CISA, FBI update IOCs, TTPs, detection methods associated with AvosLocker ransomware variant

U.S. security agencies published Wednesday a joint cybersecurity advisory (CSA) that disseminates known IOCs (indicators of compromise), TTPs (tactics, techniques, and procedures), and detection methods associated with the AvosLocker ransomware variant identified through Federal Bureau of Investigation (FBI) investigations as recently as May this year. The latest guidance updates a March 2022 advisory on the AvosLocker ransomware by including IOCs and TTPs not previously included, and a YARA rule FBI developed after analyzing a tool associated with an AvosLocker compromise.

Operating under a ransomware-as-a-service (RaaS) model, AvosLocker affiliates have compromised organizations across multiple critical infrastructure sectors in the U.S., affecting Windows, Linux, and VMware ESXi environments, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said in the latest advisory. These ransomware affiliates compromise organizations’ networks by using legitimate software and open-source remote system administration tools. AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data.

The advisory detailed that AvosLocker ransomware affiliates use legitimate software and open-source tools during ransomware operations, which include exfiltration-based data extortion. Specifically, affiliates use remote system administration tools like Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, and Atera Agent, as backdoor access vectors; and scripts to execute legitimate native Windows tools, such as PsExec and Nltest.

They were also found to adopt open-source networking tunneling tools such as Ligolo and Chisel; Cobalt Strike and Sliver for command and control (C2); Lazagne and Mimikatz for harvesting credentials; FileZilla and Rclone for data exfiltration; and Notepad++, RDP Scanner, and 7zip.

The FBI has also observed AvosLocker affiliates use custom PowerShell and batch ([dot]bat) scripts for lateral movement, privilege escalation, and disabling antivirus software. The agency also revealed that they upload and use custom webshells to enable network access.

Based on an investigation by an advanced digital forensics group, the advisory said that the FBI created a YARA rule (reproduced in the advisory) to detect the signature of a file identified as enabling malware. “NetMonitor[dot]exe is a malware masquerading as a legitimate process and has the appearance of a legitimate network monitoring tool. This persistence tool sends pings from the network every five minutes.”

The NetMonitor executable is configured to use an IP address as its command server, and the program communicates with the server over port 443. During the attack, traffic between NetMonitor and the command server is encrypted, where NetMonitor functions like a reverse proxy and allows hackers to connect to the tool from outside the victim’s network.
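The fixed five-minute check-in described above is a detectable trait regardless of what the tool is named. As an added example (not code from the advisory or the FBI), the following Python script flags destinations that a host contacts at a near-constant interval in a connection log; the log format, the addresses, and the thresholds are assumptions constructed for illustration.

```python
"""Flag fixed-interval beaconing (e.g. a check-in every ~300 seconds over
port 443) in a simple connection log. Added example; all data is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line: "timestamp src dst dst_port".
# 203.0.113.7 is contacted every ~5 minutes; 198.51.100.20 is irregular noise.
SAMPLE_LOG = """\
2023-05-01T10:00:02 10.0.0.15 203.0.113.7 443
2023-05-01T10:00:40 10.0.0.15 198.51.100.20 443
2023-05-01T10:05:01 10.0.0.15 203.0.113.7 443
2023-05-01T10:07:13 10.0.0.15 198.51.100.20 443
2023-05-01T10:10:03 10.0.0.15 203.0.113.7 443
2023-05-01T10:11:50 10.0.0.15 198.51.100.20 443
2023-05-01T10:15:02 10.0.0.15 203.0.113.7 443
2023-05-01T10:20:01 10.0.0.15 203.0.113.7 443
2023-05-01T10:25:03 10.0.0.15 203.0.113.7 443
2023-05-01T10:30:02 10.0.0.15 203.0.113.7 443
"""

def parse_log(text):
    """Group connection timestamps by (src, dst, dst_port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(text, min_conns=5, max_jitter=0.1):
    """Return (flow, mean gap in seconds, connection count) for flows whose
    inter-connection gaps vary by at most max_jitter (stddev / mean).
    Flows with fewer than min_conns connections are ignored."""
    hits = []
    for key, times in parse_log(text).items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((key, round(avg), len(times)))
    return hits

if __name__ == "__main__":
    for (src, dst, port), interval, n in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port} every ~{interval}s ({n} connections)")
```

Real logs need the jitter and count thresholds tuned, and legitimate software (update checks, monitoring agents) also beacons, so hits are leads for triage rather than verdicts.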

The FBI and CISA have issued a set of mitigation actions, strongly advising critical infrastructure organizations and network defenders to implement these measures. These actions are designed to diminish the likelihood and mitigate the impact of AvosLocker ransomware and other ransomware incidents. The agencies also recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices to limit the impact of ransomware techniques, thus strengthening the security posture of their customers.

The mitigation measures align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). These CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs.

The security agencies called upon critical infrastructure organizations and network defenders to secure remote access tools by implementing application controls to manage and control the execution of software, including allowlisting remote access programs. They also recommended strictly limiting the use of RDP and other remote desktop services; disabling command-line and scripting activities and permissions; and restricting the use of PowerShell through Group Policy, granting access only to specific users on a case-by-case basis.

The advisory also recommends disabling file and printer sharing services; implementing a recovery plan; maintaining offline backups of data; requiring phishing-resistant multi-factor authentication for all services to the extent possible; and keeping all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure, prioritizing known exploited vulnerabilities in internet-facing systems.

The advisory also pointed to the need to adopt network segmentation to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between, and access to, various subnetworks, restricting further lateral movement. It also suggests identifying, detecting, and investigating abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.

In addition to applying mitigations, the FBI and CISA recommend exercising, testing, and validating the organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI and CISA recommend testing existing security controls inventory to assess how they perform against the ATT&CK techniques.

Last week, the National Security Agency (NSA) and CISA published a joint CSA highlighting the most common cybersecurity misconfigurations in large organizations. The advisory details the TTPs hackers use to exploit these misconfigurations. It also calls upon network defenders and software manufacturers to take appropriate action and reduce the risk of malicious actors exploiting the identified misconfigurations.
