AA20-336A: Advanced Persistent Threat Actors Targeting U.S. Think Tanks


Original release date: December 1, 2020<br/><h3>Summary</h3><p class="tip-intro" style="font-size: 15px;"><em>This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK®) framework. See the <a href="Techniques - Enterprise | MITRE ATT&CK®">ATT&amp;CK for Enterprise</a> for all referenced threat actor tactics and techniques.</em></p> <p>The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed persistent continued cyber intrusions by advanced persistent threat (APT) actors targeting U.S. think tanks. This malicious activity is often, but not exclusively, directed at individuals and organizations that focus on international affairs or national security policy.[<a href="Microsoft warns of Fancy Bear attacks on democratic think tanks - CyberScoop">1</a>] The following guidance may assist U.S. think tanks in developing network defense procedures to prevent or rapidly detect these attacks.</p> <p>APT actors have relied on multiple avenues for initial access. These have included low-effort capabilities such as spearphishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities. Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic. Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim’s network. When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks.</p> <p>Given the importance that think tanks can have in shaping U.S. 
policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness and implement the critical steps listed in the Mitigations section of this Advisory.</p> <p><a href="https://us-cert.cisa.gov/sites/defa...0-336A-APT_Actors_Targeting_US_ThinkTanks.pdf">Click here</a> for a PDF version of this report.</p> <h3>Technical Details</h3><h4>ATT&amp;CK Profile</h4> <p>CISA created the following MITRE ATT&amp;CK profile to provide a non-exhaustive list of tactics, techniques, and procedures (TTPs) employed by APT actors to break through think tanks’ defenses, conduct reconnaissance in their environments, exfiltrate proprietary or confidential information, and execute effects on targets. These TTPs were included based upon closed reporting on APT actors that are known to target think tanks or based upon CISA incident response data.</p> <ul> <li><em><strong>Initial Access</strong></em> [<a href="Initial Access, Tactic TA0001 - Enterprise | MITRE ATT&CK®">TA0001</a>] <ul> <li><i>Valid Accounts </i>[<a href="Valid Accounts, Technique T1078 - Enterprise | MITRE ATT&CK®">T1078</a>]</li> <li><i>Valid Accounts: Cloud Accounts </i>[<a href="Valid Accounts: Cloud Accounts, Sub-technique T1078.004 - Enterprise | MITRE ATT&CK®">T1078.004</a>]</li> <li><i>External Remote Services </i>[<a href="External Remote Services, Technique T1133 - Enterprise | MITRE ATT&CK®">T1133</a>]</li> <li><i>Drive-by Compromise</i> [<a href="Drive-by Compromise, Technique T1189 - Enterprise | MITRE ATT&CK®">T1189</a>]</li> <li><i>Exploit Public-Facing Application</i> [<a href="Exploit Public-Facing Application, Technique T1190 - Enterprise | MITRE ATT&CK®">T1190</a>]</li> <li><i>Supply Chain Compromise: Compromise Software Supply Chain</i> [<a href="Supply Chain Compromise: Compromise Software Supply Chain, Sub-technique T1195.002 - Enterprise | MITRE ATT&CK®">T1195.002</a>]</li> <li><i>Trusted Relationship</i> [<a href="Trusted Relationship, Technique T1199 - Enterprise | MITRE ATT&CK®">T1199</a>]</li> <li><i>Phishing: Spearphishing Attachment</i> [<a href="Phishing: Spearphishing Attachment, Sub-technique T1566.001 - Enterprise | MITRE ATT&CK®">T1566.001</a>]</li> <li><i>Phishing: Spearphishing Link</i> [<a href="Phishing: Spearphishing Link, Sub-technique T1566.002 - Enterprise | MITRE ATT&CK®">T1566.002</a>]</li> <li><i>Phishing: Spearphishing via Service</i> [<a href="Phishing: Spearphishing via Service, Sub-technique T1566.003 - Enterprise | MITRE ATT&CK®">T1566.003</a>]</li> </ul> </li> <li><i><em><strong>Execution</strong></em></i> [<a href="Execution, Tactic TA0002 - Enterprise | MITRE ATT&CK®">TA0002</a>] <ul> <li><i>Windows Management Instrumentation </i>[<a href="Windows Management Instrumentation, Technique T1047 - Enterprise | MITRE ATT&CK®">T1047</a>]</li> <li><i>Scheduled Task/Job: Scheduled Task </i>[<a href="Scheduled Task/Job: Scheduled Task, Sub-technique T1053.005 - Enterprise | MITRE ATT&CK®">T1053.005</a>]</li> <li><i>Command and Scripting Interpreter: PowerShell </i>[<a href="Command and Scripting Interpreter: PowerShell, Sub-technique T1059.001 - Enterprise | MITRE ATT&CK®">T1059.001</a>]</li> <li><i>Command and Scripting Interpreter: Windows Command Shell</i> [<a href="Command and Scripting Interpreter: Windows Command Shell, Sub-technique T1059.003 - Enterprise | MITRE ATT&CK®">T1059.003</a>]</li> <li><i>Command and Scripting Interpreter: Unix Shell</i> [<a href="Command and Scripting Interpreter: Unix Shell, Sub-technique T1059.004 - Enterprise | MITRE ATT&CK®">T1059.004</a>]</li> <li><i>Command and Scripting Interpreter: Visual Basic </i>[<a href="Command and Scripting Interpreter: Visual Basic, Sub-technique T1059.005 - Enterprise | MITRE ATT&CK®">T1059.005</a>]</li> <li><i>Command and Scripting Interpreter: Python </i>[<a href="Command and Scripting Interpreter: Python, Sub-technique T1059.006 - Enterprise | 
MITRE ATT&CK®">T1059.006</a>]</li> <li><i>Native API </i>[<a href="Native API, Technique T1106 - Enterprise | MITRE ATT&CK®">T1106</a>]</li> <li><i>Exploitation for Client Execution</i> [<a href="Exploitation for Client Execution, Technique T1203 - Enterprise | MITRE ATT&CK®">T1203</a>]</li> <li><i>User Execution: Malicious Link </i>[<a href="User Execution: Malicious Link, Sub-technique T1204.001 - Enterprise | MITRE ATT&CK®">T1204.001</a>]</li> <li><i>User Execution: Malicious File</i> [<a href="User Execution: Malicious File, Sub-technique T1204.002 - Enterprise | MITRE ATT&CK®">T1204.002</a>]</li> <li><i>Inter-Process Communication: Dynamic Data Exchange </i>[<a href="Inter-Process Communication: Dynamic Data Exchange, Sub-technique T1559.002 - Enterprise | MITRE ATT&CK®">T1559.002</a>]</li> <li><i>System Services: Service Execution </i>[<a href="System Services: Service Execution, Sub-technique T1569.002 - Enterprise | MITRE ATT&CK®">T1569.002</a>]</li> </ul> </li> <li><i><em><strong>Persistence</strong></em></i> [<a href="Persistence, Tactic TA0003 - Enterprise | MITRE ATT&CK®">TA0003</a>] <ul> <li><i>Boot or Logon Initialization Scripts: Logon Script (Windows)</i> [<a href="Boot or Logon Initialization Scripts: Logon Script (Windows), Sub-technique T1037.001 - Enterprise | MITRE ATT&CK®">T1037.001</a>]</li> <li><i>Scheduled Task/Job: Scheduled Task</i> [<a href="Scheduled Task/Job: Scheduled Task, Sub-technique T1053.005 - Enterprise | MITRE ATT&CK®">T1053.005</a>]</li> <li><i>Account Manipulation: Exchange Email Delegate Permissions </i>[<a href="Account Manipulation: Exchange Email Delegate Permissions, Sub-technique T1098.002 - Enterprise | MITRE ATT&CK®">T1098.002</a>]</li> <li><i>Create Account: Local Account</i> [<a href="Create Account: Local Account, Sub-technique T1136.001 - Enterprise | MITRE ATT&CK®">T1136.001</a>]</li> <li><i>Office Application Startup: Office Test </i>[<a href="Office Application Startup: Office Test, Sub-technique T1137.002 - 
Enterprise | MITRE ATT&CK®">T1137.002</a>]</li> <li><i>Office Application Startup: Outlook Home Page</i> [<a href="Office Application Startup: Outlook Home Page, Sub-technique T1137.004 - Enterprise | MITRE ATT&CK®">T1137.004</a>]</li> <li><i>Browser Extensions</i> [<a href="Browser Extensions, Technique T1176 - Enterprise | MITRE ATT&CK®">T1176</a>]</li> <li><i>BITS Jobs</i> [<a href="BITS Jobs, Technique T1197 - Enterprise | MITRE ATT&CK®">T1197</a>]</li> <li><i>Server Software Component: Web Shell</i> [<a href="Server Software Component: Web Shell, Sub-technique T1505.003 - Enterprise | MITRE ATT&CK®">T1505.003</a>]</li> <li><i>Pre-OS Boot: Bootkit</i> [<a href="Pre-OS Boot: Bootkit, Sub-technique T1542.003 - Enterprise | MITRE ATT&CK®">T1542.003</a>]</li> <li><i>Create or Modify System Process: Windows Service</i> [<a href="Create or Modify System Process: Windows Service, Sub-technique T1543.003 - Enterprise | MITRE ATT&CK®">T1543.003</a>]</li> <li><i>Event Triggered Execution: Change Default File Association</i> [<a href="Event Triggered Execution: Change Default File Association, Sub-technique T1546.001 - Enterprise | MITRE ATT&CK®">T1546.001</a>]</li> <li><i>Event Triggered Execution: Windows Management Instrumentation Event Subscription </i>[<a href="Event Triggered Execution: Windows Management Instrumentation Event Subscription, Sub-technique T1546.003 - Enterprise | MITRE ATT&CK®">T1546.003</a>]</li> <li><i>Event Triggered Execution: Accessibility Features</i> [<a href="Event Triggered Execution: Accessibility Features, Sub-technique T1546.008 - Enterprise | MITRE ATT&CK®">T1546.008</a>]</li> <li><i>Event Triggered Execution: Component Object Model Hijacking</i> [<a href="Event Triggered Execution: Component Object Model Hijacking, Sub-technique T1546.015 - Enterprise | MITRE ATT&CK®">T1546.015</a>]</li> <li><i>Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder </i>[<a href="Boot or Logon Autostart Execution: Registry Run Keys / 
Startup Folder, Sub-technique T1547.001 - Enterprise | MITRE ATT&CK®">T1547.001</a>]</li> <li><i>Boot or Logon Autostart Execution: Shortcut Modification</i> [<a href="Boot or Logon Autostart Execution: Shortcut Modification, Sub-technique T1547.009 - Enterprise | MITRE ATT&CK®">T1547.009</a>]</li> </ul> </li> <li><i><em><strong>Privilege Escalation</strong></em></i> [<a href="Privilege Escalation, Tactic TA0004 - Enterprise | MITRE ATT&CK®">TA0004</a>] <ul> <li><i>Process Injection</i> [<a href="Process Injection, Technique T1055 - Enterprise | MITRE ATT&CK®">T1055</a>]</li> <li><i>Process Injection: Process Hollowing</i> [<a href="Process Injection: Process Hollowing, Sub-technique T1055.012 - Enterprise | MITRE ATT&CK®">T1055.012</a>]</li> <li><i>Exploitation for Privilege Escalation</i> [<a href="Exploitation for Privilege Escalation, Technique T1068 - Enterprise | MITRE ATT&CK®">T1068</a>]</li> <li><i>Access Token Manipulation: Token Impersonation/Theft</i> [<a href="Access Token Manipulation: Token Impersonation/Theft, Sub-technique T1134.001 - Enterprise | MITRE ATT&CK®">T1134.001</a>]</li> <li><i>Event Triggered Execution: Accessibility Features </i>[<a href="Event Triggered Execution: Accessibility Features, Sub-technique T1546.008 - Enterprise | MITRE ATT&CK®">T1546.008</a>]</li> <li><i>Boot or Logon Autostart Execution: Shortcut Modification</i> [<a href="Boot or Logon Autostart Execution: Shortcut Modification, Sub-technique T1547.009 - Enterprise | MITRE ATT&CK®">T1547.009</a>]</li> <li><i>Abuse Elevation Control Mechanism: Bypass User Access Control</i> [<a href="Abuse Elevation Control Mechanism: Bypass User Access Control, Sub-technique T1548.002 - Enterprise | MITRE ATT&CK®">T1548.002</a>]</li> <li><i>Hijack Execution Flow: DLL Side-Loading</i> [<a href="Hijack Execution Flow: DLL Side-Loading, Sub-technique T1574.002 - Enterprise | MITRE ATT&CK®">T1574.002</a>]</li> </ul> </li> <li><i><em><strong>Defense Evasion</strong></em></i> [<a href="Defense 
Evasion, Tactic TA0005 - Enterprise | MITRE ATT&CK®">TA0005</a>] <ul> <li><i>Rootkit</i> [<a href="Rootkit, Technique T1014 - Enterprise | MITRE ATT&CK®">T1014</a>]</li> <li><i>Obfuscated Files or Information: Binary Padding </i>[<a href="Obfuscated Files or Information: Binary Padding, Sub-technique T1027.001 - Enterprise | MITRE ATT&CK®">T1027.001</a>]</li> <li><i>Obfuscated Files or Information: Software Packing </i>[<a href="Obfuscated Files or Information: Software Packing, Sub-technique T1027.002 - Enterprise | MITRE ATT&CK®">T1027.002</a>]</li> <li><i>Obfuscated Files or Information: Steganography</i> [<a href="Obfuscated Files or Information: Steganography, Sub-technique T1027.003 - Enterprise | MITRE ATT&CK®">T1027.003</a>]</li> <li><i>Obfuscated Files or Information: Indicator Removal from Tools</i> [<a href="Obfuscated Files or Information: Indicator Removal from Tools, Sub-technique T1027.005 - Enterprise | MITRE ATT&CK®">T1027.005</a>]</li> <li><i>Masquerading: Match Legitimate Name or Location</i> [<a href="Masquerading: Match Legitimate Name or Location, Sub-technique T1036.005 - Enterprise | MITRE ATT&CK®">T1036.005</a>]</li> <li><i>Indicator Removal on Host: Clear Windows Event Logs</i> [<a href="Indicator Removal on Host: Clear Windows Event Logs, Sub-technique T1070.001 - Enterprise | MITRE ATT&CK®">T1070.001</a>]</li> <li><i>Indicator Removal on Host: Clear Command History</i> [<a href="Indicator Removal on Host: Clear Command History, Sub-technique T1070.003 - Enterprise | MITRE ATT&CK®">T1070.003</a>]</li> <li><i>Indicator Removal on Host: File Deletion</i> [<a href="Indicator Removal on Host: File Deletion, Sub-technique T1070.004 - Enterprise | MITRE ATT&CK®">T1070.004</a>]</li> <li><i>Indicator Removal on Host: Timestomp</i> [<a href="Indicator Removal on Host: Timestomp, Sub-technique T1070.006 - Enterprise | MITRE ATT&CK®">T1070.006</a>]</li> <li><i>Modify Registry</i> [<a href="Modify Registry, Technique T1112 - Enterprise | MITRE 
ATT&CK®">T1112</a>]</li> <li><i>Deobfuscate/Decode Files or Information </i>[<a href="Deobfuscate/Decode Files or Information, Technique T1140 - Enterprise | MITRE ATT&CK®">T1140</a>]</li> <li><i>Exploitation for Defense Evasion</i> [<a href="Exploitation for Defense Evasion, Technique T1211 - Enterprise | MITRE ATT&CK®">T1211</a>]</li> <li><i>Signed Binary Proxy Execution: Compiled HTML File</i> [<a href="Signed Binary Proxy Execution: Compiled HTML File, Sub-technique T1218.001 - Enterprise | MITRE ATT&CK®">T1218.001</a>]</li> <li><i><em>Signed Binary Proxy Execution: Mshta</em></i> [<a href="Signed Binary Proxy Execution: Mshta, Sub-technique T1218.005 - Enterprise | MITRE ATT&CK®">T1218.005</a>]</li> <li><i>Signed Binary Proxy Execution:<em> Rundll32 </em></i>[<a href="Signed Binary Proxy Execution: Rundll32, Sub-technique T1218.011 - Enterprise | MITRE ATT&CK®">T1218.011</a>]</li> <li><i>Template Injection</i> [<a href="Template Injection, Technique T1221 - Enterprise | MITRE ATT&CK®">T1221</a>]</li> <li><i>Execution Guardrails: Environmental Keying</i> [<a href="Execution Guardrails: Environmental Keying, Sub-technique T1480.001 - Enterprise | MITRE ATT&CK®">T1480.001</a>]</li> <li><i>Abuse Elevation Control Mechanism: Bypass User Access Control</i> [<a href="Abuse Elevation Control Mechanism: Bypass User Access Control, Sub-technique T1548.002 - Enterprise | MITRE ATT&CK®">T1548.002</a>]</li> <li><i>Use Alternate Authentication Material: Application Access Token</i> [<a href="Use Alternate Authentication Material: Application Access Token, Sub-technique T1550.001 - Enterprise | MITRE ATT&CK®">T1550.001</a>]</li> <li><i>Subvert Trust Controls: Code Signing</i> [<a href="Subvert Trust Controls: Code Signing, Sub-technique T1553.002 - Enterprise | MITRE ATT&CK®">T1553.002</a>]</li> <li><i>Impair Defenses: Disable or Modify Tools</i> [<a href="Impair Defenses: Disable or Modify Tools, Sub-technique T1562.001 - Enterprise | MITRE ATT&CK®">T1562.001</a>]</li> 
<li><i>Impair Defenses: Disable or Modify System Firewall</i> [<a href="Impair Defenses: Disable or Modify System Firewall, Sub-technique T1562.004 - Enterprise | MITRE ATT&CK®">T1562.004</a>]</li> <li><i>Hide Artifacts: Hidden Files and Directories </i>[<a href="Hide Artifacts: Hidden Files and Directories, Sub-technique T1564.001 - Enterprise | MITRE ATT&CK®">T1564.001</a>]</li> <li><i>Hide Artifacts: Hidden Window</i> [<a href="Hide Artifacts: Hidden Window, Sub-technique T1564.003 - Enterprise | MITRE ATT&CK®">T1564.003</a>]</li> </ul> </li> <li><i><em><strong>Credential Access</strong></em> </i>[<a href="Credential Access, Tactic TA0006 - Enterprise | MITRE ATT&CK®">TA0006</a>] <ul> <li><i>OS Credential Dumping: LSASS Memory</i> [<a href="OS Credential Dumping: LSASS Memory, Sub-technique T1003.001 - Enterprise | MITRE ATT&CK®">T1003.001</a>]</li> <li><i>OS Credential Dumping: Security Account Manager </i>[<a href="OS Credential Dumping: Security Account Manager, Sub-technique T1003.002 - Enterprise | MITRE ATT&CK®">T1003.002</a>]</li> <li><i>OS Credential Dumping: NTDS</i> [<a href="OS Credential Dumping: NTDS, Sub-technique T1003.003 - Enterprise | MITRE ATT&CK®">T1003.003</a>]</li> <li><i>OS Credential Dumping: LSA Secrets</i> [<a href="OS Credential Dumping: LSA Secrets, Sub-technique T1003.004 - Enterprise | MITRE ATT&CK®">T1003.004</a>]</li> <li><i>OS Credential Dumping: Cached Domain Credentials</i> [<a href="OS Credential Dumping: Cached Domain Credentials, Sub-technique T1003.005 - Enterprise | MITRE ATT&CK®">T1003.005</a>]</li> <li><i>Network Sniffing</i> [<a href="Network Sniffing, Technique T1040 - Enterprise | MITRE ATT&CK®">T1040</a>]</li> <li><i>Input Capture: Keylogging</i> [<a href="Input Capture: Keylogging, Sub-technique T1056.001 - Enterprise | MITRE ATT&CK®">T1056.001</a>]</li> <li><i>Brute Force: Password Cracking</i> [<a href="Brute Force: Password Cracking, Sub-technique T1110.002 - Enterprise | MITRE ATT&CK®">T1110.002</a>]</li> <li><i>Brute Force: Password Spraying</i> [<a href="Brute Force: Password Spraying, Sub-technique T1110.003 - Enterprise | MITRE ATT&CK®">T1110.003</a>]</li> <li><i>Forced Authentication</i> [<a href="Forced Authentication, Technique T1187 - Enterprise | MITRE ATT&CK®">T1187</a>]</li> <li><i>Steal Application Access Token</i> [<a href="Steal Application Access Token, Technique T1528 - Enterprise | MITRE ATT&CK®">T1528</a>]</li> <li><i>Unsecured Credentials: Credentials in Files</i> [<a href="Unsecured Credentials: Credentials In Files, Sub-technique T1552.001 - Enterprise | MITRE ATT&CK®">T1552.001</a>]</li> <li><i>Unsecured Credentials: Group Policy Preferences</i> [<a href="Unsecured Credentials: Group Policy Preferences, Sub-technique T1552.006 - Enterprise | MITRE ATT&CK®">T1552.006</a>]</li> <li><i>Credentials from Password Stores: Credentials from Web Browsers</i> [<a href="Credentials from Password Stores: Credentials from Web Browsers, Sub-technique T1555.003 - Enterprise | MITRE ATT&CK®">T1555.003</a>]</li> </ul> </li> <li><i><em><strong>Discovery</strong></em> </i>[<a href="Discovery, Tactic TA0007 - Enterprise | MITRE ATT&CK®">TA0007</a>] <ul> <li><i>System Service Discovery</i> [<a href="System Service Discovery, Technique T1007 - Enterprise | MITRE ATT&CK®">T1007</a>]</li> <li><i>Query Registry</i> [<a href="Query Registry, Technique T1012 - Enterprise | MITRE ATT&CK®">T1012</a>]</li> <li><i>System Network Configuration Discovery</i> [<a href="System Network Configuration Discovery, Technique T1016 - Enterprise | MITRE ATT&CK®">T1016</a>]</li> <li><i>Remote System Discovery </i>[<a href="Remote System Discovery, Technique T1018 - Enterprise | MITRE ATT&CK®">T1018</a>]</li> <li><i>System Owner/User Discovery</i> [<a href="System Owner/User Discovery, Technique T1033 - Enterprise | MITRE ATT&CK®">T1033</a>]</li> <li><i>Network Sniffing</i> [<a href="Network Sniffing, Technique T1040 - Enterprise | MITRE ATT&CK®">T1040</a>]</li> <li><i>Network Service Scanning</i> [<a 
href="Network Service Scanning, Technique T1046 - Enterprise | MITRE ATT&CK®">T1046</a>]</li> <li><i>System Network Connections Discovery</i> [<a href="System Network Connections Discovery, Technique T1049 - Enterprise | MITRE ATT&CK®">T1049</a>]</li> <li><i>Process Discovery</i> [<a href="Process Discovery, Technique T1057 - Enterprise | MITRE ATT&CK®">T1057</a>]</li> <li><i>Permission Groups Discovery: Local Groups</i> [<a href="Permission Groups Discovery: Local Groups, Sub-technique T1069.001 - Enterprise | MITRE ATT&CK®">T1069.001</a>]</li> <li><i>Permission Groups Discovery: Domain Groups</i> [<a href="Permission Groups Discovery: Domain Groups, Sub-technique T1069.002 - Enterprise | MITRE ATT&CK®">T1069.002</a>]</li> <li><i>System Information Discovery</i> [<a href="System Information Discovery, Technique T1082 - Enterprise | MITRE ATT&CK®">T1082</a>]</li> <li><i>File and Directory Discovery</i> [<a href="File and Directory Discovery, Technique T1083 - Enterprise | MITRE ATT&CK®">T1083</a>]</li> <li><i>Account Discovery: Local Account</i> [<a href="Account Discovery: Local Account, Sub-technique T1087.001 - Enterprise | MITRE ATT&CK®">T1087.001</a>]</li> <li><i>Account Discovery: Domain Account</i> [<a href="Account Discovery: Domain Account, Sub-technique T1087.002 - Enterprise | MITRE ATT&CK®">T1087.002</a>]</li> <li><i>Peripheral Device Discovery</i> [<a href="Peripheral Device Discovery, Technique T1120 - Enterprise | MITRE ATT&CK®">T1120</a>]</li> <li><i>Network Share Discovery</i> [<a href="Network Share Discovery, Technique T1135 - Enterprise | MITRE ATT&CK®">T1135</a>]</li> <li><i>Password Policy Discovery </i>[<a href="Password Policy Discovery, Technique T1201 - Enterprise | MITRE ATT&CK®">T1201</a>]</li> <li><i>Software Discovery: Security Software Discovery</i> [<a href="Software Discovery: Security Software Discovery, Sub-technique T1518.001 - Enterprise | MITRE ATT&CK®">T1518.001</a>]</li> </ul> </li> <li><i><em><strong>Lateral Movement 
</strong></em></i>[<a href="Lateral Movement, Tactic TA0008 - Enterprise | MITRE ATT&CK®">TA0008</a>] <ul> <li><i>Remote Services: Remote Desktop Protocol</i> [<a href="Remote Services: Remote Desktop Protocol, Sub-technique T1021.001 - Enterprise | MITRE ATT&CK®">T1021.001</a>]</li> <li><i>Remote Services: SSH </i>[<a href="Remote Services: SSH, Sub-technique T1021.004 - Enterprise | MITRE ATT&CK®">T1021.004</a>]</li> <li><i>Taint Shared Content </i>[<a href="Taint Shared Content, Technique T1080 - Enterprise | MITRE ATT&CK®">T1080</a>]</li> <li><i>Replication Through Removable Media </i>[<a href="Replication Through Removable Media, Technique T1091 - Enterprise | MITRE ATT&CK®">T1091</a>]</li> <li><i>Exploitation of Remote Services</i> [<a href="Exploitation of Remote Services, Technique T1210 - Enterprise | MITRE ATT&CK®">T1210</a>]</li> <li><i>Use Alternate Authentication Material: Pass the Hash </i>[<a href="Use Alternate Authentication Material: Pass the Hash, Sub-technique T1550.002 - Enterprise | MITRE ATT&CK®">T1550.002</a>]</li> <li><i>Use Alternate Authentication Material: Pass the Ticket</i> [<a href="Use Alternate Authentication Material: Pass the Ticket, Sub-technique T1550.003 - Enterprise | MITRE ATT&CK®">T1550.003</a>]</li> </ul> </li> <li><i><em><strong>Collection</strong></em></i> [<a href="Collection, Tactic TA0009 - Enterprise | MITRE ATT&CK®">TA0009</a>] <ul> <li><i>Data from Local System</i> [<a href="Data from Local System, Technique T1005 - Enterprise | MITRE ATT&CK®">T1005</a>]</li> <li><i>Data from Removable Media</i> [<a href="Data from Removable Media, Technique T1025 - Enterprise | MITRE ATT&CK®">T1025</a>]</li> <li><i>Data Staged: Local Data Staging</i> [<a href="Data Staged: Local Data Staging, Sub-technique T1074.001 - Enterprise | MITRE ATT&CK®">T1074.001</a>]</li> <li><i>Screen Capture</i> [<a href="Screen Capture, Technique T1113 - Enterprise | MITRE ATT&CK®">T1113</a>]</li> <li><i>Email Collection: Local Email Collection</i> [<a 
href="Email Collection: Local Email Collection, Sub-technique T1114.001 - Enterprise | MITRE ATT&CK®">T1114.001</a>]</li> <li><i>Email Collection: Remote Email Collection</i> [<a href="Email Collection: Remote Email Collection, Sub-technique T1114.002 - Enterprise | MITRE ATT&CK®">T1114.002</a>]</li> <li><i>Automated Collection</i> [<a href="Automated Collection, Technique T1119 - Enterprise | MITRE ATT&CK®">T1119</a>]</li> <li><i>Audio Capture</i> [<a href="Audio Capture, Technique T1123 - Enterprise | MITRE ATT&CK®">T1123</a>]</li> <li><i>Data from Information Repositories: SharePoint </i>[<a href="Data from Information Repositories: Sharepoint, Sub-technique T1213.002 - Enterprise | MITRE ATT&CK®">T1213.002</a>]</li> <li><i>Archive Collected Data: Archive via Utility</i> [<a href="Archive Collected Data: Archive via Utility, Sub-technique T1560.001 - Enterprise | MITRE ATT&CK®">T1560.001</a>]</li> <li><i>Archive Collected Data: Archive via Custom Method</i> [<a href="Archive Collected Data: Archive via Custom Method, Sub-technique T1560.003 - Enterprise | MITRE ATT&CK®">T1560.003</a>]</li> </ul> </li> <li><i><em><strong>Command and Control</strong></em> </i>[<a href="Command and Control, Tactic TA0011 - Enterprise | MITRE ATT&CK®">TA0011</a>] <ul> <li><i>Data Obfuscation: Junk Data</i> [<a href="Data Obfuscation: Junk Data, Sub-technique T1001.001 - Enterprise | MITRE ATT&CK®">T1001.001</a>]</li> <li><i>Fallback Channels</i> [<a href="Fallback Channels, Technique T1008 - Enterprise | MITRE ATT&CK®">T1008</a>]</li> <li><i>Application Layer Protocol: Web Protocols</i> [<a href="Application Layer Protocol: Web Protocols, Sub-technique T1071.001 - Enterprise | MITRE ATT&CK®">T1071.001</a>]</li> <li><i>Application Layer Protocol: File Transfer Protocols</i> [<a href="Application Layer Protocol: File Transfer Protocols, Sub-technique T1071.002 - Enterprise | MITRE ATT&CK®">T1071.002</a>]</li> <li><i>Application Layer Protocol: Mail Protocols</i> [<a href="Application 
Layer Protocol: Mail Protocols, Sub-technique T1071.003 - Enterprise | MITRE ATT&CK®">T1071.003</a>]</li> <li><i>Application Layer Protocol: DNS</i> [<a href="Application Layer Protocol: DNS, Sub-technique T1071.004 - Enterprise | MITRE ATT&CK®">T1071.004</a>]</li> <li><i>Proxy: External Proxy</i> [<a href="Proxy: External Proxy, Sub-technique T1090.002 - Enterprise | MITRE ATT&CK®">T1090.002</a>]</li> <li><i>Proxy: Multi-hop Proxy</i> [<a href="Proxy: Multi-hop Proxy, Sub-technique T1090.003 - Enterprise | MITRE ATT&CK®">T1090.003</a>]</li> <li><i>Proxy: Domain Fronting</i> [<a href="Proxy: Domain Fronting, Sub-technique T1090.004 - Enterprise | MITRE ATT&CK®">T1090.004</a>]</li> <li><i>Communication Through Removable Media</i> [<a href="Communication Through Removable Media, Technique T1092 - Enterprise | MITRE ATT&CK®">T1092</a>]</li> <li><i>Non-Application Layer Protocol</i> [<a href="Non-Application Layer Protocol, Technique T1095 - Enterprise | MITRE ATT&CK®">T1095</a>]</li> <li><i>Web Service: Dead Drop Resolver</i> [<a href="Web Service: Dead Drop Resolver, Sub-technique T1102.001 - Enterprise | MITRE ATT&CK®">T1102.001</a>]</li> <li><i>Web Service: Bidirectional Communication</i> [<a href="Web Service: Bidirectional Communication, Sub-technique T1102.002 - Enterprise | MITRE ATT&CK®">T1102.002</a>]</li> <li><i>Multi-Stage Channels</i> [<a href="Multi-Stage Channels, Technique T1104 - Enterprise | MITRE ATT&CK®">T1104</a>]</li> <li><i>Ingress Tool Transfer</i> [<a href="Ingress Tool Transfer, Technique T1105 - Enterprise | MITRE ATT&CK®">T1105</a>]</li> <li><i>Data Encoding: Standard Encoding</i> [<a href="Data Encoding: Standard Encoding, Sub-technique T1132.001 - Enterprise | MITRE ATT&CK®">T1132.001</a>]</li> <li><i>Remote Access Software</i> [<a href="Remote Access Software, Technique T1219 - Enterprise | MITRE ATT&CK®">T1219</a>]</li> <li><i>Dynamic Resolution: Domain Generation Algorithms</i> [<a href="Dynamic Resolution: Domain Generation Algorithms, 
Sub-technique T1568.002 - Enterprise | MITRE ATT&CK®">T1568.002</a>]</li> <li><i>Non-Standard Port</i> [<a href="Non-Standard Port, Technique T1571 - Enterprise | MITRE ATT&CK®">T1571</a>]</li> <li><i>Protocol Tunneling</i> [<a href="Protocol Tunneling, Technique T1572 - Enterprise | MITRE ATT&CK®">T1572</a>]</li> <li><i>Encrypted Channel: Symmetric Cryptography</i> [<a href="Encrypted Channel: Symmetric Cryptography, Sub-technique T1573.001 - Enterprise | MITRE ATT&CK®">T1573.001</a>]</li> <li><i>Encrypted Channel: Asymmetric Cryptography</i> [<a href="Encrypted Channel: Asymmetric Cryptography, Sub-technique T1573.002 - Enterprise | MITRE ATT&CK®">T1573.002</a>]</li> </ul> </li> <li><i><em><strong>Exfiltration</strong></em></i> [<a href="Exfiltration, Tactic TA0010 - Enterprise | MITRE ATT&CK®">TA0010</a>] <ul> <li><i>Exfiltration Over C2 Channel</i> [<a href="Exfiltration Over C2 Channel, Technique T1041 - Enterprise | MITRE ATT&CK®">T1041</a>]</li> <li><i>Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol</i> [<a href="Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Sub-technique T1048.003 - Enterprise | MITRE ATT&CK®">T1048.003</a>]</li> </ul> </li> <li><i><em><strong>Impact</strong></em></i> [<a href="Impact, Tactic TA0040 - Enterprise | MITRE ATT&CK®">TA0040</a>] <ul> <li><i>Data Encrypted for Impact</i> [<a href="Data Encrypted for Impact, Technique T1486 - Enterprise | MITRE ATT&CK®">T1486</a>]</li> <li><i>Resource Hijacking</i> [<a href="Resource Hijacking, Technique T1496 - Enterprise | MITRE ATT&CK®">T1496</a>]</li> <li><i>System Shutdown/Reboot</i> [<a href="System Shutdown/Reboot, Technique T1529 - Enterprise | MITRE ATT&CK®">T1529</a>]</li> <li><i>Disk Wipe: Disk Structure Wipe</i> [<a href="Disk Wipe: Disk Structure Wipe, Sub-technique T1561.002 - Enterprise | MITRE ATT&CK®">T1561.002</a>]</li> </ul> </li> </ul> 
<h3>Mitigations</h3><p>CISA and FBI recommend think tank organizations apply the following critical practices to strengthen their security posture.</p> <h4>Leaders</h4> <ul> <li>Implement a training program to familiarize users with identifying social engineering techniques and phishing emails.</li> </ul> <h4>Users/Staff</h4> <ul> <li>Log off remote connections when not in use.</li> <li>Be vigilant against tailored spearphishing attacks targeting corporate and personal accounts (including both email and social media accounts).</li> <li>Use different passwords for corporate and personal accounts.</li> <li>Install antivirus software on personal devices to automatically scan and quarantine suspicious files.</li> <li>Employ strong multi-factor authentication for personal accounts, if available.</li> <li>Exercise caution when: <ul> <li>Opening email attachments, even if the attachment is expected and the sender appears to be known. See <a href="Using Caution with Email Attachments | CISA">Using Caution with Email Attachments</a>.</li> <li>Using removable media (e.g., USB thumb drives, external drives, CDs).</li> </ul> </li> </ul> <h4>IT Staff/Cybersecurity Personnel</h4> <ul> <li>Segment and segregate networks and functions.</li> <li>Change the default username and password of applications and appliances.</li> <li>Employ strong multi-factor authentication for corporate accounts.</li> <li>Deploy antivirus software on organizational devices to automatically scan and quarantine suspicious files.</li> <li>Apply encryption to data at rest and data in transit.</li> <li>Use email security appliances to scan and remove malicious email attachments or links.</li> <li>Monitor key internal security tools and identify anomalous behavior. 
Flag any known indicators of compromise or threat actor behaviors for immediate response.</li> <li>Organizations can implement mitigations of varying complexity and restrictiveness to reduce the risk posed by threat actors who use Tor (The Onion Router) to carry out malicious activities. See the CISA-FBI Joint Cybersecurity Advisory on <a href="Defending Against Malicious Cyber Activity Originating from Tor | CISA">Defending Against Malicious Cyber Activity Originating from Tor</a> for mitigation options and additional information.</li> <li>Prevent exploitation of known software vulnerabilities by routinely applying software patches and upgrades. Foreign cyber threat actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. If these vulnerabilities are left unpatched, exploitation often requires few resources and provides threat actors with easy access to victim networks. Review CISA and FBI’s <a href="Top 10 Routinely Exploited Vulnerabilities | CISA">Top 10 Routinely Exploited Vulnerabilities</a> and other CISA alerts that identify vulnerabilities exploited by foreign attackers.</li> <li>Implement an antivirus program and a formalized patch management process.</li> <li>Block certain websites and email attachments commonly associated with malware (e.g., .scr, .pif, .cpl, .dll, .exe).</li> <li>Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).</li> <li>Implement Group Policy Object and firewall rules.</li> <li>Implement filters at the email gateway and block suspicious IP addresses at the firewall.</li> <li>Routinely audit domain and local accounts as well as their permission levels to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.</li> <li>Follow best practices for design and administration of the network to limit privileged account use across 
administrative tiers.</li> <li>Implement a Domain-Based Message Authentication, Reporting &amp; Conformance (DMARC) validation system.</li> <li>Disable or block unnecessary remote services.</li> <li>Limit access to remote services through centrally managed concentrators.</li> <li>Deny direct remote access to internal systems or resources by using network proxies, gateways, and firewalls.</li> <li>Limit unnecessary lateral communications.</li> <li>Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.</li> <li>Ensure applications do not store sensitive data or credentials insecurely.</li> <li>Enable a firewall on agency workstations, configured to deny unsolicited connection requests.</li> <li>Disable unnecessary services on agency workstations and servers.</li> <li>Scan for and remove suspicious email attachments; ensure any scanned attachment is its "true file type" (i.e., the extension matches the file header).</li> <li>Monitor users' web browsing habits; restrict access to suspicious or risky sites. Contact law enforcement or CISA immediately regarding any unauthorized network access identified.</li> <li>Visit the MITRE ATT&amp;CK techniques and tactics pages linked in the ATT&amp;CK Profile section above for additional mitigation and detection strategies for this malicious activity targeting think tanks.</li> </ul> <h3>Contact Information</h3><p>Recipients of this report are encouraged to contribute any additional information that they may have related to this threat. To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <a href="Field Offices | Federal Bureau of Investigation">www.fbi.gov/contact-us/field</a>, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at <a href="mailto:CyWatch@fbi.gov">CyWatch@fbi.gov</a>. 
When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at <a href="mailto:Central@cisa.gov">Central@cisa.gov</a>.</p> <h3>References</h3> <ul> <li><a href="Microsoft Office 365 Security Recommendations | CISA">CISA Alert: Microsoft Office 365 Security Recommendations</a></li> <li><a href="Technical Approaches to Uncovering and Remediating Malicious Activity | CISA">CISA Alert: Technical Approaches to Uncovering and Remediating Malicious Activity</a></li> <li><a href="https://www.cisa.gov/telework">CISA Webpage: Telework Guidance</a></li> <li><a href="https://www.cisa.gov/vpn-related-guidance">CISA Webpage: VPN-Related Guidance</a></li> <li><a href="http://image.communications.cyber.nj.gov/lib/fe3e15707564047c7c1270/m/2/PIN+-+4.9.2020.pdf">FBI Private Industry Notification: PIN 20200409-001</a></li> <li><a href="Microsoft warns of Fancy Bear attacks on democratic think tanks - CyberScoop">[1] CyberScoop: As Europe prepares to vote, Microsoft warns of Fancy Bear attacks on democratic think tanks</a></li> </ul> <h3>Revisions</h3> <ul> <li>Initial Version: December 1, 2020</li> </ul>
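<p>The attachment-handling items in the IT Staff/Cybersecurity Personnel list above (blocking extensions commonly associated with malware, holding archives that antivirus cannot scan, and verifying that an attachment's extension matches its file header) can be combined into a single gateway check. The following Python is an added example written for this page, not code from CISA or the FBI; the extension blocklist comes from the advisory, while the magic-byte table and the sample attachments are small constructed stand-ins.</p>

```python
from pathlib import PurePosixPath

# Extensions the advisory lists as commonly associated with malware.
BLOCKED_EXTENSIONS = {".scr", ".pif", ".cpl", ".dll", ".exe"}
# Containers the advisory notes an AV gateway may be unable to scan.
UNSCANNABLE_EXTENSIONS = {".zip"}

# Leading bytes ("magic") that identify a file type regardless of its name.
# Deliberately small table for this example; a gateway would use a full one.
MAGIC = {
    b"MZ": "pe",                                  # Windows PE (.exe, .dll, ...)
    b"PK\x03\x04": "zip",                         # ZIP and ZIP-based Office files
    b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy .doc / .xls
    b"\x89PNG\r\n\x1a\n": "png",
}
# What each recognised extension should look like on the inside.
EXPECTED_TYPE = {
    ".pdf": "pdf", ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
    ".doc": "ole", ".xls": "ole", ".png": "png", ".zip": "zip",
}


def detect_type(data: bytes) -> str:
    """Return the type implied by the file header, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def evaluate_attachment(filename: str, data: bytes) -> tuple[str, str]:
    """Classify an attachment as 'block', 'review' or 'allow', with a reason."""
    ext = PurePosixPath(filename.lower()).suffix   # last suffix: "a.pdf.exe" -> ".exe"
    actual = detect_type(data)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"blocked extension {ext}"
    expected = EXPECTED_TYPE.get(ext)
    if expected is not None and actual != expected:
        # "True file type" check: the name claims one format, the header another.
        return "block", f"extension {ext} claims {expected} but header is {actual}"
    if actual == "pe":
        # Executable header hiding behind an unrecognised or missing extension.
        return "block", f"executable header behind {ext or 'no extension'}"
    if expected is None:
        return "review", f"unrecognised extension {ext!r}"
    if ext in UNSCANNABLE_EXTENSIONS:
        return "review", "archive cannot be scanned by AV; hold for inspection"
    return "allow", f"{ext} matches header ({actual})"
```

<p>Feed it the filename and the first few dozen bytes of each attachment; a renamed executable such as a Windows PE delivered as <code>invoice.pdf</code> is blocked on the header mismatch even though its extension is not on the blocklist.</p>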