Blog

What GAO Found The 24 reviewed federal agencies generally assigned work roles to filled and vacant positions that performed information technology (IT), cybersecurity, or cyber-related functions as required by the Federal Cybersecurity Workforce Assessment Act of 2015 (the act). However, six of the 24 agencies reported that they had not completed assigning the associated work role codes to their vacant positions, although they were required to do so by April 2018. In addition, most agencies had likely miscategorized the work roles of many positions. Specifically, 22 of the 24 agencies assigned a “non-IT” work role code to 15,779 (about 19 percent) of their IT positions within the 2210 occupational series. Further, the six agencies that GAO selected for additional review had assigned work role codes that were not consistent with the work roles and duties described in corresponding position descriptions for 63 of 120 positions within the 2210 occupational series that GAO examined (see figure). Consistency of Assigned Work Role Codes with Position Descriptions for Random Sample of IT Positions Within the 2210 Occupational Series at Six Selected Agencies Human resource and IT officials from the 24 agencies generally reported that they had not completely or accurately categorized work roles for IT positions within the 2210 occupational series, in part, because they may have assigned the associated codes in error or had not completed validating the accuracy of the assigned codes. By assigning work roles that are inconsistent with the IT, cybersecurity, and cyber-related positions, the agencies are diminishing the reliability of the information they need to improve workforce planning. The act also required agencies to identify work roles of critical need by April 2019. To aid agencies with identifying their critical needs, the Office of Personnel Management (OPM) developed guidance and required agencies to provide a preliminary report by August 2018. The 24 agencies have begun to identify critical needs and submitted a preliminary report to OPM that identified information systems security manager, IT project manager, and systems security analyst as the top three work roles of critical need. Nevertheless, until agencies accurately categorize their positions, their ability to effectively identify critical staffing needs will be impaired. Why GAO Did This Study A key component of mitigating and responding to cyber threats is having a qualified, well-trained cybersecurity workforce. The act requires OPM and federal agencies to take several actions related to cybersecurity workforce planning. These actions include categorizing all IT, cybersecurity, and cyber-related positions using OPM personnel codes for specific work roles, and identifying critical staffing needs. The act contains a provision for GAO to analyze and monitor agencies' workforce planning. GAO's objectives were to (1) determine the extent to which federal agencies have assigned work roles for positions performing IT, cybersecurity, or cyber-related functions and (2) describe the steps federal agencies took to identify work roles of critical need. GAO administered a questionnaire to 24 agencies, analyzed coding data from personnel systems, and examined preliminary reports on critical needs. GAO selected six of the 24 agencies based on cybersecurity spending levels to determine the accuracy of codes assigned to a random sample of IT positions. GAO also interviewed relevant OPM and agency officials. What GAO Recommends GAO is making 28 recommendations to 22 agencies to review and assign the appropriate codes to their IT, cybersecurity, and cyber-related positions. Of the 22 agencies to which GAO made recommendations, 20 agreed with the recommendations, one partially agreed, and one did not agree with one of two recommendations. GAO continues to believe that all of the recommendations are warranted. For more information, contact Gregory C. Wilshusen at (202) 512-6244 or This email address is being protected from spambots. You need JavaScript enabled to view it..

Joomla 3.9.4 is now available. This is a security fix release for the 3.x series of Joomla which addresses 4 security vulnerabilities and contains 28 bug fixes and improvements.

What GAO Found The United States does not have a comprehensive Internet privacy law governing the collection, use, and sale or other disclosure of consumers' personal information. At the federal level, the Federal Trade Commission (FTC) currently has the lead in overseeing Internet privacy, using its statutory authority under the FTC Act to protect consumers from unfair and deceptive trade practices. However, to date FTC has not issued regulations for Internet privacy other than those protecting financial privacy and the Internet privacy of children, which were required by law. For FTC Act violations, FTC may promulgate regulations but is required to use procedures that differ from traditional notice-and-comment processes and that FTC staff said add time and complexity. In the last decade, FTC has filed 101 enforcement actions regarding Internet privacy; nearly all actions resulted in settlement agreements requiring action by the companies. In most of these cases, FTC did not levy civil penalties because it lacked such authority for those particular violations. The Federal Communications Commission (FCC) has had a limited role in overseeing Internet privacy. From 2015 to 2017, FCC asserted jurisdiction over the privacy practices of Internet service providers. In 2016, FCC promulgated privacy rules for Internet service providers that Congress later repealed. FTC resumed privacy oversight of Internet service providers in June 2018. Stakeholders GAO interviewed had varied views on the current Internet privacy enforcement approach and how it could be enhanced. Most Internet industry stakeholders said they favored FTC's current approach—direct enforcement of its unfair and deceptive practices statutory authority, rather than promulgating and enforcing regulations implementing that authority. These stakeholders said that the current approach allows for flexibility and that regulations could hinder innovation. Other stakeholders, including consumer advocates and most former FTC and FCC commissioners GAO interviewed, favored having FTC issue and enforce regulations. Some stakeholders said a new data-protection agency was needed to oversee consumer privacy. Stakeholders identified three main areas in which Internet privacy oversight could be enhanced: Statute. Some stakeholders told GAO that an overarching Internet privacy statute could enhance consumer protection by clearly articulating to consumers, industry, and agencies what behaviors are prohibited. Rulemaking. Some stakeholders said that regulations can provide clarity, enforcement fairness, and flexibility. Officials from two other consumer protection agencies said their rulemaking authority assists in their oversight efforts and works together with enforcement actions. Civil penalty authority. Some stakeholders said FTC's Internet privacy enforcement could be more effective with authority to levy civil penalties for first-time violations of the FTC Act. Comprehensive Internet privacy legislation that establishes specific standards and includes traditional notice-and-comment rulemaking and broader civil penalty authority could enhance the federal government's ability to protect consumer privacy. Why GAO Did This Study This testimony summarizes the information contained in GAO's January 2019 report, entitled Internet Privacy: Additional Federal Authority Could Enhance Consumer Protection and Provide Flexibility (GAO-19-52). For more information, contact Alicia Puente Cackley at (202) 512-8678 or This email address is being protected from spambots. You need JavaScript enabled to view it. or Mark Goldstein at (202) 512-2834 or This email address is being protected from spambots. You need JavaScript enabled to view it..  

A report by Check Point Research has been brought to our attention relating to a security vulnerability that was patched back in December 2015. This report has also been picked up by Threat Post.

Both reports contain a great deal of inaccuracies and intimate that the vulnerability detailed is a current one.
This statement serves to clarify the facts surrounding this issue. Furthermore we would like to assure our user base that, much as these posts attempt to state that this is a current issue, the truth of the matter is far from that.

Original release date: January 24, 2019 | Last revised: February 13, 2019

Summary

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.

See the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below:

IOCs (.csv)IOCs (.stix)

Note: these files were last updated February 13, 2019, to remove the following three non-malicious IP addresses:

107.161.23.204192.161.187.200209.141.38.71

Technical Details

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.

The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.

Mitigations

NCCIC recommends the following best practices to help safeguard networks against this threat:

Original release date: January 24, 2019 | Last revised: February 13, 2019

Summary

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.

See the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below:

IOCs (.csv)IOCs (.stix)

Note: these files were last updated February 13, 2019, to remove the following three non-malicious IP addresses:

107.161.23.204192.161.187.200209.141.38.71

Technical Details

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.

The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.

Mitigations

NCCIC recommends the following best practices to help safeguard networks against this threat:

What GAO Found As GAO reported in June 2018, the Centers for Disease Control and Prevention (CDC) implemented technical controls and an information security program that were intended to safeguard the confidentiality, integrity, and availability of its information systems and information. However, GAO identified control and program deficiencies in the core security functions related to identifying risk, protecting systems from threats and vulnerabilities, detecting and responding to cyber security events, and recovering system operations (see table below). GAO made 195 recommendations to address these deficiencies. Number of GAO-Identified Technical Control and Information Security Program Deficiencies at the Centers for Disease Control and Prevention and Associated Recommendations by Core Security Function   Core security function Number of technical control deficiencies Number of technical control recommendations Number of information security program deficiencies Number of information security program recommendations Identify 0 0 5 5 Protect 85 161 1 1 Detect 8 18 3 3 Respond 1 5 1 1 Recover 0 0 1 1 Total 94 184 11 11 Source: GAO. | GAO-19-70 As of August 2018, CDC had made significant progress in resolving many of the security deficiencies by implementing 102 of 184 (about 55 percent) technical control recommendations, and partially implementing 1 of 11 information security program recommendations made in the June 2018 report. The figure shows the status of CDC's efforts to implement the 195 recommendations. Status of GAO Recommendations to the Centers for Disease Control and Prevention Additionally, CDC has created remedial action plans to implement the majority of the remaining open recommendations by September 2019. Until CDC implements these recommendations and resolves the associated deficiencies, its information systems and information will remain at increased risk of misuse, improper disclosure or modification, and destruction. Why GAO Did This Study CDC is responsible for detecting and responding to emerging health threats and controlling dangerous substances. In carrying out its mission, CDC relies on information technology systems to receive, process, and maintain sensitive data. Accordingly, effective information security controls are essential to ensure that the agency's systems and information are protected from misuse and modification. GAO was asked to examine information security at CDC. In June 2018, GAO issued a limited official use only report on the extent to which CDC had effectively implemented technical controls and an information security program to protect the confidentiality, integrity, and availability of its information on selected information systems. This current report is a public version of the June 2018 report. In addition, for this public report, GAO determined the extent to which CDC has taken corrective actions to address the previously identified security program and technical control deficiencies and related recommendations for improvement. For this report, GAO reviewed supporting documents regarding CDC's actions on previously identified recommendations and interviewed personnel at CDC. For more information, contact Gregory C. Wilshusen at (202) 512-6244 or This email address is being protected from spambots. You need JavaScript enabled to view it., or Dr. Nabajyoti Barkakati at (202) 512-4499 or This email address is being protected from spambots. You need JavaScript enabled to view it..

Original release date: December 3, 2018

Summary

The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) are issuing this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A. Specifically, this product shares analysis of vulnerabilities that cyber actors exploited to deploy this ransomware. In addition, this report provides recommendations for prevention and mitigation.

The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominately in the United States, but also internationally. Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.

The actors exploit Windows servers to gain persistent access to a victim’s network and infect all reachable hosts. According to reporting from victims in early 2016, cyber actors used the JexBoss Exploit Kit to access vulnerable JBoss applications. Since mid-2016, FBI analysis of victims’ machines indicates that cyber actors use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks. Typically, actors either use brute force attacks or stolen login credentials. Detecting RDP intrusions can be challenging because the malware enters through an approved access point.

After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.

Analysis of tools found on victims’ networks indicated that successful cyber actors purchased several of the stolen RDP credentials from known darknet marketplaces. FBI analysis of victims’ access logs revealed that the SamSam actors can infect a network within hours of purchasing the credentials. While remediating infected systems, several victims found suspicious activity on their networks unrelated to SamSam. This activity is a possible indicator that the victims’ credentials were stolen, sold on the darknet, and used for other illegal activity.

Original release date: December 3, 2018

Summary

The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) are issuing this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A. Specifically, this product shares analysis of vulnerabilities that cyber actors exploited to deploy this ransomware. In addition, this report provides recommendations for prevention and mitigation.

The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominately in the United States, but also internationally. Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.

The actors exploit Windows servers to gain persistent access to a victim’s network and infect all reachable hosts. According to reporting from victims in early 2016, cyber actors used the JexBoss Exploit Kit to access vulnerable JBoss applications. Since mid-2016, FBI analysis of victims’ machines indicates that cyber actors use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks. Typically, actors either use brute force attacks or stolen login credentials. Detecting RDP intrusions can be challenging because the malware enters through an approved access point.

After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.

Analysis of tools found on victims’ networks indicated that successful cyber actors purchased several of the stolen RDP credentials from known darknet marketplaces. FBI analysis of victims’ access logs revealed that the SamSam actors can infect a network within hours of purchasing the credentials. While remediating infected systems, several victims found suspicious activity on their networks unrelated to SamSam. This activity is a possible indicator that the victims’ credentials were stolen, sold on the darknet, and used for other illegal activity.

Original release date: November 27, 2018

Systems Affected

Microsoft Windows

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as "3ve"—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.

Description

Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Protocol-hijacked IP addresses. 

Boaxxe/Miuref Malware

Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.

Kovter Malware

Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites. When the counterfeit webpage is loaded in the hidden browser, requests are made for ads to be placed on these counterfeit pages. The infected machine receives the ads and loads them into the hidden browser.

Original release date: November 27, 2018

Systems Affected

Microsoft Windows

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as "3ve"—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.

Description

Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Protocol-hijacked IP addresses. 

Boaxxe/Miuref Malware

Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.

Kovter Malware

Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites. When the counterfeit webpage is loaded in the hidden browser, requests are made for ads to be placed on these counterfeit pages. The infected machine receives the ads and loads them into the hidden browser.

Original release date: October 11, 2018

Summary

This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States.[1][2][3][4][5]

In it we highlight the use of five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world. The five tools are:

Remote Access Trojan: JBiFrostWebshell: China ChopperCredential Stealer: MimikatzLateral Movement Framework: PowerShell EmpireC2 Obfuscation and Exfiltration: HUC Packet Transmitter

To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network.

The individual tools we cover in this report are limited examples of the types of tools used by threat actors. You should not consider this an exhaustive list when planning your network defense.

Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organized criminals, to amateur cyber criminals.

Original release date: October 11, 2018

Summary

This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States.[1][2][3][4][5]

In it we highlight the use of five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world. The five tools are:

Remote Access Trojan: JBiFrostWebshell: China ChopperCredential Stealer: MimikatzLateral Movement Framework: PowerShell EmpireC2 Obfuscation and Exfiltration: HUC Packet Transmitter

To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network.

The individual tools we cover in this report are limited examples of the types of tools used by threat actors. You should not consider this an exhaustive list when planning your network defense.

Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organized criminals, to amateur cyber criminals.

Original release date: October 3, 2018

Systems Affected

Network Systems

Overview

The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs). Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.

This Technical Alert (TA) provides information and guidance to assist MSP customer network and system administrators with the detection of malicious activity on their networks and systems and the mitigation of associated risks. This TA includes an overview of TTPs used by APT actors in MSP network environments, recommended mitigation techniques, and information on reporting incidents.

Description

MSPs provide remote management of customer IT and end-user systems. The number of organizations using MSPs has grown significantly over recent years because MSPs allow their customers to scale and support their network environments at a lower cost than financing these resources internally. MSPs generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk.

Using an MSP significantly increases an organization’s virtual enterprise infrastructure footprint and its number of privileged accounts, creating a larger attack surface for cyber criminals and nation-state actors. By using compromised legitimate MSP credentials (e.g., administration, domain, user), APT actors can move bidirectionally between an MSP and its customers’ shared networks. Bidirectional movement between networks allows APT actors to easily obfuscate detection measures and maintain a presence on victims’ networks.

Original release date: October 3, 2018

Systems Affected

Network Systems

Overview

The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs). Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.

This Technical Alert (TA) provides information and guidance to assist MSP customer network and system administrators with the detection of malicious activity on their networks and systems and the mitigation of associated risks. This TA includes an overview of TTPs used by APT actors in MSP network environments, recommended mitigation techniques, and information on reporting incidents.

Description

MSPs provide remote management of customer IT and end-user systems. The number of organizations using MSPs has grown significantly over recent years because MSPs allow their customers to scale and support their network environments at a lower cost than financing these resources internally. MSPs generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk.

Using an MSP significantly increases an organization’s virtual enterprise infrastructure footprint and its number of privileged accounts, creating a larger attack surface for cyber criminals and nation-state actors. By using compromised legitimate MSP credentials (e.g., administration, domain, user), APT actors can move bidirectionally between an MSP and its customers’ shared networks. Bidirectional movement between networks allows APT actors to easily obfuscate detection measures and maintain a presence on victims’ networks.

Original release date: October 3, 2018

Systems Affected

Network Systems

Overview

This technical alert addresses the exploitation of trusted network relationships and the subsequent illicit use of legitimate credentials by Advanced Persistent Threat (APT) actors. It identifies APT actors' tactics, techniques, and procedures (TTPs) and describes the best practices that could be employed to mitigate each of them. The mitigations for each TTP are arranged according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework core functions of Protect, Detect, Respond, and Recover.

Description

APT actors are using multiple mechanisms to acquire legitimate user credentials to exploit trusted network relationships in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted organizations. Suggested best practices for administrators to mitigate this threat include auditing credentials, remote-access logs, and controlling privileged access and remote access.

Impact

APT actors are conducting malicious activity against organizations that have trusted network relationships with potential targets, such as a parent company, a connected partner, or a contracted managed service provider (MSP). APT actors can use legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations, while appearing to be authorized users. Leveraging legitimate credentials to exploit trusted network relationships also allows APT actors to access other devices and other trusted networks, which affords intrusions a high level of persistence and stealth.

Solution

Recommended best practices for mitigating this threat include rigorous credential and privileged-access management, as well as remote-access control, and audits of legitimate remote-access logs. While these measures aim to prevent the initial attack vectors and the spread of malicious activity, there is no single proven threat response.

Original release date: October 3, 2018

Systems Affected

Network Systems

Overview

This technical alert addresses the exploitation of trusted network relationships and the subsequent illicit use of legitimate credentials by Advanced Persistent Threat (APT) actors. It identifies APT actors' tactics, techniques, and procedures (TTPs) and describes the best practices that could be employed to mitigate each of them. The mitigations for each TTP are arranged according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework core functions of Protect, Detect, Respond, and Recover.

Description

APT actors are using multiple mechanisms to acquire legitimate user credentials to exploit trusted network relationships in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted organizations. Suggested best practices for administrators to mitigate this threat include auditing credentials, remote-access logs, and controlling privileged access and remote access.

Impact

APT actors are conducting malicious activity against organizations that have trusted network relationships with potential targets, such as a parent company, a connected partner, or a contracted managed service provider (MSP). APT actors can use legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations, while appearing to be authorized users. Leveraging legitimate credentials to exploit trusted network relationships also allows APT actors to access other devices and other trusted networks, which affords intrusions a high level of persistence and stealth.

Solution

Recommended best practices for mitigating this threat include rigorous credential and privileged-access management, as well as remote-access control, and audits of legitimate remote-access logs. While these measures aim to prevent the initial attack vectors and the spread of malicious activity, there is no single proven threat response.

Original release date: October 2, 2018 | Last revised: December 21, 2018

Systems Affected

Retail Payment Systems

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Department of the Treasury (Treasury), and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS, Treasury, and FBI identified malware and other indicators of compromise (IOCs) used by the North Korean government in an Automated Teller Machine (ATM) cash-out scheme—referred to by the U.S. Government as “FASTCash.” The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using the IOCs listed in this report to maintain a presence on victims’ networks to enable network exploitation. DHS, FBI, and Treasury are distributing these IOCs to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This TA also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the malware families associated with FASTCash, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.

NCCIC conducted analysis on 10 malware samples related to this activity and produced a Malware Analysis Report (MAR). MAR-10201537, HIDDEN COBRA FASTCash-Related Malware, examines the tactics, techniques, and procedures observed in the malware. Visit the MAR-10201537 page for the report and associated IOCs.

Original release date: October 2, 2018 | Last revised: December 21, 2018

Systems Affected

Retail Payment Systems

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Department of the Treasury (Treasury), and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS, Treasury, and FBI identified malware and other indicators of compromise (IOCs) used by the North Korean government in an Automated Teller Machine (ATM) cash-out scheme—referred to by the U.S. Government as “FASTCash.” The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using the IOCs listed in this report to maintain a presence on victims’ networks to enable network exploitation. DHS, FBI, and Treasury are distributing these IOCs to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This TA also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the malware families associated with FASTCash, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.

NCCIC conducted analysis on 10 malware samples related to this activity and produced a Malware Analysis Report (MAR). MAR-10201537, HIDDEN COBRA FASTCash-Related Malware, examines the tactics, techniques, and procedures observed in the malware. Visit the MAR-10201537 page for the report and associated IOCs.

Original release date: July 20, 2018

Systems Affected

Network Systems

Overview

Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.

This joint Technical Alert (TA) is the result of Multi-State Information Sharing & Analysis Center (MS-ISAC) analytic efforts, in coordination with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC).

Description

Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.

Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.