Category Archives: THE FBI

James Comey Exposes Donald Trump's Strange Behaviour

Exposed – FBI National Instant Criminal Background Check System (NICS) Presentation

National Instant Criminal Background Check System (NICS)

Page Count: 25 pages
Date: 2016
Restriction: Law Enforcement Sensitive
Originating Organization: Federal Bureau of Investigation, Criminal Justice Information Systems Division
File Type: pdf
File Size: 1,343,832 bytes
File Hash (SHA-256): 0E6448F6CF16E5046871E1CDFA3DEDCCCA00237DD2B507AD0EB5ADAE1DA6A0D6

Download File

  • NICS Overview
  • Federal Firearm Prohibitions
  • NICS Access
  • Disposition of Firearm and Permit Checks
  • Conducting a Query with all NICS Protection Orders Returned (QNP)
  • Law Enforcement Enterprise Portal (LEEP)
  • NICS Denied Transaction File (DTF)
  • Contact Information

Title 18, United States Code, Section 922

  • (g)(1) Convicted of a crime punishable by more than one year or a misdemeanor punishable by more than two years
  • (g)(2) Fugitives from justice
  • (g)(3) Unlawful user of or addicted to any controlled substance
  • (g)(4) Adjudicated/committed to a mental institution
  • (g)(5) Illegal/unlawful aliens
  • (g)(6) Dishonorable discharge from military
  • (g)(7) Renounced U.S. Citizenship
  • (g)(8) Protection/restraining order
  • (g)(9) Misdemeanor crimes of domestic violence
  • (n) Under indictment/information for a crime punishable by more than one year or a misdemeanor punishable by more than two years

Revealed – FBI Cyber Bulletin: Malware Targeting Foreign Banks

A-000073-MW

Page Count: 19 pages
Date: May 23, 2016
Restriction: TLP: GREEN
Originating Organization: Federal Bureau of Investigation, Cyber Division
File Type: pdf
File Size: 751,757 bytes
File Hash (SHA-256): B10AF987BF17BA217DED942BA847D9CF6DB8B38A0AE40B937FA4B031CB79EFC8

Download File

The FBI is providing the following information with HIGH confidence:

The FBI has obtained information regarding a malicious cyber group that has compromised the networks of foreign banks. The actors have exploited vulnerabilities in the internal environments of the banks and initiated unauthorized monetary transfers over an international payment messaging system. In some instances, the actors have been present on victim networks for a significant period of time. Contact law enforcement immediately regarding any activity related to the indicators of compromise (IOCs) in the attached appendix that are associated with this group.

Technical Details

The FBI is providing the following information with HIGH confidence:

The enclosed IOCs have been employed by a cyber group linked to intrusions at foreign banks. Malicious insiders or external attackers have managed to submit international payment messages from financial institutions’ back-offices, PCs or workstations connected to their local interface to the international payment messaging system network. The group utilized malware that appears to have been customized for each victim environment. The malware is designed to hide evidence by removing some of the traces of the fraudulent messages. The observed malware samples were designed to securely delete themselves once they completed their tasks, removing evidence of their existence. Additionally, the intruders appear to have performed extensive network reconnaissance using remote access Trojans, keyloggers, screen grabbers, and a variety of legitimate Windows system administration utilities. In addition to these IOCs, the FBI recommends recipient organizations be alert to any changes to directories where international payment messaging system software has been installed.

Recommended Mitigations for Institutions with Connections to Payment Messaging Systems

Logically Segregate Your Operating Environment

  • Use firewalls to divide your operating environment into enclaves.
  • Use access control lists to permit/deny specific traffic from flowing between those enclaves.
  • Give special consideration to segregating enclaves holding sensitive information (for example, systems with customer records) from enclaves that require Internet connectivity (for example, email systems).

Isolate Payment Messaging Platforms

  • For institutions that access payment messaging platforms through private networks, confirm perimeter security controls prevent Internet hosts from accessing the private network infrastructure.
  • For institutions that access payment messaging platforms over the Internet, confirm perimeter security controls prevent Internet hosts other than payment messaging platform endpoints from accessing the infrastructure used for payment system access.

Routinely Confirm the Integrity of Secondary Security Controls

  • Perform monthly validation of transactional integrity systems, such as printers or secondary storage systems.
  • Perform monthly validation of payment messaging activity by performing telephone confirmation of transfer activity.

Routinely Test Operating Protocols

  • Confirm staffing plans for non-business, non-critical operating hours.
  • Ensure staff members understand payment messaging transfer protocols, along with emergency transfer protocols.

Monitor for Anomalous Behavior as Part of Layered Security

  • Develop baseline of expected software, users and logons. Monitor hosts running payment applications for unusual software installations, updates, account changes, or other activities outside of expected behavior.
  • Develop baseline of expected transaction participants, amounts, frequency and timing. Monitor and flag anomalous transactions for suspected fraudulent activity.

Recommended Mitigations for All Alert Recipients

The FBI is providing the following information with HIGH confidence:

  • Prepare Your Environment for Incident Response
    • Establish Out-of-Band Communications methods for dissemination of intrusion response plans and activities, inform NOCs/CERTs according to institutional policy and SOPs.
    • Maintain and actively monitor centralized host and network logging solutions after ensuring that all devices have logging enabled and their logs are being aggregated to those centralized solutions.
    • Disable all remote (including RDP) access until a password change has been completed.
    • Implement full SSL/TLS inspection capability (on perimeter and proxy devices).
    • Monitor accounts and devices determined to be part of the compromise to prevent reacquisition attempts.
    • Implement core mitigations to inhibit re-exploitation (within 72 hours).
    • Implement a network-wide password reset (preferably with local host access only, no remote changes allowed) to include:

A patch management process that regularly patches vulnerable software remains a critical component in raising the difficulty of intrusions for cyber operators. While a few adversaries use zero-day exploits to target victims, many adversaries still target known vulnerabilities for which patches have been released, capitalizing on slow patch processes and risk decisions by network owners not to patch certain vulnerabilities or systems.

After initial response activities, deploy and correctly configure Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). EMET employs several mitigation techniques to combat memory corruption techniques. It is recommended that all hosts and servers on the network implement EMET, but for recommendations on the best methodology to employ when deploying EMET, please see NSA/IAD’s Anti-Exploitation Slick sheet – https://www.nsa.gov/ia/_files/factsheets/I43V_Slick_Sheets/Slicksheet_AntiExploitationFeatures_Web.pdf

Implement Data-At-Rest (DAR) Protections.

  • The goal for DAR protections is to prevent an attacker from compromising sensitive data when the End User Device (EUD) is powered off or unauthenticated.
  • The use of multiple encryption layers that meet IAD and CNSSP-15 guidance, implemented with components meeting the Commercial Solution for Classified (CSfC) vendor diversity requirements, reduces the likelihood that a single vulnerability or failure can be exploited to compromise EUDs, move laterally through a network, and access sensitive data.
  • Receiving and validating updates or code patches for these components only through direct physical administration or an NSA approved Data in Transit (DIT) solution mitigates the threat of malicious attempts to push unverified updates or code updates.
  • Procure products that have been validated through NIAP’s DAR Protection Profiles (PPs) and utilize the DAR Capability Package (CP) that provides configurations allowing customers to independently implement secure solutions using layered Commercial Off-the-Shelf (COTS) products. The CP is vendor-agnostic and provides high-level security and configuration guidance for customers and/or Solution Integrators.

Implement long-term mitigations to further harden systems

1. Protect Credentials: By implementing the following credential protections, the threat actor’s ability to gain highly privileged account access and move throughout a network is severely hampered.

a. Implement Least Privilege: Least privilege is the limiting of rights assigned to each group of accounts on a network to only the rights required for the user; for example, a normal user is only granted user-level privileges and cannot perform any administrative tasks such as installing software.

b. Restrict Local Accounts: By restricting the usage of local accounts, especially local administrator accounts, you are able to reduce the number of usable credentials found within a network. When utilizing local accounts, passwords and their corresponding hashes are stored on the host and are more readily available for harvesting by an adversary who seeks to establish persistence. Adversaries are known to use this information to move across the network through Pass the Hash.

c. Limit lateral movement: This mitigation reduces the adversary’s ability to go from exploiting one machine to taking over the entire network. Host firewall rules, Active Directory structuring, and/or Group Policy settings, can be tailored to stop communications between systems and increase the survivability and defensibility of a network under attack.

d. Admin Access Segregation: Once an adversary gains administrator credentials, especially domain administrator credentials, the network becomes wide open to their malicious activity. By decreasing the surface area where administrator credentials can be stolen, through restricting where administrators can use their accounts and what they can use their accounts for, the threat actor will have a much harder time fully compromising a network. Having different passwords and credentials for user, local administrator, and domain administrator accounts prevents an adversary from reusing a stolen credential from one to gain more access.

e. Admin Access Protection: Using unencrypted protocols across the network, where credentials, especially administrative credentials, are sent in the clear, enables an adversary to grab them in transit and reuse them. Be sure to use encrypted protocols (e.g. HTTPS, SSH, RDP, SFTP, etc.) for all management connections where credentials are passed, and disable the use of unencrypted protocols (e.g. Telnet, FTP, HTTP, etc.).

f. Ensure Administrative Accounts do not have email accounts or Internet access.

g. Utilize Strong Authentication: By enforcing multi-factor authentication (e.g., using smart cards), especially for privileged accounts and remote access (e.g. VPNs), you dramatically reduce when and where stolen credentials can be reused by an adversary. Until then, create, enforce, and maintain strong password policies across the organization. The use of strong password policies must be mandated for all users and is especially critical for administrator accounts and service accounts. Passwords should be complex and contain a combination of letters, numbers, and special characters, and they should be of a sufficient length (greater than 14 characters); require regular password changes for all administrative and other privileged accounts; and prevent the reuse of usernames and passwords across multiple domains and/or multiple systems.

h. Log and Monitor Privileged Admin Account Usage: Implementing logging and monitoring capabilities on privileged accounts can give system owners and incident response professionals insight into account misuse and potential compromise by malicious actors. For instance, it may be discovered that a domain admin is logging in at 2200 every night even though that admin is done working for the day and gone from the building. This mitigation would also enable discovery of any privileged admin accounts that were created by the actor for persistence.

i. Log and Monitor Use of Administrative Tools: Non-administrative use of built-in OS administrative tools should be locked down in accordance with applicable guidance and hardening policies. Use of these tools, such as Windows® PowerShell® and Windows Management Instrumentation Command-line (WMIC), should be logged and monitored to help enable early detection of a compromise. Though administration activities take place on a constant basis, certain behaviors, or sets of activities, in concert with others, are suspicious and can lead to a discovery of intrusion. For example, the ‘ping’ command by itself has legitimate uses. However, the ‘ping’ command followed by a PowerShell command from one workstation to another is very suspicious.
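
The two monitoring items above (h and i) as an added example, not code from the bulletin: over constructed logon and process-creation events, it flags privileged logons outside business hours, domain admin members missing from a known baseline, and a `ping` to a host followed shortly by PowerShell remoting to that same host from the same workstation and user. The event field names, the baseline sets and the working-hours window are assumptions.

```python
"""Privileged-account and admin-tool monitoring checks over constructed events."""
from datetime import datetime, timedelta
import re

# Assumed baseline: accounts allowed to hold domain admin rights and their normal hours.
BASELINE_DOMAIN_ADMINS = {"da-jsmith", "da-alee"}
BUSINESS_HOURS = (7, 19)            # privileged logons expected between 07:00 and 19:00
SEQUENCE_WINDOW = timedelta(minutes=10)

# Constructed events (not from the bulletin): simplified logon and process records.
EVENTS = [
    {"ts": "2016-05-10T09:02:11", "type": "logon", "user": "da-jsmith", "host": "ws-0042"},
    {"ts": "2016-05-10T22:00:05", "type": "logon", "user": "da-jsmith", "host": "ws-0042"},
    {"ts": "2016-05-11T22:00:09", "type": "logon", "user": "da-jsmith", "host": "ws-0042"},
    {"ts": "2016-05-11T22:01:30", "type": "process", "user": "da-jsmith", "host": "ws-0042",
     "cmdline": "ping ws-0077"},
    {"ts": "2016-05-11T22:03:12", "type": "process", "user": "da-jsmith", "host": "ws-0042",
     "cmdline": "powershell.exe -Command Invoke-Command -ComputerName ws-0077 -ScriptBlock {hostname}"},
    {"ts": "2016-05-11T10:15:00", "type": "process", "user": "alee", "host": "ws-0010",
     "cmdline": "ping fileserver01"},
    {"ts": "2016-05-11T10:16:00", "type": "logon", "user": "da-backup2", "host": "dc01"},
]
# Constructed current group membership: one member the baseline does not know about.
CURRENT_DOMAIN_ADMINS = {"da-jsmith", "da-alee", "da-backup2"}


def off_hours_privileged_logons(events, privileged=BASELINE_DOMAIN_ADMINS, hours=BUSINESS_HOURS):
    """Return (user, host, ts) for logons by privileged accounts outside business hours."""
    start, end = hours
    hits = []
    for e in events:
        if e["type"] != "logon" or e["user"] not in privileged:
            continue
        hour = datetime.fromisoformat(e["ts"]).hour
        if not (start <= hour < end):
            hits.append((e["user"], e["host"], e["ts"]))
    return hits


def unexpected_domain_admins(current, baseline=BASELINE_DOMAIN_ADMINS):
    """Accounts holding domain admin rights that the baseline does not list (possible persistence)."""
    return sorted(current - baseline)


# "ping [flags] target" and a PowerShell command line naming a remote computer.
PING_RE = re.compile(r"^ping(?:\.exe)?\s+(?:-\S+\s+)*(\S+)", re.IGNORECASE)
PS_TARGET_RE = re.compile(r"powershell.*?-ComputerName\s+(\S+)", re.IGNORECASE)


def ping_then_powershell(events, window=SEQUENCE_WINDOW):
    """Flag a ping to a host followed within `window` by PowerShell remoting to that host,
    issued from the same source host and user (the bulletin's suspicious sequence).
    Returns (source_host, target_host, user, ts) per match."""
    recent_pings = {}  # (source host, user, target) -> time of the last ping
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] != "process":
            continue
        ts = datetime.fromisoformat(e["ts"])
        m = PING_RE.match(e["cmdline"])
        if m:
            recent_pings[(e["host"], e["user"], m.group(1).lower())] = ts
            continue
        m = PS_TARGET_RE.search(e["cmdline"])
        if m:
            key = (e["host"], e["user"], m.group(1).lower())
            pinged = recent_pings.get(key)
            if pinged is not None and ts - pinged <= window:
                hits.append((e["host"], key[2], e["user"], e["ts"]))
    return hits


if __name__ == "__main__":
    for hit in off_hours_privileged_logons(EVENTS):
        print("off-hours privileged logon:", hit)
    print("unexpected domain admins:", unexpected_domain_admins(CURRENT_DOMAIN_ADMINS))
    for hit in ping_then_powershell(EVENTS):
        print("ping followed by PowerShell remoting:", hit)
```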

2. Segregate Networks and Functions:

a. Know Your Network: Enterprise networks often become unmanageable leading to inefficient administration and ineffective security. In order to have any sort of control over your network, you first need to know what and where everything is and does. Ensure information about your networks is documented and is updated regularly. Create an accurate list of ALL devices and ALL protocols that are running on your network. Identify network enclaves and examine your network trust relationships within and between those enclaves as well as with external networks to determine whether they are really necessary for your organization’s mission.

b. DMZ Isolation: By ensuring that the DMZ is properly segregated both through physical and logical network architecture and admin/user accounts, a network owner can greatly decrease the external attack surface. Since webservers and corresponding databases usually sit in this location and are also externally accessible, they regularly are the first target during CNO. If these systems are compromised and the DMZ is not configured properly or at all, it could mean the loss of the entire enterprise.

c. Network Function Segregation: A network owner should implement a tiered system when determining the switching within a network. This way the lower security systems, like user workstations or machines with email and internet access, cannot insecurely communicate with higher security systems like domain controllers and other member servers. This can be achieved through multiple methods including VLANs, physical network topologies, and firewall rule sets. In the same vein, networks need to apply the same segregation principle to the various tiers of accounts within a network, ensuring highly privileged accounts cannot access lower security tiered systems and low privilege accounts cannot access higher security tiered systems.

d. Limit Workstation-to-Workstation Communications: Pass-the-Hash (PtH) and other forms of legitimate credential reuse are serious vulnerabilities existing in all environments that implement Single Sign-on. PtH allows an attacker to reuse legitimate administrator or user credentials to move from system to system on a network without ever having to crack a password. Once an attacker compromises a single host, s/he will typically reuse stolen hashed credentials to spread to other systems on the network, gain access to a privileged user’s workstation, grab domain administrator credentials, and subsequently take control of the entire environment. Limiting workstation-to-workstation communication will severely restrict attackers’ freedom of movement via techniques such as PtH. In general, limiting the number and type of communication flows between systems also aids in the detection of potentially malicious network activity. Because there are fewer allowed communication paths, abnormal flows become more apparent to attentive network defenders.

e. Perimeter Filtering: Perimeter filtering refers to properly implementing network security devices, such as proxies, firewalls, web content filters, and IDS/IPS. The intent is to block malicious traffic from reaching a user’s machine and provide protection against data exfiltration and command and control.

f. Use Web Domain Name System (DNS) Reputation: Various commercial services offer feeds rating the trustworthiness of web domains. Enterprises can protect their hosts by screening web accesses against such services and redirecting dangerous web requests to a warning page. Inspection can be implemented at either the web proxy or browser level.

g. Restrict or Prevent Remote Admin Access: Prior to an intrusion, remote access should be severely restricted and highly monitored. Once an intrusion is detected, all remote administration should be completely disallowed. Not only does this clear up the network traffic coming and going from a network, it also allows the network defenders to determine that the remote administration activities are malicious and better track and block them.

3. Implement Application Whitelisting: Application whitelisting is the configuring of a host system to only execute a specific, known set of code. Basically, if a program or executable code, such as a piece of malware, is not included in the whitelist it’s never allowed to run.

4. Install and correctly use EMET: One of the tactics frequently used by an adversary is to initially infect a host through spear-phishing and drive-by download/watering-hole websites. The best way to counter this initial exploitation is through the implementation of an anti-exploitation tool, such as Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). These tools can render useless entire classes of malware and malicious TTPs instead of eliminating one piece of malware at a time; an enormous boon to a network’s security.

5. Implement Host Intrusion Prevention System (HIPS) Rules: Standard signature-based host defenses are overwhelmed by exploit kits that continually morph attack components. HIPS technology focuses on threat behaviors and can better scale to entire sets of intrusion activities. For an enterprise with a well-configured and managed network, HIPS can be tuned to learn and allow normal network functionality while flagging anomalies characteristic of intrusions.

6. Centralize logging of all events: By pulling all of the system logs (such as Windows Event or Error logs, and any logs from security devices, such as SNORT, HIPS or firewall rule hits, as a few examples) into a centralized location that protects it from tampering and enables analytics, the network admin and intrusion response team would be able to more efficiently detect and understand the tools, tactics, and procedures of the adversary. This paper does not detail the entirety of logs that could be aggregated, however, specific recommendations of particular logs that should be targeted for aggregation can be obtained via consultation with the network’s Computer Network Defense-Service Provider (CND-SP) or with any of the organizations listed in the introduction of this section.

7. Take Advantage of Software Improvement: Apply patches for vulnerabilities as soon as they are released by the vendor. Upgrade as new versions of applications, software and operating systems become available. Delaying or ignoring patches for vulnerabilities considerably increases the chance of systems being exploited, in particular Internet/public facing systems (VPN, web, email servers). Open source research has shown that a working exploit is often available on the same day vulnerabilities are publicly disclosed, making it imperative to patch immediately. Vendors typically perform extensive testing of patches prior to release so misconceptions about negative effects on systems are often overstated. The cost of pre-deployment testing by the enterprise is miniscule compared to the potential costs incurred from a security breach. Application deployment and updating is becoming increasingly automated. Many operating systems and applications provide automatic update features to minimize the human factor.

8. Public Services Utilization: Enterprises are embracing the use of public services such as Cloud Storage and Social Networking Sites (SNS) as they offer capabilities not available with traditional software. These services also introduce a new set of vulnerabilities that must be considered. Open source reporting has shown these services to be an increasingly used vector for both malware delivery and data exfiltration. Establish a comprehensive public services policy and framework. Discover and document all the Cloud and Social Networking Services used and establish a policy that includes IT sanctioned sites permitted and prohibited within the enterprise as well as what is considered acceptable use. Integrate traffic logs to/from these sites into your centralized logging environment and implement analytics to detect and alert on potentially suspicious or abnormal traffic that could be indicative of a compromise.

9. Use a Standard Baseline: Implementing a uniform image with security already baked in and standardized applications affords the incident response team the ability to look at exploited machines and distinguish what is malicious vs. allowed. It also ensures that each machine on the network is at least at a certain level of security prior to further customization for a user’s needs. Within the DoDIN this can be satisfied through the Unified Master Gold Disk, maintained and distributed through DISA.

10. Centralize logging of all events: By pulling all of the system logs, such as Windows Event or Error logs, and any logs from security devices, such as SNORT or firewall rule hits, into a centralized location, the network admin and intrusion response team would be able to more efficiently detect and understand the tools, tactics, and procedures of the adversary. Using this information then increases the responder’s ability to effectively corner and expel the adversary.

11. Data-at-Rest and Data-in-Transit Encryption: Implementing encryption for both data at rest and data in transit ensures that what is meant to be kept private stays private, whether it is stored on a disk or moving across a network. It means that exfiltration and espionage attempts can be thwarted since a threat actor cannot access the information.

Exposed – FBI Report on Hillary Clinton E-Mail Investigation for Mishandling of Classified Information

Clinton E-Mail Investigation Mishandling of Classified – Unknown Subject or Country (SIM)

Page Count: 58 pages
Date: July 2016
Restriction: None
Originating Organization: Federal Bureau of Investigation
File Type: pdf
File Size: 37,829,437 bytes
File Hash (SHA-256): E9ACBA18350499CE6CE739D165D5BE18C7C27B96C8F474CFABE315F6DC5BCAD4

Download File

On July 10, 2015, the Federal Bureau of Investigation (FBI) initiated a full investigation based upon a referral received from the US Intelligence Community Inspector General (ICIG), submitted in accordance with Section 811 (c) of the Intelligence Authorization Act of 1995 and dated July 6, 2015, regarding the potential unauthorized transmission and storage of classified information on the personal e-mail server of former Secretary of State Hillary Clinton (Clinton). The FBI’s investigation focused on determining whether classified information was transmitted or stored on unclassified systems in violation of federal criminal statutes and whether classified information was compromised by unauthorized individuals, to include foreign governments or intelligence services, via cyber intrusion or other means.

The FBI’s investigation and forensic analysis did not find evidence confirming that Clinton’s e-mail accounts or mobile devices were compromised by cyber means. However, investigative limitations, including the FBI’s inability to obtain all mobile devices and various computer components associated with Clinton’s personal e-mail systems, prevented the FBI from conclusively determining whether the classified information transmitted and stored on Clinton’s personal server systems was compromised via cyber intrusion or other means. The FBI did find that hostile foreign actors successfully gained access to the personal e-mail accounts of individuals with whom Clinton was in regular contact and, in doing so, obtained e-mails sent to or received by Clinton on her personal account.

Prior to January 21, 2009, when she was sworn in as the US Secretary of State, Clinton used a personally-acquired BlackBerry device with service initially from Cingular Wireless and later AT&T Wireless, to access her e-mail accounts. Clinton initially used the e-mail addresses hr15@mycingular.blackberry.net and then changed to hr15@att.blackberry.net. According to Cooper, in January 2009, Clinton decided to stop using her hr15@att.blackberry.net e-mail address and instead began using a new private domain, clintonemail.com, to host e-mail service on the Apple Server. Clinton stated to the FBI that she directed aides, in or around January 2009, to create the clintonemail.com account, and as a matter of convenience her clintonemail.com account was moved to an e-mail system maintained by President Clinton’s aides. While Cooper could not specifically recall registering the domain, Cooper was listed as the point of contact for clintonemail.com when the domain was registered with a domain registration services company, Network Solutions, on January 13, 2009. Clinton used her att.blackberry.net e-mail account as her primary e-mail address until approximately mid-to-late January 2009 when she transitioned to her newly created hdr22@clintonemail.com account. The FBI did not recover any information indicating that Clinton sent an e-mail from her hr15@att.blackberry.net e-mail after March 18, 2009.

Revealed – FBI Cyber Bulletin: Targeting Activity Against State Board of Election Systems

Targeting Activity Against State Board of Election Systems

Page Count: 4 pages
Date: August 18, 2016
Restriction: TLP: AMBER
Originating Organization: Federal Bureau of Investigation, Cyber Division
File Type: pdf
File Size: 524,756 bytes
File Hash (SHA-256): 1EE66D31C46FF1F4DE98D36012E705586D6DFF6800B7F051F564D1A7CED58B3E

Download File

The FBI received information of an additional IP address, 5.149.249.172, which was detected in the July 2016 compromise of a state’s Board of Election Web site. Additionally, in August 2016, attempted intrusion activities into another state’s Board of Election system identified the IP address 185.104.9.39, used in the aforementioned compromise.

Technical Details

The following information was released by the MS-ISAC on 1 August 2016, which was derived through the course of the investigation.

In late June 2016, an unknown actor scanned a state’s Board of Election website for vulnerabilities using Acunetix and, after identifying a Structured Query Language (SQL) injection (SQLi) vulnerability, used SQLmap to target the state website. The majority of the data exfiltration occurred in mid-July. The actor used seven suspicious IP addresses and the penetration testing tools Acunetix, SQLMap, and DirBuster, detailed in the indicators section below.

Indicators associated with the Board of Elections intrusion:

  • The use of the Acunetix tool was confirmed when “GET /acunetix-wvs-test-for-some-inexistent-file – 443” and several requests with “wvstest=” appeared in the logs;
  • The user agent for Acunetix was identified in the logs: “Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21++(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21”;
  • The use of SQLMap was confirmed after “GET /status.aspx DLIDNumber=1';DROP TABLE sqlmapoutput” appeared in the logs;
  • The user agent for SQLMap is “Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X+10.7;+en-US;+rv:1.9.2.2)+Gecko/20100316+Firefox/3.6.2 200 0 0 421” (these are easily spoofed and not inclusive of all SQLMap activity);
  • The user agent for the DirBuster program is “DirBuster-1.0-RC1+(http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)”.
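
An added example, not part of the bulletin: a small checker that parses web server log lines and flags the Acunetix, SQLMap and DirBuster indicators quoted above, plus requests from the two source addresses the bulletin text names. It assumes the IIS W3C extended log format (the “200 0 0 421” trailer and the “+”-encoded user agents in the quoted indicators look like it); the sample log lines are constructed.

```python
"""Flag the scanner indicators quoted in the bulletin in IIS W3C extended logs."""
from collections import Counter
from urllib.parse import unquote_plus

# Indicators taken from the bulletin text.
ACUNETIX_PATH = "/acunetix-wvs-test-for-some-inexistent-file"
ACUNETIX_PARAM = "wvstest="
SQLMAP_MARKER = "sqlmapoutput"
DIRBUSTER_UA = "DirBuster"
# Only the two addresses the bulletin text itself names; extend from your own sources.
WATCHLIST_IPS = {"5.149.249.172", "185.104.9.39"}

# Constructed sample log in the assumed IIS W3C format ("+" encodes a space in the UA field).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2016-06-28 03:14:07 10.0.0.10 GET /status.aspx DLIDNumber=12345 443 - 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0)+Chrome/51.0 200 0 0 15
2016-06-28 03:15:22 10.0.0.10 GET /acunetix-wvs-test-for-some-inexistent-file - 443 - 185.104.9.39 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21++(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 404 0 2 3
2016-06-28 03:15:23 10.0.0.10 GET /default.aspx wvstest=probe 443 - 185.104.9.39 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.21++(KHTML,+like+Gecko)+Chrome/41.0.2228.0+Safari/537.21 200 0 0 8
2016-07-12 22:41:55 10.0.0.10 GET /status.aspx DLIDNumber=1';DROP+TABLE+sqlmapoutput 443 - 5.149.249.172 Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X+10.7;+en-US;+rv:1.9.2.2)+Gecko/20100316+Firefox/3.6.2 200 0 0 421
2016-07-12 22:42:01 10.0.0.10 GET /admin/ - 443 - 5.149.249.172 DirBuster-1.0-RC1+(http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project) 404 0 2 1
"""


def parse_iis_log(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log has no #Fields header before its first data line")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than misalign the columns
        yield dict(zip(fields, values))


def classify(entry):
    """Return the indicator names a log entry matches (empty list if none)."""
    hits = []
    stem = entry.get("cs-uri-stem", "")
    query = unquote_plus(entry.get("cs-uri-query", ""))   # "+" and %xx decoded
    user_agent = unquote_plus(entry.get("cs(User-Agent)", ""))
    if stem == ACUNETIX_PATH or ACUNETIX_PARAM in query:
        hits.append("acunetix-probe")
    if SQLMAP_MARKER in query.lower():
        hits.append("sqlmap-injection")
    if DIRBUSTER_UA in user_agent:
        hits.append("dirbuster-ua")
    if entry.get("c-ip") in WATCHLIST_IPS:
        hits.append("watchlist-ip")
    return hits


def scan_log(text):
    """Return (findings, per_ip): findings are (timestamp, client ip, hits) for matching lines,
    per_ip counts matching requests per client address for triage."""
    findings = []
    per_ip = Counter()
    for entry in parse_iis_log(text):
        hits = classify(entry)
        if hits:
            findings.append((f"{entry['date']} {entry['time']}", entry["c-ip"], hits))
            per_ip[entry["c-ip"]] += 1
    return findings, per_ip


if __name__ == "__main__":
    found, counts = scan_log(SAMPLE_LOG)
    for when, ip, hits in found:
        print(when, ip, ", ".join(hits))
    print("matching requests per source:", dict(counts))
```

As the bulletin notes, user agents are easily spoofed, so the path and query indicators carry more weight than the user-agent matches.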

Recommendations

The FBI is requesting that states contact their Board of Elections and determine if any similar activity to their logs, both inbound and outbound, has been detected. Attempts should not be made to touch or ping the IP addresses directly.

Unveiled – FBI Cyber Bulletin: Malware Targeting Foreign Banks

A-000073-MW

Page Count: 19 pages
Date: May 23, 2016
Restriction: TLP: GREEN
Originating Organization: Federal Bureau of Investigation, Cyber Division
File Type: pdf
File Size: 751,757 bytes
File Hash (SHA-256):B10AF987BF17BA217DED942BA847D9CF6DB8B38A0AE40B937FA4B031CB79EFC8

Download File

The FBI is providing the following information with HIGH confidence:

The FBI has obtained information regarding a malicious cyber group that has compromised the networks of foreign banks. The actors have exploited vulnerabilities in the internal environments of the banks and initiated unauthorized monetary transfers over an international payment messaging system. In some instances, the actors have been present on victim networks for a significant period of time. Contact law enforcement immediately regarding any activity related to the indicators of compromise (IOCs) in the attached appendix that are associated with this group.

Technical Details

The FBI is providing the following information with HIGH confidence:

The enclosed IOCs have been employed by a cyber group linked to intrusions at foreign banks. Malicious insiders or external attackers have managed to submit international payment messages from financial institutions’ back-offices, PCs or workstations connected to their local interface to the international payment messaging system network. The group utilized malware that appears to have been customized for each victim environment. The malware is designed to hide evidence by removing some of the traces of the fraudulent messages. The observed malware samples were designed to securely delete themselves once they completed their tasks, removing evidence of their existence. Additionally, the intruders appear to have performed extensive network reconnaissance using remote access Trojans, keyloggers, screen grabbers, and a variety of legitimate Windows system administration utilities. In addition to these IOCs, the FBI recommends recipient organizations be alert to any changes to directories where international payment messaging system software has been installed.

Recommended Mitigations for Institutions with Connections to Payment Messaging Systems

Logically Segregate Your Operating Environment

  • Use firewalls to divide your operating environment into enclaves.
  • Use access control lists to permit/deny specific traffic from flowing between those enclaves.
  • Give special consideration to segregating enclaves holding sensitive information (for example, systems with customer records) from enclaves that require Internet connectivity (for example, email systems)

Isolate Payment Messaging Platforms

  • For institutions that access payment messaging platforms through private networks, confirm perimeter security controls prevent Internet hosts from accessing the private network infrastructure.
  • For institutions that access payment messaging platforms over the Internet, confirm perimeter security controls prevent Internet hosts other than payment messaging platform endpoints from accessing the infrastructure used for payment system access.

Routinely Confirm the Integrity of Secondary Security Controls

  • Perform monthly validation of transactional integrity systems, such as printers or secondary storage systems.
  • Perform monthly validation of payment messaging activity by performing telephone confirmation of transfer activity.

Routinely Test Operating Protocols

  • Confirm staffing plans for non-business, non-critical operating hours.
  • Ensure staff members understand payment messaging transfer protocols, along with emergency transfer protocols.

Monitor for Anomalous Behavior as Part of Layered Security

  • Develop baseline of expected software, users and logons. Monitor hosts running payment applications for unusual software installations, updates, account changes, or other activities outside of expected behavior.
  • Develop baseline of expected transaction participants, amounts, frequency and timing. Monitor and flag anomalous transactions for suspected fraudulent activity.
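The second bullet asks for a baseline of expected participants, amounts, frequency and timing, with anomalous transactions flagged. As an added example (not from the bulletin), the script below builds such a baseline from a constructed payment history and scores a new batch of messages against it on all four dimensions. The record layout, beneficiary tags and thresholds are assumptions for the demonstration.

```python
"""Added example (not from the bulletin): baseline expected payment activity and
flag messages that fall outside it.  All records are constructed sample data and
the field layout is an assumption, not any payment system's real format."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed history of legitimate outbound payments: (id, timestamp, beneficiary, amount).
HISTORY = [
    ("T1", "2016-04-04T09:12:00", "BENEF-A", 12_500.0),
    ("T2", "2016-04-05T10:40:00", "BENEF-A", 13_100.0),
    ("T3", "2016-04-06T14:05:00", "BENEF-B", 48_000.0),
    ("T4", "2016-04-07T11:30:00", "BENEF-A", 11_900.0),
    ("T5", "2016-04-08T15:15:00", "BENEF-B", 51_000.0),
    ("T6", "2016-04-11T09:50:00", "BENEF-C", 4_200.0),
    ("T7", "2016-04-12T16:20:00", "BENEF-B", 49_500.0),
    ("T8", "2016-04-13T10:05:00", "BENEF-A", 12_800.0),
]

# Constructed new batch containing several anomalies of the kinds the bulletin names.
NEW = [
    ("N1", "2016-05-02T10:10:00", "BENEF-A", 12_700.0),   # normal
    ("N2", "2016-05-02T02:45:00", "BENEF-D", 950_000.0),  # new beneficiary, off-hours
    ("N3", "2016-05-02T02:46:00", "BENEF-D", 900_000.0),  # part of a burst with N2/N4
    ("N4", "2016-05-02T02:47:00", "BENEF-D", 880_000.0),
    ("N5", "2016-05-02T11:00:00", "BENEF-B", 300_000.0),  # known beneficiary, amount far above norm
]


def build_baseline(history):
    """Summarise normal behaviour: amount profile per beneficiary and the hours seen."""
    amounts = defaultdict(list)
    hours = set()
    for _, ts, beneficiary, amount in history:
        amounts[beneficiary].append(amount)
        hours.add(datetime.fromisoformat(ts).hour)
    profile = {}
    for beneficiary, values in amounts.items():
        # A beneficiary seen once has zero spread; assume 10% of its amount instead.
        profile[beneficiary] = (mean(values), pstdev(values) or mean(values) * 0.1)
    return {"amounts": profile, "hours": (min(hours), max(hours))}


def flag_anomalies(baseline, transactions, burst_window=timedelta(minutes=10), burst_count=3):
    """Return {id: [reasons]} for transactions outside the baseline."""
    findings = defaultdict(list)
    lo, hi = baseline["hours"]
    seen_times = []
    for tid, ts, beneficiary, amount in sorted(transactions, key=lambda r: r[1]):
        when = datetime.fromisoformat(ts)
        if beneficiary not in baseline["amounts"]:
            findings[tid].append("unknown beneficiary")
        else:
            mu, sigma = baseline["amounts"][beneficiary]
            if amount > mu + 3 * sigma:
                findings[tid].append("amount above baseline")
        if not lo <= when.hour <= hi:
            findings[tid].append("outside normal hours")
        seen_times.append(when)
        # Frequency: this many payments inside the window is unusual for this history.
        if len([t for t in seen_times if when - t <= burst_window]) >= burst_count:
            findings[tid].append("burst of payments")
    return dict(findings)


if __name__ == "__main__":
    for tid, reasons in flag_anomalies(build_baseline(HISTORY), NEW).items():
        print(tid, ", ".join(reasons))
```

Each flagged message carries every reason that applied, which is what a fraud desk needs when it makes the telephone confirmation call the bulletin recommends; a message with three reasons (new beneficiary, off-hours, burst) should be held, not merely noted.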

Recommended Mitigations for All Alert Recipients

The FBI is providing the following information with HIGH confidence:

  • Prepare Your Environment for Incident Response
    • Establish out-of-band communications methods for disseminating intrusion response plans and activities, and inform NOCs/CERTs according to institutional policy and SOPs.
    • Maintain and actively monitor centralized host and network logging solutions after ensuring that all devices have logging enabled and their logs are being aggregated to those centralized solutions.
    • Disable all remote (including RDP) access until a password change has been completed.
    • Implement full SSL/TLS inspection capability (on perimeter and proxy devices).
    • Monitor accounts and devices determined to be part of the compromise to prevent reacquisition attempts.
    • Implement core mitigations to inhibit re-exploitation (within 72 hours).
    • Implement a network-wide password reset (preferably with local host access only, no remote changes allowed) to include:

A patch management process that regularly patches vulnerable software remains a critical component in raising the difficulty of intrusions for cyber operators. While a few adversaries use zero-day exploits to target victims, many adversaries still target known vulnerabilities for which patches have been released, capitalizing on slow patch processes and risk decisions by network owners not to patch certain vulnerabilities or systems.

After initial response activities, deploy and correctly configure Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). EMET employs several mitigation techniques to combat memory corruption techniques. It is recommended that all hosts and servers on the network implement EMET, but for recommendations on the best methodology to employ when deploying EMET, please see NSA/IAD’s Anti-Exploitation Slick sheet – https://www.nsa.gov/ia/_files/factsheets/I43V_Slick_Sheets/Slicksheet_AntiExploitationFeatures_Web.pdf

Implement Data-At-Rest (DAR) Protections.

  • The goal for DAR protections is to prevent an attacker from compromising sensitive data when the End User Device (EUD) is powered off or unauthenticated.
  • The use of multiple encryption layers that meet IAD and CNSSP-15 guidance, implemented with components meeting the Commercial Solution for Classified (CSfC) vendor diversity requirements, reduces the likelihood that a single vulnerability or failure can be exploited to compromise EUDs, move laterally through a network, and access sensitive data.
  • Receiving and validating updates or code patches for these components only through direct physical administration or an NSA approved Data in Transit (DIT) solution mitigates the threat of malicious attempts to push unverified updates or code updates.
  • Procure products that have been validated through NIAP’s DAR Protection Profiles (PPs) and utilize the DAR Capability Package (CP) that provides configurations allowing customers to independently implement secure solutions using layered Commercial Off-the-Shelf (COTS) products. The CP is vendor-agnostic and provides high-level security and configuration guidance for customers and/or Solution Integrators.

Implement long-term mitigations to further harden systems

1. Protect Credentials: By implementing the following credential protections, the threat actor’s ability to gain highly privileged account access and move throughout a network is severely hampered.

a. Implement Least Privilege: Least privilege means limiting the rights assigned to each group of accounts on a network to only the rights the user requires; for example, a normal user is granted only user-level privileges and cannot perform administrative tasks such as installing software.

b. Restrict Local Accounts: By restricting the use of local accounts, especially local administrator accounts, you reduce the number of usable credentials found within a network. When local accounts are used, passwords and their corresponding hashes are stored on the host and are more readily available for harvesting by an adversary who seeks to establish persistence. Adversaries are known to use this information to move across the network through Pass the Hash.

c. Limit lateral movement: This mitigation reduces the adversary’s ability to go from exploiting one machine to taking over the entire network. Host firewall rules, Active Directory structuring, and/or Group Policy settings can be tailored to stop communications between systems and increase the survivability and defensibility of a network under attack.

d. Admin Access Segregation: Once an adversary gains administrator credentials, especially domain administrator credentials, the network becomes wide open to their malicious activity. By decreasing the surface area where administrator credentials can be stolen, through restricting where administrators can use their accounts and what they can use their accounts for, the threat actor will have a much harder time fully compromising a network. Having different passwords and credentials for user, local administrator, and domain administrator accounts prevents an adversary from reusing a stolen credential from one to gain more access.

e. Admin Access Protection: Using unencrypted protocols across the network means credentials, especially administrative credentials, are sent in the clear, which enables an adversary to grab them in transit and reuse them. Be sure to use encrypted protocols (e.g. HTTPS, SSH, RDP, SFTP, etc.) for all management connections where credentials are passed, and disable the use of unencrypted protocols (e.g. Telnet, FTP, HTTP, etc.).

f. Ensure Administrative Accounts do not have email accounts or Internet access.

g. Utilize Strong Authentication: By enforcing multi-factor authentication (e.g., using smart cards), especially for privileged accounts and remote access (e.g. VPNs), you dramatically reduce when and where stolen credentials can be reused by an adversary. Until multi-factor authentication is in place, create, enforce, and maintain strong password policies across the organization. Strong password policies must be mandated for all users and are especially critical for administrator accounts and service accounts. Passwords should be complex and contain a combination of letters, numbers, and special characters, and they should be of sufficient length (greater than 14 characters); require regular password changes for all administrative and other privileged accounts; and prevent the reuse of usernames and passwords across multiple domains and/or multiple systems.

h. Log and Monitor Privileged Admin Account Usage: Implementing logging and monitoring capabilities on privileged accounts can give system owners and incident response professionals insight into account misuse and potential compromise by malicious actors. For instance, it may be discovered that a domain admin is logging in at 2200 every night even though that admin is done working for the day and gone from the building. This mitigation would also enable discovery of any privileged admin accounts that were created by the actor for persistence.

i. Log and Monitor Use of Administrative Tools: Non-administrative use of built-in OS administrative tools should be locked down in accordance with applicable guidance and hardening policies. Use of these tools, such as Windows® PowerShell® and Windows Management Instrumentation Command-line (WMIC), should be logged and monitored to help enable early detection of a compromise. Though administration activities take place on a constant basis, certain behaviors, or sets of activities, in concert with others, are suspicious and can lead to a discovery of intrusion. For example, the ‘ping’ command by itself has legitimate uses. However, the ‘ping’ command followed by a PowerShell command from one workstation to another is very suspicious.
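Items h and i both describe detections that can be written against centralised logs: a privileged account logging on at 2200 every night, and a ping from one workstation followed by a PowerShell command aimed at the same remote host. The added example below (not from the bulletin) implements both rules over a constructed event stream. The event layout, the privileged-account list, the business-hours window and the five-minute sequence window are assumptions for the demonstration, not a logging product's schema.

```python
"""Added example (not from the bulletin): two detections over privileged-logon and
admin-tool telemetry, matching items 1.h and 1.i.  Events are constructed sample
data; the field layout and the constants below are assumptions."""
from __future__ import annotations

from datetime import datetime, timedelta

PRIVILEGED = {"CORP\\da-admin", "CORP\\svc-backup"}   # assumed list of privileged accounts
BUSINESS_HOURS = (8, 18)            # privileged logons are expected 08:00-18:00 on weekdays
SEQUENCE_WINDOW = timedelta(minutes=5)

# Constructed events: (timestamp, host, account, kind, detail)
#   kind "logon"   -> detail is the logon type
#   kind "process" -> detail is the command line as logged by process-creation auditing
EVENTS = [
    ("2016-05-10T09:05:00", "WS-01", "CORP\\jsmith",   "logon",   "interactive"),
    ("2016-05-10T09:30:00", "DC-01", "CORP\\da-admin", "logon",   "interactive"),
    ("2016-05-10T22:00:00", "DC-01", "CORP\\da-admin", "logon",   "remote"),    # after hours
    ("2016-05-11T22:00:00", "DC-01", "CORP\\da-admin", "logon",   "remote"),    # repeats nightly
    ("2016-05-11T22:01:10", "WS-01", "CORP\\jsmith",   "process", "ping.exe WS-17"),
    ("2016-05-11T22:02:30", "WS-01", "CORP\\jsmith",   "process",
     "powershell.exe -NoProfile -Command Invoke-Command -ComputerName WS-17 -ScriptBlock {hostname}"),
    ("2016-05-11T10:15:00", "WS-02", "CORP\\alee",     "process", "ping.exe fileserver"),
    ("2016-05-11T14:40:00", "WS-02", "CORP\\alee",     "process", "powershell.exe Get-ChildItem"),
]


def parse(events):
    """Turn the raw tuples into (datetime, host, account, kind, detail), oldest first."""
    return sorted((datetime.fromisoformat(ts), host, acct, kind, detail)
                  for ts, host, acct, kind, detail in events)


def after_hours_privileged_logons(events):
    """Item 1.h: privileged accounts logging on at weekends or outside business hours."""
    lo, hi = BUSINESS_HOURS
    hits = []
    for when, host, acct, kind, detail in parse(events):
        if kind != "logon" or acct not in PRIVILEGED:
            continue
        if when.weekday() >= 5 or not lo <= when.hour < hi:
            hits.append((when.isoformat(), host, acct, detail))
    return hits


def ping_then_remote_powershell(events):
    """Item 1.i: a ping of a remote host followed, on the same workstation and within
    SEQUENCE_WINDOW, by a PowerShell command line that names that same host."""
    hits = []
    recent_pings = []   # (when, host, target)
    for when, host, acct, kind, detail in parse(events):
        if kind != "process":
            continue
        image, _, args = detail.partition(" ")
        if image.lower() == "ping.exe" and args:
            recent_pings.append((when, host, args.split()[0]))
            continue
        if image.lower() == "powershell.exe":
            for pwhen, phost, target in recent_pings:
                if (phost == host and when - pwhen <= SEQUENCE_WINDOW
                        and target.lower() in args.lower()):
                    hits.append((when.isoformat(), host, acct, target))
    return hits


if __name__ == "__main__":
    print("after-hours privileged logons:", after_hours_privileged_logons(EVENTS))
    print("ping followed by remote PowerShell:", ping_then_remote_powershell(EVENTS))
```

Both rules depend on the logging the bulletin asks for elsewhere: logon events and process-creation events with full command lines, aggregated centrally. The second rule deliberately ignores the lone PowerShell command on WS-02, because the bulletin's point is that the sequence, not either command on its own, is what is suspicious.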

2. Segregate Networks and Functions:

a. Know Your Network: Enterprise networks often become unmanageable, leading to inefficient administration and ineffective security. In order to have any sort of control over your network, you first need to know what and where everything is and what it does. Ensure information about your networks is documented and updated regularly. Create an accurate list of ALL devices and ALL protocols that are running on your network. Identify network enclaves and examine your network trust relationships within and between those enclaves, as well as with external networks, to determine whether they are really necessary for your organization’s mission.

b. DMZ Isolation: By ensuring that the DMZ is properly segregated both through physical and logical network architecture and admin/user accounts, a network owner can greatly decrease the external attack surface. Since webservers and corresponding databases usually sit in this location and are also externally accessible, they regularly are the first target during CNO. If these systems are compromised and the DMZ is not configured properly or at all, it could mean the loss of the entire enterprise.

c. Network Function Segregation: A network owner should implement a tiered system when determining the switching within a network. This way the lower security systems, like user workstations or machines with email and internet access, cannot insecurely communicate with higher security systems like domain controllers and other member servers. This can be achieved through multiple methods including VLANs, physical network topologies, and firewall rule sets. In the same vein, networks need to apply the same segregation principle to the various tiers of accounts within a network, ensuring highly privileged accounts cannot access lower security tiered systems and low privilege accounts cannot access higher security tiered systems.

d. Limit Workstation-to-Workstation Communications: Pass-the-Hash (PtH) and other forms of legitimate credential reuse are serious vulnerabilities existing in all environments that implement Single Sign-on. PtH allows an attacker to reuse legitimate administrator or user credentials to move from system to system on a network without ever having to crack a password. Once an attacker compromises a single host, s/he will typically reuse stolen hashed credentials to spread to other systems on the network, gain access to a privileged user’s workstation, grab domain administrator credentials, and subsequently take control of the entire environment. Limiting workstation-to-workstation communication will severely restrict attackers’ freedom of movement via techniques such as PtH. In general, limiting the number and type of communication flows between systems also aids in the detection of potentially malicious network activity. Because there are fewer allowed communication paths, abnormal flows become more apparent to attentive network defenders.
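Items c and d describe a tiered model: lower-security tiers may not reach higher-security systems except for the services the directory genuinely needs, accounts stay within their own tier, and workstations do not talk to one another. Writing that policy down as code makes it possible to audit firewall and logon records against it and to see the "abnormal flows" the text refers to. The following is an added example, not from the bulletin; the host and account tiers, the required-service allowlist and the sample records are constructed assumptions.

```python
"""Added example (not from the bulletin): a tiered segregation policy expressed as
code, with observed flows and logons audited against it.  Host tiers, account
tiers, the required-service allowlist and the sample records are constructed."""
from __future__ import annotations

# Tier 0 = identity/domain controllers, tier 1 = member servers, tier 2 = user workstations.
HOST_TIER = {"DC-01": 0, "DC-02": 0, "FS-01": 1, "MAIL-01": 1,
             "WS-01": 2, "WS-02": 2, "WS-17": 2}
ACCOUNT_TIER = {"CORP\\da-admin": 0, "CORP\\srv-admin": 1, "CORP\\jsmith": 2}

# Upward (lower-security -> higher-security) flows the directory genuinely needs.
# Constructed allowlist: Kerberos, LDAP and SMB to domain controllers; SMB to file servers.
REQUIRED_UPWARD = {(2, 0): {88, 389, 445}, (1, 0): {88, 389, 445}, (2, 1): {445}}


def flow_allowed(src: str, dst: str, dport: int) -> bool:
    """Network policy: no workstation-to-workstation traffic (item 2.d); upward traffic
    only on the listed service ports; same-tier and downward traffic is permitted
    (assumption: management reaches down from the more trusted tier)."""
    s, d = HOST_TIER[src], HOST_TIER[dst]
    if src == dst:
        return True
    if s == 2 and d == 2:
        return False
    if s > d:
        return dport in REQUIRED_UPWARD.get((s, d), set())
    return True


def logon_allowed(account: str, host: str) -> bool:
    """Account policy (item 2.c): an account may only log on to hosts of its own tier."""
    return ACCOUNT_TIER[account] == HOST_TIER[host]


def audit(flows, logons) -> dict[str, list]:
    """Return the observed flows and logons that violate the policy."""
    return {
        "flows": [f for f in flows if not flow_allowed(*f)],
        "logons": [l for l in logons if not logon_allowed(*l)],
    }


# Constructed observations, as they might be extracted from firewall and logon logs.
FLOWS = [
    ("WS-01", "DC-01", 88),     # Kerberos to a DC: required
    ("WS-01", "WS-17", 445),    # workstation to workstation: not allowed
    ("WS-02", "FS-01", 445),    # file share access: required
    ("WS-02", "DC-01", 3389),   # RDP from a workstation tier host to a DC: not allowed
    ("FS-01", "DC-01", 389),    # LDAP from a server: required
]
LOGONS = [
    ("CORP\\da-admin", "WS-01"),   # tier-0 credential exposed on a workstation
    ("CORP\\jsmith", "FS-01"),     # user account on a server
    ("CORP\\jsmith", "WS-01"),
    ("CORP\\da-admin", "DC-01"),
]

if __name__ == "__main__":
    print(audit(FLOWS, LOGONS))
```

The two violating flows are exactly the paths item d wants closed, and the two violating logons are the credential-exposure cases item 2.c and item 1.d warn about; the same functions can be used first to generate the firewall and logon-restriction rules and then, once enforced, to confirm from logs that nothing slips past them.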

e. Perimeter Filtering: Perimeter filtering refers to properly implementing network security devices, such as proxies, firewalls, web content filters, and IDS/IPS. The intent is to block malicious traffic from reaching a user’s machine and to provide protection against data exfiltration and command and control.

f. Use Web Domain Name System (DNS) Reputation: Various commercial services offer feeds rating the trustworthiness of web domains. Enterprises can protect their hosts by screening web accesses against such services and redirecting dangerous web requests to a warning page. Inspection can be implemented at either the web proxy or browser level.

g. Restrict or Prevent Remote Admin Access: Prior to an intrusion, remote access should be severely restricted and highly monitored. Once an intrusion is detected, all remote administration should be completely disallowed. Not only does this clear up the network traffic coming and going from a network, it also allows the network defenders to determine that the remote administration activities are malicious and better track and block them.

3. Implement Application Whitelisting: Application whitelisting is the configuring of a host system to execute only a specific, known set of code. Basically, if a program or executable code, such as a piece of malware, is not included in the whitelist, it is never allowed to run.

4. Install and correctly use EMET: One of the tactics frequently used by an adversary is to initially infect a host through spear-phishing and drive-by or watering-hole websites. The best way to counter this initial exploitation is through the implementation of an anti-exploitation tool, such as Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). These tools can render useless entire classes of malware and malicious TTPs instead of eliminating one piece of malware at a time, an enormous boon to a network’s security.

5. Implement Host Intrusion Prevention System (HIPS) Rules: Standard signature-based host defenses are overwhelmed by exploit kits that continually morph attack components. HIPS technology focuses on threat behaviors and can better scale to entire sets of intrusion activities. For an enterprise with a well-configured and managed network, HIPS can be tuned to learn and allow normal network functionality while flagging anomalies characteristic of intrusions.

6. Centralize logging of all events: By pulling all of the system logs (such as Windows Event or Error logs, and any logs from security devices, such as SNORT, HIPS or firewall rule hits, as a few examples) into a centralized location that protects it from tampering and enables analytics, the network admin and intrusion response team would be able to more efficiently detect and understand the tools, tactics, and procedures of the adversary. This paper does not detail the entirety of logs that could be aggregated, however, specific recommendations of particular logs that should be targeted for aggregation can be obtained via consultation with the network’s Computer Network Defense-Service Provider (CND-SP) or with any of the organizations listed in the introduction of this section.

7. Take Advantage of Software Improvement: Apply patches for vulnerabilities as soon as they are released by the vendor. Upgrade as new versions of applications, software and operating systems become available. Delaying or ignoring patches for vulnerabilities considerably increases the chance of systems being exploited, in particular Internet/public facing systems (VPN, web, email servers). Open source research has shown that a working exploit is often available on the same day vulnerabilities are publicly disclosed, making it imperative to patch immediately. Vendors typically perform extensive testing of patches prior to release so misconceptions about negative effects on systems are often overstated. The cost of pre-deployment testing by the enterprise is miniscule compared to the potential costs incurred from a security breach. Application deployment and updating is becoming increasingly automated. Many operating systems and applications provide automatic update features to minimize the human factor.

8. Public Services Utilization: Enterprises are embracing the use of public services such as Cloud Storage and Social Networking Sites (SNS) as they offer capabilities not available with traditional software. These services also introduce a new set of vulnerabilities that must be considered. Open source reporting has shown these services to be an increasingly used vector for both malware delivery and data exfiltration. Establish a comprehensive public services policy and framework. Discover and document all the Cloud and Social Networking Services used and establish a policy that includes IT sanctioned sites permitted and prohibited within the enterprise as well as what is considered acceptable use. Integrate traffic logs to/from these sites into your centralized logging environment and implement analytics to detect and alert on potentially suspicious or abnormal traffic that could be indicative of a compromise.

9. Use a Standard Baseline: Implementing a uniform image with security already baked in and standardized applications affords the incident response team the ability to look at exploited machines and distinguish what is malicious from what is allowed. It also ensures that each machine on the network is at least at a certain level of security prior to further customization for a user’s needs. Within the DoDIN this can be satisfied through the Unified Master Gold Disk, maintained and distributed through DISA.

10. Centralize logging of all events: By pulling all of the system logs, such as Windows Event or Error logs, and any logs from security devices, such as SNORT or firewall rule hits, into a centralized location, the network admin and intrusion response team would be able to more efficiently detect and understand the tools, tactics, and procedures of the adversary. Using this information then increases the responder’s ability to effectively corner and expel the adversary.

11. Data-at-Rest and Data-in-Transit Encryption: Implementing encryption for both data at rest and data in transit ensures that what is meant to be kept private stays private, whether it is stored on a disk or moving across a network. It means that exfiltration and espionage attempts can be thwarted since a threat actor cannot access the information.