Increased Threats to Managed Service Providers

May 17, 2022

Industry: Technology | Level: Strategic | Source: CISA

The Five Eyes intelligence alliance (the United States, United Kingdom, Australia, Canada, and New Zealand) has issued a warning to managed service providers (MSPs). As stated in the advisory, “Whether the customer’s network environment is on-premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects. The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships. For example, threat actors successfully compromising an MSP could enable follow-on activity—such as ransomware and cyber espionage—against the MSP as well as across the MSP’s customer base.” The agencies have not named specific targets, mentioning only reports of an increase in cyber activity against MSPs. Their recommendations urge hardening defenses, including reinforcing public-facing applications, enabling and improving logging, implementing MFA, segmenting networks, applying the principle of least privilege, deprecating obsolete accounts and systems, updating systems, and creating regular backups of data.

Vigilance for Critical Infrastructure Defense

April 26, 2022

Industry: Critical Infrastructure | Level: Strategic | Source: Defense.gov

A joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), together with Australia, Canada, New Zealand, and the United Kingdom, urges critical infrastructure operators to remain alert to cyber activity from Russia. As the conflict continues to impact Russia’s economy, intelligence continues to point towards the Russian government exploring options for cyberattacks. The advisory calls for vigilance: “U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities urge critical infrastructure network defenders to prepare for and mitigate potential cyber threats—including destructive malware, ransomware, DDoS attacks, and cyber espionage—by hardening their cyber defenses and performing due diligence in identifying indicators of malicious activity.”

CISA Warns of Cybercriminals Targeting Industrial Control Systems

April 19, 2022

Multiple United States government agencies, including the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), have issued an advisory warning of potential attacks by advanced persistent threat (APT) groups targeting industrial control systems.

North Korean APT Groups Target Blockchain and Cryptocurrency Companies

April 19, 2022

Industry: Blockchain, Cryptocurrency | Level: Tactical | Source: CISA

The Cybersecurity and Infrastructure Security Agency (CISA), in a joint advisory with the Federal Bureau of Investigation (FBI) and the U.S. Treasury Department (Treasury), warns that North Korean state-sponsored advanced persistent threat (APT) groups are targeting organizations in blockchain technology and cryptocurrency. The APT groups include Lazarus Group, APT38, BlueNoroff, and Stardust Chollima. Their campaigns use social engineering to lure victims on Windows or macOS into downloading trojanized cryptocurrency applications; phishing themes have included lucrative job opportunities. Once the malicious application is executed, the actors gain a foothold on the victim’s host and propagate through the environment to steal credentials, exploit additional security gaps, and/or initiate fraudulent transactions. The United States government refers to the campaigns with malicious cryptocurrency applications as “TraderTraitor”: “The term TraderTraitor describes a series of malicious applications written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework. The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools. TraderTraitor campaigns feature websites with modern design advertising the alleged features of the applications.”

  • Anvilogic Use Cases:
    • AVL_UC1053 – Web Application File Upload
    • AVL_UC1029 – Wscript/Cscript Execution
    • AVL_UC1040 – Executable File Written to Disk
    • AVL_UC1043 – Command and Control Detection

Energy Sector Targeted by Russian Cyber Actors

March 29, 2022

Industry: Energy | Level: Tactical | Source: Justice.Gov

A joint effort by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE) shares information about Russian state-sponsored hackers who conducted various threat campaigns against the energy sector from 2011 to 2018. The responsible threat actor, the FSB (also tracked as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala), targeted energy sector organizations in the United States and internationally. The United States Department of Justice (DOJ) has indicted four Russian nationals, employed by the Russian government, for their involvement in hacking campaigns against the global energy sector between 2021 and 2018. One of the primary malware families used in the campaign was Havex. The actor’s tactics shifted from spear-phishing campaigns in 2013 to compromising third-party entities associated with the target in 2016. A summarized attack chain shared by CISA states, “after obtaining access to the U.S. Energy Sector networks, the actor conducted network discovery, moved laterally, gained persistence, then collected and exfiltrated information pertaining to ICS from the enterprise, and possibly operational technology (OT), environments. Exfiltrated information included: vendor information, reference documents, ICS architecture, and layout diagrams.” Various tactics, techniques, and procedures are referenced in the CISA advisory, with applicable detections from Anvilogic provided below.

  • Anvilogic Use Cases:
    • Suspicious Email Attachment
    • Document Execution
    • Common Reconnaissance Commands
    • Common Active Directory Commands
    • Potential Web Shell
    • New AutoRun Registry Key
    • Rare remote thread
    • Create/Modify Schtasks
    • RDP Connection
    • RDP Enabled
    • Windows External Remote Login
    • Windows Firewall Disabled
    • Remote Admin Tools
    • Common LSASS Memory Dump Behavior
    • Command Line lsass request
    • Locate Credentials
    • NTDSUtil.exe execution
    • Clear Windows Event Logs
    • Suspicious Registry Key Deleted
    • Native Archive Commands
    • Utility Archive Data

White House Statement to Harden Cybersecurity

March 25, 2022

March 22nd, 2022: White House Statement to Harden Cybersecurity

Industry: Critical Infrastructure Security | Level: Strategic | Source: WhiteHouse.gov

United States President Joe Biden continues to emphasize the importance of active vigilance for cyber activity given the ongoing conflict between Russia and Ukraine. The warning comes from a White House statement: “I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook. Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.” Actions taken to strengthen cyber defenses have included additional cybersecurity measures for the Federal Government and various critical infrastructure sectors. Following the alerts and guidance from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is the best way to stay organized and informed.

Russian State-Sponsored Cyber Actors Exploit “PrintNightmare”

March 22, 2022

Industry: N/A | Level: Tactical | Source: CISA

A joint advisory released by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) identifies Russian state-sponsored actors who compromised a non-governmental organization (NGO) in May 2021. The threat actors abused a default MFA configuration in Duo using a compromised account that was inactive but not disabled in Active Directory; the problematic default is the “re-enrollment of a new device for dormant accounts,” which let the actors enroll their own device for the dormant account. The actors then ran arbitrary code with SYSTEM privileges by exploiting the Windows Print Spooler vulnerability “PrintNightmare” (CVE-2021-34527). Another notable technique observed: “the actors also modified a domain controller file, c:\windows\system32\drivers\etc\hosts, redirecting Duo MFA calls to localhost instead of the Duo server [T1556]. This change prevented the MFA service from contacting its server to validate MFA login—this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to ‘Fail open’ if the MFA server is unreachable.” Afterwards, the threat actors largely used native Windows tools to conduct reconnaissance, modify the registry, collect files, and steal credentials.

  • Anvilogic Use Cases:
    • Rare dll called by Spoolsv.exe
    • Suspicious Spool Authentication
    • Windows External Remote Login
    • Utility Archive Data
    • Locate Credentials
    • NTDSUtil.exe execution
    • Tunnel connection on local host
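The hosts-file tampering quoted above is simple to check for from the defender's side. The script below is an added illustration, not part of the CISA advisory or Anvilogic's detection content: it parses hosts-file text and flags any entry that maps a Duo API hostname (the `*.duosecurity.com` suffix is the only thing relied on) to a loopback or unspecified address, which is exactly the condition that makes a fail-open MFA client skip validation. The hosts content and the `api-abcd1234` label are constructed for the demo.

```python
"""Detect hosts-file entries that redirect Duo MFA API calls to a sinkhole address.

Added example (not from the CISA advisory or Anvilogic). The advisory describes
actors editing c:\\windows\\system32\\drivers\\etc\\hosts on a domain controller so
that Duo API calls resolve to localhost; with the client in its default fail-open
mode, MFA is then effectively disabled. This check flags such entries.
"""
import ipaddress

# Assumption: Duo API endpoints share this DNS suffix; the per-tenant prefix varies.
DUO_SUFFIX = ".duosecurity.com"


def parse_hosts(text):
    """Return (address, [hostnames], line_no) for each non-comment, non-blank line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                       # address with no hostname; ignore
            continue
        entries.append((parts[0], parts[1:], line_no))
    return entries


def is_sinkhole_address(addr):
    """True for loopback (127/8, ::1) or unspecified (0.0.0.0, ::) addresses.

    Traffic sent to these will never reach the Duo service, so an entry mapping a
    Duo hostname here breaks server validation rather than merely redirecting it.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                           # not an IP literal at all
        return False
    return ip.is_loopback or ip.is_unspecified


def find_duo_redirects(text):
    """Return one finding per hosts entry that sinkholes a Duo hostname."""
    findings = []
    for addr, names, line_no in parse_hosts(text):
        for name in names:
            if name.lower().endswith(DUO_SUFFIX) and is_sinkhole_address(addr):
                findings.append({"line": line_no, "address": addr, "hostname": name})
    return findings


# Constructed sample hosts file (the Duo hostname prefix is a placeholder).
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
10.0.5.20       fileserver.corp.example
127.0.0.1       api-abcd1234.duosecurity.com   # Duo API pointed at loopback
0.0.0.0         api-abcd1234.duosecurity.com
"""

if __name__ == "__main__":
    for f in find_duo_redirects(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['hostname']} -> {f['address']} "
              "(Duo API sinkholed; a fail-open client would skip MFA validation)")
```

Running this against the hosts file of every domain controller on a schedule, and alerting on any change to that file at all, covers the technique regardless of which address the actor chooses; the advisory's complementary mitigation is to configure the MFA client to fail closed so that an unreachable Duo service denies the login instead of permitting it.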

Cyber Incident Reporting Bill

March 15, 2022

Industry: Critical Infrastructure | Level: Strategic | Source: TheRecord

As reported by TheRecord, the United States Senate has approved legislation requiring that “critical infrastructure operations alert the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a breach and 24 hours if the organization pays a ransom.” The bill has been sent to United States President Joe Biden and is expected to be signed. As stated by CISA Director Jen Easterly, the legislation would provide intelligence advantages, since CISA will use “these reports from our private sector partners [...] to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure.”

CISA Update on Conti Ransomware

March 15, 2022

Industry: N/A | Level: Tactical | Source: CISA

The Cybersecurity & Infrastructure Security Agency (CISA) has updated alert AA21-265A, which tracks Conti ransomware, with new indicators of compromise (IOCs) associated with the group. The most prevalent attack vectors the agency warns of for Conti include the use of Trickbot and Cobalt Strike. The Conti group has impacted over 1,000 organizations in the U.S. and internationally. A variety of techniques have been observed from the ransomware group, with initial access typically obtained through phishing emails or stolen accounts. Post-compromise techniques provided by CISA include RDP brute force attacks, Kerberos attacks, running discovery commands to enumerate the network, spreading via SMB, stopping services, and deleting shadow copies.

  • Anvilogic Use Cases:
    • RDP Brute-force Detection
    • Kerberos RC4 Encrypted Tickets
    • Common Reconnaissance Commands
    • Windows Share Multiple File Access
    • Service Stop Commands
    • Inhibit System Recovery Commands

CISA Advisory – BlackByte Ransomware

February 22, 2022

Industry: Financial, Food and Government | Level: Tactical | Source: IC3

The Cybersecurity & Infrastructure Security Agency (CISA) has issued an advisory on the BlackByte Ransomware as a Service (RaaS) group. The group’s activities since November 2021 have been disruptive and high-impact: “BlackByte ransomware has compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture).” Techniques used by the group include webshells, scheduled tasks, modifying registry keys, and manipulating services (including Windows Defender) and shadow copies.

  • Anvilogic Scenario: BlackByte Behaviors
  • Anvilogic Use Cases:
    • Potential Web Shell
    • Create/Modify Schtasks
    • Encoded Powershell Command
    • Registry key added with reg.exe
    • Service Stop Commands
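Both the Conti update and the BlackByte advisory above list service stopping and shadow-copy deletion among the post-compromise behaviours, and both have matching Anvilogic use cases (Service Stop Commands, Inhibit System Recovery Commands). The script below is an added example of what such detection logic looks like; it is not Anvilogic's or CISA's code. It scans process-creation style log lines in a simplified, constructed `timestamp host user image command_line` format, tags matches with the MITRE ATT&CK techniques T1489 (Service Stop) and T1490 (Inhibit System Recovery), and correlates findings per host, since both techniques appearing on one host in a short window is a much stronger ransomware-precursor signal than either alone. The sample log lines are constructed for the demo.

```python
"""Flag post-compromise commands common to the Conti and BlackByte write-ups.

Added example (not Anvilogic's detection content or CISA's). Input is a list of
constructed process-creation log lines; output is a list of structured findings
plus a per-host correlation of which techniques were seen.
"""
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "ts host user technique command")

# (technique label, case-insensitive regex over the command line). Patterns are kept
# narrow on purpose: "vssadmin list shadows" or "net use" are routine and must not fire.
RULES = [
    ("T1490 Inhibit System Recovery",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("T1490 Inhibit System Recovery",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1490 Inhibit System Recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1489 Service Stop",
     re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\b", re.I)),
]

# Constructed log format: ISO timestamp, host, user, image path, then the command line.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<image>\S+)\s+(?P<cmd>.*)$")


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit the format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Return a Finding for every line whose command line matches a rule."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for technique, pattern in RULES:
            if pattern.search(rec["cmd"]):
                findings.append(Finding(rec["ts"], rec["host"], rec["user"], technique, rec["cmd"]))
                break                         # one finding per line is enough for triage
    return findings


def correlate_by_host(findings):
    """Map each host to the set of technique labels observed on it."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.technique)
    return dict(by_host)


def high_confidence_hosts(findings):
    """Hosts showing both recovery inhibition and service stopping: treat as ransomware staging."""
    both = {"T1489 Service Stop", "T1490 Inhibit System Recovery"}
    return sorted(h for h, techs in correlate_by_host(findings).items() if both <= techs)


# Constructed sample telemetry: WS01 shows a staging sequence, WS02 shows benign admin use.
SAMPLE_LOG = [
    "2022-03-14T02:11:07Z WS01 CORP\\svc_backup C:\\Windows\\System32\\cmd.exe cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    "2022-03-14T02:11:09Z WS01 CORP\\svc_backup C:\\Windows\\System32\\wbem\\WMIC.exe wmic shadowcopy delete",
    "2022-03-14T02:11:12Z WS01 CORP\\svc_backup C:\\Windows\\System32\\net.exe net stop WinDefend",
    "2022-03-14T02:11:30Z WS01 CORP\\svc_backup C:\\Windows\\System32\\bcdedit.exe bcdedit /set {default} recoveryenabled no",
    "2022-03-14T09:00:00Z WS02 CORP\\jdoe C:\\Windows\\System32\\vssadmin.exe vssadmin list shadows",
    "2022-03-14T09:05:00Z WS02 CORP\\jdoe C:\\Windows\\System32\\net.exe net use Z: \\\\fs01\\share",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.user} [{f.technique}] {f.command}")
    print("high-confidence hosts:", high_confidence_hosts(SAMPLE_LOG and scan(SAMPLE_LOG)))
```

In a real pipeline the command-line field would come from Sysmon event 1 or Windows Security event 4688 rather than this constructed format, and the correlation window would be bounded in time; the rule set is deliberately small so that each regex can be reasoned about and tuned against the environment's own backup and administration tooling.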