Alert (AA20-296A) – State-sponsored Russian APT actors compromise U.S. government targets
This cybersecurity advisory, written by the FBI and CISA, provides information on Russian state-sponsored APT hackers actively threatening various networks within the U.S. government and aviation sectors. This advisory is an update to Cybersecurity Advisory AA20-283A, also written by CISA and the FBI.
It is now known that the Russian hackers discussed earlier (also known as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala) have been conducting a campaign against various targets in the United States since at least September 2020. The hackers have attacked a variety of targets inside the U.S. government sector and the Federal Aviation Administration, attempted to penetrate various SLTT organizations, successfully compromised network infrastructure, and, as became known on October 1, 2020, retrieved data from at least two servers.
In the process, the hackers obtained user and admin credentials that would allow them to establish initial access, move within the network, and locate high-value files. In at least one attack on a network, they gained access to documents related to the following areas:
- Sensitive network configurations and passwords
- Standard operating procedures (SOP), such as information about multi-factor authentication
- IT instructions, such as password reset instructions
- Vendor and purchase information
- Printing security badges
To date (October 22, 2020), the FBI and CISA have no information that the attackers targeted aviation, education, election, or government operations. However, the attackers may be seeking access in order to influence such operations in the future (for example, U.S. policy and actions) or to disrupt SLTT government agencies.
The latest activity targeted SLTT networks, so it must be assumed that election records held on those networks could also be affected. However, neither the FBI nor CISA has evidence that the integrity of election data has been compromised. Because of the heightened scrutiny of everything election-related and the attacks on SLTT networks, the FBI and CISA are on high alert and will continue to monitor all activity.
According to FBI and CISA observations, the APT actors compromised SLTT and aviation-sector networks. They used the Turkish IP addresses 213.74.101[.]65, 213.74.139[.]196, and 212.252.30[.]170 to connect to victims’ web servers (Exploit Public-Facing Application [T1190]).
The attackers used 213.74.101[.]65 and 213.74.139[.]196 to perform brute-force logins and, in many cases, SQL injection against victim sites (Brute Force [T1110]; Exploit Public-Facing Application [T1190]). They also hosted domains aimed at the aviation sector, including columbusairports.microsoftonline[.]host, which resolves to IP 108.177.235[.]92, and [cityname].westus2.cloudapp.azure.com. These domains are registered in the U.S. and were likely used in targeting the SLTT sector (Drive-By Compromise [T1189]).
The attackers have been scanning for vulnerable Citrix and Microsoft Exchange Server systems and have identified vulnerable hosts, likely in order to compromise them in future attacks. They exploit a Citrix directory traversal vulnerability (CVE-2019-19781) and a Microsoft Exchange remote code execution bug (CVE-2020-0688).
The APT actors were observed establishing connections via Cisco AnyConnect SSL VPN to enable remote logins on at least one network, likely by exploiting an SMTP vulnerability (CVE-2019-10149) (External Remote Services [T1133]). More recently, the attackers exploited a Fortinet VPN vulnerability (CVE-2018-13379) to gain initial access [TA0001] and the Windows Netlogon vulnerability (CVE-2020-1472) to gain access to Windows AD servers and escalate privileges [TA0004] within the network (Valid Accounts [T1078]). These vulnerabilities can also be used to compromise other devices on the network (Lateral Movement [TA0008]) and to establish persistence (Persistence [TA0003]).
Between early February and mid-September, the attackers used the IPs 213.74.101[.]65, 212.252.30[.]170, 5.196.167[.]184, 37.139.7[.]16, 149.56.20[.]55, 91.227.68[.]97, and 5.45.119[.]124 to attack U.S. government networks. Successful authentications – including on Microsoft Office 365 (O365) accounts – were observed on at least one network (Valid Accounts [T1078]).
Indicators of compromise
The IP addresses and domains the attackers used in these attacks are listed in the advisory’s IOC file (AA20-296A.stix, referenced below).
The IP address 51.159.28[.]101 appears to be configured to receive stolen Windows NTLM credentials. The FBI and CISA therefore advise companies and organizations to take steps to reduce the risk of NTLM credential theft: disable NTLM where possible, or restrict outbound NTLM traffic. Also consider blocking the IP address 51.159.28[.]101 (this is not a complete solution, since the attackers are assumed to have set up, or to be setting up, further collection points). In addition, SMB or WebDAV traffic leaving the network towards any external IP address should be monitored.
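As an added illustration of the egress monitoring recommended above (not code from the advisory), the following PowerShell reads Windows Firewall log records and flags outbound SMB/NetBIOS traffic (the TCP 139/445 and UDP 137 ports named in the guidance) to non-private addresses, as well as any connection to the NTLM-capture address the advisory names. The log lines are constructed for the demonstration; the function and variable names are assumptions.

```powershell
# Added example, not part of AA20-296A: flag suspicious outbound SMB/NetBIOS records
# in Windows Firewall log format. Sample lines below are constructed.
$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2020-10-22 09:14:03 ALLOW TCP 10.1.2.34 51.159.28.101 51234 445 0 - 0 0 0 - - - SEND
2020-10-22 09:14:05 ALLOW TCP 10.1.2.34 10.1.0.5 51235 445 0 - 0 0 0 - - - SEND
2020-10-22 09:15:11 ALLOW UDP 10.1.2.40 203.0.113.7 137 137 78 - - - - - - - SEND
2020-10-22 09:16:40 ALLOW TCP 10.1.2.40 203.0.113.7 51300 443 0 - 0 0 0 - - - SEND
2020-10-22 09:17:02 DROP TCP 10.1.2.51 198.51.100.9 51301 139 0 - 0 0 0 - - - SEND
'@

# Ports from the advisory's SMB guidance plus the NTLM collection address it names.
$SuspectPorts   = @{ TCP = @(139, 445); UDP = @(137) }
$KnownBadHosts  = @('51.159.28.101')
$PrivateAddress = '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'

function Find-SuspiciousEgress {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s+'
        # Only outbound (SEND) records with a numeric destination port (skips ICMP).
        if ($f.Count -lt 17 -or $f[16] -ne 'SEND' -or $f[7] -notmatch '^\d+$') { continue }
        $proto, $src, $dst, $dport = $f[3], $f[4], $f[5], [int]$f[7]
        if ($dst -match $PrivateAddress) { continue }   # internal SMB is expected traffic
        $reason = $null
        if ($KnownBadHosts -contains $dst) { $reason = 'destination listed in AA20-296A' }
        elseif ($SuspectPorts[$proto] -contains $dport) { $reason = "outbound $proto/$dport leaves the network" }
        if ($reason) {
            [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Action = $f[2]; Source = $src
                               Destination = $dst; Port = "$proto/$dport"; Reason = $reason }
        }
    }
}

# Three of the five sample records are reported: the 445 connection to the listed
# address, the UDP 137 probe, and the (dropped) 139 attempt. The 443 record is not,
# because WebDAV over HTTP(S) cannot be recognised by port alone.
$alerts = Find-SuspiciousEgress -Lines ($SampleLog -split "`r?`n")
$alerts | Format-Table -AutoSize
```

Blocked (DROP) attempts are deliberately kept in the output, since a host repeatedly trying to reach external SMB is itself a lead worth investigating; WebDAV egress needs proxy or URL inspection rather than port matching.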
See AA20-296A.stix for a download of IOCs.
Proper network defense-in-depth and adherence to information security policies help reduce the risk. The following guidance is intended to help make networks more resilient to such attacks.
- Keep all applications up to date, paying special attention to front-end and remote access applications, to counter CVE-2019-19781, CVE-2020-0688, CVE-2019-10149, CVE-2018-13379, and CVE-2020-1472. See Table 1 for patch information about these CVEs.
| Vulnerability | Products at risk | Patch information |
- Follow Microsoft’s guidance on monitoring activity related to the Netlogon vulnerability (CVE-2020-1472).
- As far as possible, prevent external communication over SMB (and similar protocols) by blocking TCP ports 139 and 445 and UDP port 137. More information is available in the CISA guide SMB Security Best Practices.
- Implement the prevention, detection, and containment strategies described in more detail below:
- CISA Alert TA15-314A – Compromised Web Servers and Web Shells – Threat Awareness and Guidance.
- NSA’s cybersecurity fact sheet U/OO/134094-20 – Detect and Prevent Web Shells Malware.
- Isolate externally reachable services in a DMZ, as they are more exposed to attack; enable logging and monitor the logs for signs of attack.
- Establish a training mechanism to educate end-users on proper email and web usage, highlight up-to-date information and analysis, and identify common indicators of phishing.
- Provide end-users with clear instructions on how to report unusual or suspicious emails.
- Implement application controls to allow execution only from specific application directories. System administrators can implement this via Microsoft Software Restriction Policy, AppLocker, or similar software. Secure defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86) and WINDOWS folders. All other locations should not be allowed.
- Block RDP connections originating from untrusted external addresses.
Comprehensive account resets
For accounts whose NTLM hashes or Kerberos tickets may already have been compromised (e.g., via CVE-2020-1472), a double password reset may be required to prevent further access. For domain admin credentials, the krbtgt account may also need to be reset to invalidate any “Golden Tickets”. Microsoft has published a guide for this. Such a reset must be done with great care.
If Netlogon abuse (CVE-2020-1472) or other indicators of credential misuse are found, it must be assumed that the APT has compromised the AD admin accounts.
In such a case, the AD forest can no longer be trusted, and a new forest must be used. Hosts from the old, compromised forest cannot simply be migrated; they must be rejoined to the new domain. In this case, through “Creative Destruction”, the endpoints in the old forest are decommissioned and new ones are created in the new forest. This applies both on-premises and to Azure-hosted AD instances.
Note that a complete reset of an AD forest is difficult and complex; it is best performed under the supervision of skilled personnel who already have experience with it.
It is important that a complete password reset is performed on all user and computer accounts in the AD forest. The following points serve as a guide:
- Create a temporary admin account, and use this account for administrative purposes only.
- Reset the Kerberos ticket-granting ticket account (krbtgt). This must be done before taking any further steps.
- Wait until the krbtgt reset has replicated to all domain controllers (the time required varies).
- Reset all account passwords (passwords should contain at least 15 characters):
- User accounts (forced reset, without reuse of old passwords)
- Local accounts on hosts (including local accounts not covered by LAPS)
- Service accounts
- Directory Services Restore Mode (DSRM) account
- Domain controller machine accounts
- Application passwords
- Reset the krbtgt password again.
- Wait until the second krbtgt reset has replicated to all domain controllers (the time required varies).
- Restart the domain controllers.
- Restart all endpoints.
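The two krbtgt resets and the replication waits in the procedure above, as an added PowerShell illustration (this is not the advisory’s or Microsoft’s script). It assumes the ActiveDirectory module, Domain Admin rights, and that the operator performs the bulk account resets between phase 1 and phase 2; the function names are assumptions.

```powershell
# Added example, not part of AA20-296A: reset krbtgt on the PDC emulator and wait
# until every writable DC reports the new password timestamp. Run with -Phase 1,
# perform the other account resets, then run with -Phase 2 before restarting DCs.
Import-Module ActiveDirectory

function New-RandomSecurePassword {
    # AD derives the krbtgt key from the value, so it only needs to be unpredictable.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Wait-KrbtgtReplication {
    param([string]$Pdc, [int]$TimeoutMinutes = 60)
    $expected = (Get-ADUser krbtgt -Server $Pdc -Properties PasswordLastSet).PasswordLastSet
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # Writable DCs only; read-only DCs use their own krbtgt_<id> accounts.
        $lagging = @(Get-ADDomainController -Filter { IsReadOnly -eq $false } | Where-Object {
            (Get-ADUser krbtgt -Server $_.HostName -Properties PasswordLastSet).PasswordLastSet -ne $expected
        })
        if ($lagging.Count -eq 0) { return $true }
        Write-Host ("Waiting for {0} DC(s): {1}" -f $lagging.Count, ($lagging.HostName -join ', '))
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Invoke-KrbtgtReset {
    param([Parameter(Mandatory)][ValidateSet(1, 2)][int]$Phase)
    $pdc = (Get-ADDomain).PDCEmulator
    # Caveat: Microsoft's guidance spaces the two resets by at least the maximum
    # TGT lifetime (10 h by default); a faster second reset invalidates all
    # outstanding tickets domain-wide, which may be acceptable during a compromise.
    Write-Host "Phase ${Phase}: resetting krbtgt on $pdc"
    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword (New-RandomSecurePassword)
    if (-not (Wait-KrbtgtReplication -Pdc $pdc)) {
        throw "krbtgt change did not reach all DCs in time; check replication before continuing"
    }
    Write-Host "Phase $Phase complete; all writable DCs hold the new krbtgt key"
}

# Usage:  Invoke-KrbtgtReset -Phase 1    # then reset all other accounts listed above
#         Invoke-KrbtgtReset -Phase 2    # then restart domain controllers and endpoints
```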
The following accounts should be reset:
- AD Kerberos Authentication Master (2x)
- All Active Directory accounts
- All AD Admin accounts
- All AD Service Accounts
- All AD user accounts
- DSRM account of the domain controller
- Non-AD privileged accounts
- Non-AD Unprivileged Application Accounts
- Non-Windows Privileged Accounts
- Non-Windows user accounts
- Windows Computer Accounts
- Windows local admin
Implement the following recommendations for VPN security:
- Update VPNs, network infrastructure devices, and devices used to remotely access work environments with the latest software patches and security configurations. See the CISA tip Understanding Patches and Software Updates and Securing Network Infrastructure Devices. If possible, enable automatic updates.
- Implement MFA on all VPN connections to increase security. Physical security tokens are the most secure form of MFA, followed by MFA based on authentication applications. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require strong passwords from affected employees.
Turn off unused VPN servers. Reduce your organization’s attack surface by turning off unused VPN servers, which can serve as entry points for attackers. Protect your organization from VPN vulnerabilities:
- Audit configuration and patch management tools.
- Monitor network traffic for unexpected and unauthorized protocols, especially outbound protocols to the Internet (e.g., SSH, SMB, RDP).
- Implement MFA, especially for privileged accounts.
- Use separate management accounts on separate management workstations.
- Keep software up to date. Enable Automatic Updates if possible.