SlideShare une entreprise Scribd logo

Infragard HiKit FLASH Alert.

T
Travis

The FBI obtained information regarding a group of Chinese Government affiliated cyber actors who routinely steal high value information from US commercial and government networks through cyber espionage. These state-sponsored hackers are exceedingly stealthy and agile by comparison with the People's Liberation Army Unit 61398 ("APT1") whose activity was publicly disclosed and attributed by security researchers in February 2013. This Chinese Government affiliated group previously documented by private sector reports by the names of Operation Deputy Dog, Snowman, Ephemeral Hydra, APT17, the Bit9 and Google security alerts and parts of Hidden Lynx, has heavily targeted the high tech information technology industry including microchip, digital storage and networking equipment manufacturers, as well as defense contractors in multiple countries and multinational corporations. These actors have deployed at least four zero-day exploits in the attacks which compromised legitimate websites to deliver malicious payloads. Any activity related to this group detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.

Technologie
1  sur  9
Télécharger pour lire hors ligne
TLP GREEN The following information was obtained through FBI investigations and is provided in accordance with the FBI's mission and policies to prevent and protect against federal crimes and threats to the national security. TLP GREEN 15 October 2014 Alert Number A-000042-MW There is no additional information available on this topic at this time. Please contact the FBI CYWATCH with any questions related to this FLASH Report. Email: cywatch@ic.fbi.gov Phone: 1-855-292-3937 TLP GREEN – The information in this product is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share this information with peers and partner organizations within their sector or community, but not via publicly accessible channels. The following information was obtained through FBI investigations and is provided in accordance with the FBI's mission and policies to prevent and protect against federal crimes and threats to the national security. The FBI is providing the following information with HIGH confidence: SUMMARY: The FBI obtained information regarding a group of Chinese Government affiliated cyber actors who routinely steal high value information from US commercial and government networks through cyber espionage. These state-sponsored hackers are exceedingly stealthy and agile by comparison with the People's Liberation Army Unit 61398 ("APT1") whose activity was publicly disclosed and attributed by security researchers in February 2013. This Chinese Government affiliated group previously documented by private sector reports by the names of Operation Deputy Dog, Snowman, Ephemeral Hydra, APT17, the Bit9 and Google security alerts and parts of Hidden Lynx, has heavily targeted the high tech information technology industry including microchip, digital storage and networking equipment manufacturers, as well as defense contractors in multiple countries and multinational corporations. These actors have deployed at least four zero-day exploits in the attacks which compromised legitimate websites to deliver malicious payloads. Any activity related to this group detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.
TLP GREEN The following information was obtained through FBI investigations and is provided in accordance with the FBI's mission and policies to prevent and protect against federal crimes and threats to the national security. TLP GREEN The FBI is providing the following information with HIGH confidence: TECHINICAL DETAILS: This group uses some custom tools that should be immediately flagged if detected, reported to FBI CYWATCH, and given highest priority for enhanced mitigation. The presence of such tools is typically part of a comprehensive, multifaceted effort to maintain persistent network access and exfiltrate data. The custom tools used by this group are as follows: HIKIT A first generation version of HiKit uses rootkit functionality to sit between the network interface card and the operating system enabling the malware to sniff all traffic to/from the compromised host. The rootkit driver spawns processes and executes arbitrary commands. Also, the capability to chain multiple HiKit compromised hosts, enables the actors to use multi-homed hosts located within the DMZ to channel traffic from internal hosts to the Internet using the DMZ hosts. Therefore, organizations should also monitor internal traffic to DMZ hosts for indicators of compromise. FEXEL-DEPUTY DOG FBI analysis has indicated that the FEXEL Trojan, used during the Deputy Dog campaign identified in open source reporting, is generally packaged as an x86. A FEXEL beacon contains HTTP Header with the name agtid whose value is a four byte pseudo random number generated using the Windows CryptGenRandom API. The malware generates another four byte pseudorandom number using the same API and prepends it to the body of the HTTP request. The pseudorandom numbers and payload are delimited by the string 08x. The payload is encrypted using &'$%"# !./,-*+() as a static RC4 Key and then Base64 encoded. This group also acquires legitimate credentials and uses commonly available tools as part of their effort to maintain persistent network access. Mitigation efforts should also focus on identifying such access and removing it. FBI has identified the following specific, but not wholly exclusive tools, previously used by this group:  China Chopper lightweight webshell  GhOst  9002  Poison Ivy  Derusbi
TLP GREEN Federal Bureau of Investigation, Cyber Division Cyber Flash Alert TLP GREEN  Sogu/PlugX  Fexel/Deputy Dog  Zox/ZoxPNG  ZXShell RECOMMENDED STEPS FOR INITIAL MITIGATION The FBI and NSA recommend the following mitigation measures be taken within the first 72 hours of detection: Prepare Your Environment for Incident Response • Establish Out-of-Band Communications methods for dissemination of intrusion response plans and activities, inform NOCs/CERTs according to institutional policy and SOPs • Maintain and actively monitor centralized host and network logging solutions after ensuring that all devices have logging enabled and their logs are being aggregated to those centralized solutions • Disable all remote (including RDP & VPN) access until a password change has been completed • Implement full SSL/TLS inspection capability (on perimeter and proxy devices) • Monitor accounts and devices determined to be part of the compromise to prevent reacquisition attempts Implement core mitigations to prevent re-exploitation (within 72 hours) Implement a network-wide password reset (preferably with local host access only, no remote changes allowed) to include: • All domain accounts (especially high-privileged administrators) • Local Accounts • Machine and System Accounts Patch all systems for critical vulnerabilities: A patch management process that regularly patches vulnerable software remains a critical component in raising the difficulty of intrusions for cyber operators. While a few adversaries use zero-day exploits to target victims, many adversaries still target known vulnerabilities for which patches have been released, capitalizing on slow patch processes and risk decisions by network owners not to patch certain vulnerabilities or systems. A few of these more widely targeted vulnerabilities are: CVE-2014-0322, CVE-
TLP GREEN Federal Bureau of Investigation, Cyber Division Cyber Flash Alert TLP GREEN 2013-3893 and 2012-0158. While watching for infections from the malware families detailed above, we also recommend ensuring that you are patched against older vulnerabilities commonly exploited by cyber operators, such as CVE-2012-0158. After initial response activities, deploy and correctly configure Microsoft's Enhanced Mitigation Experience Toolkit (EMET). EMET employs several mitigations techniques to combat memory corruption techniques. It is recommended that all hosts and servers on the network implement EMET, but for recommendations on the best methodology to employ when deploying EMET, please see NSA/IAD's Anti-Exploitation Slicksheet - http://www.nsa.gov/ia/ files/factsheets/l43V Slick Sheets/Slicksheet AntiExploitationFeatures Web.pdf Implement long-term mitigations to further harden systems Implement Pass-the-Hash mitigations. For more information, please see the NSA/IAD Publication Reducing the Effectiveness of Pass-the-Hash at - http://www.nsa.gov/ia/ files/app/Reducing the Effectiveness of Pass-the-Hash.pdf Baseline File Systems and Accounts in preparation for Whitelisting implementation. Consider using a Secure Host Baseline. See NSA/IAD's guidance at - http://www.nsa.gov/ia/ files/factsheets/l43V Slick Sheets/Slicksheet SecureHostBaseline Web.pdf Deploy, configure and monitor Application Whitelisting. For detailed guidance, please see NSA/IAD's Application Whitelisting Slicksheet at - http://www.nsa.Rov/ia/ files/factsheets/l43V Slick Sheets/Slicksheet ApplicationWhitelisting Standard.pdf Please report any compromise believed to be attributable to this group of actors to the calling or emailing FBI CYWATCH. Email: cywatch@ic.fbi.gov Phone: 1-855-292-3937
TLP GREEN Federal Bureau of Investigation, Cyber Division Cyber Flash Alert TLP GREEN APPENDIX A -TECHNICAL INDICATORS HIKIT A: HiKit A has the following characteristics: • The HiKit A configuration file is named to match its malicious DLL or EXE. Therefore, a malicious EXE named netddesrvs.exe will have configuration file named netddesrvs.conf. FBI has observed numerous DLL and EXE names used. The configuration files, which are generally 456 bytes in size, contain command and control (C2) information which is obfuscated using a 4-byte XOR key. The key is the first four bytes of the file which can be viewed using a hex editor. • The HiKit variants that FBI has observed were located in the following folders on compromised hosts: C: Windowscerten vsrv. Exe C:WindowsSystem32netddesrvs.exe C: Windows System32 wbemFVEAPI.dll C: WindowsSystem32 oci. dll NOTE: The presence of 'oci.dll' should only be considered on indicator provided that Oracle Database products are not installed on the system. It should be noted that several HiKit samples were discovered with ".conf" files which contained raw C2 IP addresses as opposed to C2 DNS names. Open source reporting indicates that HiKit A ensures persistence by a chained DLL hijacking attack using the legitimate (signed code) Microsoft Distributed Transaction Coordinator. The legitimate program (msdtc.exe) imports msdtctm.dll which inturn loads mtxoci.dU, a library that supports the Microsoft ODBC Driver for Oracle. This library in turn loads oci.dll which can either be a legitimate Oracle library or a HiKit A DLL. If your organization discovers compromised hosts through network monitoring (either for HiKit DNS resolutions, known HiKit IP addresses or with the below SNORT rule), searching for 456 byte files with extension ".conf" is highly suggested to locate additional infected hosts.
TLP GREEN Federal Bureau of Investigation, Cyber Division Cyber Flash Alert TLP GREEN HIKIT A - RC4 ENCRYPTED: FBI has observed another subvariant of HiKit A which uses a loader to decrypt and execute the HiKit backdoor on compromised hosts. This HiKit A subvariant has been observed as ACWConCA.inf coupled with loader file named srv.dll. The execution of the loaders depends on the extension of the backdoor as well as one of two conditions below: • If the backdoor file extension is .dll, then the .dll file must be in the same directory as the srv.dll file for a successful loading. • If the backdoor file extension is .inf, then the .inf file must be in the C:windowsinf directory for a successful loading. The location of the srv.dll file in this case does not matter. If the backdoor and the srv.dll file are in the appropriate location, the srv.dll file will decrypt the backdoor file using the RC4 key 'hijkqt' and load the backdoor into memory. After the HiKit backdoor is decrypted and loaded into memory, it has similar functionality to other indentified HiKit A variants.
TLP GREEN Federal Bureau of Investigation, Cyber Division Cyber Flash Alert TLP GREEN HIKIT B: The HiKit B variants were observed with configuration files (624 bytes in size) named as a random 8 alphanumeric characters (e.g. "2'66C5F4B"). The configuration files contain command and control (C2) information and are obfuscated using a 4-byte XOR key. However, unlike HiKit A, the XOR key is not located in the first four bytes of the file. The 4-byte XOR key can be identified by using a hex editor to locate sections of the file which contain repeating 4-byte sequences. The location of the configuration file also depends on the host's operating system. In Windows Vista and above, the file is located in: C:ProgramDataMicrosoft Corporation{D2423620-51A0-llD2-9CAF-0060B0EC3D39} In Windows XP, the file is located in: C:Documents and SettingsAll UsersApplication DataMicrosoft Corporation{D2423620-51A0-llD2- 9CAF-0060B0EC3D39} The HiKit variants observed were found in the following location: C:WINDOWSsystem32FontCache.exe HIKIT A RC4 ENCRYPTED lOCs: Initial triage of this malware provided the following information: Filename: srv.dll Size (bytes): 71167 MD5 Hash: d2c06fa38c626a6cbe48171e69336a02 File PE Compile Time: 2014-07-08 11:22:12 File Import Hash: CA0873C243F99959507A25AF645824EC (74 imports) Architecture Type: 32 bit Packer: none This is a HiKit loader. It decrypts and executes ACWConCA.dll. Filename: ACWConCa.dll -Pre-decryption- Size (bytes): 182335 MD5 Hash: abc63alb923643659acbd319224fl96e -Post-decryption- Size (bytes): 181271 MD5 Hash:70E87B2898333E11344B16A72183F8E9 File PE Compile Time: 2013-09-19 10:12:10
TLP GREEN Federal Bureau of Investigation, Cyber Division Cyber Flash Alert TLP GREEN File Import Hash: 9040A3EBC41AF9D148D43892275574F1 (58 imports) Architecture Type: 32 bit Packer: none Fexel/Deputy Dog Snort rule: Alert tcp any any -> any any (content:"agtid="; content:"08x"; msg:"FEXEL/Deputy Malware";)
TLP GREEN Federal Bureau of Investigation, Cyber Division Cyber Flash Alert TLP GREEN REPORT REFERENCES: Bit9, Bit9 Security Incident Update, https://blog.bit9.com/2013/02/25/bit9-securitv-incident-update/ FireEye, Operation DeputyDog, http://www.fireeye.com/blog/technical/cyber- exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese- targets.html FireEye, Operation Ephemeral Hydra, http://www.fireeye.com/blog/technical/cyber- exploits/2013/ll/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless- method.html FireEye, Operation Snowman, http://www.fireeye.com/blog/technical/cyber- exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign- wars-website.html Google, Ensuring your information is safe online, http://googleblog.blogspot.com/2011/06/ensuring- your-information-is safe.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+blogspot% 2FMKuf+%280fficial+Google+Blog%29&utm_content=Google+Feedfetcher Symantec, Hidden Lynx, https://www.svmantec.com/content/en/us/enterprise/media/securitv response/whitepapers/ hidden lynx.pdf

Recommandé

Fire and Safety Engineer CV
Fire and Safety Engineer CVFire and Safety Engineer CV
Fire and Safety Engineer CVMohammad Rabah
 
essam nasr cv document controller.DOC
essam nasr cv document controller.DOCessam nasr cv document controller.DOC
essam nasr cv document controller.DOCEssamnasro essam
 
.NET DEVELOPER
.NET DEVELOPER.NET DEVELOPER
.NET DEVELOPERvinaykeith
 
Painting Supervisor / Site Engineer / Material Corrosion Engineer
Painting Supervisor / Site Engineer / Material Corrosion EngineerPainting Supervisor / Site Engineer / Material Corrosion Engineer
Painting Supervisor / Site Engineer / Material Corrosion EngineerStevenHongXunThanh
 
Linking the world with Python and Semantics
Linking the world with Python and SemanticsLinking the world with Python and Semantics
Linking the world with Python and SemanticsTatiana Al-Chueyr
 
MOHAMMED AKBAR Sr MEP Mech_Engr
MOHAMMED AKBAR Sr MEP Mech_EngrMOHAMMED AKBAR Sr MEP Mech_Engr
MOHAMMED AKBAR Sr MEP Mech_EngrMohammed Akbar
 
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers Program
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers ProgramSession 2 - NGSI-LD primer & Smart Data Models | Train the Trainers Program
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers ProgramFIWARE
 
Nana_Rajaram_Karande
Nana_Rajaram_KarandeNana_Rajaram_Karande
Nana_Rajaram_KarandeNana Karande
 

Recommandé

Fire and Safety Engineer CV
Fire and Safety Engineer CVFire and Safety Engineer CV
Fire and Safety Engineer CVMohammad Rabah
 
essam nasr cv document controller.DOC
essam nasr cv document controller.DOCessam nasr cv document controller.DOC
essam nasr cv document controller.DOCEssamnasro essam
 
.NET DEVELOPER
.NET DEVELOPER.NET DEVELOPER
.NET DEVELOPERvinaykeith
 
Painting Supervisor / Site Engineer / Material Corrosion Engineer
Painting Supervisor / Site Engineer / Material Corrosion EngineerPainting Supervisor / Site Engineer / Material Corrosion Engineer
Painting Supervisor / Site Engineer / Material Corrosion EngineerStevenHongXunThanh
 
Linking the world with Python and Semantics
Linking the world with Python and SemanticsLinking the world with Python and Semantics
Linking the world with Python and SemanticsTatiana Al-Chueyr
 
MOHAMMED AKBAR Sr MEP Mech_Engr
MOHAMMED AKBAR Sr MEP Mech_EngrMOHAMMED AKBAR Sr MEP Mech_Engr
MOHAMMED AKBAR Sr MEP Mech_EngrMohammed Akbar
 
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers Program
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers ProgramSession 2 - NGSI-LD primer & Smart Data Models | Train the Trainers Program
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers ProgramFIWARE
 
Nana_Rajaram_Karande
Nana_Rajaram_KarandeNana_Rajaram_Karande
Nana_Rajaram_KarandeNana Karande
 
Ravi Roy_.Net Developer
Ravi Roy_.Net DeveloperRavi Roy_.Net Developer
Ravi Roy_.Net DeveloperRavi Roy
 
Introduce yourself to java 17
Introduce yourself to java 17Introduce yourself to java 17
Introduce yourself to java 17ankitbhandari32
 
Latest HVAC Supervisor
Latest HVAC SupervisorLatest HVAC Supervisor
Latest HVAC Supervisorshaikh haroon
 
The Open-Closed Principle - the Original Version and the Contemporary Version
The Open-Closed Principle - the Original Version and the Contemporary VersionThe Open-Closed Principle - the Original Version and the Contemporary Version
The Open-Closed Principle - the Original Version and the Contemporary VersionPhilip Schwarz
 
Making archive IL2C #6-55 dotnet600 2018
Making archive IL2C #6-55 dotnet600 2018Making archive IL2C #6-55 dotnet600 2018
Making archive IL2C #6-55 dotnet600 2018Kouji Matsui
 
QC Civil A. Afzal
QC Civil A. AfzalQC Civil A. Afzal
QC Civil A. AfzalAEJAZ AFZAL NAKSHBANDI
 
Functional Programming Fundamentals
Functional Programming FundamentalsFunctional Programming Fundamentals
Functional Programming FundamentalsShahriar Hyder
 
Draftsman Cv (1)
Draftsman Cv (1)Draftsman Cv (1)
Draftsman Cv (1)deepeshchhapola
 
scalar.pdf
scalar.pdfscalar.pdf
scalar.pdfMartin Odersky
 
Senior HVAC & Plumbing Engineer & QC Inspector
Senior HVAC & Plumbing Engineer & QC Inspector Senior HVAC & Plumbing Engineer & QC Inspector
Senior HVAC & Plumbing Engineer & QC Inspector SYED MUQTAAR AHAMED
 
RESUME OF ALI AL-NASSER, PMT HSE SUPERVISOR.compressed
RESUME OF ALI AL-NASSER, PMT HSE SUPERVISOR.compressedRESUME OF ALI AL-NASSER, PMT HSE SUPERVISOR.compressed
RESUME OF ALI AL-NASSER, PMT HSE SUPERVISOR.compressedAli alnasser
 
Introduction to Kotlin
Introduction to KotlinIntroduction to Kotlin
Introduction to KotlinT.M. Ishrak Hussain
 
BIM MODELER ANIL KUMAR
BIM MODELER ANIL KUMARBIM MODELER ANIL KUMAR
BIM MODELER ANIL KUMARAnil kumar
 
OOP and FP
OOP and FPOOP and FP
OOP and FPMario Fusco
 
CV of Diego Calandrino - Renewable Energy Consultant & Senior Project Manager
CV of Diego Calandrino - Renewable Energy Consultant & Senior Project ManagerCV of Diego Calandrino - Renewable Energy Consultant & Senior Project Manager
CV of Diego Calandrino - Renewable Energy Consultant & Senior Project ManagerDiego Calandrino
 
Mohamed Diab-Electrical Engineer CV
Mohamed Diab-Electrical Engineer CVMohamed Diab-Electrical Engineer CV
Mohamed Diab-Electrical Engineer CVMohamed Diab
 
ihsan CV - structural design engineer
ihsan CV - structural design engineerihsan CV - structural design engineer
ihsan CV - structural design engineerihsan ullah
 
Fbi cyber division bulletin on tools reportedly used by opm hackers
Fbi cyber division bulletin on tools reportedly used by opm hackersFbi cyber division bulletin on tools reportedly used by opm hackers
Fbi cyber division bulletin on tools reportedly used by opm hackersRepentSinner
 
Repost _Healthcare
Repost _HealthcareRepost _Healthcare
Repost _HealthcareDr. Rachael Fisher
 
IDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleGregory Hanis
 
Talk28oct14
Talk28oct14Talk28oct14
Talk28oct14mjos
 
Network Security & Ethical Hacking
Network Security & Ethical HackingNetwork Security & Ethical Hacking
Network Security & Ethical HackingSripati Mahapatra
 

Contenu connexe

Tendances

Ravi Roy_.Net Developer
Ravi Roy_.Net DeveloperRavi Roy_.Net Developer
Ravi Roy_.Net DeveloperRavi Roy
 
Introduce yourself to java 17
Introduce yourself to java 17Introduce yourself to java 17
Introduce yourself to java 17ankitbhandari32
 
Latest HVAC Supervisor
Latest HVAC SupervisorLatest HVAC Supervisor
Latest HVAC Supervisorshaikh haroon
 
The Open-Closed Principle - the Original Version and the Contemporary Version
The Open-Closed Principle - the Original Version and the Contemporary VersionThe Open-Closed Principle - the Original Version and the Contemporary Version
The Open-Closed Principle - the Original Version and the Contemporary VersionPhilip Schwarz
 
Making archive IL2C #6-55 dotnet600 2018
Making archive IL2C #6-55 dotnet600 2018Making archive IL2C #6-55 dotnet600 2018
Making archive IL2C #6-55 dotnet600 2018Kouji Matsui
 
Functional Programming Fundamentals
Functional Programming FundamentalsFunctional Programming Fundamentals
Functional Programming FundamentalsShahriar Hyder
 
Senior HVAC & Plumbing Engineer & QC Inspector
Senior HVAC & Plumbing Engineer & QC Inspector Senior HVAC & Plumbing Engineer & QC Inspector
Senior HVAC & Plumbing Engineer & QC Inspector SYED MUQTAAR AHAMED
 
RESUME OF ALI AL-NASSER, PMT HSE SUPERVISOR.compressed
RESUME OF ALI AL-NASSER, PMT HSE SUPERVISOR.compressedRESUME OF ALI AL-NASSER, PMT HSE SUPERVISOR.compressed
RESUME OF ALI AL-NASSER, PMT HSE SUPERVISOR.compressedAli alnasser
 
BIM MODELER ANIL KUMAR
BIM MODELER ANIL KUMARBIM MODELER ANIL KUMAR
BIM MODELER ANIL KUMARAnil kumar
 
CV of Diego Calandrino - Renewable Energy Consultant & Senior Project Manager
CV of Diego Calandrino - Renewable Energy Consultant & Senior Project ManagerCV of Diego Calandrino - Renewable Energy Consultant & Senior Project Manager
CV of Diego Calandrino - Renewable Energy Consultant & Senior Project ManagerDiego Calandrino
 
Mohamed Diab-Electrical Engineer CV
Mohamed Diab-Electrical Engineer CVMohamed Diab-Electrical Engineer CV
Mohamed Diab-Electrical Engineer CVMohamed Diab
 
ihsan CV - structural design engineer
ihsan CV - structural design engineerihsan CV - structural design engineer
ihsan CV - structural design engineerihsan ullah
 

Tendances (17)

Ravi Roy_.Net Developer
Ravi Roy_.Net DeveloperRavi Roy_.Net Developer
Ravi Roy_.Net Developer
 
Introduce yourself to java 17
Introduce yourself to java 17Introduce yourself to java 17
Introduce yourself to java 17
 
Latest HVAC Supervisor
Latest HVAC SupervisorLatest HVAC Supervisor
Latest HVAC Supervisor
 
The Open-Closed Principle - the Original Version and the Contemporary Version
The Open-Closed Principle - the Original Version and the Contemporary VersionThe Open-Closed Principle - the Original Version and the Contemporary Version
The Open-Closed Principle - the Original Version and the Contemporary Version
 
Making archive IL2C #6-55 dotnet600 2018
Making archive IL2C #6-55 dotnet600 2018Making archive IL2C #6-55 dotnet600 2018
Making archive IL2C #6-55 dotnet600 2018
 
QC Civil A. Afzal
QC Civil A. AfzalQC Civil A. Afzal
QC Civil A. Afzal
 
Functional Programming Fundamentals
Functional Programming FundamentalsFunctional Programming Fundamentals
Functional Programming Fundamentals
 
Draftsman Cv (1)
Draftsman Cv (1)Draftsman Cv (1)
Draftsman Cv (1)
 
scalar.pdf
scalar.pdfscalar.pdf
scalar.pdf
 
Senior HVAC & Plumbing Engineer & QC Inspector
Senior HVAC & Plumbing Engineer & QC Inspector Senior HVAC & Plumbing Engineer & QC Inspector
Senior HVAC & Plumbing Engineer & QC Inspector
 
RESUME OF ALI AL-NASSER, PMT HSE SUPERVISOR.compressed
RESUME OF ALI AL-NASSER, PMT HSE SUPERVISOR.compressedRESUME OF ALI AL-NASSER, PMT HSE SUPERVISOR.compressed
RESUME OF ALI AL-NASSER, PMT HSE SUPERVISOR.compressed
 
Introduction to Kotlin
Introduction to KotlinIntroduction to Kotlin
Introduction to Kotlin
 
BIM MODELER ANIL KUMAR
BIM MODELER ANIL KUMARBIM MODELER ANIL KUMAR
BIM MODELER ANIL KUMAR
 
OOP and FP
OOP and FPOOP and FP
OOP and FP
 
CV of Diego Calandrino - Renewable Energy Consultant & Senior Project Manager
CV of Diego Calandrino - Renewable Energy Consultant & Senior Project ManagerCV of Diego Calandrino - Renewable Energy Consultant & Senior Project Manager
CV of Diego Calandrino - Renewable Energy Consultant & Senior Project Manager
 
Mohamed Diab-Electrical Engineer CV
Mohamed Diab-Electrical Engineer CVMohamed Diab-Electrical Engineer CV
Mohamed Diab-Electrical Engineer CV
 
ihsan CV - structural design engineer
ihsan CV - structural design engineerihsan CV - structural design engineer
ihsan CV - structural design engineer
 

Similaire à Infragard HiKit FLASH Alert.

Fbi cyber division bulletin on tools reportedly used by opm hackers
Fbi cyber division bulletin on tools reportedly used by opm hackersFbi cyber division bulletin on tools reportedly used by opm hackers
Fbi cyber division bulletin on tools reportedly used by opm hackersRepentSinner
 
IDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleGregory Hanis
 
Talk28oct14
Talk28oct14Talk28oct14
Talk28oct14mjos
 
Network Security & Ethical Hacking
Network Security & Ethical HackingNetwork Security & Ethical Hacking
Network Security & Ethical HackingSripati Mahapatra
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopErnest Staats
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Securitybelsis
 
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...FireEye, Inc.
 
VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to knowEric Klein
 
FlexNet Publisher Licensing Security
FlexNet Publisher Licensing SecurityFlexNet Publisher Licensing Security
FlexNet Publisher Licensing SecurityFlexera
 
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...MohamedOmerMusa
 
Security and Ethical Challenges Contributors Kim Wanders.docx
Security and Ethical Challenges Contributors Kim Wanders.docxSecurity and Ethical Challenges Contributors Kim Wanders.docx
Security and Ethical Challenges Contributors Kim Wanders.docxedgar6wallace88877
 
Security and Ethical Challenges Contributors Kim Wanders.docx
Security and Ethical Challenges Contributors Kim Wanders.docxSecurity and Ethical Challenges Contributors Kim Wanders.docx
Security and Ethical Challenges Contributors Kim Wanders.docxfathwaitewalter
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)Wail Hassan
 
Honeypot- An Overview
Honeypot- An OverviewHoneypot- An Overview
Honeypot- An OverviewIRJET Journal
 
Cyber Espionage Against Georgia (Georbot)
Cyber Espionage Against Georgia (Georbot)Cyber Espionage Against Georgia (Georbot)
Cyber Espionage Against Georgia (Georbot)DataExchangeAgency
 

Similaire à Infragard HiKit FLASH Alert. (20)

Fbi cyber division bulletin on tools reportedly used by opm hackers
Fbi cyber division bulletin on tools reportedly used by opm hackersFbi cyber division bulletin on tools reportedly used by opm hackers
Fbi cyber division bulletin on tools reportedly used by opm hackers
 
Repost _Healthcare
Repost _HealthcareRepost _Healthcare
Repost _Healthcare
 
IDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security Simple
 
Talk28oct14
Talk28oct14Talk28oct14
Talk28oct14
 
Network Security & Ethical Hacking
Network Security & Ethical HackingNetwork Security & Ethical Hacking
Network Security & Ethical Hacking
 
DR FAT
DR FATDR FAT
DR FAT
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
 
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
 
VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to know
 
FlexNet Publisher Licensing Security
FlexNet Publisher Licensing SecurityFlexNet Publisher Licensing Security
FlexNet Publisher Licensing Security
 
Assingment 5 - ENSA
Assingment 5 - ENSAAssingment 5 - ENSA
Assingment 5 - ENSA
 
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6...
 
APT - Project
APT - Project APT - Project
APT - Project
 
Security and Ethical Challenges Contributors Kim Wanders.docx
Security and Ethical Challenges Contributors Kim Wanders.docxSecurity and Ethical Challenges Contributors Kim Wanders.docx
Security and Ethical Challenges Contributors Kim Wanders.docx
 
Security and Ethical Challenges Contributors Kim Wanders.docx
Security and Ethical Challenges Contributors Kim Wanders.docxSecurity and Ethical Challenges Contributors Kim Wanders.docx
Security and Ethical Challenges Contributors Kim Wanders.docx
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
 
Honeypot- An Overview
Honeypot- An OverviewHoneypot- An Overview
Honeypot- An Overview
 
4777.team c.final
4777.team c.final4777.team c.final
4777.team c.final
 
Cyber Espionage Against Georgia (Georbot)
Cyber Espionage Against Georgia (Georbot)Cyber Espionage Against Georgia (Georbot)
Cyber Espionage Against Georgia (Georbot)
 

Dernier

Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 

Dernier (20)

Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 

Infragard HiKit FLASH Alert.

  • 1. TLP GREEN The following information was obtained through FBI investigations and is provided in accordance with the FBI's mission and policies to prevent and protect against federal crimes and threats to the national security. TLP GREEN 15 October 2014 Alert Number A-000042-MW There is no additional information available on this topic at this time. Please contact the FBI CYWATCH with any questions related to this FLASH Report. Email: cywatch@ic.fbi.gov Phone: 1-855-292-3937 TLP GREEN – The information in this product is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share this information with peers and partner organizations within their sector or community, but not via publicly accessible channels. The following information was obtained through FBI investigations and is provided in accordance with the FBI's mission and policies to prevent and protect against federal crimes and threats to the national security. The FBI is providing the following information with HIGH confidence: SUMMARY: The FBI obtained information regarding a group of Chinese Government affiliated cyber actors who routinely steal high value information from US commercial and government networks through cyber espionage. These state-sponsored hackers are exceedingly stealthy and agile by comparison with the People's Liberation Army Unit 61398 ("APT1") whose activity was publicly disclosed and attributed by security researchers in February 2013. This Chinese Government affiliated group previously documented by private sector reports by the names of Operation Deputy Dog, Snowman, Ephemeral Hydra, APT17, the Bit9 and Google security alerts and parts of Hidden Lynx, has heavily targeted the high tech information technology industry including microchip, digital storage and networking equipment manufacturers, as well as defense contractors in multiple countries and multinational corporations. These actors have deployed at least four zero-day exploits in the attacks which compromised legitimate websites to deliver malicious payloads. Any activity related to this group detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.
  • 2. TLP GREEN The following information was obtained through FBI investigations and is provided in accordance with the FBI's mission and policies to prevent and protect against federal crimes and threats to the national security. TLP GREEN The FBI is providing the following information with HIGH confidence: TECHINICAL DETAILS: This group uses some custom tools that should be immediately flagged if detected, reported to FBI CYWATCH, and given highest priority for enhanced mitigation. The presence of such tools is typically part of a comprehensive, multifaceted effort to maintain persistent network access and exfiltrate data. The custom tools used by this group are as follows: HIKIT A first generation version of HiKit uses rootkit functionality to sit between the network interface card and the operating system enabling the malware to sniff all traffic to/from the compromised host. The rootkit driver spawns processes and executes arbitrary commands. Also, the capability to chain multiple HiKit compromised hosts, enables the actors to use multi-homed hosts located within the DMZ to channel traffic from internal hosts to the Internet using the DMZ hosts. Therefore, organizations should also monitor internal traffic to DMZ hosts for indicators of compromise. FEXEL-DEPUTY DOG FBI analysis has indicated that the FEXEL Trojan, used during the Deputy Dog campaign identified in open source reporting, is generally packaged as an x86. A FEXEL beacon contains HTTP Header with the name agtid whose value is a four byte pseudo random number generated using the Windows CryptGenRandom API. The malware generates another four byte pseudorandom number using the same API and prepends it to the body of the HTTP request. The pseudorandom numbers and payload are delimited by the string 08x. The payload is encrypted using &'$%"# !./,-*+() as a static RC4 Key and then Base64 encoded. This group also acquires legitimate credentials and uses commonly available tools as part of their effort to maintain persistent network access. Mitigation efforts should also focus on identifying such access and removing it. FBI has identified the following specific, but not wholly exclusive tools, previously used by this group:  China Chopper lightweight webshell  GhOst  9002  Poison Ivy  Derusbi
  • 3. TLP GREEN Federal Bureau of Investigation, Cyber Division Cyber Flash Alert TLP GREEN  Sogu/PlugX  Fexel/Deputy Dog  Zox/ZoxPNG  ZXShell RECOMMENDED STEPS FOR INITIAL MITIGATION The FBI and NSA recommend the following mitigation measures be taken within the first 72 hours of detection: Prepare Your Environment for Incident Response • Establish Out-of-Band Communications methods for dissemination of intrusion response plans and activities, inform NOCs/CERTs according to institutional policy and SOPs • Maintain and actively monitor centralized host and network logging solutions after ensuring that all devices have logging enabled and their logs are being aggregated to those centralized solutions • Disable all remote (including RDP & VPN) access until a password change has been completed • Implement full SSL/TLS inspection capability (on perimeter and proxy devices) • Monitor accounts and devices determined to be part of the compromise to prevent reacquisition attempts Implement core mitigations to prevent re-exploitation (within 72 hours) Implement a network-wide password reset (preferably with local host access only, no remote changes allowed) to include: • All domain accounts (especially high-privileged administrators) • Local Accounts • Machine and System Accounts Patch all systems for critical vulnerabilities: A patch management process that regularly patches vulnerable software remains a critical component in raising the difficulty of intrusions for cyber operators. While a few adversaries use zero-day exploits to target victims, many adversaries still target known vulnerabilities for which patches have been released, capitalizing on slow patch processes and risk decisions by network owners not to patch certain vulnerabilities or systems. A few of these more widely targeted vulnerabilities are: CVE-2014-0322, CVE-
  • 4. TLP GREEN Federal Bureau of Investigation, Cyber Division Cyber Flash Alert TLP GREEN 2013-3893 and 2012-0158. While watching for infections from the malware families detailed above, we also recommend ensuring that you are patched against older vulnerabilities commonly exploited by cyber operators, such as CVE-2012-0158. After initial response activities, deploy and correctly configure Microsoft's Enhanced Mitigation Experience Toolkit (EMET). EMET employs several mitigations techniques to combat memory corruption techniques. It is recommended that all hosts and servers on the network implement EMET, but for recommendations on the best methodology to employ when deploying EMET, please see NSA/IAD's Anti-Exploitation Slicksheet - http://www.nsa.gov/ia/ files/factsheets/l43V Slick Sheets/Slicksheet AntiExploitationFeatures Web.pdf Implement long-term mitigations to further harden systems Implement Pass-the-Hash mitigations. For more information, please see the NSA/IAD Publication Reducing the Effectiveness of Pass-the-Hash at - http://www.nsa.gov/ia/ files/app/Reducing the Effectiveness of Pass-the-Hash.pdf Baseline File Systems and Accounts in preparation for Whitelisting implementation. Consider using a Secure Host Baseline. See NSA/IAD's guidance at - http://www.nsa.gov/ia/ files/factsheets/l43V Slick Sheets/Slicksheet SecureHostBaseline Web.pdf Deploy, configure and monitor Application Whitelisting. For detailed guidance, please see NSA/IAD's Application Whitelisting Slicksheet at - http://www.nsa.Rov/ia/ files/factsheets/l43V Slick Sheets/Slicksheet ApplicationWhitelisting Standard.pdf Please report any compromise believed to be attributable to this group of actors to the calling or emailing FBI CYWATCH. Email: cywatch@ic.fbi.gov Phone: 1-855-292-3937
  • 5. TLP GREEN Federal Bureau of Investigation, Cyber Division Cyber Flash Alert TLP GREEN APPENDIX A -TECHNICAL INDICATORS HIKIT A: HiKit A has the following characteristics: • The HiKit A configuration file is named to match its malicious DLL or EXE. Therefore, a malicious EXE named netddesrvs.exe will have configuration file named netddesrvs.conf. FBI has observed numerous DLL and EXE names used. The configuration files, which are generally 456 bytes in size, contain command and control (C2) information which is obfuscated using a 4-byte XOR key. The key is the first four bytes of the file which can be viewed using a hex editor. • The HiKit variants that FBI has observed were located in the following folders on compromised hosts: C: Windowscerten vsrv. Exe C:WindowsSystem32netddesrvs.exe C: Windows System32 wbemFVEAPI.dll C: WindowsSystem32 oci. dll NOTE: The presence of 'oci.dll' should only be considered on indicator provided that Oracle Database products are not installed on the system. It should be noted that several HiKit samples were discovered with ".conf" files which contained raw C2 IP addresses as opposed to C2 DNS names. Open source reporting indicates that HiKit A ensures persistence by a chained DLL hijacking attack using the legitimate (signed code) Microsoft Distributed Transaction Coordinator. The legitimate program (msdtc.exe) imports msdtctm.dll which inturn loads mtxoci.dU, a library that supports the Microsoft ODBC Driver for Oracle. This library in turn loads oci.dll which can either be a legitimate Oracle library or a HiKit A DLL. If your organization discovers compromised hosts through network monitoring (either for HiKit DNS resolutions, known HiKit IP addresses or with the below SNORT rule), searching for 456 byte files with extension ".conf" is highly suggested to locate additional infected hosts.
  • 6. TLP GREEN Federal Bureau of Investigation, Cyber Division Cyber Flash Alert TLP GREEN HIKIT A - RC4 ENCRYPTED: FBI has observed another subvariant of HiKit A which uses a loader to decrypt and execute the HiKit backdoor on compromised hosts. This HiKit A subvariant has been observed as ACWConCA.inf coupled with loader file named srv.dll. The execution of the loaders depends on the extension of the backdoor as well as one of two conditions below: • If the backdoor file extension is .dll, then the .dll file must be in the same directory as the srv.dll file for a successful loading. • If the backdoor file extension is .inf, then the .inf file must be in the C:windowsinf directory for a successful loading. The location of the srv.dll file in this case does not matter. If the backdoor and the srv.dll file are in the appropriate location, the srv.dll file will decrypt the backdoor file using the RC4 key 'hijkqt' and load the backdoor into memory. After the HiKit backdoor is decrypted and loaded into memory, it has similar functionality to other indentified HiKit A variants.
  • 7. TLP GREEN Federal Bureau of Investigation, Cyber Division Cyber Flash Alert TLP GREEN HIKIT B: The HiKit B variants were observed with configuration files (624 bytes in size) named as a random 8 alphanumeric characters (e.g. "2'66C5F4B"). The configuration files contain command and control (C2) information and are obfuscated using a 4-byte XOR key. However, unlike HiKit A, the XOR key is not located in the first four bytes of the file. The 4-byte XOR key can be identified by using a hex editor to locate sections of the file which contain repeating 4-byte sequences. The location of the configuration file also depends on the host's operating system. In Windows Vista and above, the file is located in: C:ProgramDataMicrosoft Corporation{D2423620-51A0-llD2-9CAF-0060B0EC3D39} In Windows XP, the file is located in: C:Documents and SettingsAll UsersApplication DataMicrosoft Corporation{D2423620-51A0-llD2- 9CAF-0060B0EC3D39} The HiKit variants observed were found in the following location: C:WINDOWSsystem32FontCache.exe HIKIT A RC4 ENCRYPTED lOCs: Initial triage of this malware provided the following information: Filename: srv.dll Size (bytes): 71167 MD5 Hash: d2c06fa38c626a6cbe48171e69336a02 File PE Compile Time: 2014-07-08 11:22:12 File Import Hash: CA0873C243F99959507A25AF645824EC (74 imports) Architecture Type: 32 bit Packer: none This is a HiKit loader. It decrypts and executes ACWConCA.dll. Filename: ACWConCa.dll -Pre-decryption- Size (bytes): 182335 MD5 Hash: abc63alb923643659acbd319224fl96e -Post-decryption- Size (bytes): 181271 MD5 Hash:70E87B2898333E11344B16A72183F8E9 File PE Compile Time: 2013-09-19 10:12:10
  • 8. TLP GREEN Federal Bureau of Investigation, Cyber Division Cyber Flash Alert TLP GREEN File Import Hash: 9040A3EBC41AF9D148D43892275574F1 (58 imports) Architecture Type: 32 bit Packer: none Fexel/Deputy Dog Snort rule: Alert tcp any any -> any any (content:"agtid="; content:"08x"; msg:"FEXEL/Deputy Malware";)
  • 9. TLP GREEN Federal Bureau of Investigation, Cyber Division Cyber Flash Alert TLP GREEN REPORT REFERENCES: Bit9, Bit9 Security Incident Update, https://blog.bit9.com/2013/02/25/bit9-securitv-incident-update/ FireEye, Operation DeputyDog, http://www.fireeye.com/blog/technical/cyber- exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese- targets.html FireEye, Operation Ephemeral Hydra, http://www.fireeye.com/blog/technical/cyber- exploits/2013/ll/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless- method.html FireEye, Operation Snowman, http://www.fireeye.com/blog/technical/cyber- exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign- wars-website.html Google, Ensuring your information is safe online, http://googleblog.blogspot.com/2011/06/ensuring- your-information-is safe.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+blogspot% 2FMKuf+%280fficial+Google+Blog%29&utm_content=Google+Feedfetcher Symantec, Hidden Lynx, https://www.svmantec.com/content/en/us/enterprise/media/securitv response/whitepapers/ hidden lynx.pdf