![\"\"](\"https:\/\/new.thepinetree.net\/wp-content\/uploads\/2015\/07\/FBI-logo.jpg\"){kind=logo}
<\/a><\/p>\nSince at least September 2020, a Russian state-sponsored APT actor\u2014known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting\u2014has conducted a campaign against a wide variety of US targets. The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of 1 October 2020, exfiltrated data from at least two victim servers.<\/p>\n
The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to:
\n\uf0b7 Sensitive network configurations and passwords.
\n\uf0b7 Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
\n\uf0b7 IT instructions, such as requesting password resets.
\n\uf0b7 Vendors and purchasing information.
\n\uf0b7 Printing access badges.<\/p>\n
To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence US policies and actions, or to delegitimize SLTT
\ngovernment entities.<\/p>\n
As this recent malicious activity has been directed at SLTT government networks, there may be some
\nrisk to elections information housed on SLTT government networks. However, the FBI and CISA have
\nno evidence to date that integrity of elections data has been compromised. Due to the heightened
\nawareness surrounding elections infrastructure and the targeting of SLTT government networks, the
\nFBI and CISA will continue to monitor this activity and its proximity to elections infrastructure.<\/p>\n
TECHNICAL DETAILS
\nThe FBI and CISA have observed Russian state-sponsored APT actor activity targeting US SLTT
\ngovernment networks, as well as aviation networks. The APT actor is using Turkish IP addresses
\n213.74.101[.]65, 213.74.139[.]196, and 212.252.30[.]170 to connect to victim web servers
\n(Exploit Public Facing Application [T1190]).<\/p>\n
The actor is using 213.74.101[.]65 and 213.74.139[.]196 to attempt brute force logins and, in
\nseveral instances, attempted Structured Query Language (SQL) injections on victim websites (Brute
\nForce [T1110]; Exploit Public Facing Application [T1190]). The APT actor also hosted malicious
\ndomains, including possible aviation sector target columbusairports.microsoftonline[.]host,
\nwhich resolved to 108.177.235[.]92 and [cityname].westus2.cloudapp.azure.com; these
\ndomains are US registered and are likely SLTT government targets (Drive-By Compromise [T1189]).
\nThe APT actor scanned for vulnerable Citrix and Microsoft Exchange services and identified
\nvulnerable systems, likely for future exploitation. This actor continues to exploit a Citrix Directory
\nTraversal Bug (CVE-2019-19781), and a Microsoft Exchange remote code execution flaw (CVE-2020-
\n0688).<\/p>\n
The APT actor has been observed using Cisco AnyConnect Secure Socket Layer (SSL) virtual private
\nnetwork (VPN) connections to enable remote logins on at least one victim network, possibly enabled
\nby an Exim Simple Mail Transfer Protocol (SMTP) vulnerability (CVE 2019-10149) (External Remote
\nServices [T1133]). More recently, the APT actor enumerated and exploited a Fortinet VPN
\nvulnerability (CVE-2018-13379) for Initial Access [TA0001] and a Windows Netlogon vulnerability
\n(CVE-2020-1472) to obtain access to Windows Active Directory (AD) servers for Privilege Escalation
\n[TA004] within the network (Valid Accounts [T1078]). These vulnerabilities can also be leveraged to
\ncompromise other devices on the network (Lateral Movement [TA0008]) and to maintain Persistence
\n[TA0003]).
\nBetween early February and mid-September, these APT actors used 213.74.101[.]65,
\n212.252.30[.]170, 5.196.167[.]184, 37.139.7[.]16, 149.56.20[.]55, 91.227.68[.]97, and
\n5.45.119[.]124 to target US SLTT government networks. Successful authentications\u2014including the
\ncompromise of Microsoft Office 365 (O365) accounts\u2014have been observed on at least one victim
\nnetwork (Valid Accounts [T1078]).
\nMITIGATIONS<\/p>\n
Indicators of Compromise
\nThe APT actor used the following IP addresses and domains to carry out its objectives:
\n\uf0b7 213.74.101[.]65
\n\uf0b7 213.74.139[.]196
\n\uf0b7 212.252.30[.]170
\n\uf0b7 5.196.167[.]184
\n\uf0b7 37.139.7[.]16
\n\uf0b7 149.56.20[.]55
\n\uf0b7 91.227.68[.]97
\n\uf0b7 138.201.186[.]43
\n\uf0b7 5.45.119[.]124
\n\uf0b7 193.37.212[.]43
\n\uf0b7 146.0.77[.]60
\n\uf0b7 51.159.28[.]101
\n\uf0b7 columbusairports.microsoftonline[.]host
\n\uf0b7 microsoftonline[.]host
\n\uf0b7 email.microsoftonline[.]services
\n\uf0b7 microsoftonline[.]services
\n\uf0b7 [cityname].westus2.cloudapp.azure.com<\/p>\n
IP address 51.159.28[.]101 appears to have been configured to receive stolen Windows New
\nTechnology Local Area Network Manager (NTLM) credentials. FBI and CISA recommend
\norganizations take defensive actions to mitigate the risk of leaking NTLM credentials; specifically,
\norganizations should disable NTLM or restrict outgoing NTLM. Organizations should consider
\nblocking IP address 51.159.28[.]101 (although this action alone may not mitigate the threat, as the
\nAPT actor has likely established, or will establish, additional infrastructure points).
\nOrganizations should check available logs for traffic to\/from IP address 51.159.28[.]101 for
\nindications of credential-harvesting activity. As the APT actors likely have\u2014or will\u2014establish
\nadditional infrastructure points, organizations should also monitor for Server Message Block (SMB) or
\nWebDAV activity leaving the network to other IP addresses.
\nRefer to AA20-296A.stix for a downloadable copy of IOCs.<\/p>\n
Network Defense-in-Depth
\nProper network defense-in-depth and adherence to information security best practices can assist in
\nmitigating the threat and reducing the risk to critical infrastructure. The following guidance may assist
\norganizations in developing network defense procedures.
\n\uf0b7 Keep all applications updated according to vendor recommendations, and especially prioritize
\nupdates for external facing applications and remote access services to address CVE-2019-
\n19781, CVE-2020-0688, CVE 2019-10149, CVE-2018-13379, and CVE-2020-1472. Refer to
\nTable 1 for patch information on these CVEs.
\nTable 1: Patch information for CVEs
\nVulnerability Vulnerable Products Patch Information
\nCVE-2019-19781 \uf0b7 Citrix Application Delivery
\nController
\n\uf0b7 Citrix Gateway
\n\uf0b7 Citrix SDWAN WANOP
\nCitrix blog post: firmware
\nupdates for Citrix ADC and
\nCitrix Gateway versions 11.1
\nand 12.0
\nCitrix blog post: security
\nupdates for Citrix SD-WAN
\nWANOP release 10.2.6 and
\n11.0.3
\nCitrix blog post: firmware
\nupdates for Citrix ADC and
\nCitrix Gateway versions 12.1
\nand 13.0
\nCitrix blog post: firmware
\nupdates for Citrix ADC and
\nCitrix Gateway version 10.5<\/p>\n
Vulnerability Vulnerable Products Patch Information
\nCVE-2020-0688 \uf0b7 Microsoft Exchange Server 2010
\nService Pack 3 Update Rollup 30
\n\uf0b7 Microsoft Exchange Server 2013
\nCumulative Update 23
\n\uf0b7 Microsoft Exchange Server 2016
\nCumulative Update 14
\n\uf0b7 Microsoft Exchange Server 2016
\nCumulative Update 15
\n\uf0b7 Microsoft Exchange Server 2019
\nCumulative Update 3
\n\uf0b7 Microsoft Exchange Server 2019
\nCumulative Update 4
\nMicrosoft Security Advisory for
\nCVE-2020-0688
\nCVE-2019-10149 \uf0b7 Exim versions 4.87\u20134.91 Exim page for CVE-2019-
\n10149
\nCVE-2018-13379 \uf0b7 FortiOS 6.0: 6.0.0 to 6.0.4
\n\uf0b7 FortiOS 5.6: 5.6.3 to 5.6.7
\n\uf0b7 FortiOS 5.4: 5.4.6 to 5.4.12
\nFortinet Security Advisory:
\nFG-IR-18-384
\nCVE-2020-1472 \uf0b7 Windows Server 2008 R2 for x64-
\nbased Systems Service Pack 1
\n\uf0b7 Windows Server 2008 R2 for x64-
\nbased Systems Service Pack 1
\n(Server Core installation)
\n\uf0b7 Windows Server 2012
\n\uf0b7 Windows Server 2012 (Server
\nCore installation)
\n\uf0b7 Windows Server 2012 R2
\n\uf0b7 Windows Server 2016
\n\uf0b7 Windows Server 2019
\n\uf0b7 Windows Server 2019 (Server
\nCore installation)
\n\uf0b7 Windows Server, version 1903
\n(Server Core installation)
\n\uf0b7 Windows Server, version 1909
\n(Server Core installation)
\n\uf0b7 Windows Server, version 2004
\n(Server Core installation)
\nMicrosoft Security Advisory for
\nCVE-2020-1472
\n\uf0b7 Follow Microsoft\u2019s guidance on monitoring logs for activity related to the Netlogon vulnerability,
\nCVE-2020-1472.
\n\uf0b7 If appropriate for your organization\u2019s network, prevent external communication of all versions
\nof SMB and related protocols at the network boundary by blocking Transmission Control
\nProtocol (TCP) ports 139 and 445 and User Datagram Protocol (UDP) port 137. See the CISA
\npublication on SMB Security Best Practices for more information.
\n\uf0b7 Implement the prevention, detection, and mitigation strategies outlined in:
\no CISA Alert TA15-314A \u2013 Compromised Web Servers and Web Shells \u2013 Threat
\nAwareness and Guidance
\no National Security Agency Cybersecurity Information Sheet U\/OO\/134094-20 \u2013 Detect
\nand Prevent Web Shells Malware.
\n\uf0b7 Isolate external facing services in a network demilitarized zone (DMZ) since they are more
\nexposed to malicious activity; enable robust logging, and monitor the logs for signs of
\ncompromise.
\n\uf0b7 Establish a training mechanism to inform end users on proper email and web usage,
\nhighlighting current information and analysis and including common indicators of phishing.
\nEnd users should have clear instructions on how to report unusual or suspicious emails.
\n\uf0b7 Implement application controls to only allow execution from specified application directories.
\nSystem administrators may implement this through Microsoft Software Restriction Policy,
\nAppLocker, or similar software. Safe defaults allow applications to run from PROGRAMFILES,
\nPROGRAMFILES(X86), and WINDOWS folders. All other locations should be disallowed unless an
\nexception is granted.
\n\uf0b7 Block Remote Desktop Protocol (RDP) connections originating from untrusted external
\naddresses unless an exception exists; routinely review exceptions on a regular basis for
\nvalidity.
\nComprehensive Account Resets
\nFor accounts where NTLM password hashes or Kerberos tickets may have been compromised (e.g.,
\nthrough CVE-2020-1472), a double-password-reset may be required in order to prevent continued
\nexploitation of those accounts. For domain-admin-level credentials, a reset of KRB-TGT \u201cGolden
\nTickets\u201d may be required and, for this, Microsoft has released specialized guidance. Such a reset
\nshould be performed very carefully if needed.
\nIf there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential
\nabuse, it should be assumed the APT actors have compromised AD administrative accounts. In such
\ncases, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed.
\nExisting hosts from the old compromised forest cannot be migrated in without being rebuilt and
\nrejoined to the new domain, but migration may be done through \u201ccreative destruction,\u201d wherein, as
\nendpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will
\nneed to be completed in on-premise\u2014as well as in Azure-hosted\u2014AD instances.<\/p>\n
Note that fully resetting an AD forest is difficult and complex; it is best done with the assistance of
\npersonnel who have successfully completed the task previously.<\/p>\n
It is critical to perform a full password reset on all user and computer accounts in the AD forest. Use
\nthe following steps as a guide.
\n1. Create a temporary administrator account, and use this account only for all administrative
\nactions
\n2. Reset the Kerberos Ticket Granting Ticket (krbtgt) password;1 this must be completed before
\nany additional actions (a second reset will take place in step 5)
\n3. Wait for the krbtgt reset to propagate to all domain controllers (time may vary)
\n4. Reset all account passwords (passwords should be 15 characters or more and randomly
\nassigned):
\na. User accounts (forced reset with no legacy password reuse)
\nb. Local accounts on hosts (including local accounts not covered by Local Administrator
\nPassword Solution [LAPS])
\nc. Service accounts
\nd. Directory Services Restore Mode (DSRM) account
\ne. Domain Controller machine account
\nf. Application passwords
\n5. Reset the krbtgt password again
\n6. Wait for the krbtgt reset to propagate to all domain controllers (time may vary)
\n7. Reboot domain controllers
\n8. Reboot all endpoints
\nThe following accounts should be reset:
\n\uf0b7 AD Kerberos Authentication Master (2x)
\n\uf0b7 All Active Directory Accounts
\n\uf0b7 All Active Directory Admin Accounts
\n\uf0b7 All Active Directory Service Accounts
\n\uf0b7 All Active Directory User Accounts
\n\uf0b7 DSRM Account on Domain Controllers
\n\uf0b7 Non-AD Privileged Application Accounts
\n\uf0b7 Non-AD Unprivileged Application Accounts
\n\uf0b7 Non-Windows Privileged Accounts
\n\uf0b7 Non-Windows User Accounts
\n\uf0b7 Windows Computer Accounts
\n\uf0b7 Windows Local Admin
\n1 https:\/\/docs.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/manage\/ad-forest-recovery-resetting-thekrbtgt-
\npassword
\nVPN Vulnerabilities
\nImplement the following recommendations to secure your organization\u2019s VPNs:
\n\uf0b7 Update VPNs, network infrastructure devices, and devices being used to remote into work
\nenvironments with the latest software patches and security configurations. See CISA
\nTips Understanding Patches and Software Updates and Securing Network Infrastructure
\nDevices. Wherever possible, enable automatic updates.
\n\uf0b7 Implement MFA on all VPN connections to increase security. Physical security tokens are
\nthe most secure form of MFA, followed by authenticator app-based MFA. SMS and emailbased
\nMFA should only be used when no other forms are available. If MFA is not
\nimplemented, require teleworkers to use strong passwords. See CISA Tips Choosing and
\nProtecting Passwords and Supplementing Passwords for more information.
\nDiscontinue unused VPN servers. Reduce your organization\u2019s attack surface by discontinuing unused
\nVPN servers, which may act as a point of entry for attackers. To protect your organization against
\nVPN vulnerabilities:
\n\uf0b7 Audit configuration and patch management programs.
\n\uf0b7 Monitor network traffic for unexpected and unapproved protocols, especially outbound to the
\nInternet (e.g., Secure Shell [SSH], SMB, RDP).
\n\uf0b7 Implement MFA, especially for privileged accounts.
\n\uf0b7 Use separate administrative accounts on separate administration workstations.
\n\uf0b7 Keep software up to date. Enable automatic updates, if available.
\nREFERENCES
\n\uf0b7 APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections
\nOrganizations \u2013 https:\/\/us-cert.cisa.gov\/ncas\/alerts\/aa20-283a
\n\uf0b7 CISA Activity Alert CVE-2019-19781 \u2013 https:\/\/us-cert\/cisa.gov\/ncas\/alerts\/aa20-031a
\n\uf0b7 CISA Vulnerability Bulletin \u2013 https:\/\/us-cert\/cisa.gov\/ncas\/bulletins\/SB19-161
\n\uf0b7 CISA Current Activity \u2013 https:\/\/us-cert.cisa\/ncas\/current-activity\/2020\/03\/10\/unpatchedmicrosoft-
\nexchange-servers-vulnerable-cve-2020-0688
\n\uf0b7 Citrix Directory Traversal Bug (CVE-2019-19781) \u2013 https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-
\n19781
\n\uf0b7 Microsoft Exchange remote code execution flaw (CVE-2020-0688) \u2013
\nhttps:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-0688
\n\uf0b7 CVE-2018-13379 \u2013 https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-13379
\n\uf0b7 CVE-2020-1472 \u2013 https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-1472
\n\uf0b7 CVE 2019-10149 \u2013 https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-10149
\n\uf0b7 NCCIC\/USCERT Alert TA15-314A \u2013 Compromised Web Servers and Web Shells \u2013 Threat
\nAwareness and Guidance \u2013 https:\/\/us-cert.cisa.gov\/ncas\/alerts\/TA15-314A
\n\uf0b7 NCCIC\/US-CERT publication on SMB Security Best Practices \u2013 https:\/\/uscert.
\ncisa.gov\/ncas\/current-activity\/2017\/01\/16\/SMB-Security-Best-Practices<\/p>\n","protected":false},"excerpt":{"rendered":"
Washington, DC…This joint cybersecurity advisory\u2014written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA)\u2014provides information on Russian state-sponsored advanced persistent threat (APT) actor activity targeting various US state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. This advisory updates joint CISA-FBI cybersecurity advisory AA20-283A: APT […]<\/p>\n","protected":false},"author":1,"featured_media":6954,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_cbd_carousel_blocks":"[]","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[20,5,16,1],"tags":[],"class_list":["post-108953","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-featured","category-government","category-law-enforcement","category-news","last_archivepost"],"jetpack_featured_media_url":"https:\/\/new.thepinetree.net\/wp-content\/uploads\/2015\/07\/FBI-logo.jpg","jetpack_sharing_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/new.thepinetree.net\/index.php?rest_route=\/wp\/v2\/posts\/108953","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/new.thepinetree.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/new.thepinetree.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/new.thepinetree.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/new.thepinetree.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=108953"}],"version-history":[{"count":0,"href":"https:\/\/new.thepinetree.net\/index.php?rest_route=\/wp\/v2\/posts\/108953\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/new.thepinetree.net\/index.php?rest_route=\/wp\/v2\/media\/6954"}],"wp:attachment":[{"href":"https:\/\/new.thepinetree.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=108953"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/new.thepinetree.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=108953"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/new.thepinetree.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=108953"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}