<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">FYSA<o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div style="margin-bottom:6.0pt">
<div>
<p class="xxxxxxmsonormal"><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif"> <o:p></o:p></span></p>
<p class="xxmsonospacing"><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif;color:black">Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency
(NSA) released a </span><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-277a">joint Cybersecurity Advisory</a><span style="color:black"> (CSA) detailing how advanced persistent
threat (APT) actors used an open-source toolkit and a custom data exfiltration tool to steal sensitive data from a defense industrial base (DIB) sector organization’s enterprise network. </span> <o:p></o:p></span></p>
<p class="xxmsonospacing"><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif"> <o:p></o:p></span></p>
<p class="xxmsonospacing"><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif;color:black">APT actors used the open-source toolkit Impacket to gain a foothold in the environment and further compromise the network, and a custom
data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data. Analysis of the available data showed that APT actors were active in the victim’s enterprise network at least as early as January 2021 and gained access to the organization’s
share drives, Microsoft Exchange server, and Exchange Web Services (EWS). The actors used the account of a former employee to access EWS, which provides access to mailbox items such as email messages, meetings, and contacts. </span><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif"> <o:p></o:p></span></p>
<p class="xxmsonospacing"><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif"> <o:p></o:p></span></p>
<p class="xxmsonormal"><span class="xxnormaltextrun"><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif">In March 2021, APT actors exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26868, and CVE-2021-27065 to install China Chopper
webshells and HyperBro on the victim’s systems</span></span><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif;color:black">. The CSA links to malware analysis reports on the webshells and on HyperBro that give network defenders additional technical details,
including indicators of compromise (IOCs) and detection signatures.</span><span class="xxnormaltextrun"><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif"> </span></span><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif"> <o:p></o:p></span></p>
<p class="xxmsonormal"><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif"> <o:p></o:p></span></p>
<p class="xxmsonormal"><span class="xxnormaltextrun"><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif">APT actors used Command Shell to learn about the organization’s environment and to collect sensitive data, including sensitive
contract-related information from share drives, for eventual exfiltration. Through the Command Shell, an Impacket user with credentials can run commands on the remote device using the Windows management protocols required to support an enterprise network.
Some threat actors likely maintained persistent access for several months by relying on legitimate credentials. </span></span><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif"> <o:p></o:p></span></p>
<p class="xxmsonospacing"><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif"> <o:p></o:p></span></p>
<p class="xxmsonospacing"><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif;color:black">Some of the actions that can help protect against APT cyber activity include: </span><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif"> <o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="xmsonormal" style="mso-list:l0 level1 lfo3"><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif;color:black">Enforce multi-factor authentication (MFA) on all user accounts; </span><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif"> <o:p></o:p></span></li><li class="xmsonormal" style="mso-list:l0 level1 lfo3"><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif;color:black">Implement network segmentation to separate network segments based on role and functionality; </span><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif"> <o:p></o:p></span></li><li class="xmsonormal" style="mso-list:l0 level1 lfo3"><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif;color:black">Update software, including operating systems, applications, and firmware, on network assets; and </span><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif"> <o:p></o:p></span></li><li class="xmsonormal" style="mso-list:l0 level1 lfo3"><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif;color:black">Audit account usage. </span><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif"> <o:p></o:p></span></li></ul>
<p class="xmsonormal"><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif;color:black">The DIB sector and other critical infrastructure organizations are encouraged to implement effective, mature cybersecurity programs, such as the recommended
actions in the </span><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-277a">CSA</a><span style="color:black">, to ensure they are managing and mitigating the impact of APT threats
to their networks. Organizations are also encouraged to validate or test their existing security controls to assess how they perform against the adversarial behavior (i.e., MITRE ATT&amp;CK techniques) described in the advisory. </span> <o:p></o:p></span></p>
<p class="xmsonormal"><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="font-size:12.0pt;font-family:"Franklin Gothic Book",sans-serif"> <o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><b><span style="color:#1F497D">Theresa A. Masse<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cyber Security Advisor, Region 10 (Oregon)
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cybersecurity and Infrastructure Security Agency<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Department of Homeland Security<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Phone: (503) 930-5671
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Email:</span><span style="font-size:10.0pt;color:#777777">
</span><a href="mailto:theresa.masse@cisa.dhs.gov"><span style="font-size:10.0pt;color:#0563C1">theresa.masse@cisa.dhs.gov</span></a><u><span style="font-size:10.0pt;color:#0760C1"><o:p></o:p></span></u></p>
</div>
</body>
</html>