[PLUG-TALK] Grizzly Steppe
Paul Heinlein
heinlein at madboa.com
Fri Dec 30 19:02:19 UTC 2016
On Fri, 30 Dec 2016, Keith Lofstrom wrote:
> https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296.pdf
>
> [....]
>
> Could someone with more security skills than I download those files
> to a test machine and look for security exploits, then post the
> tested copies with checksums on a trustworthy download site? While
> I don't trust the Russians much, I don't trust US intelligence
> agencies at all, under past, current, or future figureheads. I would
> trust most of their extraordinary individuals with my life, but
> policy can thwart personal integrity.
>
> I also don't trust that identical content will be served to every IP
> address requesting those files.
[~]$ for N in 224 256 512; do sha${N}sum JAR_16-20296.pdf; done
bd9485eb19a5ca5a4d23de0bdd093efa8dbd29c11edb064d66120ab5 JAR_16-20296.pdf
982523e4d3ea03d3e507bd1c733dc795411c04b6c39b21e3be32e22dc1029863 JAR_16-20296.pdf
4ba613f3d951d04109b01c9fdf543e5425e3a2b6469afcfd87d25fc58f6320a464e3849363bfe625eb648bd2cac8288f31e1654d2d522710129ce80e4612e948 JAR_16-20296.pdf
FWIW
Below my sig is the content of the JAR run through pdftotext and then
through fmt. No other editing or reformatting was done, so whitespace
and line breaks don't always lend themselves to clarity. Plus, any
embedded images have been dropped.
--
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
TL P: WHI TE
J O I N T AN AL Y S I S R E P O R T DISCLAIMER: This report is provided
“as is” for informational purposes only. The Department of Homeland
Security (DHS) does not provide any warranties of any kind regarding any
information contained within. DHS does not endorse any commercial product
or service referenced in this advisory or otherwise. This document is
distributed as TLP:WHITE: Subject to standard copyright rules, TLP:WHITE
information may be distributed without restriction. For more information
on the Traffic Light Protocol, see https://www.us-cert.gov/tlp.
Reference Number: JAR-16-20296
December 29, 2016
GRIZZLY STEPPE – Russian Malicious Cyber Activity Summary This
Joint Analysis Report (JAR) is the result of analytic efforts between
the Department of Homeland Security (DHS) and the Federal Bureau
of Investigation (FBI). This document provides technical details
regarding the tools and infrastructure used by the Russian civilian
and military intelligence Services (RIS) to compromise and exploit
networks and endpoints associated with the U.S. election, as well as a
range of U.S. Government, political, and private sector entities. The
U.S. Government is referring to this malicious cyber activity by RIS
as GRIZZLY STEPPE. Previous JARs have not attributed malicious cyber
activity to specific countries or threat actors. However, public
attribution of these activities to RIS is supported by technical
indicators from the U.S. Intelligence Community, DHS, FBI, the private
sector, and other entities. This determination expands upon the Joint
Statement released October 7, 2016, from the Department of Homeland
Security and the Director of National Intelligence on Election Security.
This activity by RIS is part of an ongoing campaign of cyber-enabled
operations directed at the U.S. government and its citizens. These
cyber operations have included spearphishing campaigns targeting
government organizations, critical infrastructure entities, think tanks,
universities, political organizations, and corporations leading to
the theft of information. In foreign countries, RIS actors conducted
damaging and/or disruptive cyber-attacks, including attacks on critical
infrastructure networks. In some cases, RIS actors masqueraded as third
parties, hiding behind false online personas designed to cause the victim
to misattribute the source of the attack. This JAR provides technical
indicators related to many of these operations, recommended mitigations,
suggested actions to take in response to the indicators provided, and
information on how to report such incidents to the U.S. Government.
1 of 13
TL P: WHI TE
TL P: WHI TE
Description The U.S. Government confirms that two different RIS actors
participated in the intrusion into a U.S. political party. The first
actor group, known as Advanced Persistent Threat (APT) 29, entered into
the party’s systems in summer 2015, while the second, known as APT28,
entered in spring 2016.
Figure 1: The tactics and techniques used by APT29 and APT 28 to conduct
cyber intrusions against target systems
Both groups have historically targeted government organizations, think
tanks, universities, and corporations around the world. APT29 has been
observed crafting targeted spearphishing campaigns leveraging web links
to a malicious dropper; once executed, the code delivers Remote Access
Tools (RATs) and evades detection using a range of techniques. APT28
is known for leveraging domains that closely mimic those of targeted
organizations and tricking potential victims into entering legitimate
credentials. APT28 actors relied heavily on shortened URLs in their
spearphishing email campaigns. Once APT28 and APT29 have access
to victims, both groups exfiltrate and analyze information to gain
intelligence value. These groups use this information to craft highly
targeted spearphishing campaigns. These actors set up operational
infrastructure to obfuscate their source infrastructure, host domains
and malware for targeting organizations, establish command and control
nodes, and harvest credentials and other valuable information from
their targets. In summer 2015, an APT29 spearphishing campaign directed
emails containing a malicious link to over 1,000 recipients, including
multiple U.S. Government victims. APT29 used legitimate
2 of 13
TL P: WHI TE
TL P: WHI TE
domains, to include domains associated with U.S. organizations and
educational institutions, to host malware and send spearphishing
emails. In the course of that campaign, APT29 successfully compromised a
U.S. political party. At least one targeted individual activated links
to malware hosted on operational infrastructure of opened attachments
containing malware. APT29 delivered malware to the political party’s
systems, established persistence, escalated privileges, enumerated active
directory accounts, and exfiltrated email from several accounts through
encrypted connections back through operational infrastructure. In spring
2016, APT28 compromised the same political party, again via targeted
spearphishing. This time, the spearphishing email tricked recipients into
changing their passwords through a fake webmail domain hosted on APT28
operational infrastructure. Using the harvested credentials, APT28 was
able to gain access and steal content, likely leading to the exfiltration
of information from multiple senior party members. The U.S. Government
assesses that information was leaked to the press and publicly disclosed.
Figure 2: APT28's Use of Spearphishing and Stolen Credentials
Actors likely associated with RIS are continuing to engage in
spearphishing campaigns, including one launched as recently as November
2016, just days after the U.S. election.
3 of 13
TL P: WHI TE
TL P: WHI TE
Reported Russian Military and Civilian Intelligence Services (RIS)
Alternate Names APT28 APT29 Agent.btz BlackEnergy V3 BlackEnergy2 APT
CakeDuke Carberp CHOPSTICK CloudDuke CORESHELL CosmicDuke COZYBEAR COZYCAR
COZYDUKE CrouchingYeti DIONIS Dragonfly Energetic Bear EVILTOSS Fancy Bear
GeminiDuke GREY CLOUD HammerDuke HAMMERTOSS Havex MiniDionis MiniDuke
OLDBAIT OnionDuke Operation Pawn Storm PinchDuke Powershell backdoor
Quedagh Sandworm SEADADDY Seaduke SEDKIT SEDNIT Skipper Sofacy SOURFACE
SYNful Knock Tiny Baron Tsar Team twain_64.dll (64-bit X-Agent implant)
VmUpgradeHelper.exe (X-Tunnel implant) Waterbug X-Agent
4 of 13
TL P: WHI TE
TL P: WHI TE
Technical Details Indicators of Compromise (IOCs) IOCs associated with
RIS cyber actors are provided within the accompanying .csv and .stix
files of JAR-16-20296. Yara Signature rule PAS_TOOL_PHP_WEB_KIT {
meta: description = "PAS TOOL PHP WEB KIT FOUND" strings: $php = "<?php"
$base64decode = /\='base'\.\(\d+\*\d+\)\.'_de'\.'code'/ $strreplace =
"(str_replace(" $md5 = ".substr(md5(strrev(" $gzinflate = "gzinflate"
$cookie = "_COOKIE" $isset = "isset" condition: (filesize > 20KB and
filesize < 22KB) and #cookie == 2 and #isset == 3 and all of them }
Actions to Take Using Indicators DHS recommends that network
administrators review the IP addresses, file hashes, and Yara signature
provided and add the IPs to their watchlist to determine whether malicious
activity has been observed within their organizations. The review of
network perimeter netflow or firewall logs will assist in determining
whether your network has experienced suspicious activity.
When reviewing network perimeter logs for the IP addresses, organizations
may find numerous instances of these IPs attempting to connect to their
systems. Upon reviewing the traffic from these IPs, some traffic may
correspond to malicious activity, and some may correspond to legitimate
activity. Some traffic that may appear legitimate is actually malicious,
such as vulnerability scanning or browsing of legitimate public facing
services (e.g., HTTP, HTTPS, FTP). Connections from these IPs may be
performing vulnerability scans attempting to identify websites that are
vulnerable to cross-site scripting (XSS) or Structured Query Language
(SQL) injection attacks. If scanning identified vulnerable sites,
attempts to exploit the vulnerabilities may be experienced.
5 of 13
TL P: WHI TE
TL P: WHI TE
Network administrators are encouraged to check their public-facing
websites for the malicious file hashes. System owners are also advised
to run the Yara signature on any system that is suspected to have been
targeted by RIS actors. Threats from IOCs Malicious actors may use a
variety of methods to interfere with information systems. Some methods
of attack are listed below. Guidance provided is applicable to many
other computer networks. •
•
•
Injection Flaws are broad web application attack techniques that
attempt to send commands to a browser, database, or other system,
allowing a regular user to control behavior. The most common example is
SQL injection, which subverts the relationship between a webpage and its
supporting database, typically to obtain information contained inside the
database. Another form is command injection, where an untrusted user is
able to send commands to operating systems supporting a web application
or database. See the United States Computer Emergency Readiness
Team (US-CERT) Publication on SQL Injection for more information.
Cross-site scripting (XSS) vulnerabilities allow threat actors to
insert and execute unauthorized code in web applications. Successful XSS
attacks on websites can provide the attacker unauthorized access. For
prevention and mitigation strategies against XSS, see US-CERT’s Alert
on Compromised Web Servers and Web Shells. Server vulnerabilities may
be exploited to allow unauthorized access to sensitive information. An
attack against a poorly configured server may allow an adversary access
to critical information including any websites or databases hosted on the
server. See USCERT’s Tip on Website Security for additional information.
Recommended Mitigations Commit to Cybersecurity Best Practices A
commitment to good cybersecurity and best practices is critical to
protecting networks and systems. Here are some questions you may want
to ask your organization to help prevent and mitigate against attacks.
1. Backups: Do we backup all critical information? Are the backups
stored offline? Have we tested our ability to revert to backups during
an incident? 2. Risk Analysis: Have we conducted a cybersecurity risk
analysis of the organization? 3. Staff Training: Have we trained staff on
cybersecurity best practices? 4. Vulnerability Scanning & Patching: Have
we implemented regular scans of our network and systems and appropriate
patching of known system vulnerabilities? 5. Application Whitelisting:
Do we allow only approved programs to run on our networks? 6. Incident
Response: Do we have an incident response plan and have we practiced it?
6 of 13
TL P: WHI TE
TL P: WHI TE
7. Business Continuity: Are we able to sustain business operations
without access to certain systems? For how long? Have we tested this?
8. Penetration Testing: Have we attempted to hack into our own
systems to test the security of our systems and our ability to defend
against attacks? Top Seven Mitigation Strategies DHS encourages network
administrators to implement the recommendations below, which can prevent
as many as 85 percent of targeted cyber-attacks. These strategies
are common sense to many, but DHS continues to see intrusions because
organizations fail to use these basic measures. 1. Patch applications
and operating systems – Vulnerable applications and operating systems
are the targets of most attacks. Ensuring these are patched with the
latest updates greatly reduces the number of exploitable entry points
available to an attacker. Use best practices when updating software and
patches by only downloading updates from authenticated vendor sites.
2. Application whitelisting – Whitelisting is one of the best security
strategies because it allows only specified programs to run while blocking
all others, including malicious software. 3. Restrict administrative
privileges – Threat actors are increasingly focused on gaining control
of legitimate credentials, especially those associated with highly
privileged accounts. Reduce privileges to only those needed for a user’s
duties. Separate administrators into privilege tiers with limited access
to other tiers. 4. Network Segmentation and Segregation into Security
Zones – Segment networks into logical enclaves and restrict host-to-host
communications paths. This helps protect sensitive information and
critical services and limits damage from network perimeter breaches.
5. Input validation – Input validation is a method of sanitizing
untrusted user input provided by users of a web application, and may
prevent many types of web application security flaws, such as SQLi,
XSS, and command injection. 6. File Reputation – Tune Anti-Virus file
reputation systems to the most aggressive setting possible; some products
can limit execution to only the highest reputation files, stopping a
wide range of untrustworthy code from gaining control. 7. Understanding
firewalls – When anyone or anything can access your network at any
time, your network is more susceptible to being attacked. Firewalls can
be configured to block data from certain locations (IP whitelisting)
or applications while allowing relevant and necessary data through.
7 of 13
TL P: WHI TE
TL P: WHI TE
Responding to Unauthorized Access to Networks Implement your security
incident response and business continuity plan. It may take time for
your organization’s IT professionals to isolate and remove threats to
your systems and restore normal operations. Meanwhile, you should take
steps to maintain your organization’s essential functions according
to your business continuity plan. Organizations should maintain and
regularly test backup plans, disaster recovery plans, and business
continuity procedures. Contact DHS or law enforcement immediately. We
encourage you to contact DHS NCCIC (NCCICCustomerService at hq.dhs.gov or
888-282-0870), the FBI through a local field office or the FBI’s Cyber
Division (CyWatch at ic.fbi.gov or 855-292-3937) to report an intrusion
and to request incident response resources or technical assistance.
Detailed Mitigation Strategies Protect Against SQL Injection and
Other Attacks on Web Services Routinely evaluate known and published
vulnerabilities, perform software updates and technology refreshes
periodically, and audit external-facing systems for known Web application
vulnerabilities. Take steps to harden both Web applications and the
servers hosting them to reduce the risk of network intrusion via this
vector. 1 • • • •
• • • • • • • • • • 1
Use and configure available firewalls to block attacks. Take steps
to further secure Windows systems such as installing and configuring
Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) and
Microsoft AppLocker. Monitor and remove any unauthorized code present
in any www directories. Disable, discontinue, or disallow the use of
Internet Control Message Protocol (ICMP) and Simple Network Management
Protocol (SNMP) and response to these protocols as much as possible.
Remove non-required HTTP verbs from Web servers as typical Web servers
and applications only require GET, POST, and HEAD. Where possible,
minimize server fingerprinting by configuring Web servers to avoid
responding with banners identifying the server software and version
number. Secure both the operating system and the application.
Update and patch production servers regularly. Disable potentially
harmful SQL-stored procedure calls. Sanitize and validate input to
ensure that it is properly typed and does not contain escaped code.
Consider using type-safe stored procedures and prepared statements.
Perform regular audits of transaction logs for suspicious activity.
Perform penetration testing against Web services. Ensure error messages
are generic and do not expose too much information.
http://msdn.microsoft.com/en-us/library/ff648653.aspx. Web site last
accessed April 11, 2016.
8 of 13
TL P: WHI TE
TL P: WHI TE
Phishing and Spearphishing • Implement a Sender Policy Framework
(SPF) record for your organization’s Domain Name System (DNS) zone
file to minimize risks relating to the receipt of spoofed messages.
• Educate users to be suspicious of unsolicited phone calls, social
media interactions, or email messages from individuals asking about
employees or other internal information. If an unknown individual claims
to be from a legitimate organization, try to verify his or her identity
directly with the company. • Do not provide personal information or
information about your organization, including its structure or networks,
unless you are certain of a person’s authority to have the information.
• Do not reveal personal or financial information in social media or
email, and do not respond to solicitations for this information. This
includes following links sent in email. • Pay attention to the URL of
a website. Malicious websites may look identical to a legitimate site,
but the URL often includes a variation in spelling or a different domain
than the valid website (e.g., .com vs. .net). • If you are unsure
whether an email request is legitimate, try to verify it by contacting
the company directly. Do not use contact information provided on a
website connected to the request; instead, check previous statements for
contact information. Information about known phishing attacks is also
available online from groups such as the Anti-Phishing Working Group
(http://www.antiphishing.org). • Take advantage of anti-phishing
features offered by your email client and web browser. • Patch all
systems for critical vulnerabilities, prioritizing timely patching of
software that processes Internet data, such as web browsers, browser
plugins, and document readers.
Permissions, Privileges, and Access Controls • Reduce privileges to
only those needed for a user’s duties. • Restrict users’ ability
(permissions) to install and run unwanted software applications,
and apply the principle of “Least Privilege” to all systems and
services. Restricting these privileges may prevent malware from running
or limit its capability to spread through the network. • Carefully
consider the risks before granting administrative rights to users on their
own machines. • Scrub and verify all administrator accounts regularly.
• Configure Group Policy to restrict all users to only one login
session, where possible. • Enforce secure network authentication
where possible. • Instruct administrators to use non-privileged
accounts for standard functions such as Web browsing or checking Web mail.
9 of 13
TL P: WHI TE
TL P: WHI TE
• •
•
• • •
Segment networks into logical enclaves and restrict host-to-host
communication paths. Containment provided by enclaving also makes
incident cleanup significantly less costly. Configure firewalls to
disallow RDP traffic coming from outside of the network boundary,
except for in specific configurations such as when tunneled through a
secondary VPN with lower privileges. Audit existing firewall rules
and close all ports that are not explicitly needed for business.
Specifically, carefully consider which ports should be connecting
outbound versus inbound. Enforce a strict lockout policy for network
users and closely monitor logs for failed login activity. This can
be indicative of failed intrusion activity. If remote access between
zones is an unavoidable business need, log and monitor these connections
closely. In environments with a high risk of interception or intrusion,
organizations should consider supplementing password authentication with
other forms of authentication such as challenge/response or multifactor
authentication using biometric or physical tokens.
Credentials • Enforce a tiered administrative model with dedicated
administrator workstations and separate administrative accounts that are
used exclusively for each tier to prevent tools, such as Mimikatz, for
credential theft from harvesting domain-level credentials. • Implement
multi-factor authentication (e.g., smart cards) or at minimum ensure
users choose complex passwords that change regularly. • Be aware that
some services (e.g., FTP, telnet, and .rlogin) transmit user credentials
in clear text. Minimize the use of these services where possible or
consider more secure alternatives. • Properly secure password files
by making hashed passwords more difficult to acquire. Password hashes
can be cracked within seconds using freely available tools. Consider
restricting access to sensitive password hashes by using a shadow
password file or equivalent on UNIX systems. • Replace or modify
services so that all user credentials are passed through an encrypted
channel. • Avoid password policies that reduce the overall strength of
credentials. Policies to avoid include lack of password expiration date,
lack of lockout policy, low or disabled password complexity requirements,
and password history set to zero. • Ensure that users are not re-using
passwords between zones by setting policies and conducting regular audits.
• Use unique passwords for local accounts for each device.
10 of 13
TL P: WHI TE
TL P: WHI TE
Logging Practices • Ensure event logging (applications, events,
login activities, security attributes, etc.) is turned on or monitored
for identification of security issues. • Configure network logs to
provide enough information to assist in quickly developing an accurate
determination of a security incident. • Upgrade PowerShell to
new versions with enhanced logging features and monitor the logs to
detect usage of PowerShell commands, which are often malware-related.
• Secure logs, potentially in a centralized location, and protect them
from modification. • Prepare an incident response plan that can be
rapidly implemented in case of a cyber intrusion.
How to Enhance Your Organization’s Cybersecurity Posture DHS offers
a variety of resources for organizations to help recognize and address
their cybersecurity risks. Resources include discussion points, steps
to start evaluating a cybersecurity program, and a list of hands-on
resources available to organizations. For a list of services, visit
https://www.us-cert.gov/ccubedvp. Other resources include: •
•
•
•
The Cyber Security Advisors (CSA) program bolsters cybersecurity
preparedness, risk mitigation, and incident response capabilities of
critical infrastructure entities and more closely aligns them with
the Federal Government. CSAs are DHS personnel assigned to districts
throughout the country and territories, with at least one advisor in each
of the 10 CSA regions, which mirror the Federal Emergency Management
Agency regions. For more information, email cyberadvisor at hq.dhs.gov.
Cyber Resilience Review (CRR) is a no-cost, voluntary assessment to
evaluate and enhance cybersecurity within critical infrastructure sectors,
as well as state, local, tribal, and territorial governments. The
goal of the CRR is to develop an understanding and measurement of
key cybersecurity capabilities to provide meaningful indicators of an
entity’s operational resilience and ability to manage cyber risk to
critical services during normal operations and times of operational
stress and crisis. Visit https://www.cert.org/resilience/rmm.html
to learn more about the CERT Resilience Management Model. Enhanced
Cybersecurity Services (ECS) helps critical infrastructure owners and
operators protect their systems by sharing sensitive and classified
cyber threat information with Commercial Service Providers (CSPs) and
Operational Implementers (OIs). CSPs then use the cyber threat information
to protect CI customers. OIs use the threat information to protect
internal networks. For more information, email ECS_Program at hq.dhs.gov.
The Cybersecurity Information Sharing and Collaboration Program (CISCP)
is a voluntary information-sharing and collaboration program between
and among critical
11 of 13
TL P: WHI TE
TL P: WHI TE
•
•
infrastructure partners and the Federal Government. For more information,
email CISCP at us-cert.gov. The Automated Indicator Sharing (AIS)
initiative is a DHS effort to create a system where as soon as a company
or federal agency observes an attempted compromise, the indicator will be
shared in real time with all of our partners, protecting them from that
particular threat. That means adversaries can only use an attack once,
which increases their costs and ultimately reduces the prevalence of
cyber-attacks. While AIS will not eliminate sophisticated cyber threats,
it will allow companies and federal agencies to concentrate more on them
by clearing away less sophisticated attacks. AIS participants connect
to a DHS-managed system in the NCCIC that allows bidirectional sharing of
cyber threat indicators. A server housed at each participant’s location
allows each to exchange indicators with the NCCIC. Participants will
not only receive DHS-developed indicators, but can share indicators
they have observed in their own network defense efforts, which DHS
will then share with all AIS participants. For more information, visit
https://www.dhs.gov/ais. The Cybersecurity Framework (Framework),
developed by the National Institute of Standards and Technology (NIST)
in collaboration with the public and private sectors, is a tool that
can improve the cybersecurity readiness of entities. The Framework
enables entities, regardless of size, degree of cyber risk, or cyber
sophistication, to apply principles and best practices of risk management
to improve the security and resiliency of critical infrastructure. The
Framework provides standards, guidelines, and practices that are working
effectively today. It consists of three parts—the Framework Core, the
Framework Profile, and Framework Implementation Tiers—and emphasizes
five functions: Identify, Protect, Detect, Respond, and Recover. Use
of the Framework is strictly voluntary. For more information, visit
https://www.nist.gov/cyberframework or email cyberframework at nist.gov.
12 of 13
TL P: WHI TE
TL P: WHI TE
Contact Information Recipients of this report are encouraged to
contribute any additional information that they may have related to this
threat. Include the JAR reference number (JAR-16-20296) in the subject
line of all email correspondence. For any questions related to this
report, please contact NCCIC or the FBI. NCCIC: Phone: +1-888-282-0870
Email: NCCICCustomerService at hq.dhs.gov FBI: Phone: +1-855-292-3937 Email:
cywatch at ic.fbi.gov
Feedback NCCIC continuously strives to improve its products and
services. You can help by answering a few short questions about this
product at the following URL: https://www.us-cert.gov/forms/feedback.
13 of 13
TL P: WHI TE
More information about the PLUG-talk
mailing list