News Listing
December 07, 2023
The Apache Software Foundation has released a security bulletin to address a vulnerability in Apache Struts.
December 07, 2023
The Russia-based actor is targeting organizations and individuals in the UK and other geographical areas of interest.
OVERVIEW
The Russia-based actor Star Blizzard (formerly known as SEABORGIUM, also known as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie) continues to successfully use spear-phishing attacks against targeted organizations and individuals in the UK, and other geographical areas of interest, for information-gathering activity.
The UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the US Cyber National Mission Force (CNMF), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ) assess that Star Blizzard is almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18.
Industry has previously published details of Star Blizzard. This advisory draws on that body of information.
This advisory raises awareness of the spear-phishing techniques Star Blizzard uses to target individuals and organizations. This activity is continuing through 2023.
To download a PDF version of this advisory, see Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns.
TARGETING PROFILE
Since 2019, Star Blizzard has targeted sectors including academia, defense, governmental organizations, NGOs, think tanks and politicians.
Targets in the UK and US appear to have been most affected by Star Blizzard activity; however, activity has also been observed against targets in other NATO countries and in countries neighboring Russia.
During 2022, Star Blizzard activity appeared to expand further, to include defense-industrial targets, as well as US Department of Energy facilities.
OUTLINE OF THE ATTACKS
The activity is typical of spear-phishing campaigns, where an actor targets a specific individual or group using information known to be of interest to the targets. In a spear-phishing campaign, an actor perceives their target to have direct access to information of interest, be an access vector to another target, or both.
Research and Preparation
Using open-source resources to conduct reconnaissance, including social media and professional networking platforms, Star Blizzard identifies hooks to engage their target. They take the time to research their targets’ interests and identify their real-world social or professional contacts [T1589], [T1593].
Star Blizzard creates email accounts impersonating known contacts of their targets to help appear legitimate. They also create fake social media or networking profiles that impersonate respected experts [T1585.001] and have used supposed conference or event invitations as lures.
Star Blizzard uses webmail addresses from different providers, including Outlook, Gmail, Yahoo and Proton Mail, in their initial approach [T1585.002], impersonating known contacts of the target or well-known names in the target’s field of interest or sector.
To appear authentic, the actor also creates malicious domains resembling legitimate organizations [T1583.001].
Microsoft Threat Intelligence Center (MSTIC) provides a list of observed Indicators of Compromise (IOCs) in their SEABORGIUM blog, but this is not exhaustive.
Preference for Personal Email Addresses
Star Blizzard has predominantly sent spear-phishing emails to targets’ personal email addresses, although they have also used targets’ corporate or business email addresses. The actors may intentionally use personal addresses to circumvent security controls in place on corporate networks.
Building a Rapport
Having taken the time to research their targets’ interests and contacts to create a believable approach, Star Blizzard now starts to build trust. They often begin by establishing benign contact on a topic they hope will engage their targets. There is often some correspondence between attacker and target, sometimes over an extended period, as the attacker builds rapport.
Delivery of Malicious Link
Once trust is established, the attacker uses typical phishing tradecraft and shares a link [T1566.002], apparently to a document or website of interest. This leads the target to an actor-controlled server, prompting the target to enter account credentials.
The malicious link may be a URL in an email message, or the actor may embed a link in a document [T1566.001] on OneDrive, Google Drive, or other file-sharing platforms.
Star Blizzard uses the open-source framework EvilGinx in their spear-phishing activity, which allows them to harvest credentials and session cookies and so bypass two-factor authentication [T1539], [T1550.004].
Exploitation and Further Activity
Whichever delivery method is used, once the target clicks on the malicious URL, they are directed to an actor-controlled server that mirrors the sign-in page for a legitimate service. Any credentials entered at this point are now compromised.
Star Blizzard then uses the stolen credentials to log in to a target’s email account [T1078], where they are known to access and steal emails and attachments from the victim’s inbox [T1114.002]. They have also set up mail-forwarding rules, giving them ongoing visibility of victim correspondence [T1114.003].
The actor has also used their access to a victim email account to access mailing-list data and a victim’s contacts list, which they then use for follow-on targeting. They have also used compromised email accounts for further phishing activity [T1586.002].
CONCLUSION
Spear-phishing is an established technique used by many actors, and Star Blizzard uses it successfully, evolving the technique to maintain their success.
Individuals and organizations from previously targeted sectors should be vigilant of the techniques described in this advisory.
In the UK you can report related suspicious activity to the NCSC.
Information on effective defense against spear-phishing is included in the Mitigations section below.
MITRE ATT&CK®
This report has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
Tactic | ID | Technique | Procedure
Reconnaissance | T1593 | Search Open Websites/Domains | Star Blizzard uses open-source research and social media to identify information about victims to use in targeting.
Reconnaissance | T1589 | Gather Victim Identity Information | Star Blizzard uses online data sets and open-source resources to gather information about their targets.
Resource Development | T1585.001 | Establish Accounts: Social Media Accounts | Star Blizzard has been observed establishing fraudulent profiles on professional networking sites to conduct reconnaissance.
Resource Development | T1585.002 | Establish Accounts: Email Accounts | Star Blizzard registers consumer email accounts matching the names of individuals they are impersonating to conduct spear-phishing activity.
Resource Development | T1583.001 | Acquire Infrastructure: Domains | Star Blizzard registers domains to host their phishing framework.
Resource Development | T1586.002 | Compromise Accounts: Email Accounts | Star Blizzard has been observed using compromised victim email accounts to conduct spear-phishing activity against contacts of the original victim.
Initial Access | T1078 | Valid Accounts | Star Blizzard uses compromised credentials, captured from fake log-in pages, to log in to valid victim user accounts.
Initial Access | T1566.001 | Phishing: Spear-phishing Attachment | Star Blizzard uses malicious links embedded in email attachments to direct victims to their credential-stealing sites.
Initial Access | T1566.002 | Phishing: Spear-phishing Link | Star Blizzard sends spear-phishing emails with malicious links directly to credential-stealing sites, or to documents hosted on a file-sharing site, which then direct victims to credential-stealing sites.
Defense Evasion | T1550.004 | Use Alternate Authentication Material: Web Session Cookie | Star Blizzard bypasses multi-factor authentication on victim email accounts by using session cookies stolen using EvilGinx.
Credential Access | T1539 | Steal Web Session Cookie | Star Blizzard uses EvilGinx to steal the session cookies of victims directed to their fake log-in domains.
Collection | T1114.002 | Email Collection: Remote Email Collection | Star Blizzard interacts directly with externally facing Exchange services, Office 365 and Google Workspace to access email and steal information using compromised credentials or access tokens.
Collection | T1114.003 | Email Collection: Email Forwarding Rule | Star Blizzard abuses email-forwarding rules to monitor the activities of a victim, steal information, and maintain persistent access to the victim's emails, even after compromised credentials are reset.
MITIGATIONS
A number of mitigations will be useful in defending against the activity described in this advisory.
Use strong passwords. Use a separate password for email accounts and avoid password re-use across multiple services. See NCSC guidance: Top Tips for Staying Secure Online.
Use multi-factor authentication (2-factor authentication/two-step authentication) to reduce the impact of password compromises. See NCSC guidance: Multi-factor Authentication for Online Services and Setting Up 2-Step Verification (2SV).
Protect your devices and networks by keeping them up to date: Use the latest supported versions, apply security updates promptly, use anti-virus and scan regularly to guard against known malware threats. See NCSC guidance: Device Security Guidance.
Exercise vigilance. Spear-phishing emails are tailored to avoid suspicion. You may recognize the sender’s name, but has the email come from an address that you recognize? Would you expect contact from this person’s webmail address rather than their corporate email address? Has the suspicious email come to your personal/webmail address rather than your corporate one? Can you verify that the email is legitimate via another means? See NCSC guidance: Phishing Attacks: Defending Your Organization, and Internet Crime Complaint Center (IC3) | Industry Alerts.
Enable your email providers’ automated email scanning features. These are turned on by default for consumer mail providers. See NCSC guidance: Telling Users to "Avoid Clicking Bad Links" Still Isn’t Working.
Disable mail-forwarding. Attackers have been observed setting up mail-forwarding rules to maintain visibility of target emails. If you cannot disable mail-forwarding, then monitor settings regularly to ensure that a forwarding rule has not been set up by an external malicious actor.
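The monitoring step in the last mitigation can be automated. The script below is an added example (not part of the NCSC/CISA advisory) that audits exported Microsoft 365 Unified Audit Log records for inbox rules and mailbox settings that forward, redirect or hide mail, and ranks external, concealed forwarding first. The record shape (Operation, UserId, ClientIP and a Parameters list of Name/Value pairs) follows Exchange audit records; the sample records, addresses, IPs and the internal-domain list are constructed assumptions.

```python
"""Audit Microsoft 365 Unified Audit Log (Exchange) records for mail-forwarding rules.

Added example, not part of the advisory. Records follow the exported shape of
Exchange audit records: Operation, UserId, ClientIP and a Parameters list of
Name/Value pairs. The sample records, addresses and IPs below are constructed.
"""
from dataclasses import dataclass

# Cmdlet parameters that send a copy of mail out of the mailbox.
FORWARDING_PARAMS = {
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",   # inbox-rule actions
    "ForwardingSmtpAddress", "ForwardingAddress",         # mailbox-level forwarding
}
# Parameters that hide the forwarded mail from the mailbox owner.
CONCEALMENT_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
# Cmdlet-based operations covered here. Rules created from an Outlook client are
# logged as UpdateInboxRules with their actions under OperationProperties and
# need a separate parser.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


@dataclass
class Finding:
    mailbox: str
    operation: str
    client_ip: str
    destinations: tuple
    concealed: bool   # forwarded mail is deleted, moved or marked read
    external: bool    # at least one destination is outside the organisation


def _params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address, internal_domains):
    # Values may carry an "smtp:" prefix; compare the domain part only.
    addr = address.split(":", 1)[-1].strip().lower()
    return "@" not in addr or addr.rsplit("@", 1)[1] not in internal_domains


def audit_forwarding(records, internal_domains):
    """Return one Finding per record that configures forwarding or redirection."""
    findings = []
    for rec in records:
        op = rec.get("Operation")
        if op not in RULE_OPERATIONS:
            continue
        params = _params(rec)
        destinations = []
        for name in sorted(FORWARDING_PARAMS.intersection(params)):
            # Multi-valued parameters are exported as semicolon-separated strings.
            destinations.extend(v.strip() for v in params[name].split(";") if v.strip())
        if not destinations:
            continue
        concealed = any(params.get(p) not in (None, "", "False") for p in CONCEALMENT_PARAMS)
        external = any(is_external(d, internal_domains) for d in destinations)
        # Set-Mailbox acts on the Identity parameter, not on the caller's own mailbox.
        mailbox = params.get("Identity", rec.get("UserId")) if op == "Set-Mailbox" else rec.get("UserId")
        findings.append(Finding(mailbox, op, rec.get("ClientIP", ""), tuple(destinations), concealed, external))
    return findings


def prioritise(findings):
    """External destination plus concealment first, then external, then internal."""
    return sorted(findings, key=lambda f: (not (f.external and f.concealed), not f.external))


# Constructed sample export: a hidden external rule, an admin-set forward,
# a benign filing rule and an internal redirect.
SAMPLE_RECORDS = [
    {"CreationTime": "2023-11-14T07:12:03", "Operation": "New-InboxRule", "UserId": "alice@example.org",
     "ClientIP": "203.0.113.10", "Parameters": [{"Name": "Name", "Value": "."},
     {"Name": "ForwardAsAttachmentTo", "Value": "smtp:archive.mail@example.net"},
     {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2023-11-14T09:40:51", "Operation": "Set-Mailbox", "UserId": "admin@example.org",
     "ClientIP": "198.51.100.7", "Parameters": [{"Name": "Identity", "Value": "bob@example.org"},
     {"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.personal@example.com"},
     {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2023-11-14T10:02:19", "Operation": "New-InboxRule", "UserId": "carol@example.org",
     "ClientIP": "192.0.2.44", "Parameters": [{"Name": "Name", "Value": "Team news"},
     {"Name": "SubjectContainsWords", "Value": "newsletter"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2023-11-14T10:05:00", "Operation": "Set-InboxRule", "UserId": "dave@example.org",
     "ClientIP": "192.0.2.45", "Parameters": [{"Name": "Identity", "Value": "Project"},
     {"Name": "RedirectTo", "Value": "pm@example.org"}]},
]

if __name__ == "__main__":
    internal = {"example.org"}   # assumed: the organisation's own mail domains
    for f in prioritise(audit_forwarding(SAMPLE_RECORDS, internal)):
        print(f"{'EXT' if f.external else 'int'} {'HIDDEN' if f.concealed else '      '} "
              f"{f.mailbox:<20} {f.operation:<14} {f.client_ip:<15} -> {', '.join(f.destinations)}")
```

The rule with an external destination and DeleteMessage set is the pattern that keeps working after a password reset, which is why it sorts first; a Set-Mailbox forward set by an administrator account from an unfamiliar IP deserves the same scrutiny, since the actor may be using a second compromised account. Rules created from an Outlook client appear as UpdateInboxRules records and are not covered by this parser.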
DISCLAIMER
This report draws on information derived from NCSC and industry sources. Any NCSC findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.
This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation.
Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk.
All material is UK Crown Copyright©.
December 06, 2023
Cisco released a security advisory to address a vulnerability in Cisco software.
December 06, 2023
Google released a security update to address multiple vulnerabilities in Google Chrome.
December 05, 2023
SonicWall has released a security advisory to address multiple vulnerabilities in SMA 100 series products.
December 05, 2023
Google has released the Android Security Bulletin for December 2023 to fix multiple security vulnerabilities in the Android operating system.
December 05, 2023
SUMMARY
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing a Cybersecurity Advisory (CSA) in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch (FCEB) agency. This vulnerability presents as an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations; however, they are no longer supported since they reached end of life. Exploitation of this CVE can result in arbitrary code execution. Following the FCEB agency’s investigation, analysis of network logs confirmed the compromise of at least two public-facing servers within the environment between June and July 2023.
This CSA provides network defenders with tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and methods to detect and protect against similar exploitation.
Download the PDF version of this report:
AA23-339A Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers (PDF, 449.49 KB)
For a downloadable copy of IOCs, see:
AA23-339A STIX XML (XML, 23.83 KB)
AA23-339A STIX JSON (JSON, 23.29 KB)
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for tables mapped to the threat actors’ activity.
Overview
Adobe ColdFusion is a commercial application server used for rapid web-application development. ColdFusion supports proprietary markup languages for building web applications and integrates external components like databases and other third-party libraries. ColdFusion uses a proprietary language, ColdFusion Markup Language (CFML), for development, but the application server itself is built in Java.
In June 2023, through exploitation of CVE-2023-26360, threat actors established an initial foothold on two agency systems in two separate instances. In both incidents, Microsoft Defender for Endpoint (MDE) alerted on potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment. Both servers were running outdated software versions vulnerable to various CVEs. The threat actors ran various commands on the compromised web servers; the exploited vulnerability allowed them to drop malware using HTTP POST requests to the directory path associated with ColdFusion.
Analysis suggests that the malicious activity conducted by the threat actors was a reconnaissance effort to map the broader network. No evidence is available to confirm successful data exfiltration or lateral movement during either incident. Note: It is unknown if the same or different threat actors were behind each incident.
Incident 1
As early as June 26, 2023, threat actors obtained an initial foothold on a public-facing [T1190] web server running Adobe ColdFusion v2016.0.0.3 through exploitation of CVE-2023-26360. Threat actors successfully connected from malicious IP address 158.101.73[.]241. Disclaimer: CISA recommends organizations investigate or vet this IP address prior to taking action, such as blocking. This IP resolves to a public cloud service provider and possibly hosts a large volume of legitimate traffic.
The agency’s correlation of Internet Information Services (IIS) logs against open source[1] information indicates that the identified uniform resource identifier (URI) /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc was used to exploit CVE-2023-26360. The agency removed the asset from the network within 24 hours of the MDE alert.
Threat actors started process enumeration to obtain currently running processes on the web server and performed a network connectivity check, likely to confirm their connection was successful. Following additional enumeration efforts to obtain information about the web server and its operating system [T1082], the threat actors checked for the presence of ColdFusion version 2018 [T1518]—previous checks were also conducted against version 2016.
Threat actors were observed traversing the filesystem [T1083] and uploading various artifacts to the web server [T1105]; they also deleted the file tat.cfm [T1070.004]. Note: This file was deleted before the victim could locate it on the host for analysis. Its characteristics and functionality are unknown. In addition:
Certutil[2] was run against conf.txt [T1140], decoding it into a web shell (config.jsp) [T1505.003], [T1036.008]. Conf.txt was subsequently deleted, likely to evade detection. Note: Threat actors were only observed interacting with the config.jsp web shell from this point on.
HTTP POST requests [T1071.001] were made to config.cfm, an expected configuration file in a standard installation of ColdFusion [T1036.005]. Code review of config.cfm indicated that malicious code, intended to execute on ColdFusion 9 or earlier, had been inserted with the intent to extract usernames, passwords, and data source uniform resource locators (URLs). According to analysis, this code insertion could be used in future malicious activity by the threat actors (e.g., by using the valid credentials that were compromised). This file also contained code used by the threat actors to upload additional files; however, the agency was unable to identify their origin.
Threat actors attempted to run attrib.exe to hide the newly created config.jsp web shell [T1564.001]. Analysis of this phase found no indication of successful execution.
A small subset of events generated from various ColdFusion application logs identified that tat.cfm, config.jsp, and system.cfm failed to execute on the host due to syntax errors.
Threat actors created various files (see Table 1 below) in the C:\IBM directory using the initialization process coldfusion.exe. None of these files were located on the server (possibly due to threat actor deletion) but are assessed as likely threat actor tools. Analysts assessed the C:\IBM directory as a staging folder to support threat actors’ malicious operations.
Disclaimer: Organizations are encouraged to investigate the use of these files for related signs of compromise prior to performing remediation actions. Two artifacts are legitimate Microsoft files; threat actors were observed using these files following initial compromise for intended malicious purposes.
Table 1: Threat Actor Tools
File Name
Hash (SHA-1)
Description
eee.exe
b6818d2d5cbd902ce23461f24fc47e24937250e6
VirusTotal[3] flags this file as malicious. This was located in D:\$RECYCLE.BIN.
edge.exe
75a8ceded496269e9877c2d55f6ce13551d93ff4
The dynamic-link library (DLL) file msedge.dll attempted to execute via edge.exe but received an error.
Note: This file is part of the official Microsoft Edge browser and is a cookie exporter.
fscan.exe
be332b6e2e2ed9e1e57d8aafa0c00aa77d4b8656
Analysis confirmed at least three subnets were scanned using fscan.exe, which was launched from the C:\IBM directory [T1046].
RC.exe
9126b8320d18a52b1315d5ada08e1c380d18806b
RCDLL.dll attempted to execute via RC.exe but received an error.
Note: This file is part of the official Windows operating system and is called Microsoft Resource Compiler.
Note: The malicious code found on the system during this incident contained code that, when executed, would attempt to decrypt passwords for ColdFusion data sources. The seed value included in the code is a known value for ColdFusion version 8 or older—where the seed value was hard-coded. A threat actor who has control over the database server can use the values to decrypt the data source passwords in ColdFusion version 8 or older. The victim’s servers were running a newer version at the time of compromise; thus, the malicious code failed to decrypt passwords using the default hard-coded seed value for the older versions.
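The agency identified the exploitation by correlating IIS logs against the URI above. The following script is an added example, not from the CISA advisory, that performs that hunt over IIS W3C logs: it reads the column layout from the #Fields directive, flags requests to the exploitation URI, POSTs into ColdFusion web directories (the file-drop behaviour described earlier in this section), JSP files served from those directories (the config.jsp web shell pattern), and requests from the two client IPs the advisory lists. The log excerpt is constructed; the /cf_scripts/ and /CFIDE/ prefixes are assumed to be the default ColdFusion layout, and, as the advisory states, the listed IPs should be vetted before blocking.

```python
"""Hunt IIS W3C logs for the ColdFusion exploitation pattern from Incident 1.

Added example, not from the CISA advisory. The log excerpt is constructed; the
exploitation URI and the two client IPs are the ones the advisory lists, and the
advisory asks that those IPs be vetted before blocking because the cloud ranges
also carry legitimate traffic.
"""
from collections import Counter

EXPLOIT_URI = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc"
# Web-accessible ColdFusion directories in a default install (assumed layout).
CF_PREFIXES = ("/cf_scripts/", "/cfide/")
ADVISORY_IPS = {"158.101.73.241", "125.227.50.97"}

# Constructed log excerpt (IIS encodes spaces inside a field as '+').
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-06-26 03:14:07 10.0.0.5 GET /index.cfm - 443 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) 200
2023-06-26 03:14:09 10.0.0.5 POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc - 443 158.101.73.241 python-requests/2.31.0 200
2023-06-26 03:14:10 10.0.0.5 POST /CFIDE/config.cfm - 443 158.101.73.241 python-requests/2.31.0 200
2023-06-26 03:14:15 10.0.0.5 GET /CFIDE/config.jsp - 443 158.101.73.241 python-requests/2.31.0 200
2023-06-26 03:20:41 10.0.0.5 GET /cf_scripts/scripts/ajax/ckeditor/ckeditor.js - 443 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def parse_iis(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def classify(req):
    """Return the reasons a request is suspicious (empty list when none)."""
    uri = req["cs-uri-stem"].lower()
    method = req["cs-method"].upper()
    reasons = []
    if uri == EXPLOIT_URI.lower():
        reasons.append("request to the CVE-2023-26360 exploitation URI")
    if method == "POST" and uri.startswith(CF_PREFIXES):
        reasons.append("POST into a ColdFusion directory (possible file drop)")
    if uri.endswith(".jsp") and uri.startswith(CF_PREFIXES):
        reasons.append("JSP served from a ColdFusion path (possible web shell)")
    if req["c-ip"] in ADVISORY_IPS:
        reasons.append("client IP listed in the advisory (vet before blocking)")
    return reasons


def hunt(text):
    """Return (flagged requests, per-client-IP hit counts) for an IIS log."""
    flagged, by_ip = [], Counter()
    for req in parse_iis(text):
        reasons = classify(req)
        if reasons:
            flagged.append({"when": f"{req['date']} {req['time']}", "ip": req["c-ip"],
                            "method": req["cs-method"], "uri": req["cs-uri-stem"], "reasons": reasons})
            by_ip[req["c-ip"]] += 1
    return flagged, by_ip


if __name__ == "__main__":
    hits, counts = hunt(SAMPLE_LOG)
    for h in hits:
        print(h["when"], h["ip"], h["method"], h["uri"], "|", "; ".join(h["reasons"]))
    print("hits per client IP:", dict(counts))
```

A single GET to the exploitation URI is weak evidence on its own, since the file ships with ColdFusion; the sequence that matters is the request to iedit.cfc followed within seconds by a POST into a ColdFusion directory and then requests for a JSP that the installation never shipped, all from one client. Run the same hunt against the ColdFusion application logs as well, because the advisory notes that several dropped files failed with syntax errors and those failures are recorded there rather than in IIS.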
Incident 2
As early as June 2, 2023, threat actors obtained an initial foothold on an additional public-facing web server running Adobe ColdFusion v2021.0.0.2 through exploitation of CVE-2023-26360, connecting from malicious IP address 125.227.50[.]97. Threat actors further enumerated domain trusts to identify lateral movement opportunities [T1482] by using nltest commands. The threat actors also collected information about local [T1087.001] and domain [T1087.002] administrative user accounts while performing reconnaissance, using commands such as localgroup, net user, net user /domain, and ID. Host and network reconnaissance efforts were further conducted to discover network configuration, time logs, and query user information.
Threat actors were observed dropping the file d.txt—decoded as d.jsp—via an HTTP POST request, in addition to eight malicious artifacts (hiddenfield.jsp, hiddenfield_jsp.class, hiddenfield_jsp.java, Connection.jsp, Connection_jsp.class, Connection_jsp.java, d_jsp.class, and d_jsp.java). According to open source information, d.jsp is a remote access trojan (RAT) that utilizes a JavaScript loader [T1059.007] to infect the device and requires communication with the actor-controlled server to perform actions.[4] The agency’s analysis identified the trojan as a modified version of publicly available web shell code.[5] After establishing persistence, threat actors periodically tested network connectivity by pinging Google’s domain name system (DNS) [T1016.001]. The threat actors conducted additional reconnaissance by searching for the .jsp files that had been uploaded.
Threat actors attempted to exfiltrate the files sam.zip and sec.zip (compressed Registry hives), blank.jsp, and cf-bootstrap.jar. Windows event logs show the attempt was not successful because the malicious activity was detected and quarantined. An additional file (sys.zip) was created on the system; however, there were no indications of any attempt to exfiltrate it. Analysis identified that these .zip files resulted from saving and compressing data from the HKEY_LOCAL_MACHINE (HKLM) Registry key, including the security account manager (SAM) hive [T1003.002]. The SAM Registry hive may allow malicious actors to obtain usernames and reverse engineer passwords; however, no artifacts were available to confirm that the threat actors successfully exfiltrated it.
Windows event logs show that a malicious file (1.dat) was detected and quarantined. Analysis determined this file was a local security authority subsystem service (LSASS) dump [T1003.001] that contained user accounts—including multiple disabled credentials—and Windows NT LAN Manager (NTLM) passwords. The accounts were found on multiple servers across the victim’s network and were not successfully used for lateral movement.
As reconnaissance continued, the threat actors changed their approach and used utilities already present on the victim server. Esentutl.exe[6] was used to attempt the Registry dump described above. Attempts to download data from the threat actors’ command and control (C2) server were also observed but were blocked and logged by the victim server. Threat actors further attempted to access SYSVOL on an agency domain controller, the share used to deliver policy and logon scripts to domain members [T1484.001]. The attempt was unsuccessful. Had it succeeded, the threat actors may have been able to change policies across compromised servers.[7]
Note: During this incident, analysis strongly suggests that the threat actors likely viewed the data contained in the ColdFusion seed.properties file via the web shell interface. The seed.properties file contains the seed value and encryption method used to encrypt passwords; the seed values can also be used to decrypt them. No malicious code was found on the victim system to indicate the threat actors attempted to decode any passwords using the values found in the seed.properties file. ColdFusion versions 9 and greater use the seed.properties file, which contains unique seed values that can only be used on a single server.
MITRE ATT&CK TACTICS AND TECHNIQUES
See Tables 2-9 for all referenced threat actor tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Table 2: Initial Access

| Technique Title | ID | Use |
| --- | --- | --- |
| Exploit Public-Facing Application | T1190 | Threat actors exploited two public-facing web servers running outdated versions of Adobe ColdFusion. |

Table 3: Execution

| Technique Title | ID | Use |
| --- | --- | --- |
| Command and Scripting Interpreter: JavaScript | T1059.007 | In correlation with open source information, analysis determined d.jsp is a RAT that utilizes a JavaScript loader to infect the device and requires communication with the actor-controlled server to perform actions. |

Table 4: Persistence

| Technique Title | ID | Use |
| --- | --- | --- |
| Server Software Component: Web Shell | T1505.003 | Threat actors uploaded various web shells to enable remote code execution and to execute commands on compromised web servers. |

Table 5: Privilege Escalation

| Technique Title | ID | Use |
| --- | --- | --- |
| Domain Policy Modification: Group Policy Modification | T1484.001 | Threat actors attempted to edit SYSVOL on an agency domain controller to change policies. |

Table 6: Defense Evasion

| Technique Title | ID | Use |
| --- | --- | --- |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Threat actors inserted malicious code with the intent to extract username, password, and data source URLs into config.cfm—an expected configuration file in a standard installation of ColdFusion. |
| Masquerading: Masquerade File Type | T1036.008 | Threat actors used the .txt file extension to disguise malware files. |
| Indicator Removal: File Deletion | T1070.004 | Threat actors deleted files following upload to remove malicious indicators. |
| Deobfuscate/Decode Files or Information | T1140 | Threat actors used certutil to decode web shells hidden inside .txt files. |
| Hide Artifacts: Hidden Files and Directories | T1564.001 | Threat actors attempted to run attrib.exe to hide the newly created config.jsp web shell. |

Table 7: Credential Access

| Technique Title | ID | Use |
| --- | --- | --- |
| OS Credential Dumping: LSASS Memory | T1003.001 | Threat actors attempted to harvest user account credentials through LSASS memory dumping. |
| OS Credential Dumping: Security Account Manager | T1003.002 | Threat actors saved and compressed SAM information to .zip files. |

Table 8: Discovery

| Technique Title | ID | Use |
| --- | --- | --- |
| System Network Configuration Discovery: Internet Connection Discovery | T1016.001 | Threat actors periodically tested network connectivity by pinging Google’s DNS. |
| Network Service Discovery | T1046 | Threat actors scanned at least three subnets to gather network information using fscan.exe, to include administrative data for future exfiltration. |
| System Information Discovery | T1082 | Threat actors collected information about the web server and its operating system. |
| File and Directory Discovery | T1083 | Threat actors traversed and were able to search through folders on the victim’s web server filesystem. Additional reconnaissance efforts were conducted via searching for the .jsp files that were uploaded. |
| Account Discovery: Local Account | T1087.001 | Threat actors collected information about local user accounts. |
| Account Discovery: Domain Account | T1087.002 | Threat actors collected information about domain users, including identification of domain admin accounts. |
| Domain Trust Discovery | T1482 | Threat actors enumerated domain trusts to identify lateral movement opportunities. |
| Software Discovery | T1518 | Following initial access and enumeration, threat actors checked for the presence of ColdFusion version 2018 on the victim web server. |

Table 9: Command and Control

| Technique Title | ID | Use |
| --- | --- | --- |
| Application Layer Protocol: Web Protocols | T1071.001 | Threat actors used HTTP POST requests to config.cfm, an expected configuration file in a standard installation of ColdFusion. |
| Ingress Tool Transfer | T1105 | Threat actors were able to upload malicious artifacts to the victim web server. |
MITIGATIONS
CISA recommends organizations implement the mitigations below to improve their cybersecurity posture based on the threat actor activity described in this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
These mitigations apply to all critical infrastructure organizations and network defenders. CISA recommends that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices, limiting the impact of threat actor techniques and strengthening the security posture for their customers. For more information on secure by design, see CISA’s Secure by Design webpage.
Manage Vulnerabilities and Configurations
Upgrade all versions affected by this vulnerability. Keep all software up to date and prioritize patching according to CISA’s Known Exploited Vulnerabilities Catalog [1.E].
Prioritize remediation of vulnerabilities on internet-facing systems, for example, by conducting continuous automated and/or routine vulnerability scans.
Prioritize secure-by-default configurations, such as eliminating default passwords and disabling default credentials, and implement single sign-on (SSO) technology via modern open standards.
Segment Networks
Employ proper network segmentation, such as a demilitarized zone (DMZ) [2.F]. The end goal of a DMZ network is to allow an organization to access untrusted networks, such as the internet, while ensuring its private network or local area network (LAN) remains secure. Organizations typically store external-facing services and resources—as well as servers used for DNS, file transfer protocol (FTP), mail, proxy, voice over internet protocol (VoIP)—and web servers in the DMZ.
Use a firewall or web-application firewall (WAF) and enable logging [2.G, 2.T] to prevent/detect potential exploitation attempts. Review ingress and egress firewall rules and block all unapproved protocols. Limit risky (but approved) protocols through rules.
Implement network segmentation to separate network segments based on role and functionality [2.E]. Proper network segmentation significantly reduces the ability for threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. See CISA’s Layering Network Security Through Segmentation infographic and the National Security Agency’s (NSA’s) Segment Networks and Deploy Application-Aware Defenses.
Deploy application-aware network defenses to block improperly formed traffic and restrict content, according to policy and legal authorizations. Traditional intrusion detection systems (IDS) based on known-bad signatures are quickly decreasing in effectiveness due to encryption and obfuscation techniques. Threat actors hide malicious actions and remove data over common protocols, making the need for sophisticated, application-aware defensive mechanisms critical for modern network defenses.
Application Control
Enforce signed software execution policies. Use a modern operating system that enforces signed software execution policies for scripts, executables, device drivers, and system firmware. Maintain a list of trusted certificates to prevent and detect the use and injection of illegitimate executables. Execution policies, when used in conjunction with a secure boot capability, can assure system integrity.
Application control should be used with signed software execution policies to provide greater control. Allowing unsigned software enables threat actors to gain a foothold and establish persistence through embedded malicious code. See NSA’s Enforce Signed Software Execution Policies.
Manage Accounts, Permissions, and Workstations
Require phishing-resistant multifactor authentication (MFA) [2.H] for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems.
Implement the principle of least privilege to decrease threat actors’ abilities to access key network resources.
Restrict file and directory permissions. Use file system access controls to protect folders such as C:\Windows\System32.
Restrict NTLM authentication policy settings, including incoming NTLM traffic from client computers, other member servers, or a domain controller.[8]
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
1. Select an ATT&CK technique described in this advisory (see Tables 2-9).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.
CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESOURCES
NIST: CVE-2023-26360
CISA: KEV Catalog
CISA, MITRE: Best Practices for MITRE ATT&CK Mapping
CISA: Decider Tool
CISA: Cross-Sector Cybersecurity Performance Goals
CISA: Secure by Design and Default
CISA: Layering Network Security Through Segmentation
NSA: Segment Networks and Deploy Application-Aware Defenses
NSA: Enforce Signed Software Execution Policies
CISA: Implementing Phishing-Resistant MFA
REFERENCES
[1] Packet Storm Security: Adobe ColdFusion Unauthenticated Remote Code Execution
[2] MITRE: certutil
[3] VirusTotal: File - a3acb9f79647f813671c1a21097a51836b0b95397ebc9cd178bc806e1773c864
[4] Bleeping Computer: Stealthy New JavaScript Malware Infects Windows PCs with RATs
[5] GitHub: Tas9er/ByPassGodzilla
[6] MITRE: esentutl
[7] Microsoft: Active Directory - SYSVOL
[8] Microsoft: Restrict NTLM - Incoming NTLM Traffic
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
VERSION HISTORY
December 5, 2023: Initial version.
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing a Cybersecurity Advisory (CSA) in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch (FCEB) agency. This vulnerability presents as an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations; however, they are no longer supported since they reached end of life. Exploitation of this CVE can result in arbitrary code execution. Following the FCEB agency’s investigation, analysis of network logs confirmed the compromise of at least two public-facing servers within the environment between June and July 2023.
This CSA provides network defenders with tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and methods to detect and protect against similar exploitation.
Download the PDF version of this report:
AA23-339A Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers (PDF, 449.49 KB)
For a downloadable copy of IOCs, see:
AA23-339A STIX XML (XML, 23.83 KB)
AA23-339A STIX JSON (JSON, 23.29 KB)
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for tables mapped to the threat actors’ activity.
Overview
Adobe ColdFusion is a commercial application server used for rapid web-application development. ColdFusion supports proprietary markup languages for building web applications and integrates external components such as databases and third-party libraries. ColdFusion uses a proprietary language, ColdFusion Markup Language (CFML), for development, but the application server itself is built in Java.
In June 2023, through exploitation of CVE-2023-26360, threat actors established an initial foothold on two agency systems in two separate instances. In both incidents, Microsoft Defender for Endpoint (MDE) alerted on potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment. Both servers were running outdated versions of software that were vulnerable to various CVEs. Additionally, the threat actors initiated various commands on the compromised web servers; the exploited vulnerability allowed them to drop malware using HTTP POST requests to the directory path associated with ColdFusion.
Analysis suggests that the malicious activity conducted by the threat actors was a reconnaissance effort to map the broader network. No evidence is available to confirm successful data exfiltration or lateral movement during either incident. Note: It is unknown if the same or different threat actors were behind each incident.
Incident 1
As early as June 26, 2023, threat actors obtained an initial foothold on a public-facing [T1190] web server running Adobe ColdFusion v2016.0.0.3 through exploitation of CVE-2023-26360. Threat actors successfully connected from malicious IP address 158.101.73[.]241. Disclaimer: CISA recommends organizations investigate or vet this IP address prior to taking action, such as blocking. This IP resolves to a public cloud service provider and possibly hosts a large volume of legitimate traffic.
The agency’s correlation of Internet Information Services (IIS) logs against open source[1] information indicates that the identified uniform resource identifier (URI) /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc was used to exploit CVE-2023-26360. The agency removed the asset from the network within 24 hours of the MDE alert.
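A defender-side version of the log correlation described above, added here as an example and not taken from the advisory: it parses IIS W3C log lines, flags requests to the iedit.cfc URI and HTTP POSTs to the ColdFusion file names this advisory reports, groups them by client address, and separates a successful exploitation-plus-follow-on sequence from a bare probe. The log lines and IP addresses are constructed (RFC 5737 ranges); the URI and file names come from the advisory.

```python
"""Triage IIS W3C logs for the request pattern AA23-339A describes for
CVE-2023-26360 exploitation: a request to the iedit.cfc URI followed by HTTP
POSTs to ColdFusion files (config.cfm, conf.txt, d.txt) from the same source.
Log lines and IP addresses below are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass

EXPLOIT_URI = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc"
# File names the advisory reports the actors posting to or dropping via POST.
SUSPECT_POST_TARGETS = {"config.cfm", "conf.txt", "config.jsp", "d.txt", "d.jsp"}

SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-06-26 14:02:11 10.0.0.5 GET /index.cfm - 443 - 203.0.113.10 Mozilla/5.0 200
2023-06-26 14:05:43 10.0.0.5 POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc - 443 - 198.51.100.7 python-requests/2.31 200
2023-06-26 14:06:02 10.0.0.5 POST /config.cfm - 443 - 198.51.100.7 python-requests/2.31 200
2023-06-26 14:06:30 10.0.0.5 POST /d.txt - 443 - 198.51.100.7 python-requests/2.31 200
2023-06-26 14:07:00 10.0.0.5 GET /CFIDE/administrator/index.cfm - 443 admin 10.0.0.20 Mozilla/5.0 200
2023-06-26 14:08:12 10.0.0.5 GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc - 443 - 203.0.113.55 curl/8.0 404
"""


@dataclass(frozen=True)
class Hit:
    time: str
    method: str
    uri: str
    status: int
    reason: str


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the header can change mid-file; reload it
        elif line and not line.startswith("#"):
            parts = line.split(" ")
            if fields and len(parts) == len(fields):   # skip malformed rows
                yield dict(zip(fields, parts))


def classify(rec):
    """Return a reason string if the request matches the advisory's pattern, else None."""
    uri = rec.get("cs-uri-stem", "").lower()
    if uri.endswith(EXPLOIT_URI):
        return "request to the CVE-2023-26360 exploitation URI"
    name = uri.rsplit("/", 1)[-1]
    if rec.get("cs-method") == "POST" and name in SUSPECT_POST_TARGETS:
        return f"HTTP POST to ColdFusion file {name}"
    return None


def triage(text):
    """Return {client_ip: [Hit, ...]} for every suspicious request, in log order."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        reason = classify(rec)
        if reason:
            hits[rec["c-ip"]].append(
                Hit(rec["time"], rec["cs-method"], rec["cs-uri-stem"], int(rec["sc-status"]), reason))
    return dict(hits)


def likely_compromised(hits):
    """Sources that reached the exploitation URI with a 2xx and then POSTed to a ColdFusion file.

    A lone 404 on the URI (a scanner probe) is reported by triage() but not here."""
    out = []
    for ip, seq in hits.items():
        exploited = any(h.uri.lower().endswith(EXPLOIT_URI) and 200 <= h.status < 300 for h in seq)
        followed = any(h.method == "POST" and not h.uri.lower().endswith(EXPLOIT_URI) for h in seq)
        if exploited and followed:
            out.append(ip)
    return out


if __name__ == "__main__":
    hits = triage(SAMPLE_IIS_LOG)
    for ip, seq in hits.items():
        for h in seq:
            print(f"{ip} {h.time} {h.method} {h.uri} {h.status}  <- {h.reason}")
    print("likely compromised:", likely_compromised(hits))
```

The advisory's own caveat applies to the output: a source address that appears here still needs vetting before blocking, since cloud provider ranges carry legitimate traffic.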
Threat actors started process enumeration to obtain currently running processes on the web server and performed a network connectivity check, likely to confirm their connection was successful. Following additional enumeration efforts to obtain information about the web server and its operating system [T1082], the threat actors checked for the presence of ColdFusion version 2018 [T1518]—previous checks were also conducted against version 2016.
Threat actors were observed traversing the filesystem [T1083], uploading various artifacts to the web server [T1105], and deleting the file tat.cfm [T1070.004]. Note: This file was deleted before the victim could locate it on the host for analysis; its characteristics and functionality are unknown. In addition:
Certutil[2] was run against conf.txt [T1140], which decoded to a web shell (config.jsp) [T1505.003], [T1036.008]. Conf.txt was subsequently deleted, likely to evade detection. Note: Threat actors were only observed interacting with the config.jsp web shell from this point on.
HTTP POST requests [T1071.001] were made to config.cfm, an expected configuration file in a standard installation of ColdFusion [T1036.005]. Code review of config.cfm indicated malicious code—intended to execute on versions of ColdFusion 9 or less—was inserted with the intent to extract username, password, and data source uniform resource locators (URLs). According to analysis, this code insertion could be used in future malicious activity by the threat actors (e.g., by using the valid credentials that were compromised). This file also contained code the threat actors used to upload additional files; however, the agency was unable to identify their origin.
Threat actors attempted to run attrib.exe to hide the newly created config.jsp web shell [T1564.001]. Analysis of this phase found no indication of successful execution.
A small subset of events generated from various ColdFusion application logs identified that tat.cfm, config.jsp, and system.cfm failed to execute on the host due to syntax errors.
Threat actors created various files (see Table 1 below) in the C:\IBM directory using the initialization process coldfusion.exe. None of these files were located on the server (possibly due to threat actor deletion) but are assessed as likely threat actor tools. Analysts assessed the C:\IBM directory as a staging folder to support threat actors’ malicious operations.
Disclaimer: Organizations are encouraged to investigate the use of these files for related signs of compromise prior to performing remediation actions. Two artifacts are legitimate Microsoft files; threat actors were observed using these files following initial compromise for intended malicious purposes.
Table 1: Threat Actor Tools

| File Name | Hash (SHA-1) | Description |
| --- | --- | --- |
| eee.exe | b6818d2d5cbd902ce23461f24fc47e24937250e6 | VirusTotal[3] flags this file as malicious. It was located in D:\$RECYCLE.BIN. |
| edge.exe | 75a8ceded496269e9877c2d55f6ce13551d93ff4 | The dynamic-link library (DLL) file msedge.dll attempted to execute via edge.exe but received an error. Note: This file is part of the official Microsoft Edge browser and is a cookie exporter. |
| fscan.exe | be332b6e2e2ed9e1e57d8aafa0c00aa77d4b8656 | Analysis confirmed at least three subnets were scanned using fscan.exe, which was launched from the C:\IBM directory [T1046]. |
| RC.exe | 9126b8320d18a52b1315d5ada08e1c380d18806b | RCDLL.dll attempted to execute via RC.exe but received an error. Note: This file is part of the official Windows operating system and is called Microsoft Resource Compiler. |
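The host-side counterpart to the web log check, added as an example and not part of the advisory: a small rule set over Windows process-creation events covering the command-line activity reported in this incident (certutil decoding conf.txt into config.jsp, attrib hiding it, commands spawned by coldfusion.exe, fscan.exe) and in Incident 2 above (esentutl against Registry hives, nltest and net domain enumeration). Field names follow Sysmon Event ID 1; the events, paths and hosts are constructed, and the exact esentutl arguments are left as a placeholder.

```python
"""Rule-based triage of Windows process-creation events for the command-line
activity AA23-339A describes across both incidents. Each rule returns the
ATT&CK ID used in the advisory's tables plus a short explanation. Events below
are constructed for this example (Sysmon Event ID 1 field names)."""
import re
from dataclasses import dataclass

# Interpreters and utilities a ColdFusion service process should never spawn on its own.
LOLBINS = {"cmd.exe", "powershell.exe", "certutil.exe", "attrib.exe",
           "esentutl.exe", "nltest.exe", "net.exe", "net1.exe", "whoami.exe"}
NET_EXES = {"net.exe", "net1.exe"}
# Registry hive names appearing as a path component (SAM, SECURITY, SYSTEM).
HIVE_RE = re.compile(r"\\(sam|security|system)\b", re.I)


@dataclass(frozen=True)
class Finding:
    index: int        # position of the event in the input list
    technique: str    # ATT&CK ID as used in Tables 2-9
    rule: str


def exe_name(path: str) -> str:
    """Lower-cased basename of an image path (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_webserver_child(ev):
    if exe_name(ev["ParentImage"]) == "coldfusion.exe" and exe_name(ev["Image"]) in LOLBINS:
        return "T1505.003", "coldfusion.exe spawned a command interpreter or LOLBin (web shell behaviour)"


def rule_certutil_decode(ev):
    cmd = ev["CommandLine"].lower()
    if exe_name(ev["Image"]) == "certutil.exe" and "-decode" in cmd and ".txt" in cmd and ".jsp" in cmd:
        return "T1140", "certutil decoding a .txt file into a .jsp"


def rule_attrib_hide(ev):
    tokens = ev["CommandLine"].lower().split()
    if exe_name(ev["Image"]) == "attrib.exe" and "+h" in tokens \
            and any(t.endswith((".jsp", ".cfm")) for t in tokens):
        return "T1564.001", "attrib setting the hidden attribute on a web-served script"


def rule_esentutl_hive(ev):
    if exe_name(ev["Image"]) == "esentutl.exe" and HIVE_RE.search(ev["CommandLine"]):
        return "T1003.002", "esentutl command line references a Registry hive"


def rule_domain_enum(ev):
    exe, cmd = exe_name(ev["Image"]), ev["CommandLine"].lower()
    if exe == "nltest.exe" and "/domain_trusts" in cmd:
        return "T1482", "nltest enumerating domain trusts"
    if exe in NET_EXES and " user" in cmd and "/domain" in cmd:
        return "T1087.002", "net user /domain account enumeration"
    if exe in NET_EXES and "localgroup" in cmd:
        return "T1087.001", "net localgroup local account enumeration"


def rule_fscan(ev):
    if exe_name(ev["Image"]) == "fscan.exe":
        return "T1046", "fscan.exe network scanner executed"


RULES = [rule_webserver_child, rule_certutil_decode, rule_attrib_hide,
         rule_esentutl_hive, rule_domain_enum, rule_fscan]


def triage(events):
    """Run every rule over every event; one event may yield several findings."""
    findings = []
    for i, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(Finding(i, hit[0], hit[1]))
    return findings


CF = r"C:\ColdFusion2016\cfusion\bin\coldfusion.exe"     # constructed path
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed events
    {"Image": CMD, "ParentImage": CF, "CommandLine": r"cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": CMD,
     "CommandLine": r"certutil -decode C:\inetpub\wwwroot\conf.txt C:\inetpub\wwwroot\config.jsp"},
    {"Image": r"C:\Windows\System32\attrib.exe", "ParentImage": CMD,
     "CommandLine": r"attrib +h C:\inetpub\wwwroot\config.jsp"},
    {"Image": r"C:\Windows\System32\nltest.exe", "ParentImage": CMD, "CommandLine": r"nltest /domain_trusts"},
    {"Image": r"C:\Windows\System32\net.exe", "ParentImage": CMD, "CommandLine": r"net user /domain"},
    {"Image": r"C:\Windows\System32\esentutl.exe", "ParentImage": CMD,
     "CommandLine": r"esentutl.exe <args> C:\Windows\System32\config\SAM C:\IBM\sam.tmp"},
    {"Image": r"C:\IBM\fscan.exe", "ParentImage": CMD, "CommandLine": r"fscan.exe <args>"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\admin\notes.txt"},   # benign: no finding expected
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.index}: [{f.technique}] {f.rule}")
```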
Note: The malicious code found on the system during this incident contained code that, when executed, would attempt to decrypt passwords for ColdFusion data sources. The seed value included in the code is a known value for ColdFusion version 8 or older—where the seed value was hard-coded. A threat actor who has control over the database server can use the values to decrypt the data source passwords in ColdFusion version 8 or older. The victim’s servers were running a newer version at the time of compromise; thus, the malicious code failed to decrypt passwords using the default hard-coded seed value for the older versions.
Incident 2
As early as June 2, 2023, threat actors obtained an initial foothold on an additional public-facing web server running Adobe ColdFusion v2021.0.0.2 via malicious IP address 125.227.50[.]97 through exploitation of CVE-2023-26360. Threat actors further enumerated domain trusts to identify lateral movement opportunities [T1482] by using nltest commands. The threat actors also collected information about local [T1087.001] and domain [T1087.002] administrative user accounts while performing reconnaissance by using commands such as localgroup, net user, net user /domain, and ID. Host and network reconnaissance efforts were further conducted to discover network configuration, time logs, and query user information.
Threat actors were observed dropping the file d.txt—decoded as d.jsp—via POST command in addition to eight malicious artifacts (hiddenfield.jsp, hiddenfield_jsp.class, hiddenfield_jsp.java, Connection.jsp, Connection_jsp.class, Connection_jsp.java, d_jsp.class, and d_jsp.java/). According to open source information, d.jsp is a remote access trojan (RAT) that utilizes a JavaScript loader [T1059.007] to infect the device and requires communication with the actor-controlled server to perform actions.[4] The agency’s analysis identified the trojan as a modified version of a publicly available web shell code.[5] After maintaining persistence, threat actors periodically tested network connectivity by pinging Google’s domain name system (DNS) [T1016.001]. The threat actors conducted additional reconnaissance efforts via searching for the .jsp files that were uploaded.
Threat actors attempted to exfiltrate the (Registry) files sam.zip, sec.zip, blank.jsp, and cf-bootstrap.jar. Windows event logs identified the actors were not successful due to the malicious activity being detected and quarantined. An additional file (sys.zip) was created on the system; however, there were no indications of any attempt to exfiltrate it. Analysis identified these files resulted from executed save and compress data processes from the HKEY_LOCAL_MACHINE (HKLM) Registry key, as well as save security account manager (SAM) [T1003.002] information to .zip files. The SAM Registry file may allow for malicious actors to obtain usernames and reverse engineer passwords; however, no artifacts were available to confirm that the threat actors were successful in exfiltrating the SAM Registry hive.
Windows event logs show that a malicious file (1.dat) was detected and quarantined. Analysis determined this file was a local security authority subsystem service (LSASS) dump [T1003.001] file that contained user accounts—to include multiple disabled credentials—and Windows new technology LAN manager (NTLM) passwords. The accounts were found on multiple servers across the victim’s network and were not successfully used for lateral movement.
As efforts for reconnaissance continued, the threat actors changed their approach to using security tools that were present on the victim server. Esentutl.exe[6] was used to attempt this registry dump. Attempts to download data from the threat actors’ command and control (C2) server were also observed but blocked and logged by the victim server. Threat actors further attempted to access SYSVOL, which is used to deliver policy and logon scripts to domain members on an agency domain controller [T1484.001]. The attempt was unsuccessful. Had the attempt succeeded, the threat actors may have been able to change policies across compromised servers.[7]
Note: During this incident, analysis strongly suggests that the threat actors likely viewed the data contained in the ColdFusion seed.properties file via the web shell interface. The seed.properties file contains the seed value and encryption method used to encrypt passwords. The seed values can also be used to decrypt passwords. No malicious code was found on the victim system to indicate the threat actors attempted to decode any passwords using the values found in seed.properties file. Versions of ColdFusion 9 or greater use the seed.properties file, which contains unique seed values that can only be used on a single server.
MITRE ATT&CK TACTICS AND TECHNIQUES
See Tables 2-9 for all referenced threat actor tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Table 2: Initial Access
Technique Title
ID
Use
Exploit Public-Facing Application
T1190
Threat actors exploited two public-facing web servers running outdated versions of Adobe ColdFusion.
Table 3: Execution
Technique Title
ID
Use
Command and Scripting Interpreter: JavaScript
T1059.007
In correlation with open source information, analysis determined d.jsp is a RAT that utilizes a JavaScript loader to infect the device and requires communication with the actor-controlled server to perform actions.
Table 4: Persistence
Technique Title
ID
Use
Server Software Component: Web Shell
T1505.003
Threat actors uploaded various web shells to enable remote code execution and to execute commands on compromised web servers.
Table 5: Privilege Escalation
Technique Title
ID
Use
Domain Policy Modification: Group Policy Modification
T1484.001
Threat actors attempted to edit SYSVOL on an agency domain controller to change policies.
Table 6: Defense Evasion
Technique Title
ID
Use
Masquerading: Match Legitimate Name or Location
T1036.005
Threat actors inserted malicious code with the intent to extract username, password, and data source URLs into config.cfm—an expected configuration file in a standard installation of ColdFusion.
Masquerading: Masquerade File Type
T1036.008
Threat actors used the .txt file extension to disguise malware files.
Indicator Removal: File Deletion
T1070.004
Threat actors deleted files following upload to remove malicious indicators.
Deobfuscate/Decode Files or Information
T1140
Threat actors used certutil to decode web shells hidden inside .txt files.
Hide Artifacts: Hidden Files and Directories
T1564.001
Threat actors attempted to run attrib.exe to hide the newly created config.jsp web shell.
Table 7: Credential Access
Technique Title
ID
Use
OS Credential Dumping: LSASS Memory
T1003.001
Threat actors attempted to harvest user account credentials through LSASS memory dumping.
OS Credential Dumping: Security Account Manager
T1003.002
Threat actors saved and compressed SAM information to .zip files.
Table 8: Discovery
Technique Title
ID
Use
System Network Configuration Discovery: Internet Connection Discovery
T1016.001
Threat actors periodically tested network connectivity by pinging Google’s DNS.
Network Service Discovery
T1046
Threat actors scanned at least three subnets to gather network information using fscan.exe, to include administrative data for future exfiltration.
System Information Discovery
T1082
Threat actors collected information about the web server and its operating system.
File and Directory Discovery
T1083
Threat actors traversed and were able to search through folders on the victim’s web server filesystem. Additional reconnaissance efforts were conducted via searching for the .jsp files that were uploaded.
Account Discovery: Local Account
T1087.001
Threat actors collected information about local user accounts.
Account Discovery: Domain Account
T1087.002
Threat actors collected information about domain users, including identification of domain admin accounts.
Domain Trust Discovery
T1482
Threat actors enumerated domain trusts to identify lateral movement opportunities.
Software Discovery
T1518
Following initial access and enumeration, threat actors checked for the presence of ColdFusion version 2018 on the victim web server.
Table 9: Command and Control
Technique Title
ID
Use
Application Layer Protocol: Web Protocols
T1071.001
Threat actors used HTTP POST requests to config.cfm, an expected configuration file in a standard installation of ColdFusion.
Ingress Tool Transfer
T1105
Threat actors were able to upload malicious artifacts to the victim web server.
MITIGATIONS
CISA recommends organizations implement the mitigations below to improve your organization’s cybersecurity posture based on threat actor activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
These mitigations apply to all critical infrastructure organizations and network defenders. CISA recommends that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices, limiting the impact of threat actor techniques and strengthening the security posture for their customers. For more information on secure by design, see CISA’s Secure by Design webpage.
Manage Vulnerabilities and Configurations
Upgrade all versions affected by this vulnerability. Keep all software up to date and prioritize patching according to CISA’s Known Exploited Vulnerabilities Catalog [1.E].
Prioritize remediation of vulnerabilities on internet-facing systems, for example, by conducting continuous automated and/or routine vulnerability scans.
Prioritize secure-by-default configurations such as eliminating default passwords, implementing single sign-on (SSO) technology via modern open standards. This also includes disabling default credentials.
Segment Networks
Employ proper network segmentation, such as a demilitarized zone (DMZ) [2.F]. The end goal of a DMZ network is to allow an organization to access untrusted networks, such as the internet, while ensuring its private network or local area network (LAN) remains secure. Organizations typically store external-facing services and resources—as well as servers used for DNS, file transfer protocol (FTP), mail, proxy, voice over internet protocol (VoIP)—and web servers in the DMZ.
Use a firewall or web-application firewall (WAF) and enable logging [2.G, 2.T] to prevent/detect potential exploitation attempts. Review ingress and egress firewall rules and block all unapproved protocols. Limit risky (but approved) protocols through rules.
Implement network segmentation to separate network segments based on role and functionality [2.E]. Proper network segmentation significantly reduces the ability for threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. See CISA’s Layering Network Security Through Segmentation infographic and the National Security Agency’s (NSA’s) Segment Networks and Deploy Application-Aware Defenses.
Deploy application-aware network defenses to block improperly formed traffic and restrict content, according to policy and legal authorizations. Traditional intrusion detection systems (IDS) based on known-bad signatures are quickly decreasing in effectiveness due to encryption and obfuscation techniques. Threat actors hide malicious actions and remove data over common protocols, making the need for sophisticated, application-aware defensive mechanisms critical for modern network defenses.
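The firewall-rule review called for above (block unapproved protocols, restrict risky-but-approved ones, keep DMZ traffic out of the LAN) can be made repeatable with a small audit script. The following is an added example, not code from the advisory or from CISA/NSA: the rule format, the approved-port policy and every rule in SAMPLE_RULES are constructed for illustration, and a real deployment would load rules exported from the firewall instead.

```python
"""Audit a simplified firewall rule set against an approved-protocol policy.

Added example; not code from the advisory or from CISA/NSA. The rule
format, the policy table and all rules below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed policy: services the organization has approved, and the subset
# it treats as "risky but approved" (allowed only from named sources, never "any").
APPROVED_PORTS = {"tcp/443", "tcp/25", "udp/53", "tcp/22", "tcp/3389"}
RISKY_APPROVED = {"tcp/22", "tcp/3389"}


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str   # "ingress" or "egress"
    src: str         # zone name, CIDR, or "any"
    dst: str         # zone name, CIDR, or "any"
    service: str     # "<proto>/<port>" or "any"
    action: str      # "allow" or "deny"


def audit_rules(rules):
    """Return (rule name, finding) tuples for allow rules that violate the policy.

    Deny rules are never flagged; a single allow rule can produce more than one
    finding (for example "any" service on a DMZ-to-LAN rule).
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.service == "any":
            findings.append((r.name, "allows any protocol; replace with explicit services"))
        elif r.service not in APPROVED_PORTS:
            findings.append((r.name, f"unapproved protocol {r.service}; block it"))
        elif r.service in RISKY_APPROVED and r.src == "any":
            findings.append((r.name, f"risky protocol {r.service} open to any source; restrict the source"))
        # Hosts in the DMZ should not be able to initiate connections into the LAN;
        # an allow rule in that direction defeats the purpose of the DMZ.
        if r.src == "dmz" and r.dst == "lan":
            findings.append((r.name, "DMZ-to-LAN allow rule; DMZ hosts should not initiate into the LAN"))
    return findings


# Constructed rule set (not exported from any real device).
SAMPLE_RULES = [
    Rule("web-in",       "ingress", "any", "dmz", "tcp/443",  "allow"),
    Rule("rdp-in",       "ingress", "any", "lan", "tcp/3389", "allow"),
    Rule("ftp-in",       "ingress", "any", "dmz", "tcp/21",   "allow"),
    Rule("dmz-to-lan",   "ingress", "dmz", "lan", "any",      "allow"),
    Rule("dns-out",      "egress",  "lan", "any", "udp/53",   "allow"),
    Rule("default-deny", "ingress", "any", "any", "any",      "deny"),
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Run against SAMPLE_RULES the audit flags the RDP rule open to any source, the unapproved FTP rule, and the DMZ-to-LAN rule twice (any-service and wrong direction); the HTTPS and DNS rules pass. The policy sets are the part to adapt to your own environment.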
Application Control
Enforce signed software execution policies. Use a modern operating system that enforces signed software execution policies for scripts, executables, device drivers, and system firmware. Maintain a list of trusted certificates to prevent and detect the use and injection of illegitimate executables. Execution policies, when used in conjunction with a secure boot capability, can assure system integrity.
Application control should be used with signed software execution policies to provide greater control. Allowing unsigned software enables threat actors to gain a foothold and establish persistence through embedded malicious code. See NSA’s Enforce Signed Software Execution Policies.
Manage Accounts, Permissions, and Workstations
Require phishing-resistant multifactor authentication (MFA) [2.H] for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems.
Implement the principle of least privilege to decrease threat actors’ abilities to access key network resources.
Restrict file and directory permissions. Use file system access controls to protect folders such as C:\Windows\System32.
Restrict NTLM authentication policy settings, including incoming NTLM traffic from client computers, other member servers, or a domain controller.[8]
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Tables 2-9).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESOURCES
NIST: CVE-2023-26360
CISA: KEV Catalog
CISA, MITRE: Best Practices for MITRE ATT&CK Mapping
CISA: Decider Tool
CISA: Cross-Sector Cybersecurity Performance Goals
CISA: Secure by Design and Default
CISA: Layering Network Security Through Segmentation
NSA: Segment Networks and Deploy Application-Aware Defenses
NSA: Enforce Signed Software Execution Policies
CISA: Implementing Phishing-Resistant MFA
REFERENCES
[1] Packet Storm Security: Adobe ColdFusion Unauthenticated Remote Code Execution
[2] MITRE: certutil
[3] VirusTotal: File - a3acb9f79647f813671c1a21097a51836b0b95397ebc9cd178bc806e1773c864
[4] Bleeping Computer: Stealthy New JavaScript Malware Infects Windows PCs with RATs
[5] GitHub: Tas9er/ByPassGodzilla
[6] MITRE: esentutl
[7] Microsoft: Active Directory - SYSVOL
[8] Microsoft: Restrict NTLM - Incoming NTLM Traffic
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
VERSION HISTORY
December 5, 2023: Initial version.
December 03, 2023
Affected country: Indonesia
Glide: VO-2023-000247-IDN
Volcanic activity on Mount Merapi, characterised by ash emission and volcanic rocks, has affected West Sumatra, on Sumatra Island, since 3 December. (ECHO, 5 Dec 2023) The Indonesian National Board for Disaster Management (BNPB) reported that, as of 7 December, there were 23 fatalities following that main eruption. (ECHO, 8 Dec 2023)
Since 12 January, the alert level of the volcano has been at level 3. According to media reports, about 100 people have been evacuated. On the 14th, Mount Merapi erupted again and an ash column reached up to 1,500 metres above the crater. (ECHO, 15 Jan 2024)
Mount Marapi (West Sumatra) and Mount Lewotobi laki-laki (Nusa Tenggara Timor) experienced eruptions and status upgrades, affecting 395 families and displacing 6,648 people. As of January 9, 2024, the status of Mount Lewotobi laki-laki has been raised to Level IV from Level III and Mount Marapi to Level III from Level II. (Level IV is the highest level of alert). The National Disaster Management Agency BPBD together with local government agencies supported by several humanitarian organizations responded with public kitchens, setting up tents, distributing logistics, establishing emergency schools, opening health posts and distributing masks, assessment and data collection. (OCHA, 17 Jan 2024)
December 02, 2023
Affected country: Philippines
Glide: EQ-2023-000245-PHL
The magnitude 7.4 earthquake that occurred off the coast of Hinatuan in Surigao del Sur on Saturday, 2 December, at 10:37 p.m. local time was caused by movement in the Philippine trench, according to the Philippine Institute of Volcanology and Seismology (PHIVOLCS). The quake, initially reported by PHIVOLCS as magnitude 7.5, was revised to 6.9 and eventually to 7.4; it raised a tsunami alert, which was lifted on Sunday morning, 3 December local time. Movements of the 1,320 km long Philippine trench on the eastern seaboard of the country have generated 10 earthquakes of magnitude 7 or more in the last 100 years, the last one of magnitude 7.6 in 2012.
Since the earthquake, PHIVOLCS has recorded over 660 aftershocks, ranging in magnitude from 1.4 to 6.5, which are expected to continue over the coming days.
The tsunami alert caused an immediate evacuation to higher grounds of over 26,000 people living in coastal areas of the provinces of Surigao del Sur and Davao Oriental. Most have returned home after the tsunami alert was lifted by PHIVOLCS. (OCHA, 3 Dec 2023)
December 02, 2023
SUMMARY
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD)—hereafter referred to as "the authoring agencies"—are disseminating this joint Cybersecurity Advisory (CSA) to highlight continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated Advanced Persistent Threat (APT) cyber actors.
The IRGC is an Iranian military organization that the United States designated as a foreign terrorist organization in 2019. IRGC-affiliated cyber actors using the persona “CyberAv3ngers” are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. The PLCs may be rebranded and appear as different manufacturers and companies. In addition to the recent CISA Alert, the authoring agencies are releasing this joint CSA to share indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with IRGC cyber operations.
Since at least November 22, 2023, these IRGC-affiliated cyber actors have continued to compromise default credentials in Unitronics devices. The IRGC-affiliated cyber actors left a defacement image stating, “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.” The victims span multiple U.S. states. The authoring agencies urge all organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.
This advisory provides observed IOCs and TTPs the authoring agencies assess are likely associated with this IRGC-affiliated APT. For more information on Iranian state-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and the FBI’s Iran Threat webpage.
For a PDF version of this CSA, see:
AA23-335A IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities (PDF, 594.03 KB)
For a downloadable copy of IOCs, see:
AA23-335A STIX XML (XML, 15.50 KB)
AA23-335A STIX JSON (JSON, 10.84 KB)
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See Table 1 for threat actor activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Overview
CyberAv3ngers (also known as CyberAveng3rs, Cyber Avengers) is an Iranian IRGC cyber persona that has claimed responsibility for numerous attacks against critical infrastructure organizations.[1],[2],[3],[4],[5] The group claimed responsibility for cyberattacks in Israel beginning in 2020. CyberAv3ngers falsely claimed they compromised several critical infrastructure organizations in Israel.[2] CyberAv3ngers also reportedly has connections to another IRGC-linked group known as Soldiers of Solomon.
(Updated December 14, 2023) Most recently, CyberAv3ngers began targeting U.S.-based WWS facilities that operate Unitronics PLCs.[1] The threat actors compromised Unitronics Vision Series PLCs with human machine interfaces (HMI). These compromised devices were publicly exposed to the internet with default passwords and by default are on TCP port 20256. On December 11, 2023, CVE-2023-6448 was assigned to address the default passwords [CWE-798: Use of Hard Coded Credentials], and CISA added the CVE to its Known Exploited Vulnerabilities Catalog. On December 12, Unitronics released VisiLogic version 9.9.00 software to address this CVE; the update requires users to change default passwords.
These PLCs and related controllers are often exposed to outside internet connectivity due to the remote nature of their control and monitoring functionalities. The compromise is centered around defacing the controller’s user interface and may render the PLC inoperative. With this type of access, deeper device- and network-level access is available and could produce additional, more profound cyber-physical effects on processes and equipment. It is not known if additional cyber activities deeper into these PLCs or related control networks and components were intended or achieved. Organizations should consider and evaluate their systems for these possibilities.
Threat Actor Activity
The authoring agencies have observed the IRGC-affiliated activity since at least October 2023, when the actors claimed credit for the cyberattacks against Israeli PLCs on their Telegram channel. Since November 2023, the authoring agencies have observed the IRGC-affiliated actors target multiple U.S.-based WWS facilities that operate Unitronics Vision Series PLCs. Cyber threat actors likely compromised these PLCs since the PLCs were internet-facing and used Unitronics’ default password. Observed activity includes the following:
Between September 13 and October 30, 2023, the CyberAv3ngers Telegram channel displayed both legitimate and false claims of multiple cyberattacks against Israel. CyberAv3ngers targeted Israeli PLCs in the water, energy, shipping, and distribution sectors.
On October 18, 2023, the CyberAv3ngers-linked Soldiers of Solomon claimed responsibility for compromising over 50 servers, security cameras, and smart city management systems in Israel; however, the majority of these claims were proven false. The group claimed to use a ransomware named “Crucio” against servers where the webcam software operated on port 7001.
Beginning on November 22, 2023, IRGC cyber actors accessed multiple U.S.-based WWS facilities that operate Unitronics Vision Series PLCs with an HMI likely by compromising internet-accessible devices with default passwords. The targeted PLCs displayed the defacement message, “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is Cyberav3ngers legal target.”
INDICATORS OF COMPROMISE
See Table 1 for observed IOCs related to CyberAv3nger operations.
(Updated December 14, 2023)
Table 1: CyberAv3nger IOCs
Indicator | Type | Fidelity | Description
BA284A4B508A7ABD8070A427386E93E0 | MD5 | Suspected | MD5 hash associated with Crucio Ransomware
66AE21571FAEE1E258549078144325DC9DD60303 | SHA1 | Suspected | SHA1 hash associated with Crucio Ransomware
440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3 | SHA256 | Suspected | SHA256 hash associated with Crucio Ransomware
178.162.227[.]180 | IP address | Suspected | IP address associated with Crucio Ransomware
185.162.235[.]206 | IP address | | IP address associated with Crucio Ransomware
MITRE ATT&CK TACTICS AND TECHNIQUES
See Table 2 for referenced threat actor tactics and techniques in this advisory.
Table 2: Initial Access
Technique Title | ID | Use
Brute Force Techniques | T1110 | Threat actors obtained login credentials, which they used to log into Unitronics devices and gain root-level access.
MITIGATIONS
The authoring agencies recommend critical infrastructure organizations, including WWS sector facilities, implement the following mitigations to improve your organization’s cybersecurity posture to defend against CyberAv3ngers activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Note: The below mitigations are based on threat actor activity against Unitronics PLCs but apply to all internet-facing PLCs.
Network Defenders
The cyber threat actors likely accessed the affected devices—Unitronics Vision Series PLCs with HMI—by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet. To safeguard against this threat, the authoring agencies urge organizations to consider the following:
Immediate steps to prevent attack:
(Updated December 14, 2023) Upgrade devices to 9.9.00 VisiLogic software, which requires users to change the default passwords on PLCs and HMIs. Use a strong password. For more information, see Unitronics’ blog Unitronics Cybersecurity for Vision and Samba PLC Series and Release notes for VisiLogic 9.9.00.
Disconnect the PLC from the public-facing internet.
Follow-on steps to strengthen your security posture:
Implement multifactor authentication for access to the operational technology (OT) network whenever applicable.
If you require remote access, implement a firewall and/or virtual private network (VPN) in front of the PLC to control network access. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication.
Create strong backups of the logic and configurations of PLCs to enable fast recovery. Familiarize yourself with factory resets and backup deployment as preparation in the event of ransomware activity.
Keep your Unitronics and other PLC devices updated with the latest versions by the manufacturer.
Confirm third-party vendors are applying the above recommended countermeasures to mitigate exposure of these devices and all installed equipment.
In addition, the authoring agencies recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by cyber threat actors:
Reduce risk exposure. CISA offers a range of services at no cost, including scanning and testing to help organizations reduce exposure to threats via mitigating attack vectors. CISA Cyber Hygiene services can help provide additional review of organizations’ internet-accessible assets. Email vulnerability@cisa.dhs.gov with the subject line, “Requesting Cyber Hygiene Services” to get started.
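Two of the mitigations above (disconnect the PLC from the public-facing internet, and put a firewall or VPN in front of it) can be verified from the firewall's own connection logs, and the same pass can match the IP indicators from Table 1. The following is an added example and is not code from the advisory, from CISA or from Unitronics. The log line format, the PLC address, the allowlisted engineering subnet and every log line are constructed for illustration; the two IP indicators are the ones published in Table 1, refanged for matching, and TCP port 20256 is the default port the advisory names for these devices.

```python
"""Flag PLC-port exposure and Table 1 IOC hits in firewall connection logs.

Added example; not code from the advisory, CISA or Unitronics. The log
format, the PLC address, ALLOWED_SOURCES and all SAMPLE_LOG lines are
constructed. The indicators in DEFANGED_IOCS are the two IP addresses from
Table 1 of the advisory; 20256 is the default TCP port the advisory names.
"""
import re
from ipaddress import ip_address, ip_network

PLC_PORT = 20256
# Defanged indicators exactly as published in Table 1.
DEFANGED_IOCS = ["178.162.227[.]180", "185.162.235[.]206"]


def refang(indicator):
    """Turn the published '1.2.3[.]4' notation back into a matchable address."""
    return indicator.replace("[.]", ".")


IOC_IPS = {refang(i) for i in DEFANGED_IOCS}

# Constructed: the only network that may reach the PLC's programming port
# (e.g. the engineering workstation subnet behind the VPN gateway).
ALLOWED_SOURCES = [ip_network("10.50.0.0/24")]

# Constructed log format: "<timestamp> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return the parsed fields as a dict, or None for a line in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Return (alert type, source IP, destination IP) tuples for matching lines.

    'ioc-hit'          : either endpoint is a Table 1 indicator, whatever the action.
    'plc-port-exposed' : an ALLOWed TCP connection to the PLC port from a source
                         outside ALLOWED_SOURCES, i.e. the PLC is reachable from
                         somewhere the mitigations say it should not be.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as clean
        src, dst = rec["src"], rec["dst"]
        if src in IOC_IPS or dst in IOC_IPS:
            alerts.append(("ioc-hit", src, dst))
        if (rec["action"] == "ALLOW" and rec["proto"] == "TCP"
                and int(rec["dport"]) == PLC_PORT
                and not any(ip_address(src) in net for net in ALLOWED_SOURCES)):
            alerts.append(("plc-port-exposed", src, dst))
    return alerts


# Constructed sample log (RFC 5737 documentation ranges for the PLC and the
# unknown sources; not real traffic).
SAMPLE_LOG = [
    "2023-11-23T02:14:07Z ALLOW TCP 10.50.0.21:51823 -> 192.0.2.10:20256",     # engineering subnet: fine
    "2023-11-23T02:15:31Z ALLOW TCP 203.0.113.45:40112 -> 192.0.2.10:20256",   # outside source reached the PLC port
    "2023-11-23T02:16:02Z DENY TCP 198.51.100.7:44010 -> 192.0.2.10:20256",    # blocked, so no exposure
    "2023-11-23T02:17:45Z ALLOW TCP 192.0.2.10:50220 -> 178.162.227.180:443",  # outbound to a Table 1 address
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed log the pass raises one plc-port-exposed alert for the connection from 203.0.113.45 and one ioc-hit for the outbound connection to 178.162.227.180; the allowlisted workstation and the denied attempt produce nothing. An allowed connection to the PLC port from a non-allowlisted source is the condition that should no longer occur once the device is behind a firewall or VPN, so the first alert type doubles as a check that the mitigation is in place.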
Device Manufacturers
Although critical infrastructure organizations using Unitronics (including rebranded Unitronics) PLC devices can take steps to mitigate the risks, it is ultimately the responsibility of the device manufacturer to build products that are secure by design and default. The authoring agencies urge device manufacturers to take ownership of the security outcomes of their customers by following the principles in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software, primarily:
Do not ship products with default passwords. Instead, either ship products with random initial passwords or require users to change the password upon first use.
Do not expose administrative interfaces to the internet by default, and take steps to introduce friction should a device be placed in an insecure state.
Do not charge extra for basic security features needed to operate the product securely.
Support multifactor authentication, including via phishing-resistant methods.
By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources on configuration changes, tiered security software, logging and monitoring, and routine updates.
For more information on common misconfigurations and guidance on reducing their prevalence, see joint advisory NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Table 2).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESOURCES
EPA: Cybersecurity for the Water Sector
CISA: Water and Wastewater Systems Sector
CISA Alert: Exploitation of Unitronics PLCs used in Water and Wastewater Systems
CISA: Iran Cyber Threat Overview and Advisories
FBI: The Iran Threat - Web Page
CISA, MITRE: Best Practices for MITRE ATT&CK Mapping
CISA: Decider Tool
CISA: Cross-Sector Cybersecurity Performance Goals
CISA: Cyber Hygiene Services
CISA: Shifting the Balance of Cybersecurity Risk - Principles and Approaches for Secure by Design Software
CISA: Secure by Design Alert - How Software Manufacturers Can Shield Web Management Interfaces from Malicious Cyber Activity
CISA, NSA: NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
CISA: Secure by Design and Default
REPORTING
All organizations should report suspicious or criminal activity related to information in this CSA to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov.
Additionally, the WaterISAC encourages members to share information by emailing analyst@waterisac.org, calling 866-H2O-ISAC, or using the online incident reporting form. State, local, tribal, and territorial governments should report incidents to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).
REFERENCES
[1] CBS News: Municipal Water Authority of Aliquippa hacked by Iranian-backed cyber group
[2] Industrial Cyber: Digital Battlegrounds - Evolving Hybrid Kinetic Warfare
[3] Bleeping Computer: Israel's Largest Oil Refinery Website Offline After DDoS Attack
[4] Dark Reading: Website of Israeli Oil Refinery Taken Offline by Pro-Iranian Attackers
[5] X: @CyberAveng3rs
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.
VERSION HISTORY
December 1, 2023: Initial version.
December 14, 2023: Added CVE, patch information, and IOC descriptions.
Do not ship products with default passwords. Instead, either ship products with random initial passwords or require users to change the password upon first use.
Do not expose administrative interfaces to the internet by default, and take steps to introduce friction should a device be placed in an insecure state.
Do not charge extra for basic security features needed to operate the product securely.
Support multifactor authentication, including via phishing-resistant methods.
By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing tiered security software and logs, monitoring, and making routine updates.
For more information on common misconfigurations and guidance on reducing their prevalence, see joint advisory NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. For more information on secure by design, see CISA’s Secure by Design and Default webpage and joint guide.
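The four manufacturer principles above (no shared default password, no internet-exposed administrative interface by default, friction before an insecure state, security features that are not optional extras) can be expressed as device-side logic. The following is an added illustration written for this page; it is not Unitronics firmware or any real product's code, and the interface names ("lan", "wan"), the deny list, the password-strength thresholds and the PBKDF2 parameters are assumptions chosen for the example.

```python
"""Secure-by-default credential handling for an embedded controller.

Added illustration of the secure-by-design principles above; this is not
Unitronics firmware or any real product's code. Interface names, deny list
and policy thresholds are assumptions for the example.
"""
import hashlib
import hmac
import os
import secrets

MIN_PASSWORD_LEN = 12
PBKDF2_ROUNDS = 100_000
# Constructed deny list of trivially guessable values; a product would
# ship a far larger one.
DENY_LIST = {"1111", "admin", "password", "12345678", "unitronics"}


class ProvisioningRequired(Exception):
    """An operation other than a password change was attempted before the
    factory-issued password was replaced."""


class PolicyViolation(Exception):
    """A request conflicts with the device's security policy."""


def _derive(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_strength(password: str) -> None:
    """Reject short, deny-listed or low-variety passwords."""
    if len(password) < MIN_PASSWORD_LEN:
        raise PolicyViolation("password shorter than %d characters" % MIN_PASSWORD_LEN)
    if password.lower() in DENY_LIST:
        raise PolicyViolation("password is on the deny list")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        raise PolicyViolation("password needs at least three character classes")


class Controller:
    """Minimal model of a PLC/HMI management plane with secure defaults."""

    def __init__(self):
        # Per-unit random initial password instead of a shared default.
        # A product would print it on the unit label; it is kept on the
        # object here only so the example can log in with it.
        self.initial_password = secrets.token_urlsafe(12)
        self._salt = os.urandom(16)
        self._digest = _derive(self.initial_password, self._salt)
        self.password_changed = False
        # Administrative interface listens only on the OT-side port by default.
        self.admin_interfaces = {"lan"}

    def _authenticate(self, password: str) -> None:
        candidate = _derive(password, self._salt)
        if not hmac.compare_digest(candidate, self._digest):
            raise PolicyViolation("authentication failed")

    def change_password(self, current: str, new: str) -> None:
        self._authenticate(current)
        check_strength(new)
        if new == current:
            raise PolicyViolation("new password must differ from the current one")
        self._salt = os.urandom(16)
        self._digest = _derive(new, self._salt)
        self.password_changed = True

    def run_operation(self, password: str, operation: str) -> str:
        """Every management operation is gated on first-use provisioning."""
        self._authenticate(password)
        if not self.password_changed:
            raise ProvisioningRequired("change the initial password before use")
        return "%s: ok" % operation

    def expose_admin_on(self, interface: str, acknowledge_risk: bool = False) -> None:
        """Exposing the admin interface beyond the OT network is never the
        default and requires an explicit acknowledgement (friction)."""
        if interface == "wan" and not acknowledge_risk:
            raise PolicyViolation("admin interface on WAN requires explicit acknowledgement")
        self.admin_interfaces.add(interface)


def demo() -> str:
    """Walk a unit through first-use provisioning; returns the final status."""
    plc = Controller()
    try:
        plc.run_operation(plc.initial_password, "read_program")
    except ProvisioningRequired:
        pass  # expected: nothing works until the initial password is replaced
    plc.change_password(plc.initial_password, "Pump-Station7!rotate")
    return plc.run_operation("Pump-Station7!rotate", "read_program")
```

The point of the model is where the checks sit: the provisioning gate is inside `run_operation`, not in a setup wizard that can be skipped, and the WAN exposure path exists but cannot be reached silently.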
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Table 2).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
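The one technique in Table 2 is T1110 (Brute Force), so a first pass through the steps above is to put a concrete detection rule in front of authentication logs from the PLC or the VPN/firewall that fronts it and measure how it performs. The following detector is an added example for this page, not CISA's or Unitronics' code; the log line format is an assumption (the advisory publishes no device log formats) and the sample lines are constructed.

```python
"""Sliding-window detection of brute-force logins (ATT&CK T1110) against a
PLC/HMI management interface.

Added example for exercising the validation steps above; it is not CISA's
or Unitronics' code. The log format is assumed and the sample lines are
constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format:
# "<ISO timestamp> <source IP> <user> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2023-11-25T10:00:01 203.0.113.10 admin LOGIN_FAIL
2023-11-25T10:00:03 203.0.113.10 admin LOGIN_FAIL
2023-11-25T10:00:05 203.0.113.10 admin LOGIN_FAIL
2023-11-25T10:00:07 203.0.113.10 admin LOGIN_FAIL
2023-11-25T10:00:09 203.0.113.10 admin LOGIN_FAIL
2023-11-25T10:00:12 203.0.113.10 admin LOGIN_OK
2023-11-25T10:05:00 192.0.2.7 operator LOGIN_FAIL
2023-11-25T10:30:00 192.0.2.7 operator LOGIN_OK
2023-11-25T11:00:00 198.51.100.4 admin LOGIN_FAIL
2023-11-25T11:09:00 198.51.100.4 admin LOGIN_FAIL
2023-11-25T11:30:00 198.51.100.4 admin LOGIN_FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "user": m["user"], "event": m["event"]}


def detect_brute_force(log_text, threshold=5, window_minutes=10):
    """Emit one alert when a source reaches `threshold` failed logins within
    `window_minutes`, and a second, higher-severity alert if that source then
    logs in successfully (the guessing worked)."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        recent = failures[rec["src"]]
        while recent and rec["ts"] - recent[0] > window:   # age out old failures
            recent.popleft()
        if rec["event"] == "LOGIN_FAIL":
            recent.append(rec["ts"])
            if len(recent) >= threshold and rec["src"] not in flagged:
                flagged.add(rec["src"])
                alerts.append({"type": "T1110_brute_force", "src": rec["src"],
                               "user": rec["user"], "failures": len(recent),
                               "at": rec["ts"].isoformat()})
        elif rec["src"] in flagged:
            alerts.append({"type": "T1110_success_after_brute_force",
                           "src": rec["src"], "user": rec["user"],
                           "at": rec["ts"].isoformat()})
    return alerts


def flagged_sources(log_text, **kwargs):
    """Sources that crossed the failure threshold, for blocklist or triage."""
    return {a["src"] for a in detect_brute_force(log_text, **kwargs)
            if a["type"] == "T1110_brute_force"}


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

On the constructed log the default rule (5 failures in 10 minutes) fires for 203.0.113.10 and again when that source logs in successfully, ignores the single operator typo from 192.0.2.7, and misses the slow 198.51.100.4 pattern; widening the window to 30 minutes with a threshold of 3 catches it. Tuning those two parameters against your own baseline is the "analyze" and "tune" step of the procedure above.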
RESOURCES
EPA: Cybersecurity for the Water Sector
CISA: Water and Wastewater Systems Sector
CISA Alert: Exploitation of Unitronics PLCs used in Water and Wastewater Systems
CISA: Iran Cyber Threat Overview and Advisories
FBI: The Iran Threat - Web Page
CISA, MITRE: Best Practices for MITRE ATT&CK Mapping
CISA: Decider Tool
CISA: Cross-Sector Cybersecurity Performance Goals
CISA: Cyber Hygiene Services
CISA: Shifting the Balance of Cybersecurity Risk - Principles and Approaches for Secure by Design Software
CISA: Secure by Design Alert - How Software Manufacturers Can Shield Web Management Interfaces from Malicious Cyber Activity
CISA, NSA: NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
CISA: Secure by Design and Default
REPORTING
All organizations should report suspicious or criminal activity related to information in this CSA to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or IC3.gov. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov.
Additionally, the WaterISAC encourages members to share information by emailing analyst@waterisac.org, calling 866-H2O-ISAC, or using the online incident reporting form. State, local, tribal, and territorial governments should report incidents to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).
REFERENCES
CBS News: Municipal Water Authority of Aliquippa hacked by Iranian-backed cyber group
Industrial Cyber: Digital Battlegrounds - Evolving Hybrid Kinetic Warfare
Bleeping Computer: Israel's Largest Oil Refinery Website Offline After DDoS Attack
Dark Reading: Website of Israeli Oil Refinery Taken Offline by Pro-Iranian Attackers
X: @CyberAveng3rs
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.
VERSION HISTORY
December 1, 2023: Initial version.
December 14, 2023: Added CVE, patch information, and IOC descriptions.