Warning AA20296A

Table of contents

What is warning AA20296A?

Warning (AA20296A) - State-sponsored Russian APT hackers compromise US government targets.

Summary

This cybersecurity advisory, written by the FBI and CISA, provides information on Russian state-sponsored APT hackers actively threatening various networks within the U.S. government and aviation sectors. This advisory is an update to Cybersecurity Advisory AA20-283A, also written by CISA and FBI.

As has now become known, the aforementioned Russian hackers (also known as Berserk Bear, Energetik Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala) have been conducting a campaign against various targets in the U.S. since at least September 2020. The hackers have attacked a variety of targets inside the U.S. government sector and the Federal Aviation Administration, attempted to penetrate various SLTT organizations, successfully compromised network infrastructure, and, as of
October 1, 2020, retrieved data from at least two servers.

In the process, the hackers obtained user and admin credentials that would allow them to set up initial access, move around within the network and locate high-value ciles. In at least one attack on a network, they gained access to documents related to the following areas:

  • Sensitive network configurations and passwords
  • Standard operating procedures (SOP), such as information about multi-factor authentication.
  • IT instructions, such as instructions for resetting the password
  • Seller and purchase information
  • The printing of security badges

To date (October 22, 2020), the FBI and CISA have no information that the attackers have targeted aviation, education, election, or government operations. However, the attackers may be attempting to gain access to influence such operations in the future, such as U.S. policy and action, or to sabotage SLTT government agencies.

The latest activities targeted the SLTT network, which is why it can be assumed that election records located on the SLTT network could also have been affected. However, both the FBI and CISA have no evidence that the integrity of election data has been compromised. Due to the heightened scrutiny of everything election-related and the attacks on the SLTT network, the FBI and CISA are on high alert and will continue to monitor all activity.

 

You have a security incident?
Trust our certified IT forensic experts when anomalies occur.
Request Now

Technical details

According to FBI and CISA observations, the ATP attackers compromised SLTT networks and aviation sectors. The APTs use Turkish IP addresses
213.74.101[.]65, 213.74.139[.]196, and 212.252.30[.]170 to connect to victims' web servers for their attack. (Exploit Public Facing Application [T1190]).

The attackers use 213.74.101[.]65, 213.74.139[.]196 to perform prey force logins, and also in many cases to perform SQL injection on the victim sites (brute force [T1110]; exploit public facing application [T1190]). Furthermore, domains were hosted that targeted the aviation sector, among others columbusairports.microsoftonline[.]host, resolving IP 108.177.235[.]92 and [cityname].westus2.cloudapp.azure.com; These domains are registered in the U.S. and are likely targets in an attack on the SLTT sector (Drive-By Compromise [T1189]).

The attackers are scanning for vulnerabilities in Citrix and Microsoft Exchange Service and have identified vulnerable systems, likely to compromise them in future attacks. The attackers are exploiting a Citrix Directory vulnerability (CVE-2019-19781) and a Microsoft Exchange remote code execution bug (CVE-2020-0688).

The APTs were observed establishing connections via Cisco AnyConnect SSL VPN to enable remote logins on at least one network, likely by exploiting an SMTP vulnerability (CVE 2019-10149) (External Remote Services [T1133]). More recently, attackers exploited a Fortinet VPN vulnerability (CVE-2018-13379) to gain initial access [TA0001] and a Windows Netlog vulnerability (CVE-2020-1472) to gain access to Windows AD Server to perform privilege escalation [TA0004] within the network (Valid Accounts [T1078]). These vulnerabilities can also be used to compromise other devices on the network (Lateral Movement [TA0008]) and Persist [TA0003]).

Between early February and mid-September, the attackers used IPs 213.74.101[.]65, 212.252.30[.]170, 5.196.167[.]184, 37.139.7[.]16, 149.56.20[.]55, 91.227.68[.]97, and 5.45.119[.]124 to attack U.S. government networks. Successful authentications - including on Microsoft Office 365 (O365) accounts - were registered on at least one network (Valid Accounts [T1078]).

Containment and mitigation indicators of compromise

The attackers used the following IP addresses and domains for their attacks:

  • 213.74.101[.]65
  • 213.74.139[.]196
  • 212.252.30[.]170
  • 5.196.167[.]184
  • 37.139.7[.]16
  • 149.56.20[.]55
  • 91.227.68[.]97
  • 138.201.186[.]43
  • 5.45.119[.]124
  • 193.37.212[.]43
  • 146.0.77[.]60
  • 51.159.28[.]101
  • columbusairports.microsoft online[.]host
  • microsoftonline[.]host
  • email.microsoftonline[.]services
  • microsoftonline[.]services
  • cityname[.]westus2. cloudapp.azure.com

The IP address 51.159.28[.]101 appears to be configured to receive stolen
credentials from Windows NTLM. FBI and CISA therefore advise companies and
organizations to take measures to prevent the risk of NTLM
credentials leak. Therefore, it is advised to disable the NTLM service, restrict
or outgoing NTLM data. Also, consider blocking the IP address 51.159.28[.]101 (this is not a 100% solution, as it is assumed that the attackers will set up more entry points, or have already done so). Furthermore, SMB or WebDAV activity leaving the network to other IP addresses should also be monitored.

See AA20-296A.stix for a download of IOCs.

Network Defense-in-Depth

Proper network defense-in-depth and adherence to information security policies helps prevent the risk. The following guidance is intended to help make networks more secure from such attacks.

  • It is advised to keep all applications up to date, paying special attention to frontend applications, as well as remote access applications, to counter CVE-2019-19781, CVE-2020-0688, CVE 2019-10149, CVE-2018-13379, and CVE-2020-1472. See Table 1 for patch information about these CVEs.
Patch table

 

VulnerabilityProducts at riskPatch information
CVE-2019-19781
  • Citrix Application Delivery Controller
  • Citrix Gateway
  • Citrix SDWAN WANOP
CVE-2020-0688
  • Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30
  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2016 Cumulative Update 14
  • Microsoft Exchange Server 2016 Cumulative Update 15
  • Microsoft Exchange Server 2019 Cumulative Update 3
  • Microsoft Exchange Server 2019 Cumulative Update 4
CVE-2019-10149
  • Exim versions 4.87-4.91
CVE-2018-13379
  • FortiOS 6.0: 6.0.0 to 6.0.4
  • FortiOS 5.6: 5.6.3 to 5.6.7
  • FortiOS 5.4: 5.4.6 to 5.4.12
CVE-2020-1472
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)
  • Follow Microsoft's guidance on monitoring activities related to the Netlogon vulnerability (CVE-2020-1472)
  • As far as possible, it is advisable to prevent all external communications running over SMB (or similar protocols) by blocking TCP ports 139 and 445 and UDP port 137. More information in the CISA Guide SMB Security Best Practices
  • Implement prevention, detection, and containment strategies described in more detail below:
    • CISA Alert TA15-314A - Compromised Web Servers and Web Shells - Threat Awareness and Guidance
    • NSA's cybersecurity fact sheet U/OO/134094-20 - Detect and Prevent Web Shells Malware.
  • Isolate outbound services in a DMZ, as they are more exposed to attacks; enable logging and monitor logs for signs of attacks
  • Establish a training mechanism to educate end users on proper email and web usage, highlight current information and analysis, and identify common indicators of phishing. Provide end users with clear instructions on how to report unusual or suspicious emails.
  • Implement application controls to allow execution only from specific application directories. System administrators can implement this using Microsoft Software Restriction Policy, AppLocker, or similar software. Secure defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86) and WINDOWS folders. All other locations should not be allowed.
  • Block RDP connections originating from untrusted external addresses.

Comprehensive account resets

For accounts where NTLM hashes or Kerberos tickets may have already been compromised (e.g., by CVE-2020-1472), a double password reset may be required to prevent further access. For domain admin credentials, a reset of the KRB-TGT "Golden Tickets" may be necessary. Microsoft has already provided a guide for this. Such a reset must be performed with great care.

If there is a compromise of netlogon activities (CVE-2020-1472) or other indicators of credential misuse, then it must be assumed that ATP has compromised the AD admin accounts.
In such a case, the AD forest must not be trusted completely, and therefore a new forest must be used. Existing hosts of the old, compromised forest cannot be migrated without being remounted on the new domain. In this case, through "Creative Destruction", the endpoints in the old forest must be decommissioned, and new ones can be created in the new forest. This must be done both on-premises and in Azure hosted AD instances.

Note that a complete reset of AD Forests is very difficult and complex, it is best to perform this task under the supervision of professionals who already have experience.

It is important that a complete password reset is performed on all users and computer accounts in the AD forest. The following points serve as a guide

  • Create a temporary admin account, and use this account for administrative purposes only.
  • Reset the Kerberos ticket granting ticket (krbtgt). [1] This must be done before any further steps are taken.
  • Wait until the krbtgt reset has arrived at all domain controllers. (The time may vary)
  • Reset all account passwords (passwords should contain at least 15 characters or more):
    • User accounts (enforced, without reusing legacy passwords)
    • Local accounts on hosts (including local accounts not covered by LASP.
    • Official accounts
    • Directory Services Recovery Mode (DSRM) Account
    • Domain Control System
    • Application passwords
  • Reset the krbtgt password again
  • Wait until the krbtgt reset has arrived at all domain controllers. (The time may vary)
  • Restart the domain controller
  • Restart all endpoints

The following accounts should be reset:

  • AD Kerberos Authenticator Master (2x)
  • All Active Directory accounts
  • All AD Admin accounts
  • All AD Servie accounts
  • All AD user accounts
  • DSRM account of the domain controller
  • Non-AD Privileged Accounts
  • Non-AD Unprivileged Application Accounts
  • Non-Windows Privileged Accounts
  • Non-Windows user accounts
  • Windows Computer Accounts
  • Windows Local Admin

VPN vulnerabilities

Implement the following recommendations for VPN security:

  • Update VPNs, network infrastructure devices, and devices used to remotely access work environments with the latest software patches and security configurations. See the CISA tip Understanding Patches and Software Updates and Securing Network Infrastructure Devices. If possible, enable automatic updates.
  • Implement MFA on all VPN connections to increase security. Physical security tokens are the most secure form of MFA, followed by MFA based on authentication applications. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require strong passwords from affected employees.

Turn off unused VPN servers. Reduce your organization's attack surface by turning off unused VP servers that can serve as entry points for attackers. Protect your organization from VPN vulnerabilities:

  • Audit configuration and patch management programs
  • Monitor network traffic for unexpected and unauthorized protocols, especially outbound protocols to the Internet (e.g., SSH, SMB, RDP). Implement MFA, especially for privileged accounts.
  • Use of separate management accounts on separate management workstations
  • Keep software up to date. If possible, enable Automatic Updates.
OTHER CONTRIBUTIONS
ProSec Kerberos Attacks
Kerberos Attacks

Kerberos ist das überwiegend genutzte Authentifizierung-Protokoll im Microsoft Active Directory und hat dort in der alltäglichen Verwendung den New Technology

Read more "

Table of contents

Do you want to be part of our team?