Lazy Workers May Be Deemed Hackers
>> Advertisement <<
Can you answer the ERP quiz?
These 10 questions determine if your Enterprise RP rollout gets an A+.
Hacker-Tool Law Still Does Little
Enterprise Intrusion Analysis, Part One
Responding to a Brute Force SSH Attack
Data Recovery on Linux and <i>ext3</i>
>> Advertisement <<
Can you answer the ERP quiz?
These 10 questions determine if your Enterprise RP rollout gets an A+.
WiMax: Just Another Security Challenge?
News, Infocus, Columns, Vulnerabilities, Bugtraq ...
Original release date: July 20, 2018
Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.
This joint Technical Alert (TA) is the result of Multi-State Information Sharing & Analysis Center (MS-ISAC) analytic efforts, in coordination with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC).Description
Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.
Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.
Emotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient; it has even been spread using the MS-ISAC name. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate the local networks through incorporated spreader modules.Figure 1: Malicious email distributing Emotet
Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.
To maintain persistence, Emotet injects code into explorer.exe and other running processes. It can also collect sensitive information, including system name, location, and operating system version, and connects to a remote command and control server (C2), usually through a generated 16-letter domain name that ends in “.eu.” Once Emotet establishes a connection with the C2, it reports a new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server.
Emotet artifacts are typically found in arbitrary paths located off of the AppData\Local and AppData\Roaming directories. The artifacts usually mimic the names of known executables. Persistence is typically maintained through Scheduled Tasks or via registry keys. Additionally, Emotet creates randomly-named files in the system root directories that are run as Windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares.
Note: it is essential that privileged accounts are not used to log in to compromised systems during remediation as this may accelerate the spread of the malware.
Example Filenames and Paths:
Typical Registry Keys:
System Root Directories:
Negative consequences of Emotet infection include
NCCIC and MS-ISAC recommend that organizations adhere to the following general best practices to limit the effect of Emotet and similar malspam:
If a user or organization believes they may be infected, NCCIC and MS-ISAC recommend running an antivirus scan on the system and taking action to isolate the infected workstation based on the results. If multiple workstations are infected, the following actions are recommended:
MS-ISAC is the focal point for cyber threat prevention, protection, response, and recovery for the nation’s SLTT governments. More information about this topic, as well as 24/7 cybersecurity assistance for SLTT governments, is available by phone at 866-787-4722, by email at SOC@cisecurity.org, or on MS-ISAC’s website at https://msisac.cisecurity.org/.
To report an intrusion and request resources for incident response or technical assistance, contact NCCIC by email at NCCICCustomerService@hq.dhs.gov or by phone at 888-282-0870.References
Original release date: May 29, 2018 | Last revised: May 31, 2018
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with two families of malware used by the North Korean government:
The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.
FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and enable network exploitation. DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity.
This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on how to report incidents. If users or administrators detect activity associated with these malware families, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.
See the following links for a downloadable copy of IOCs:
NCCIC conducted analysis on four malware samples and produced a Malware Analysis Report (MAR). MAR-10135536.3 – RAT/Worm examines the tactics, techniques, and procedures observed in the malware. Visit MAR-10135536.3 – HIDDEN COBRA RAT/Worm for the report and associated IOCs.Description
According to reporting of trusted third parties, HIDDEN COBRA actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States—including the media, aerospace, financial, and critical infrastructure sectors. Users and administrators should review the information related to Joanap and Brambul from the Operation Blockbuster Destructive Malware Report  in conjunction with the IP addresses listed in the .csv and .stix files provided within this alert. Like many of the families of malware used by HIDDEN COBRA actors, Joanap, Brambul, and other previously reported custom malware tools, may be found on compromised network nodes. Each malware tool has different purposes and functionalities.
Joanap malware is a fully functional RAT that is able to receive multiple commands, which can be issued by HIDDEN COBRA actors remotely from a command and control server. Joanap typically infects a system as a file dropped by other HIDDEN COBRA malware, which users unknowingly downloaded either when they visit sites compromised by HIDDEN COBRA actors, or when they open malicious email attachments.
During analysis of the infrastructure used by Joanap malware, the U.S. Government identified 87 compromised network nodes. The countries in which the infected IP addresses are registered are as follows:
Malware often infects servers and systems without the knowledge of system users and owners. If the malware can establish persistence, it could move laterally through a victim’s network and any connected networks to infect nodes beyond those identified in this alert.
Brambul malware is a brute-force authentication worm that spreads through SMB shares. SMBs enable shared access to files between users on a network. Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.
Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device. Other notable functions include
Analysis indicates the malware encodes data using Rivest Cipher 4 encryption to protect its communication with HIDDEN COBRA actors. Once installed, the malware creates a log entry within the Windows System Directory in a file named mssscardprv.ax. HIDDEN COBRA actors use this file to capture and store victims’ information such as the host IP address, host name, and the current system time.
Brambul malware is a malicious Windows 32-bit SMB worm that functions as a service dynamic link library file or a portable executable file often dropped and installed onto victims’ networks by dropper malware. When executed, the malware attempts to establish contact with victim systems and IP addresses on victims’ local subnets. If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks.
Analysts suspect the malware targets insecure or unsecured user accounts and spreads through poorly secured network shares. Once the malware establishes unauthorized access on the victim’s systems, it communicates information about victim’s systems to HIDDEN COBRA actors using malicious email addresses. This information includes the IP address and host name—as well as the username and password—of each victim’s system. HIDDEN COBRA actors can use this information to remotely access a compromised system via the SMB protocol.
Analysis of a newer variant of Brambul malware identified the following built-in functions for remote operations:
Detection and Response
This alert’s IOC files provide HIDDEN COBRA IOCs related to Joanap and Brambul. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware.
When reviewing network perimeter logs for the IP addresses, organizations may find instances of these IP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find some traffic relates to malicious activity and some traffic relates to legitimate activity.Impact
A successful network intrusion can have severe impacts, particularly if the compromise becomes public. Possible impacts include
DHS recommends that users and administrators use the following best practices as preventive measures to protect their computer networks:
Response to Unauthorized Network Access
Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact DHS NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).References
Original release date: May 25, 2018 | Last revised: June 07, 2018
Cybersecurity researchers have identified that foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide   . The actors used VPNFilter malware to target small office/home office (SOHO) routers. VPNFilter malware uses modular functionality to collect intelligence, exploit local area network (LAN) devices, and block actor-configurable network traffic. Specific characteristics of VPNFilter have only been observed in the BlackEnergy malware, specifically BlackEnergy versions 2 and 3.
The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) recommend that owners of SOHO routers power cycle (reboot) SOHO routers and networked devices to temporarily disrupt the malware.
DHS and FBI encourage SOHO router owners to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at 855-292-3937 or by email at CyWatch@fbi.gov. Each submitted report should include as much informaiton as possible, specifically the date, time, location, type of activity, number of people, the type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.Description
The size and scope of this infrastructure impacted by VPNFilter malware is significant. The persistent VPNFilter malware linked to this infrastructure targets a variety of SOHO routers and network-attached storage devices. The initial exploit vector for this malware is currently unknown.
The malware uses a modular functionality on SOHO routers to collect intelligence, exploit LAN devices, and block actor-configurable network traffic. The malware can render a device inoperable, and has destructive functionality across routers, network-attached storage devices, and central processing unit (CPU) architectures running embedded Linux. The command and control mechanism implemented by the malware uses a combination of secure sockets layer (SSL) with client-side certificates for authentication and TOR protocols, complicating network traffic detection and analysis.Impact
Negative consequences of VPNFilter malware infection include:
DHS and FBI recommend that all SOHO router owners power cycle (reboot) their devices to temporarily disrupt the malware.
Network device management interfaces—such as Telnet, SSH, Winbox, and HTTP—should be turned off for wide-area network (WAN) interfaces, and, when enabled, secured with strong passwords and encryption. Network devices should be upgraded to the latest available versions of firmware, which often contain patches for vulnerabilities.
Rebooting affected devices will cause non-persistent portions of the malware to be removed from the system. Network defenders should ensure that first-stage malware is removed from the devices, and appropriate network-level blocking is in place prior to rebooting affected devices. This will ensure that second stage malware is not downloaded again after reboot.
While the paths at each stage of the malware can vary across device platforms, processes running with the name "vpnfilter" are almost certainly instances of the second stage malware. Terminating these processes and removing associated processes and persistent files that execute the second stage malware would likely remove this malware from targeted devices.References
Original release date: May 21, 2018 | Last revised: May 22, 2018
CPU hardware implementationsOverview
On May 21, 2018, new variants of the side-channel central processing unit (CPU) hardware vulnerabilities known as Spectre and Meltdown were publicly disclosed. These variants—known as 3A and 4—can allow an attacker to obtain access to sensitive information on affected systems.Description
Common CPU hardware implementations are vulnerable to the side-channel attacks known as Spectre and Meltdown. Meltdown is a bug that "melts" the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw that an attacker can exploit to force a CPU to reveal its data.
Variant 3a is a vulnerability that may allow an attacker with local access to speculatively read system parameters via side-channel analysis and obtain sensitive information.
Variant 4 is a vulnerability that exploits “speculative bypass.” When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations. While implementation is complex, this side-channel vulnerability could allow less privileged code to
Corresponding CVEs for Side-Channel Variants 1, 2, 3, 3a, and 4 are found below:
Side-Channel Vulnerability Variants 3a and 4 may allow an attacker to obtain access to sensitive information on affected systems.Solution Mitigation
NCCIC recommends users and administrators
The following table contains links to advisories and patches published in response to the vulnerabilities. This table will be updated as information becomes available.Link to Vendor InformationDate AddedAMDMay 21, 2018ARMMay 21, 2018IntelMay 22, 2018MicrosoftMay 21, 2018RedhatMay 21, 2018 References
Original release date: April 16, 2018 | Last revised: April 20, 2018
Update: On April 19, 2018, an industry partner notified NCCIC and the FBI of malicious cyber activity that aligns with the techniques, tactics, and procedures (TTPs) and network indicators listed in this Alert. Specifically, the industry partner reported the actors redirected DNS queries to their own infrastructure by creating GRE tunnels and obtained sensitive information, which include the configuration files of networked devices.
NCCIC encourages organizations to use the detection and prevention guidelines outlined in this Alert to help defend against this activity. For instance, administrators should inspect the presence of protocol 47 traffic flowing to or from unexpected addresses, or unexplained presence of GRE tunnel creation, modification, or destruction in log files.
Original Post: This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC). This TA provides information on the worldwide cyber exploitation of network infrastructure devices (e.g., router, switch, firewall, Network-based Intrusion Detection System (NIDS) devices) by Russian state-sponsored cyber actors. Targets are primarily government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors. This report contains technical details on the tactics, techniques, and procedures (TTPs) used by Russian state-sponsored cyber actors to compromise victims. Victims were identified through a coordinated series of actions between U.S. and international partners. This report builds on previous DHS reporting and advisories from the United Kingdom, Australia, and the European Union. [1-5] This report contains indicators of compromise (IOCs) and contextual information regarding observed behaviors on the networks of compromised victims. FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.
DHS, FBI, and NCSC urge readers to act on past alerts and advisories issued by the U.S. and U.K. Governments, allied governments, network device manufacturers, and private-sector security organizations. Elements from these alerts and advisories have been selected and disseminated in a wide variety of security news outlets and social media platforms. The current state of U.S. network devices—coupled with a Russian government campaign to exploit these devices—threatens the safety, security, and economic well-being of the United States.
The purpose of this TA is to inform network device vendors, ISPs, public-sector organizations, private-sector corporations, and small office home office (SOHO) customers about the Russian government campaign, provide information to identify malicious activity, and reduce exposure to this activity.
For a downloadable copy of the IOC package, see TA18-106A_TLP_WHITE.stix.xml.Description
Since 2015, the U.S. Government received information from multiple sources—including private and public sector cybersecurity research organizations and allies—that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. The U.S. Government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property theft that supports the Russian Federation’s national security and economic goals.
Legacy Protocols and Poor Security Practice
Russian cyber actors leverage a number of legacy or weak protocols and service ports associated with network administration activities. Cyber actors use these weaknesses to
Additionally, Russian cyber actors could potentially modify or deny traffic traversing through the router.
Russian cyber actors do not need to leverage zero-day vulnerabilities or install malware to exploit these devices. Instead, cyber actors take advantage of the following vulnerabilities:
These factors allow for both intermittent and persistent access to both intellectual property and U.S. critical infrastructure that supports the health and safety of the U.S. population.
Own the Router, Own the Traffic
Network devices are ideal targets. Most or all organizational and customer traffic must traverse these critical devices. A malicious actor with presence on an organization’s gateway router has the ability to monitor, modify, and deny traffic to and from the organization. A malicious actor with presence on an organization’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts. Organizations that use legacy, unencrypted protocols to manage hosts and services, make successful credential harvesting easy for these actors. An actor controlling a router between Industrial Control Systems – Supervisory Control and Data Acquisition (ICS-SCADA) sensors and controllers in a critical infrastructure—such as the Energy Sector—can manipulate the messages, creating dangerous configurations that could lead to loss of service or physical destruction. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.
Network Devices—Often Easy Targets
Stage 1: Reconnaissance
Russian state-sponsored cyber actors have conducted both broad-scale and targeted scanning of Internet address spaces. Such scanning allows these actors to identify enabled Internet-facing ports and services, conduct device fingerprinting, and discover vulnerable network infrastructure devices. Protocols targeted in this scanning include
Login banners and other data collected from enabled services can reveal the make and model of the device and information about the organization for future engagement.
Device configuration files extracted in previous operations can enhance the reconnaissance effort and allow these actors to refine their methodology.
Stage 2: Weaponization and Stage 3: Delivery
Commercial and government security organizations have identified specially crafted SNMP and SMI packets that trigger the scanned device to send its configuration file to a cyber-actor-controlled host via Trivial File Transfer Protocol (TFTP), User Datagram Protocol (UDP) port 69. [6-8] If the targeted network is blocking external SNMP at the network boundary, cyber actors spoof the source address of the SNMP UDP datagram as coming from inside the targeted network. The design of SMI (directors and clients) requires the director and clients to be on the same network. However, since SMI is an unauthenticated protocol, the source address for SMI is also susceptible to spoofing.
The configuration file contains a significant amount of information about the scanned device, including password hash values. These values allow cyber actors to derive legitimate credentials. The configuration file also contains SNMP community strings and other network information that allows the cyber actors to build network maps and facilitate future targeted exploitation.
Stage 4: Exploitation
Legitimate user masquerade is the primary method by which these cyber actors exploit targeted network devices. In some cases, the actors use brute-force attacks to obtain Telnet and SSH login credentials. However, for the most part, cyber actors are able to easily obtain legitimate credentials, which they then use to access routers. Organizations that permit default or commonly used passwords, have weak password policies, or permit passwords that can be derived from credential-harvesting activities, allow cyber actors to easily guess or access legitimate user credentials. Cyber actors can also access legitimate credentials by extracting password hash values from configurations sent by owners and operators across the Internet or by SNMP and SMI scanning.
Armed with the legitimate credentials, cyber actors can authenticate into the device as a privileged user via remote management services such as Telnet, SSH, or the web management interface.
Stage 5: Installation
SMI is an unauthenticated management protocol developed by Cisco. This protocol supports a feature that allows network administrators to download or overwrite any file on any Cisco router or switch that supports this feature. This feature is designed to enable network administrators to remotely install and configure new devices and install new OS files.
On November 18, 2016, a Smart Install Exploitation Tool (SIET) was posted to the Internet. The SIET takes advantage of the unauthenticated SMI design. Commercial and government security organizations have noted that Russian state-sponsored cyber actors have leveraged the SIET to abuse SMI to download current configuration files. Of concern, any actor may leverage this capability to overwrite files to modify the device configurations, or upload maliciously modified OS or firmware to enable persistence. Additionally, these network devices have writeable file structures where malware for other platforms may be stored to support lateral movement throughout the targeted network.
Stage 6: Command and Control
Cyber actors masquerade as legitimate users to log into a device or establish a connection via a previously uploaded OS image with a backdoor. Once successfully logged into the device, cyber actors execute privileged commands. These cyber actors create a man-in-the-middle scenario that allows them to
At this stage, cyber actors are not restricted from modifying or denying traffic to and from the victim. Although there are no reports of this activity, it is technically possible.Solution
Review network device logs and netflow data for indications of TCP Telnet-protocol traffic directed at port 23 on all network device hosts. Although Telnet may be directed at other ports (e.g., port 80, HTTP), port 23 is the primary target. Inspect any indication of Telnet sessions (or attempts). Because Telnet is an unencrypted protocol, session traffic will reveal command line interface (CLI) command sequences appropriate for the make and model of the device. CLI strings may reveal login procedures, presentation of user credentials, commands to display boot or running configuration, copying files and creation or destruction of GRE tunnels, etc. See Appendices A and B for CLI strings for Cisco and other vendors’ devices.
SNMP and TFTP
Review network device logs and netflow data for indications of UDP SNMP traffic directed at port 161/162 on all network-device hosts. Because SNMP is a management tool, any such traffic that is not from a trusted management host on an internal network should be investigated. Review the source address of SNMP traffic for indications of addresses that spoof the address space of the network. Review outbound network traffic from the network device for evidence of Internet-destined UDP TFTP traffic. Any correlation of inbound or spoofed SNMP closely followed by outbound TFTP should be cause for alarm and further inspection. See Appendix C for detection of the cyber actors’ SNMP tactics.
Because TFTP is an unencrypted protocol, session traffic will reveal strings associated with configuration data appropriate for the make and model of the device. See Appendices A and B for CLI strings for Cisco and other vendor’s devices.
SMI and TFTP
Review network device logs and netflow data for indications of TCP SMI protocol traffic directed at port 4786 of all network-device hosts. Because SMI is a management feature, any traffic that is not from a trusted management host on an internal network should be investigated. Review outbound network traffic from the network device for evidence of Internet-destined UDP TFTP traffic. Any correlation of inbound SMI closely followed by outbound TFTP should be cause for alarm and further inspection. Of note, between June 29 and July 6, 2017, Russian actors used the SMI protocol to scan for vulnerable network devices. Two Russian cyber actors controlled hosts 22.214.171.124(3) and 126.96.36.199(4), and connected to IPs on several network ranges on port 4786. See Appendix D for detection of the cyber actors’ SMI tactics.
Because TFTP is an unencrypted protocol, session traffic will reveal strings appropriate for the make and model of the device. See Appendices A and B for CLI strings for Cisco and other vendors’ devices.
Determine if SMI is present
Detect use of SMI
The following signature may be used to detect SMI usage. Flag as suspicious and investigate SMI traffic arriving from outside the network boundary. If SMI is not used inside the network, any SMI traffic arriving on an internal interface should be flagged as suspicious and investigated for the existence of an unauthorized SMI director. If SMI is used inside the network, ensure that the traffic is coming from an authorized SMI director, and not from a bogus director.
Detect use of SIET
The following signatures detect usage of the SIET's commands change_config, get_config, update_ios, and execute. These signatures are valid based on the SIET tool available as of early September 2017:
In general, exploitation attempts with the SIET tool will likely arrive from outside the network boundary. However, before attempting to tune or limit the range of these signatures, i.e. with $EXTERNAL_NET or $HOME_NET, it is recommended that they be deployed with the source and destination address ranges set to “any”. This will allow the possibility of detection of an attack from an unanticipated source, and may allow for coverage of devices outside of the normal scope of what may be defined as the $HOME_NET.
Inspect the presence of protocol 47 traffic flowing to or from unexpected addresses, or unexplained presence of GRE tunnel creation, modification, or destruction in log files.
There is a significant amount of publically available cybersecurity guidance and best practices from DHS, allied government, vendors, and the private-sector cybersecurity community on mitigation strategies for the exploitation vectors described above. The following are additional mitigations for network device manufacturers, ISPs, and owners or operators.
Owners or operators
Refer to the vendor-specific guidance for the make and model of network device in operation.
For information on mitigating SNMP vulnerabilities, see
How to Mitigate SMI Abuse
How to Mitigate GRE Tunneling Abuse:
Operating System Fingerprinting is analyzing characteristics of packets sent by a target, such as packet headers or listening ports, to identify the operating system in use on the target. 
Spear phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they were sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information, such as account usernames and passwords, which can further expose them to future compromises. 
In a watering hole attack, the attacker compromises a site likely to be visited by a particular target group, rather than attacking the target group directly. 
DHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to NCCIC or law enforcement immediately. To request incident response resources or technical assistance, contact NCCIC at NCCICcustomerservice@hq.dhs.gov or 888-282-0870 and the FBI through a local field office or the FBI’s Cyber Division at CyWatch@fbi.gov or 855-292-3937. To request information from or report cyber incidents to UK authorities, contact NCSC at www.ncsc.gov.uk/contact.
Appendix A: Cisco Related Command and Configuration Strings
Commands associated with Cisco IOS. These strings may be seen in inbound network traffic of unencrypted management tools such as Telnet or HTTP, in the logs of application layer firewalls, or in the logs of network devices. Network device owners and operators should review the Cisco documentation of their particular makes and models for strings that would allow the owner or operator to customize the list for an Intrusion Detection System (IDS). Detecting commands from Internet-based hosts should be a cause for concern and further investigation. Detecting these strings in network traffic or log files does not confirm compromise. Further analysis is necessary to remove false positives.
'sh bgp sum'
'sho bgp sum'
'show bgp sum'
'sh ip route'
'sho ip route'
'show ip route'
'sh nat trans'
'sho nat trans'
'show nat trans'
Strings associated with Cisco IOS configurations may be seen in the outbound network traffic of unencrypted management tools such as Telnet, HTTP, or TFTP. This is a subset of the possible strings. Network device owners and operators should export the configuration of their particular makes and models to a secure host and examine it for strings that would allow the owner or operator to customize the list for an IDS. Detecting outbound configuration data leaving an organization destined for Internet-based hosts should be a cause for concern and further investigation to ensure the destination is authorized to receive the configuration data. Because configuration data provides an adversary with information—such as the password hashes—to enable future attacks, configuration data should be encrypted between sender and receiver. Outbound configuration files may be triggered by SNMP queries and Cisco Smart Install commands. In such cases, the outbound file would be sent via TFTP. Detecting these strings in network traffic or log files does not confirm compromise. Further analysis is necessary to remove false positives.
BGP router identifier
boot system flash:
Cisco Internetwork Operating System
Cisco IOS Software,
Codes C ? connected, S ? static
Current configuration :
! Last configuration change at
! NVRAM config last updated at
line protocol is
loopback not set
ip access-list extended
Routing Bit Set on this LSA
ROM: Bootstrap program is
System image file is
boot system flash
Appendix B: Other Vendor Command and Configuration Strings
Russian state-sponsored cyber actors could potentially target the network devices from other manufacturers. Therefore, operators and owners should review the documentation associated with the make and model they have in operation to identify strings associated with administrative functions. Export the current configuration and identify strings associated with the configuration. Place the device-specific administrative and configuration strings into network-based and host-based IDS. Examples for Juniper JUNOS may include: “enable”, ”reload”, ”show”, ”set”, ”unset” ”file copy”, or ”request system scripts” followed by other expected parameters. Examples for MicroTic may include: “ip”, ”interface”, ”firewall”, ”password”, or ”ping”. See the documentation for your make and model for specific strings and parameters to place on watch.
These strings may be seen in inbound network traffic of unencrypted management tools such as Telnet or HTTP, in the logs of application layer firewalls or network devices. Detecting commands from Internet-based hosts should be a cause for concern and further investigation. Detecting these strings in network traffic or log files does not confirm compromise. Further analysis is necessary to remove false positives.
The following are important functions to monitor:
Appendix C: SNMP Queries
Appendix D: SMI Queries
Between June 29 and July 6, 2017, Russian actors used the Cisco Smart Install protocol to scan for vulnerable network devices. Two Russian cyber actor-controlled hosts, 188.8.131.52(3) and 184.108.40.206(4), connected to IPs on several network ranges on port 4786 and sent the following two commands:
In early July 2017, the commands sent to targets changed slightly, copying the running configuration file instead of the startup configuration file. Additionally, the second command copies the file saved to flash memory instead of directly copying the configuration file.
On Thursday, we will change our TLS certificate to one issued by Letsencrypt. In the past, we used normal "commercial" certificates. Until a few months ago, we used HTTP Public Key Pinning. It appears that key pinning is no longer going to be supported by browsers, so we decided to remove this feature, which enabled us to use Letsencrypt. We removed the key pinning header a while ago, and browsers should no longer "pin" for our sites. But in case you are experiencing problems connecting to this site later this week, please let us know. You may still be able to connect to www.dshield.org if you can not connect to isc.sans.edu.