Today, CISA—in partnership with the Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and Department of Health and Human Services (HHS)—released a joint Cybersecurity Advisory, #StopRansomware: RansomHub Ransomware. This advisory provides network defenders with indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods associated with RansomHub activity identified through FBI investigations and third-party reporting as recently as August 2024.
RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—which has recently attracted high-profile affiliates from other prominent variants such as LockBit and ALPHV.
CISA encourages network defenders to review this advisory and apply the recommended mitigations. See #StopRansomware and the #StopRansomware Guide for additional guidance on ransomware protection, detection, and response. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including added recommended baseline protections.
Delta Electronics DTN Soft version 2.0.1 and prior are vulnerable to an attacker achieving remote code execution through a deserialization of untrusted data vulnerability.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) (hereafter referred to as the authoring organizations) are releasing this joint advisory to disseminate known RansomHub ransomware IOCs and TTPs. These have been identified through FBI threat response activities and third-party reporting as recently as August 2024. RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV).
Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors.
The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims. It should be noted that data exfiltration methods are dependent on the affiliate conducting the network compromise. The ransom note dropped during encryption does not generally include an initial ransom demand or payment instructions. Instead, the note provides victims with a client ID and instructs them to contact the ransomware group via a unique .onion URL (reachable through the Tor browser). The ransom note typically gives victims between three and 90 days to pay the ransom (depending on the affiliate) before the ransomware group publishes their data on the RansomHub Tor data leak site.
The authoring organizations encourage network defenders to implement the recommendations in the Mitigations section of this cybersecurity advisory to reduce the likelihood and impact of ransomware incidents.
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.
Initial Access
RansomHub affiliates typically compromise internet facing systems and user endpoints by using methods such as phishing emails [T1566], exploitation of known vulnerabilities [T1190], and password spraying [T1110.003]. Password spraying targets accounts compromised through data breaches. Proof-of-concept exploits are obtained from sources such as ExploitDB and GitHub [T1588.005]. Exploits based on the following CVEs have been observed:
Citrix ADC (NetScaler) Remote Code Execution. A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer overflow of the NSPPE (NetScaler Packet Processing Engine) process by making a specially crafted HTTP GET request. Successful exploitation results in remote code execution as root.
A heap-based buffer overflow vulnerability in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.
The Java OpenWire protocol marshaller, such as in Apache ActiveMQ, is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to open either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Upgrading both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 fixes this issue.
A vulnerability in publicly accessible Confluence Data Center and Server instances that allows the creation of unauthorized Confluence administrator accounts and access to Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
An improper neutralization of special elements used in an SQL command (SQL injection’) in Fortinet FortiClientEMS version 7.2.0 through 7.2.2 and FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, also known as “Windows SMB Remote Code Execution Vulnerability” [T1210].
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).
This vulnerability was also potentially exploited along with the Zerologon privilege escalation vulnerability.
Discovery
RansomHub affiliates conduct network scanning with tools such as AngryIPScanner, Nmap, and PowerShell-based living off the land methods with PowerShell to conduct network scanning [T1018][T1046][T1059.001].
Defense Evasion
Cybersecurity researchers have observed affiliates renaming the ransomware executable with innocuous file names, such as Windows.exe, left on the user’s desktop (C:Users%USERNAME%Desktop) or downloads (C:Users%USERNAME%Downloads) [T1036]. The affiliates have also cleared Windows and Linux system logs to inhibit any potential incident response [T1070]. Affiliates used Windows Management Instrumentation [T1047] to disable antivirus products. In some instances, RansomHub-specific tools were deployed to disable endpoint detection and response (EDR) tooling [T1562.001].
Privilege Escalation and Lateral Movement
Following initial access, RansomHub affiliates created user accounts for persistence [T1136], reenabled disabled accounts [T1098], and used Mimikatz [S0002] on Windows systems to gather credentials [T1003] and escalate privileges to SYSTEM [T1068]. Affiliates then moved laterally inside the network through methods including Remote Desktop Protocol (RDP) [T1021.001], PsExec [S0029], Anydesk [T1219], Connectwise, N-Able, Cobalt Strike [S0154], Metasploit, or other widely used command-and-control (C2) methods.
Data Exfiltration
Data exfiltration methods depend heavily on the affiliate conducting the network compromise. The ransomware binary does not normally include any mechanism for data exfiltration. Data exfiltration has been observed through the usage of tools such as PuTTY [T1048.002], Amazon AWS S3 buckets/tools [T1537], HTTP POST requests [T1048.003], WinSCP, Rclone, Cobalt Strike, Metasploit, and other methods.
Encryption
RansomHub ransomware has typically leveraged an Elliptic Curve Encryption algorithm called Curve 25519 to encrypt user accessible files on the system [T1486]. Curve 25519 uses a public/private key that is unique to each victim organization. To successfully encrypt files that are currently in use, the ransomware binary will typically attempt to stop the following processes:
“vmms.exe”
“msaccess.exe”
“mspub.exe”
“svchost.exe”
“vmcompute.exe”
“notepad.exe”
“ocautoupds.exe”
“ocomm.exe”
“ocssd.exe”
“oracle.exe”
“onenote.exe”
“outlook.exe”
“powerpnt.exe”
“explorer.exe”
“sql.exe”
“steam.exe”
“synctime.exe”
“vmwp.exe”
“thebat.exe”
“thunderbird.exe”
“visio.exe”
“winword.exe”
“wordpad.exe”
“xfssvccon.exe”
“TeamViewer.exe”
“agntsvc.exe”
“dbsnmp.exe”
“dbeng50.exe”
“encsvc.exe”
The ransomware binary will attempt to encrypt any files that the user has access to, including user files and networked shares.
RansomHub implements intermittent encryption, encrypting files in 0x100000 byte chunks and skipping every 0x200000 bytes of data in between encrypted chunks. Files smaller than 0x100000 bytes in size are completely encrypted. Files are appended with 58 (0x3A) bytes of data at the end. This data contains a value which is likely part of an encryption/decryption key. The structure of the appended 0x3A bytes is listed below with images from three different encrypted files.
Figure 1: The first eight bytes are the size of the encrypted file.
The next eight bytes are the size of encrypted blocks. If the entire file is encrypted, this section is all zeros. In this example, each encrypted section is 0x100000 bytes long, with 0x100000 bytes between each encrypted block. This number was observed changing based on the size of the encrypted file.
Figure 2: The size of encrypted blocks.
The next two bytes were always seen to be 0x0001.
Figure 3: The next two bytes are always 0x0001.
The next 32 bytes are the public encryption key for the file.
Figure 4: Public encryption key for the file.
The next four bytes are a checksum value.
Figure 5: Checksum value.
The last four bytes are always seen to be the sequence 0x00ABCDEF.
Figure 6: The last four bytes.
The ransomware executable does not typically encrypt executable files. A random file extension is added to file names and a ransom note generally titled How To Restore Your Files.txt is left on the compromised system. To further inhibit system recovery, the ransomware executable typically leverages the vssadmin.exe program to delete volume shadow copies [T1490].
Leveraged Tools
See Table 1 for publicly available tools and applications used by RansomHub affiliates. This includes legitimate tools repurposed for their operations.
Disclaimer: Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.
Table 1: Tools Used by RansomHub Affiliates
Tool Name
Description
BITSAdmin
A command-line utility that manages downloads/uploads between a client and server by using the Background Intelligent Transfer Service (BITS) to perform asynchronous file transfers.
A penetration testing tool used by security professionals to test the security of networks and systems. RansomHub affiliates have used it to assist with lateral movement and file execution.
A tool that allows users to view and save authentication credentials such as Kerberos tickets. RansomHub affiliates have used it to aid privilege escalation.
A tool designed to run programs and execute commands on remote systems.
PowerShell
Cross-platform task automation solution made up of a command line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
RClone
A command line program used to sync files with cloud storage services.
Sliver
A penetration testing toolset which allows for remote command and control of systems.
SMBExec
A tool designed to manipulate SMB services for remote code execution.
WinSCP
Windows Secure Copy is a free and open source SSH File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Affiliates have used it to transfer data from a compromised network to actor-controlled accounts.
CrackMapExec
Pentest Toolset
Kerberoast
Kerberos Brute force and Exploitation Tool
AngryIPScanner
Network Scanner
Indicators of Compromise
Disclaimer: Several of these IP addresses were first observed as early as 2020, although most date from 2022 or 2023 and have been historically linked to QakBot. The authoring organizations recommend organizations investigate or vet these IP addresses prior to taking action (such as blocking).
See Table 2–Table 5 for IOCs obtained from FBI investigations.
Disclaimer: The authoring organizations recommend network defenders investigate or vet IP addresses prior to taking action, such as blocking. Many cyber actors are known to change IP addresses, sometimes daily, and some IP addresses may host valid domains.
Table 3: Known IPs Related to Malicious Activity (2023-2024)
See Table 6–Table 17 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
RansomHub affiliates may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
RansomHub affiliates may use Anydesk, a legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks.
Table 16: Exfiltration
Technique Title
ID
Use
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
RansomHub affiliates may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel.
RansomHub affiliates may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Unencrypted Non-C2 Protocol
RansomHub affiliates may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
RansomHub ransomware deleted volume shadow copies and affiliates removed backups for ransomware operations.
Incident Response
If compromise is detected, organizations should:
Quarantine or take potentially affected hosts offline.
Reimage compromised hosts.
Provision new account credentials.
Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). State, local, tribal, or territorial government entities can also report to the Multi-State Information Sharing and Analysis Center (MS-ISAC) (SOC@cisecurity.org or 866-787-4722).
Mitigations
Network Defenders
The authoring organizations recommend organizations implement the mitigations below to improve cybersecurity posture based on RansomHub’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
Require administrator credentials to install software.
Keep all operating systems, software, and firmware up to date [CPG 1.E]. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
Require Phishing-Resistant multifactor authentication to administrator accounts [CPG 2.H] and require standard MFA for all services to the extent possible (particularly for webmail, virtual private networks, and accounts that access critical systems).
Segment networks [CPG 2.F] to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool [CPG 3.A]. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
Install, regularly update, and enable real time detection for antivirussoftware on all hosts.
Implement Secure Logging Collection and Storage Practices [CPG 2.T].Learn more about logging best practices by referencing CISA’s Logging Made Easy resources.
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
Disable unused ports.
Implement and enforce email security policies [CPG 2.M].
Consider adding an email banner to emails received from outside your organization.
Disable hyperlinks in received emails.
Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
Maintain offline backups of data, and regularly maintain backup and restoration [CPG 2.R]. By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
Software Manufacturers
The above mitigations apply to enterprises and critical infrastructure organizations with on-premises or hybrid environments. Recognizing that insecure software is the root cause of many of these flaws and that the responsibility should not be on the end user, CISA urges software manufacturers to implement the following to reduce the prevalence of identified or exploited issues (e.g., misconfigurations, weak passwords, and other weaknesses identified and exploited through the assessment team):
Embed security into product architecture throughout the entire software development lifecycle (SDLC).
Mandate MFA, ideally phishing-resistant MFA, for privileged users and make MFA a default, rather than opt-in, feature.
These mitigations align with tactics provided in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software. CISA urges software manufacturers to take ownership of improving the security outcomes of their customers by applying these and other secure by design tactics. By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.
For more information on secure by design, see CISA’s Secure by Design webpage.
Validate Security Controls
In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Table 6–Table 17).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
CISA, FBI, MS-ISAC, and HHS recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
Resources
#StopRansomware is a whole-of-government approach that gives one central location for ransomware resources and alerts.
Your organization has no obligation to respond or provide information to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.
The FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.
The authoring organizations do not encourage paying a ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI’s Internet Crime Complain Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472).
Disclaimer
The information in this report is being provided “as is” for informational purposes only. The authoring organizations do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring organizations.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that, as of August 2024, a group of Iran-based cyber actors continues to exploit U.S. and foreign organizations. This includes organizations across several sectors in the U.S. (including in the education, finance, healthcare, and defense sectors as well as local government entities) and other countries (including in Israel, Azerbaijan, and the United Arab Emirates). The FBI assesses a significant percentage of these threat actors’ operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware. The FBI further assesses these Iran-based cyber actors are associated with the Government of Iran (GOI) and—separate from the ransomware activity—conduct computer network exploitation activity in support of the GOI (such as intrusions enabling the theft of sensitive technical data against organizations in Israel and Azerbaijan).
This CSA provides the threat actor’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), as well as highlights similar activity from a previous advisory (Iran-Based Threat Actor Exploits VPN Vulnerabilities) that the FBI and CISA published on Sept. 15, 2020. The information and guidance in this advisory are derived from FBI investigative activity and technical analysis of this group’s intrusion activity against U.S. organizations and engagements with numerous entities impacted by this malicious activity.
The FBI recommends all organizations follow guidance provided in the Mitigations section of this advisory to defend against the Iranian cyber actors’ activity.
If organizations believe they have been targeted or compromised by the Iranian cyber actors, the FBI and CISA recommend immediately contacting your local FBI field office for assistance and/or reporting the incident via CISA’s Incident Reporting Form (see the Reporting section of this advisory for more details and contact methods).
For more information on Iran state-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat webpage.
This advisory outlines activity by a specific group of Iranian cyber actors that has conducted a high volume of computer network intrusion attempts against U.S. organizations since 2017 and as recently as August 2024. Compromised organizations include U.S.-based schools, municipal governments, financial institutions, and healthcare facilities. This group is known in the private sector by the names Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm.[1][2] The actors also refer to themselves by the moniker Br0k3r, and as of 2024, they have been operating under the moniker “xplfinder” in their channels. FBI analysis and investigation indicate the group’s activity is consistent with a cyber actor with Iranian state-sponsorship.
The FBI previously observed these actors attempt to monetize their access to victim organizations on cyber marketplaces. A significant percentage of the group’s US-focused cyber activity is in furtherance of obtaining and maintaining technical access to victim networks to enable future ransomware attacks. The actors offer full domain control privileges, as well as domain admin credentials, to numerous networks worldwide. More recently, the FBI identified these actors collaborating directly with ransomware affiliates to enable encryption operations in exchange for a percentage of the ransom payments. These actors have collaborated with the ransomware affiliates NoEscape[3], Ransomhouse[4], and ALPHV (aka BlackCat) (#StopRansomware: ALPHV Blackcat). The Iranian cyber actors’ involvement in these ransomware attacks goes beyond providing access; they work closely with ransomware affiliates to lock victim networks and strategize on approaches to extort victims. The FBI assesses these actors do not disclose their Iran-based location to their ransomware affiliate contacts and are intentionally vague as to their nationality and origin.
Furthermore, the FBI has historically observed this actor conduct hack-and-leak campaigns, such as the late 2020 campaign known as Pay2Key.[5],[6] The actors operated a .onion site (reachable through the Tor browser) hosted on cloud infrastructure registered to an organization previously compromised by the actors. (The actors created the server leveraging their prior access to this victim.) Following the compromise and the subsequent unauthorized acquisition of victim data, the actors publicized news of their compromise (including on social media), tagging accounts of victim and media organizations, and leaking victim data on their .onion site. While this technique has traditionally been used to influence victims to pay ransoms, the FBI does not believe the objective of Pay2Key was to obtain ransom payments. Rather, the FBI assesses Pay2Key was an information operation aimed at undermining the security of Israel-based cyber infrastructure.
Attribution Details
FBI investigation identified that the Iranian cyber actors conduct malicious cyber activity, which FBI assessed to be in support of the GOI. The FBI judges this activity to be separate from the previously referenced ransomware-enabling activity. This group directs their activity towards countries and organizations consistent with Iranian state interests, and typically not of interest to the group’s ransomware affiliate contacts, such as U.S. defense sector networks, and those in Israel, Azerbaijan, United Arab Emirates. Instead, it is intended to steal sensitive information from these networks, suggesting the group maintains an association with the GOI. However, the group’s ransomware activities are likely not sanctioned by the GOI, as the actors have expressed concern for government monitoring of cryptocurrency movement associated with their malicious activity.
The group uses the Iranian company name Danesh Novin Sahand (identification number 14007585836), likely as a cover IT entity for the group’s malicious cyber activities.
Technical Details
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 15.1. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Overview of Observed Tactics, Techniques, and Procedures
The Iranian cyber actors’ initial intrusions rely upon exploits of remote external services on internet-facing assets to gain initial access to victim networks. As of July 2024, these actors have been observed scanning IP addresses hosting Check Point Security Gateways, probing for devices potentially vulnerable to CVE-2024-24919. As of April 2024, these actors have conducted mass scanning of IP addresses hosting Palo Alto Networks PAN-OS and GlobalProtect VPN devices. The actors were likely conducting reconnaissance and probing for devices vulnerable to CVE-2024-3400. Historically, this group has exploited organizations by leveraging CVE-2019-19781 and CVE-2023-3519 related to Citrix Netscaler, and CVE-2022-1388 related to BIG-IP F5 devices.
Reconnaissance, Initial Access, Persistence, and Credential Access
The actors have been observed using the Shodan search engine to identify and enumerate IP addresses that host devices vulnerable to a particular CVE. The actors’ initial access is usually obtained via exploiting a public-facing networking device, such as Citrix Netscaler (CVE-2019-19781 and CVE-2023-3519), F5 BIG-IP (CVE-2022-1388), Pulse Secure/Ivanti VPNs (CVE-2024-21887), and, more recently, PanOS firewalls (CVE-2024-3400) [T1596][T1190].
Following exploitation of vulnerable devices, the actors use the following techniques:
Capture login credentials using webshells on compromised Netscaler devices and append to file named netscaler.1 in the same directory as the webshell [T1505.003][T1056].
Create the directory /var/vpn/themes/imgs/ on Citrix Netscaler devices to deploy a webshell [T1505.003]. Malicious files deployed to this directory include:
netscaler.1
netscaler.php
ctxHeaderLogon.php
Specifically related to Netscaler, place additional webshells on compromised devices immediately after system owners patch the exploited vulnerability [T1505.003]. The following file locations and filenames have been observed on devices:
/netscaler/logon/LogonPoint/uiareas/ui_style.php
/netscaler/logon/sanpdebug.php
Create the directory /xui/common/images/ on targeted IP addresses [T1133].
Create accounts on victim networks; observed names include “sqladmin$,” “adfsservice,” “IIS_Admin,” “iis-admin,” and “John McCain” [T1136.001].
Request exemptions to the zero-trust application and security policies for tools they intend to deploy on a victim network [T1098].
Create malicious scheduled task SpaceAgentTaskMgrSHR in Windows/Spaceport/ task folder. This task uses a DLL side-loading technique against the signed Microsoft SysInternals executable contig.exe, which may be renamed to dllhost.ext, to load a payload from version.dll. This file has been observed being executed from the Windows Downloads directory [T1053].
Place a malicious backdoor version.dll in C:WindowsADFS directory [T1505.003].
Use a scheduled task to load malware through installed backdoors [T1053].
Deployment of Meshcentral to connect with compromised servers for remote access [T1219].
For persistence and as detection and mitigation occurs, the actors create a daily Windows service task with random eight characters and attempt execution of a similarly named DLL contained in the C:Windowssystem32drivers directory. For example, a service named “test” was observed attempting to load a file located at C:WINDOWSsystem32driverstest.sys [T1505].
Execution, Privilege Escalation, and Defense Evasion
Repurpose compromised credentials from exploiting networking devices, such as Citrix Netscaler, to log into other applications (i.e., Citrix XenDesktop) [T1078.003].
Repurpose administrative credentials of network administrators to log into domain controllers and other infrastructure on victim networks [T1078.002].
Use administrator credentials to disable antivirus and security software, and lower PowerShell policies to a less secure level [T1562.001][T1562.010].
Attempt to enter security exemption tickets to the network security device or contractor to get the actor’s tools allowlisted [T1562.001].
Use a compromised administrator account to initiate a remote desktop session to another server on the network. In one instance, the FBI observed this technique being used to attempt to start Microsoft Windows PowerShell Integrated Scripted Environment (ISE) to run the command “Invoke-WebRequest” with a URI including files.catbox[.]moe. Catbox is a free, online file hosting site the actors use as a repository/hosting mechanism [T1059.001].
Discovery
Export system registry hives and network firewall configurations on compromised servers [T1012].
Exfiltrate account usernames from the victim domain controller, as well as access configuration files and logs—presumably to gather network and user account information for use in further exploitation efforts [T1482].
Command and Control
Install “AnyDesk” remote access program as a backup access method [T1219].
Enable servers to use Windows PowerShell Web Access [T1059.001].
Use the open source tunneling tool Ligolo (ligolo/ligolo-ng) [T1572].
Use NGROK (ngrok[.]io) deployment to create outbound connections to a random subdomain [T1572].
Exfiltration and Impact
After infiltrating victim networks, the actors collaborate with ransomware affiliates (including NoEscape, Ransomhouse, and ALPHV [aka BlackCat]) in exchange for a percentage of the ransom payments by providing affiliates with access to victim networks, locking victim networks, and strategizing to extort victims [T1657]. The actors also conduct what is assessed to be separate set of malicious activity—stealing sensitive data from victims [TA0010], likely in support of the GOI.
MITRE ATT&CK Tactics and Techniques
See Table 1 to Table 9 for all referenced threat actor tactics and techniques in this advisory.
Iranian cyber actors capture login credentials on compromised Netscaler devices via deployed webshell; create a directory on Netscaler devices for webshell deployment; deploy webshells on compromised Netscaler devices in two directories (observed closely after system owning patching); and place the malicious backdoor version.dll.
Iranian cyber actors use ligolo / ligolo-ng for open source tunneling and ngrok[.]io NGROK to create outbound connections to a random subdomain.
Indicators of Compromise
IP Address and Domain Identifiers
Disclaimer: The IP addresses and domains listed in Table 10 were observed in use by the actors in the specified timeframes in 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.
Comment: In addition to the infrastructure provided in the table below, the FBI and CISA warn that these actors are known to leverage information obtained through intrusions into cloud-computing resources associated with victim organizations. The actors have used this cloud infrastructure to conduct further cyber operations targeting other organizations. The FBI observed use of this tradecraft against U.S. academic and defense sectors, but it could theoretically be used against any organization. The FBI and CISA warn that if these actors compromised your organization, they may be leveraging your cloud services accounts to conduct malicious cyber activity and target other victims. The FBI has observed instances of the actors using compromised cloud service accounts to transmit data stolen from other compromised organizations.
Table 10. Indicators of Compromise – Recent
Indicator
First Seen
Most Recently Observed Date
138.68.90[.]19
January 2024
August 2024
167.99.202[.]130
January 2024
August 2024
78.141.238[.]182
July 2024
August 2024
51.16.51[.]81
January 2024
August 2024
51.20.138[.]134
February 2024
August 2024
134.209.30[.]220
March 2024
August 2024
13.53.124[.]246
February 2024
August 2024
api.gupdate[.]net
September 2022
August 2024
githubapp[.]net
February 2024
August 2024
Disclaimer: The infrastructure in Table 11 reflects historical IP addresses and domains associated with these actors. This data is being provided for informational purposes and to enable better tracking and attribution of these actors. The FBI and CISA do not recommend blocking of the indicators in Table 11 based solely on their inclusion in this CSA.
Disclaimer: The FBI observed the following identifiers associated with the Iranian cyber group and their ransomware affiliates. The FBI is providing this information to enable improved threat actor identification and tracking of malicious cyber activity. Please see Appendix A for list of TOX identifiers.
The FBI observed the threat actors to be associated with the following bitcoin address values:
bc1q8n7jjgdepuym825zwwftr3qpem3tnjx3m50ku0
bc1qlwd94gf5uhdpu4gynk6znc5j3rwk9s53c0dhjs
bc1q2egjjzmchtm3q3h3een37zsvpph86hwgq4xskh
bc1qjzw7sh3pd5msgehdaurzv04pm40hm9ajpwjqky
bc1qn5tla384qxpl6zt7kd068hvl7y4a6rt684ufqp
bc1ql837eewad47zn0uzzjfgqjhsnf2yhkyxvxyjjc
bc1qy8pnttrfmyu4l3qcy59gmllzqq66gmr446ppcr
bc1q6620fmev7cvkfu82z43vwjtec6mzgcp5hjrdne
bc1qr6h2zcxlntpcjystxdf7qy2755p25yrwucm4lq
bc1qx9tteqhama2x2w9vwqsyny6hldh8my8udx5jlm
bc1qz75atxj4dvgezyuspw8yz9khtkuk5jpdgfauq8
bc1q6w2an66vrje747scecrgzucw9ksha66x9zt980
bc1qsn4l6h3mhyhmr72vw4ajxf2gr74hwpalks2tp9
bc1qtjhvqkun4uxtr4qmq6s3f7j49nr4sp0wywp489
Mitigations
The FBI and CISA recommend all organizations implement the mitigations listed below to improve their cybersecurity posture based on the Iranian cyber group’s activity. The FBI judges the group’s targeting is primarily based on the identification of devices vulnerable to CVEs named in this notification (see Technical Details section for a list of CVEs). As such, any U.S. organization deploying software with these vulnerabilities may be targeted for further exploitation and should follow this guidance to defend against exploitation by this group.
These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
The FBI and CISA recommend all organizations implement the following mitigations:
Review available logs for IP addresses in Table 10 for indications of traffic with your organization’s network in the provided timeframes [CPG 3.A]. The indicators in Table 11 should also be reviewed to identify historical activity or incidents which may have previously been identified by your organization.
Apply patches and/or mitigations for CVE-2024-3400, CVE-2022-1388, CVE-2019-19781, and CVE-2023-3519 [CPG 1.E].
Be advised, patching for the above referenced CVEs may be insufficient to mitigate malicious activity if your network has already been compromised by these actors while the network device was vulnerable. Additional investigation into the use of stolen credentials (e.g., via the webshell on Netscaler devices) is strongly encouraged to identify threat actor attempts to establish footholds on other parts of the network [CPG 3.A].
Check your systems for the unique identifiers and TTPs used by the actors when operating on compromised networks, including creation of specific usernames, use of NGROK and Ligolo, and deployment of webshells in specific directories [CPG 3.A].
Check your systems for outbound web requests to files.catbox[.]moe and ***.ngrok[.]io [CPG 3.A].
Validate Security Controls
In addition to applying mitigations, the FBI and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Table 2 to Table 10).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
Your organization has no obligation to respond or provide information back to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.
Ransomware Incidents
The FBI and CISA are interested in any information that can be shared in the case of a ransomware incident, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.
The FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI’s Internet Crime Complain Center (IC3), your local FBI Field Office, or CISA via the agency’s Incident Reporting Form or its 24/7 Operations Center (report@cisa.gov), or by calling 1-844-Say-CISA (1-844-729-2472).
Other Incidents
U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to the FBI’s Internet IC3 or your local FBI Field Office. Report suspicious or malicious cyber activity to CISA via the agency’s Incident Reporting Form or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
Disclaimer
The information in this report is being provided “as is” for informational purposes only. The FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI and CISA.
CVE-2024-39717 Versa Director Dangerous File Type Upload Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Jonathan Fournier of Field Effect reported these vulnerabilities to CISA.
4. MITIGATIONS
Avtec recommends users update to Outpost v5.0 to resolve.
When upgrading to Outpost Version 5.0.0 or later, reset the list of users to the default. More information and instructions can be found on Avtec’s Outpost Uploader Utility User Guide for more information.
Restrict access to port 80 or disable web interface if possible.
Additionally, Avtec recommends checking devices for Scout firmware versions prior to 5.8.1, which was commonly coupled with Outpost firmware. If so, the devices may also need to be updated to the latest firmware. For more information, please visit Scout Release Notes.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
A vulnerability exists in Rockwell Automation Emulate3D, which could be leveraged to execute a DLL hijacking attack. The application loads shared libraries, which are readable and writable by any user. If exploited, a malicious user could leverage a malicious DLL and perform a remote code execution attack.
Rockwell Automation reported this vulnerability to CISA.
4. MITIGATIONS
Rockwell Automation encourages users the affected software to apply the risk mitigations, if possible.
Update to the corrected software version, 17.00.00.13348.
For information on how to mitigate security risks on industrial automation control systems, we encourage users to implement Rockwell Automation suggested security best practices to minimize the risk of the vulnerability.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
