US-CERT Feed

AA20-336A: Advanced Persistent Threat Actors Targeting U.S. Think Tanks

US-Cert Alerts - 9 hours 58 min ago
Original release date: December 1, 2020<br/><h3>Summary</h3><p class="tip-intro" style="font-size: 15px;"><em>This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK®) framework. See the <a href="https://attack.mitre.org/versions/v7/techniques/enterprise/">ATT&amp;CK for Enterprise</a> for all referenced threat actor tactics and techniques.</em></p> <p>The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed persistent continued cyber intrusions by advanced persistent threat (APT) actors targeting U.S. think tanks. This malicious activity is often, but not exclusively, directed at individuals and organizations that focus on international affairs or national security policy.[<a href="https://www.cyberscoop.com/european-think-tanks-hack-microsoft-fancy-bear-russia/">1</a>] The following guidance may assist U.S. think tanks in developing network defense procedures to prevent or rapidly detect these attacks.</p> <p>APT actors have relied on multiple avenues for initial access. These have included low-effort capabilities such as spearphishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities. Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic. Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim’s network. When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks.</p> <p>Given the importance that think tanks can have in shaping U.S. policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness and implement the critical steps listed in the Mitigations section of this Advisory.</p> <p><a href="https://us-cert.cisa.gov/sites/default/files/publications/AA20-336A-APT_Actors_Targeting_US_ThinkTanks.pdf">Click here</a> for a PDF version of this report.</p> <h3>Technical Details</h3><h4>ATT&amp;CK Profile</h4> <p>CISA created the following MITRE ATT&amp;CK profile to provide a non-exhaustive list of tactics, techniques, and procedures (TTPs) employed by APT actors to break through think tanks’ defenses, conduct reconnaissance in their environments, exfiltrate proprietary or confidential information, and execute effects on targets. These TTPs were included based upon closed reporting on APT actors that are known to target think tanks or based upon CISA incident response data.</p> <ul> <li><em><strong>Initial Access</strong></em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0001">TA0001</a>] <ul> <li><i>Valid Accounts </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1078/">T1078</a>]</li> <li><i>Valid Accounts: Cloud Accounts </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1078/004/">T1078.004</a>]</li> <li><i>External Remote Services </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1133/">T1133</a>]</li> <li><i>Drive-by Compromise</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1189">T1189</a>]</li> <li><i>Exploit Public-Facing Application</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1190">T1190</a>] <ul> <li><i>Supply Chain Compromise: Compromise Software Supply Chain</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1195/002">T1195.002</a>]</li> <li><i>Trusted Relationship</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1199">T1199</a>]</li> <li><i>Phishing: Spearphishing Attachment</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/001">T1566.001</a>]</li> <li><i>Phishing: Spearphishing Link</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/002">T1566.002</a>]</li> <li><i>Phishing: Spearphishing via Service</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/003">T1566.003</a>]</li> </ul> </li> </ul> </li> <li><i><em><strong>Execution</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0002">TA0002</a>] <ul> <li><i>Windows Management Instrumentation </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1047">T1047</a>]</li> <li><i>Scheduled Task/Job: Scheduled Task </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1053/005">T1053.005</a>]</li> <li><i>Command and Scripting Interpreter: PowerShell </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1059/001">T1059.001</a>]</li> <li><i>Command and Scripting Interpreter: Windows Command Shell</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1059/003">T1059.003</a>]</li> <li><i>Command and Scripting Interpreter: Unix Shell</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1059/004">T1059.004</a>]</li> <li><i>Command and Scripting Interpreter: Visual Basic </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1059/005">T1059.005</a>]</li> <li><i>Command and Scripting Interpreter: Python </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1059/006">T1059.006</a>]</li> <li><i>Native API </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1106">T1106</a>]</li> <li><i>Exploitation for Client Execution</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1203">T1203</a>]</li> <li><i>User Execution: Malicious Link </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1204/001">T1204.001</a>]</li> <li><i>User Execution: Malicious File</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1204/002">T1204.002</a>]</li> <li><i>Inter-Process Communication: Dynamic Data Exchange </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1559/002/">T1559.002</a>]</li> <li><i>System Services: Service Execution </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1569/002">T1569.002</a>]</li> </ul> </li> <li><i><em><strong>Persistence</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0003">TA0003</a>] <ul> <li><i>Boot or Logon Initialization Scripts: Logon Script (Windows)</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1037/001">T1037.001</a>]</li> <li><i>Scheduled Task/Job: Scheduled Task</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1053/005">T1053.005</a>]</li> <li><i>Account Manipulation: Exchange Email Delegate Permissions </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1098/002">T1098.002</a>]</li> <li><i>Create Account: Local Account</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1136/001">T1136.001</a>]</li> <li><i>Office Application Startup: Office Test </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1137/002">T1137.002</a>]</li> <li><i>Office Application Startup: Outlook Home Page</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1137/004">T1137.004</a>]</li> <li><i>Browser Extensions</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1176">T1176</a>]</li> <li><i>BITS Jobs</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1197/">T1197</a>]</li> <li><i>Server Software Component: Web Shell</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1505/003">T1505.003</a>]</li> <li><i>Pre-OS Boot: Bootkit</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1542/003/">T1542.003</a>]</li> <li><i>Create or Modify System Process: Windows Service</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1543/003">T1543.003</a>]</li> <li><i>Event Triggered Execution: Change Default File Association</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1546/001">T1546.001</a>]</li> <li><i>Event Triggered Execution: Windows Management Instrumentation Event Subscription </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1546/003">T1546.003</a>]</li> <li><i>Event Triggered Execution: Accessibility Features</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1546/008">T1546.008</a>]</li> <li><i>Event Triggered Execution: Component Object Model Hijacking</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1546/015">T1546.015</a>]</li> <li><i>Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1547/001">T1547.001</a>]</li> <li><i>Boot or Logon Autostart Execution: Shortcut Modification</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1547/009">T1547.009</a>]</li> </ul> </li> <li><i><em><strong>Privilege Escalation</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0004">TA0004</a>] <ul> <li><i>Process Injection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1055">T1055</a>]</li> <li><i>Process Injection: Process Hollowing</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1055/012">T1055.012</a>]</li> <li><i>Exploitation for Privilege Escalation</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1068">T1068</a>]</li> <li><i>Access Token Manipulation: Token Impersonation/Theft</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1134/001">T1134.001</a>]</li> <li><i>Event Triggered Execution: Accessibility Features </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1546/008">T1546.008</a>]</li> <li><i>Boot or Logon Autostart Execution: Shortcut Modification</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1547/009">T1547.009</a>]</li> <li><i>Abuse Elevation Control Mechanism: Bypass User Access Control</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1548/002">T1548.002</a>]</li> <li><i>Hijack Execution Flow: DLL Side-Loading</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1574/002">T1574.002</a>]</li> </ul> </li> <li><i><em><strong>Defense Evasion</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0005">TA0005</a>] <ul> <li><i>Rootkit</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1014">T1014</a>]</li> <li><i>Obfuscated Files or Information: Binary Padding </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1027/001">T1027.001</a>]</li> <li><i>Obfuscated Files or Information: Software Packing </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1027/002">T1027.002</a>]</li> <li><i>Obfuscated Files or Information: Steganography</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1027/003">T1027.003</a>]</li> <li><i>Obfuscated Files or Information: Indicator Removal from Tools</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1027/005">T1027.005</a>]</li> <li><i>Masquerading: Match Legitimate Name or Location</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1036/005">T1036.005</a>]</li> <li><i>Indicator Removal on Host: Clear Windows Event Logs</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1070/001">T1070.001</a>]</li> <li><i>Indicator Removal on Host: Clear Command History</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1070/003">1070.003</a>]</li> <li><i>Indicator Removal on Host: File Deletion</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1070/004">T1070.004</a>]</li> <li><i>Indicator Removal on Host: Timestomp</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1070/006">T1070.006</a>]</li> <li><i>Modify Registry</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1112">T1112</a>]</li> <li><i>Deobfuscate/Decode Files or Information </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1140">T1140</a>]</li> <li><i>Exploitation for Defense Evasion</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1211">T1211</a>]</li> <li><i>Signed Binary Proxy Execution: Compiled HTML File</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1218/001">T1218.001</a>]</li> <li><i><em>Signed Binary Proxy Execution: Mshta</em></i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1218/005">T1218.005</a>]</li> <li><i>Signed Binary Proxy Execution:<em> Rundll32 </em></i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1218/011">T1218.011</a>]</li> <li><i>Template Injection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1221">T1221</a>]</li> <li><i>Execution Guardrails: Environmental Keying</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1480/001">T1480.001</a>]</li> <li><i>Abuse Elevation Control Mechanism: Bypass User Access Control</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1548/002">T1548.002</a>]</li> <li><i>Use Alternate Authentication Material: Application Access Token</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1550/001">T1550.001</a>]</li> <li><i>Subvert Trust Controls: Code Signing</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1553/002">T1553.002</a>]</li> <li><i>Impair Defenses: Disable or Modify Tools</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1562/001">T1562.001</a>]</li> <li><i>Impair Defenses: Disable or Modify System Firewall</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1562/004">T1562.004</a>]</li> <li><i>Hide Artifacts: Hidden Files and Directories </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1564/001">T1564.001</a>]</li> <li><i>Hide Artifacts: Hidden Window</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1564/003">T1564.003</a>]</li> </ul> </li> <li><i><em><strong>Credential Access</strong></em> </i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0006">TA0006</a>] <ul> <li><i>OS Credential Dumping: LSASS Memory</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1003/001">T1003.001</a>]</li> <li><i>OS Credential Dumping: Security Account Manager </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1003/002">T1003.002</a>]</li> <li><i>OS Credential Dumping: NTDS</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1003/003">T1003.003</a>]</li> <li><i>OS Credential Dumping: LSA Secrets</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1003/004">T1003.004</a>]</li> <li><i>OS Credential Dumping: Cached Domain Credentials</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1003/005">T1003.005</a>]</li> <li><i>Network Sniffing</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1040">T1040</a>]</li> <li><i>Input Capture: Keylogging</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1056/001">T1056.001</a>]</li> <li><i>Brute Force: Password Cracking</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1110/002">T1110.002</a>]<i>Brute Force: Password Spraying</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1110/003">T1110.003</a>]</li> <li><i>Forced Authentication</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1187">T1187</a>]</li> <li><i>Steal Application Access Token</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1528">T1528</a>]</li> <li><i>Unsecured Credentials: Credentials in Files</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1552/001">T1552.001</a>]</li> <li><i>Unsecured Credentials: Group Policy Preferences</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1552/006">T1552.006</a>]</li> <li><i>Credentials from Password Stores: Credentials from Web Browsers</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1555/003">T1555.003</a>]</li> </ul> </li> <li><i><em><strong>Discovery</strong></em> </i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0007">TA0007</a>] <ul> <li><i>System Service Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1007">T1007</a>]</li> <li><i>Query Registry</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1012">T1012</a>]</li> <li><i>System Network Configuration Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1016">T1016</a>]</li> <li><i>Remote System Discovery </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1018">T1018</a>]</li> <li><i>System Owner/User Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1033">T1033</a>]</li> <li><i>Network Sniffing</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1040">T1040</a>]</li> <li><i>Network Service Scanning</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1046">T1046</a>]</li> <li><i>System Network Connections Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1049">T1049</a>]</li> <li><i>Process Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1057">T1057</a>]</li> <li><i>Permission Groups Discovery: Local Groups</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1069/001">T1069.001</a>]</li> <li><i>Permission Groups Discovery: Domain Groups</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1069/002">T1069.002</a>]</li> <li><i>System Information Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1082">T1082</a>]</li> <li><i>File and Directory Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1083">T1083</a>]</li> <li><i>Account Discovery: Local Account</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1087/001">T1087.001</a>]</li> <li><i>Account Discovery: Domain Account</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1087/002">T1087.002</a>]</li> <li><i>Peripheral Device Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1120">T1120</a>]</li> <li><i>Network Share Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1135">T1135</a>]</li> <li><i>Password Policy Discovery </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1201/">T1201</a>]</li> <li><i>Software Discovery: Security Software Discovery</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1518/001">T1518.001</a>]</li> </ul> </li> <li><i><em><strong>Lateral Movement </strong></em></i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0008">TA0008</a>] <ul> <li><i>Remote Services: Remote Desktop Protocol</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1021/001">T1021.001</a>]</li> <li><i>Remote Services: SSH </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1021/004">T1021.004</a>]</li> <li><i>Taint Shared Content </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1080/">T1080</a>]</li> <li><i>Replication Through Removable Media </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1091">T1091</a>]</li> <li><i>Exploitation of Remote Services</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1210">T1210</a>]</li> <li><i>Use Alternate Authentication Material: Pass the Hash </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1550/002">T1550.002</a>]</li> <li><i>Use Alternate Authentication Material: Pass the Ticket</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1550/003">T1550.003</a>]</li> </ul> </li> <li><i><em><strong>Collection</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0009">TA0009</a>] <ul> <li><i>Data from Local System</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1005">T1005</a>]</li> <li><i>Data from Removable Media</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1025">T1025</a>]</li> <li><i>Data Staged: Local Data Staging</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1074/001">T1074.001</a>]</li> <li><i>Screen Capture</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1113">T1113</a>]</li> <li><i>Email Collection: Local Email Collection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1114/001">T1114.001</a>]</li> <li><i>Email Collection: Remote Email Collection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1114/002">T1114.002</a>]</li> <li><i>Automated Collection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1119">T1119</a>]</li> <li><i>Audio Capture</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1123">T1123</a>]</li> <li><i>Data from Information Repositories: SharePoint </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1213/002">T1213.002</a>]</li> <li><i>Archive Collected Data: Archive via Utility</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1560/001">T1560.001</a>]</li> <li><i>Archive Collected Data: Archive via Custom Method</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1560/003">T1560.003</a>]</li> </ul> </li> <li><i><em><strong>Command and Control</strong></em> </i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0011">TA0011</a>] <ul> <li><i>Data Obfuscation: Junk Data</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1001/001/">T1001.001</a>]</li> <li><i>Fallback Channels</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1008">T1008</a>]</li> <li><i>Application Layer Protocol: Web Protocols</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1071/001">T1071.001</a>]</li> <li><i>Application Layer Protocol: File Transfer Protocols</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1071/002">T1071.002</a>]</li> <li><i>Application Layer Protocol: Mail Protocols</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1071/003">T1071.003</a>]</li> <li><i>Application Layer Protocol: DNS</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1071/004">T1071.004</a>]</li> <li><i>Proxy: External Proxy</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1090/002">T1090.002</a>]</li> <li><i>Proxy: Multi-hop Proxy</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1090/003">T1090.003</a>]</li> <li><i>Proxy: Domain Fronting</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1090/004">T1090.004</a>]</li> <li><i>Communication Through Removable Media</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1092">T1092</a>]</li> <li><i>Non-Application Layer Protocol</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1095">T1095</a>]</li> <li><i>Web Service: Dead Drop Resolver</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1102/001">T1102.001</a>]</li> <li><i>Web Service: Bidirectional Communication</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1102/002">T1102.002</a>]</li> <li><i>Multi-Stage Channels</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1104">T1104</a>]</li> <li><i>Ingress Tool Transfer</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1105">T1105</a>]</li> <li><i>Data Encoding: Standard Encoding</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1132/001">T1132.001</a>]</li> <li><i>Remote Access Software</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1219">T1219</a>]</li> <li><i>Dynamic Resolution: Domain Generation Algorithms</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1568/002">T1568.002</a>]</li> <li><i>Non-Standard Port</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1571">T1571</a>]</li> <li><i>Protocol Tunneling</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1572">T1572</a>]</li> <li><i>Encrypted Channel: Symmetric Cryptography</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1573/001">T1573.001</a>]</li> <li><i>Encrypted Channel: Asymmetric Cryptography</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1573/002">T1573.002</a>]</li> </ul> </li> <li><i><em><strong><span style="display: none;">&nbsp;</span>Exfiltration</strong> </em></i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0010">TA0010</a>] <ul> <li><i>Exfiltration Over C2 Channel</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1041">T1041</a>]</li> <li><i>Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1048/003">T1048.003</a>]</li> </ul> </li> <li><i><em><strong>Impact </strong></em></i>[<a href="https://attack.mitre.org/versions/v7/tactics/TA0040">TA0040</a>] <ul> <li><i>Data Encrypted for Impact</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1486">T1486</a>]</li> <li><i>Resource Hijacking</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1496">T1496</a>]</li> <li><i>System Shutdown/Reboot</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1529">T1529</a>]</li> <li><i>Disk Wipe: Disk Structure Wipe</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1561/002">T1561.002</a>]</li> </ul> </li> </ul> <h3>Mitigations</h3><p>CISA and FBI recommend think tank organizations apply the following critical practices to strengthen their security posture.</p> <h4>Leaders</h4> <ul> <li>Implement a training program to familiarize users with identifying social engineering techniques and phishing emails.</li> </ul> <h4>Users/Staff</h4> <ul> <li>Log off remote connections when not in use.</li> <li>Be vigilant against tailored spearphishing attacks targeting corporate and personal accounts (including both email and social media accounts).</li> <li>Use different passwords for corporate and personal accounts.</li> <li>Install antivirus software on personal devices to automatically scan and quarantine suspicious files.</li> <li>Employ strong multi-factor authentication for personal accounts, if available.</li> <li>Exercise caution when: <ul> <li>Opening email attachments, even if the attachment is expected and the sender appears to be known. See <a href="https://www.us-cert.gov/ncas/tips/ST04-010">Using Caution with Email Attachments</a>.</li> <li>Using removable media (e.g., USB thumb drives, external drives, CDs).</li> </ul> </li> </ul> <h4>IT Staff/Cybersecurity Personnel</h4> <ul> <li>Segment and segregate networks and functions.</li> <li>Change the default username and password of applications and appliances.</li> <li>Employ strong multi-factor authentication for corporate accounts.</li> <li>Deploy antivirus software on organizational devices to automatically scan and quarantine suspicious files.</li> <li>Apply encryption to data at rest and data in transit.</li> <li>Use email security appliances to scan and remove malicious email attachments or links.</li> <li>Monitor key internal security tools and identify anomalous behavior. Flag any known indicators of compromise or threat actor behaviors for immediate response.</li> <li>Organizations can implement mitigations of varying complexity and restrictiveness to reduce the risk posed by threat actors who use Tor (The Onion Router) to carry out malicious activities. See the CISA-FBI Joint Cybersecurity Advisory on <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-183a">Defending Against Malicious Cyber Activity Originating from Tor</a> for mitigation options and additional information.</li> <li>Prevent exploitation of known software vulnerabilities by routinely applying software patches and upgrades. Foreign cyber threat actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. If these vulnerabilities are left unpatched, exploitation often requires few resources and provides threat actors with easy access to victim networks. Review CISA and FBI’s <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-133a">Top 10 Routinely Exploited Vulnerabilities</a> and other CISA alerts that identify vulnerabilities exploited by foreign attackers.</li> <li>Implement an antivirus program and a formalized patch management process.</li> <li>Block certain websites and email attachments commonly associated with malware (e.g., .scr, .pif, .cpl, .dll, .exe).</li> <li>Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).</li> <li>Implement Group Policy Object and firewall rules.</li> <li>Implement filters at the email gateway and block suspicious IP addresses at the firewall.</li> <li>Routinely audit domain and local accounts as well as their permission levels to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.</li> <li>Follow best practices for design and administration of the network to limit privileged account use across administrative tiers.</li> <li>Implement a Domain-Based Message Authentication, Reporting &amp; Conformance (DMARC) validation system.</li> <li>Disable or block unnecessary remote services.</li> <li>Limit access to remote services through centrally managed concentrators.</li> <li>Deny direct remote access to internal systems or resources by using network proxies, gateways, and firewalls.</li> <li>Limit unnecessary lateral communications.</li> <li>Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.</li> <li>Ensure applications do not store sensitive data or credentials insecurely.</li> <li>Enable a firewall on agency workstations, configured to deny unsolicited connection requests.</li> <li>Disable unnecessary services on agency workstations and servers.</li> <li>Scan for and remove suspicious email attachments; ensure any scanned attachment is its "true file type" (i.e., the extension matches the file header).</li> <li>Monitor users' web browsing habits; restrict access to suspicious or risky sites. Contact law enforcement or CISA immediately regarding any unauthorized network access identified.</li> <li>Visit the MITRE ATT&amp;CK techniques and tactics pages linked in the ATT&amp;CK Profile section above for additional mitigation and detection strategies for this malicious activity targeting think tanks.</li> </ul> <h3>Contact Information</h3><p>Recipients of this report are encouraged to contribute any additional information that they may have related to this threat. To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <a href="http://www.fbi.gov/contact-us/field">www.fbi.gov/contact-us/field</a>, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at <a href="https://us-cert.cisa.govmailto:CyWatch@fbi.gov">CyWatch@fbi.gov</a>. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at <a href="https://us-cert.cisa.govmailto:Central@cisa.gov">Central@cisa.gov</a>.</p> <h3>References</h3> <ul> <li><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-120a">CISA Alert: Microsoft Office 365 Security Recommendations</a></li> <li><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-245a">CISA Alert: Technical Approaches to Uncovering and Remediating Malicious Activity</a></li> <li><a href="https://www.cisa.gov/telework">CISA Webpage: Telework Guidance</a></li> <li><a href="https://www.cisa.gov/vpn-related-guidance">CISA Webpage: VPN-Related Guidance</a></li> <li><a href="http://image.communications.cyber.nj.gov/lib/fe3e15707564047c7c1270/m/2/PIN+-+4.9.2020.pdf">FBI Private Industry Notification: PIN 20200409-001</a></li> </ul> <h3>References</h3> <ul> <li><a href="https://www.cyberscoop.com/european-think-tanks-hack-microsoft-fancy-bear-russia/">[1] CyberScoop: As Europe prepares to vote, Microsoft warns of Fancy Bear attacks on democratic think tanks</a></li> </ul> <h3>Revisions</h3> <ul> <li>Initial Version: December 1, 2020</li> </ul> <hr /> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p class="privacy-and-terms">This product is provided subject to this <a href="https://us-cert.cisa.gov/privacy/notification">Notification</a> and this <a href="https://www.dhs.gov/privacy-policy">Privacy &amp; Use</a> policy.</p> </div>
Categories: US-CERT Feed

Fortinet FortiOS System File Leak

US-Cert Current Activity - Fri, 11/27/2020 - 11:00am
Original release date: November 27, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of the possible exposure of passwords on Fortinet devices that are vulnerable to CVE 2018-13379. Exploitation of this vulnerability may allow an unauthenticated attacker to access FortiOS system files. Potentially affected devices may be located in the United States.

Fortinet has released a security advisory to highlight mitigation of this vulnerability. CISA encourages users and administrators to review the advisory and apply the necessary updates immediately. Additionally, CISA recommends Fortinet users conduct a thorough review of logs on any connected networks to detect any additional threat actor activity.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Drupal Releases Security Updates

US-Cert Current Activity - Fri, 11/27/2020 - 10:53am
Original release date: November 27, 2020

Drupal has released security updates to address vulnerabilities in Drupal 7, 8.8 and earlier, 8.9, and 9.0. An attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Drupal Advisory SA-CORE-2020-013 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Online Holiday Shopping Scams

US-Cert Current Activity - Tue, 11/24/2020 - 7:08am
Original release date: November 24, 2020

With more commerce occurring online this year, and with the holiday season upon us, the Cybersecurity and Infrastructure Security Agency (CISA) reminds shoppers to remain vigilant. Be especially cautious of fraudulent sites spoofing reputable businesses, unsolicited emails purporting to be from charities, and unencrypted financial transactions.

CISA encourages online holiday shoppers to review the following resources.

If you believe you are a victim of a scam, consider the following actions.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

VMware Releases Workarounds for CVE-2020-4006

US-Cert Current Activity - Mon, 11/23/2020 - 2:14pm
Original release date: November 23, 2020

VMware has released workarounds to address a vulnerability—CVE-2020-4006—in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. An attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency encourages users and administrators to review VMware Security Advisory VMSA-2020-0027 and apply the necessary workarounds.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

VMware Releases Security Updates for VMware SD-WAN Orchestrator

US-Cert Current Activity - Thu, 11/19/2020 - 10:18am
Original release date: November 19, 2020

VMware has released security updates to address multiple vulnerabilities in VMware SD-WAN Orchestrator. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2020-0025 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird

US-Cert Current Activity - Thu, 11/19/2020 - 10:12am
Original release date: November 19, 2020

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisories for Firefox 83, Firefox ESR 78.5, and Thunderbird 78.5 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Google Releases Security Updates for Chrome

US-Cert Current Activity - Thu, 11/19/2020 - 10:10am
Original release date: November 19, 2020

Google has released Chrome version 87.0.4280.66 for Windows, Mac, and Linux to address multiple vulnerabilities. Some of these vulnerabilities could allow an attacker to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Drupal Releases Security Updates

US-Cert Current Activity - Thu, 11/19/2020 - 10:09am
Original release date: November 19, 2020

Drupal has released security updates to address a critical vulnerability in Drupal 7, 8.8 and earlier, 8.9, and 9.0. An attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Drupal Advisory SA-CORE-2020-012, apply the necessary updates, and follow the additional recommendation.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Cisco Releases Security Updates for Multiple Products

US-Cert Current Activity - Thu, 11/19/2020 - 10:04am
Original release date: November 19, 2020

Cisco has released security updates to address vulnerabilities in multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates.

For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.
 

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Cisco Releases Security Updates for Security Manager

US-Cert Current Activity - Tue, 11/17/2020 - 11:42am
Original release date: November 17, 2020

Cisco has released security updates to address vulnerabilities in Cisco Security Manager. A remote attacker could exploit these vulnerabilities to obtain sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Apple Releases Security Updates for Multiple Products

US-Cert Current Activity - Fri, 11/13/2020 - 11:46am
Original release date: November 13, 2020

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. These vulnerabilities have been detected in exploits in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for macOS Big Sur 11.0, 11.0.1 and for macOS High Sierra 10.13.6, macOS Mojave 10.14.6 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Google Releases Security Updates for Chrome

US-Cert Current Activity - Thu, 11/12/2020 - 11:39am
Original release date: November 12, 2020

Google has released Chrome version 86.0.4240.198 for Windows, Mac, and Linux. This version addresses CVE-2020-16013 and CVE-2020-16017. An attacker could exploit one of these vulnerabilities to take control of an affected system. These vulnerabilities have been detected in exploits in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following resources and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Adobe Releases Security Updates for Multiple Products

US-Cert Current Activity - Tue, 11/10/2020 - 4:55pm
Original release date: November 10, 2020

Adobe has released security updates to address vulnerabilities in multiple products.  An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Adobe security advisories for Adobe Connect and Adobe Reader for Android and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Cisco Releases Security Update for IOS XR Software

US-Cert Current Activity - Tue, 11/10/2020 - 4:31pm
Original release date: November 10, 2020

Cisco has released a security update to address a vulnerability in IOS XR Software for ASR 9000 Series Aggregation Services Routers. An unauthenticated, remote attacker could exploit this vulnerability to cause a denial-of-service condition.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Cisco security advisory and apply the necessary update.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Microsoft Releases November 2020 Security Updates

US-Cert Current Activity - Tue, 11/10/2020 - 1:18pm
Original release date: November 10, 2020

Microsoft has released updates to address vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s November 2020 Security Update Summary and Deployment Information and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

SAP Releases November 2020 Security Updates

US-Cert Current Activity - Tue, 11/10/2020 - 11:37am
Original release date: November 10, 2020

SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. These include missing authentication check vulnerabilities affecting SAP Solution Manager (JAVA stack).

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the SAP Security Notes for November 2020 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird

US-Cert Current Activity - Tue, 11/10/2020 - 11:00am
Original release date: November 10, 2020

Mozilla has released security updates to address a vulnerability in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 82.0.3, Firefox ESR 78.4.1, and Thunderbird 78.4.2 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Apple Releases Security Updates for Multiple Products

US-Cert Current Activity - Fri, 11/06/2020 - 12:06pm
Original release date: November 6, 2020

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Cisco Releases Security Updates for Multiple Products

US-Cert Current Activity - Thu, 11/05/2020 - 12:01pm
Original release date: November 5, 2020

Cisco has released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Cisco Security Advisories page and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Pages