mitigations.
• See ACSC’s Cyber Supply Chain Risk Management for additional considerations and advice.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.

PURPOSE

This document was developed by CISA, NSA, FBI, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

REFERENCES

[1] Apache Log4j Vulnerability Guidance

VERSION HISTORY

August 3, 2023: Initial version.

APPENDIX: PATCH INFORMATION AND ADDITIONAL RESOURCES FOR TOP EXPLOITED VULNERABILITIES