Number: AL23-010
Date: July 25, 2023
Audience
This Alert is intended for IT professionals and managers.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
Details
The Communications Security Establishment (CSE) and its Canadian Centre for Cyber Security (Cyber Centre) are aware of incidents where victims were infected with ALPHV/BlackCat ransomware. As of July 24, 2023, incidents involving ALPHV/BlackCat have impacted multiple sectors within Canada and globally.
The Cyber Centre assesses that ALPHV/BlackCat is almost certainly financially motivated and has shown no pattern of victimization that suggests deliberate targeting. The Cyber Centre assesses that ALPHV/BlackCat and its affiliates very likely select their victims based on opportunity. ALPHV/BlackCat is responsible for a significant share of the attributed Canadian ransomware incidents that the Cyber Centre is aware of between January 2022 and June 2023. ALPHV/BlackCat has presented a threat to Canadian organizations since at least January 2022 and will very likely continue to threaten Canadian and international organizations into the latter half of 2023.
In 2023, BlackBerry published an article detailing the BlackCat malware.Footnote 1 The report states that “BlackCat has most often targeted companies in the financial, manufacturing, legal, and professional services industries — but BlackCat’s exploits span all industries,” and that its campaigns “often employ a triple-extortion tactic: making individual ransom demands for the decryption of infected files; for not publishing stolen data; and for not launching denial of service (DoS) attacks.”
The Cyber Centre continues to monitor activities impacting Canadian ransomware victims and will provide further technical indicators, along with advice and guidance, as they become available. The Cyber Centre is providing the following TTPs and attached IoCs, related to activity recently reported to the Cyber Centre, to give network defenders techniques to better protect themselves. All government and non-government partners are also encouraged to use cyber security best practices to protect their environments.Footnote 2
Tactics, techniques, and procedures (TTP)
The following MITRE ATT&CK techniques leveraged by the actorsFootnote 3 were reported to the Cyber Centre or referenced in open-source reporting. They are provided to outline the reported activity. MITRE provides detection and mitigation strategies for system operators to better protect their network systems. These resources are available in the references section of this Alert.
Initial access
Threat actors have reportedly been using multiple forms of social engineering to gain access to user credentials. This has included phishing emails and SMS messages with links to target-themed credential phishing pages, as well as phone calls to users to harvest their credentials.Footnote 4
- T1586 – Compromise Accounts
- T1566 – Phishing
Threat actors have also reportedly been bypassing MFA by various means, including MFA fatigue and social engineering.Footnote 4
- T1111 - Multi-Factor Authentication Interception
Privilege escalation
Threat actors have reportedly been leveraging compromised credentials to conduct additional credential theft and escalate privileges.Footnote 4 Threat actors have also reportedly compromised privileged accounts as part of initial access.
- TA0004 – Privilege Escalation
Command and control (C2)
Following initial compromise, threat actors have reportedly been using various remote monitoring and management tools to maintain persistence; many of these are commercial products, chosen to avoid detection.Footnote 4
- T1219 – Remote Access Software
Scanning
Following initial compromise, threat actors have reportedly been leveraging various tools to scan for RDP- and SMB-enabled devices on the network.Footnote 5
- T1135 – Network Share Discovery
- T1046 – Network Service Discovery
Persistence
Threat actors have reportedly been adding their own MFA tokens to existing user accounts. This allows the threat actor to maintain persistence while avoiding detection.Footnote 4
- T1098.005 - Account Manipulation: Device Registration
Threat actors have also reportedly been adding federated domains to Azure AD to maintain persistence.
- T1484.002 – Domain Policy Modification: Domain Trust Modification
Threat actors have also reportedly been using scheduled tasks to maintain persistence.Footnote 5
- T1053.005 – Scheduled Task/Job: Scheduled Task
Threat actors have also reportedly been using various remote monitoring and management tools to maintain persistence; many of these are commercial products, chosen to avoid detection.Footnote 4
- T1219 – Remote Access Software
Threat actors have also reportedly been abusing continuous configuration management software such as Ansible to maintain persistence. These tools are abused to automatically re-infect newly built systems.
- T1525 - Implant Internal Image
Movement within network
To move laterally within the network, threat actors have reportedly been leveraging software deployment tools such as Microsoft Intune and WSUS.
- T1072 - Software Deployment Tools
Threat actors have also reportedly been using RDP connections to perform further credential theft via LSASS dumping.Footnote 6
- T1021.001 - Remote Services: Remote Desktop Protocol
Recovery prevention and obstruction
To prevent and obstruct recovery efforts, threat actors have reportedly been deleting virtual machine backups and snapshots. Threat actors have also reportedly been deleting Windows shadow copies during the encryption process.Footnote 1
- T1490 – Inhibit System Recovery
Suggested actions
The Cyber Centre recommends organizations:
- Review the attached indicators of compromise and the TTPs above to determine if related activity has occurred. If activity has been detected and a compromise has occurred:
  - Reimage compromised systems.
  - Reset all potentially compromised credentials.
- Review the MITRE ATT&CK techniques and mitigationsFootnote 3 to assist in reducing potential threat surfaces.
In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security ActionsFootnote 2 with an emphasis on the following topics.
- Phishing Awareness. This includes both the identification of phishing and procedures for what to do if a phishing email is received.
  - The Cyber Centre has several publications available on phishing awareness.Footnote 7 Footnote 8 Footnote 9
- Phishing Technical Controls.
- Multi-factor Authentication.
  - Favour hard tokens for sensitive or critical systems or accounts.
- Enforcing the Management of Administrative Privileges.
  - Minimize the number of administrators and privileged roles.
  - Conduct administrative activities on managed, hardened and dedicated devices with restricted access to email, web browsing and outside connectivity.
  - Enable two-person integrity when resetting administrative accounts to minimize successful social engineering.
- Remote Access Management and Controls.
- Network segmentation and demilitarized zones (DMZs).
  - Configure firewalls to selectively control and monitor traffic passed between zones.
- Software Management and Deployment Controls.
- Business continuity planning that is tested and validated.
- Review the Cyber Centre’s Playbook on Ransomware (ITSM.00.099) and apply the recommended security controls.Footnote 10
If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.
Indicators of compromise
The Cyber Centre is releasing the following indicators of compromise (IoCs) associated with ALPHV/BlackCat activity. The Cyber Centre wishes to highlight that some of the provided network indicators may be used for legitimate purposes. The presence of connections to these network indicators does not necessarily imply that a system has been compromised, but it does merit further investigation to verify the system’s integrity.
Additionally, as these indicators may contain legitimate infrastructure or software, it is important to verify business services and network environments before implementing any blocks based on these indicators.
Indicator | Type | Notes |
---|---|---|
fleetdeck_agent_svc.exe | filename | FLEETDECK |
njmatio0.fdx.cmd | filename | TA Scripts (njmatio0) |
privacy.sexy | filename | TA Scripts (Disable MDE) |
run-{B9184FF9-B695-4605-B649-BF3A488E9BF5}-v3854.exe | filename | ALPHV |
run-{B9184FF9-B695-4605-B649-BF3A488E9BF5}-v3857.exe | filename | ALPHV |
[REDACTED]_non_employee_pcs__onprem__azure__aws__mk2_locker_windows32 (1).zip | filename | ALPHV |
[REDACTED]_non_employee_pcs__onprem__azure__aws__mk2_locker_windows32(1).zip | filename | ALPHV |
[REDACTED]_non_employee_pcs__onprem__azure__aws__mk2_locker_windows32.zip | filename | ALPHV |
WhenTheyCry0.ps1 | filename | TA Scripts (WhenTheyCry0.ps1) |
Win - [REDACTED] - Dynamically Set Time Zone | filename | Malicious Intune Scripts |
Win10 - CloudPC - Teams WebRTC Plugin | filename | Malicious Intune Scripts |
Win - [REDACTED] - Zscaler Remediation v4 | filename | Malicious Intune Scripts |
Win10 - WKSConfig - Add [REDACTED]Admin10 | filename | Malicious Intune Scripts |
WindowsDefenderATPOffboardingScript_valid_until_2023-07-23.cmd | filename | TA Scripts (Disable MDE) |
WindowsDefenderATPOffboardingScript_valid_until_2023-07-24.cmd | filename | TA Scripts (Disable MDE) |
C:\ATP.cmd | filepath | TA Scripts (Disable MDE) |
C:\forti.exe | filepath | FLEETDECK |
C:\fortis.exe | filepath | ALPHV |
C:\fortiss.bat | filepath | TA Scripts (Disable MDE) |
C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe | filepath | FLEETDECK |
C:\Users\Arssvc\downloads\24hours.exe | filepath | TA Executables (24hours.exe); TA created user ARSSCV |
C:\Users\[REDACTED]\AppData\Local\VirtualStore\Program Files (x86)\FleetDeck Agent\credentials.json | filepath | FLEETDECK |
C:\Users\[REDACTED]\AppData\Local\VirtualStore\Program Files (x86)\FleetDeck Agent\deployment.json | filepath | FLEETDECK |
C:\Users\[REDACTED]\AppData\Local\VirtualStore\Program Files (x86)\FleetDeck Agent\latest.json | filepath | FLEETDECK |
C:\Users\[REDACTED]\AppData\Local\VirtualStore\Program Files (x86)\FleetDeck Agent\z7RvqxPCGUS2jCWMFVomadRMQD6C.txt | filepath | FLEETDECK |
C:\Users\[REDACTED]\Downloads\FFjEqOaD6jGqN9upnK00kAbxWNH2FFXYuW.exe | filepath | ALPHV |
C:\Windows\System32\Tasks\privacy.sexy | filepath | TA Scripts (Disable MDE) |
C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.15\Downloads\script0.ps1 | filepath | [nil] |
C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.15\Downloads\ygkmZF5i4UtMWqDE6V3J.txt | filepath | [nil] |
C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.15\JN3x4VqhB81TOXBUl0JRfERIWjoCs.txt | filepath | [nil] |
C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.15\bin\g2dF1nbbDK3vpS9A4AxMNvIzQeqZx.txt | filepath | [nil] |
C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.15\RuntimeSettings\sCgJDQc9XLmMC0TYUnemYl.txt | filepath | [nil] |
C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.15\Downloads\UyRsql4uhjaYT5Lm2wM.txt | filepath | [nil] |
C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.15\Status\3XjHpEDkYDxh7GzUuVhwN7k6xCjKCU.txt | filepath | [nil] |
C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.15\Status\aatftpKN1N46jZeJTPV.txt | filepath | [nil] |
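As an added example that is not part of the Alert, the following PowerShell hunt checks a single Windows host for the file-based indicators, the FleetDeck RMM service and the scheduled-task persistence (T1053.005) described above. The function name, the -ExtraPaths parameter and the Defender for Endpoint OnboardingState registry check are assumptions not taken from the Alert; every other path and filename is copied from the IoC table.

```powershell
# Added host hunt for the file-based indicators in AL23-010 (not the Alert's own tooling).
# Run in an elevated session; review every finding, since FleetDeck and the Azure
# Run Command plugin directory can be legitimate in a given environment.
function Invoke-AL23010HostHunt {
    param([string[]]$ExtraPaths = @())   # hypothetical: site-specific paths to add
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Kind, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
    }
    # Fixed paths copied from the Alert's IoC table.
    $fixed = @('C:\ATP.cmd', 'C:\forti.exe', 'C:\fortis.exe', 'C:\fortiss.bat',
               'C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe',
               'C:\Windows\System32\Tasks\privacy.sexy') + $ExtraPaths
    foreach ($p in $fixed) { if (Test-Path -LiteralPath $p) { Add-Finding 'FixedPath' $p } }
    # Filenames from the table whose directory varies (user profiles, Run Command plugin).
    $names = @('fleetdeck_agent_svc.exe', 'njmatio0.fdx.cmd', 'privacy.sexy', 'WhenTheyCry0.ps1',
               '24hours.exe', 'WindowsDefenderATPOffboardingScript_valid_until_*.cmd',
               'run-{B9184FF9-B695-4605-B649-BF3A488E9BF5}-v*.exe')
    $roots = @('C:\Users', 'C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows') |
             Where-Object { Test-Path -LiteralPath $_ }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -File -Include $names -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding 'FileName' $_.FullName }
    }
    # FleetDeck agent state written under a user's VirtualStore, as listed in the table.
    Get-Item -Path 'C:\Users\*\AppData\Local\VirtualStore\Program Files (x86)\FleetDeck Agent' `
             -ErrorAction SilentlyContinue | ForEach-Object { Add-Finding 'FleetDeckVirtualStore' $_.FullName }
    # T1219: the FleetDeck RMM service; flag it unless it is sanctioned in your environment.
    Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*fleetdeck*' -or $_.DisplayName -like '*FleetDeck*' } |
        ForEach-Object { Add-Finding 'Service' "$($_.Name) ($($_.Status))" }
    # T1053.005: scheduled tasks whose actions reference the scripts named in the table.
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match 'privacy\.sexy|WhenTheyCry0|njmatio0|fleetdeck|ATP\.cmd|fortis{0,2}\.') {
                Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName): $cmd"
            }
        }
    }
    # The table lists MDE offboarding scripts. OnboardingState is the documented Defender for
    # Endpoint status value (assumption: not from the Alert); anything other than 1 means offboarded.
    $st = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
                           -ErrorAction SilentlyContinue
    if ($st -and $st.OnboardingState -ne 1) { Add-Finding 'MDEOffboarded' "OnboardingState=$($st.OnboardingState)" }
    return $findings
}
Invoke-AL23010HostHunt | Format-Table -AutoSize
```

A hit on the Run Command plugin directory or the FleetDeck service is a lead, not a verdict: confirm against change records before reimaging, as the Alert's own caveat about legitimate software advises.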
MITRE ATT&CK techniques
- ID: T1586.002 – Compromise Accounts: Email Accounts
- ID: T1586 – Compromise Accounts
- ID: T1566 – Phishing
- ID: T1111 - Multi-Factor Authentication Interception
- ID: TA0004 – Privilege Escalation
- ID: T1219 – Remote Access Software
- ID: T1135 – Network Share Discovery
- ID: T1046 – Network Service Discovery
- ID: T1098.005 - Account Manipulation: Device Registration
- ID: T1484.002 – Domain Policy Modification: Domain Trust Modification
- ID: T1053.005 – Scheduled Task/Job: Scheduled Task
- ID: T1525 - Implant Internal Image
- ID: T1072 - Software Deployment Tools
- ID: T1021.001 - Remote Services: Remote Desktop Protocol
- ID: T1490 – Inhibit System Recovery