US-CERT- AA21-200B: Chinese State-Sponsored Cyber Operations: Observed TTPs

Started by Netwörkheäd, August 21, 2021, 06:02:29 AM


Netwörkheäd

AA21-200B: Chinese State-Sponsored Cyber Operations: Observed TTPs

Original release date: July 19, 2021 | Last revised: August 20, 2021

Summary

This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9, and MITRE D3FEND™ framework, version 0.9.2-BETA-3. See ATT&CK for Enterprise (https://attack.mitre.org/versions/v8/techniques/enterprise/) for all referenced threat actor tactics and techniques and the D3FEND framework (https://d3fend.mitre.org/) for referenced defensive tactics and techniques.



The National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) assess that People's Republic of China state-sponsored malicious cyber activity is a major threat to U.S. and Allied cyberspace assets. Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII). Some target sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions. These cyber operations support China's long-term economic and military development objectives.



This Joint Cybersecurity Advisory (CSA) provides information on tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors. This advisory builds on previous NSA, CISA, and FBI reporting to inform federal, state, local, tribal, and territorial (SLTT) government, CI, DIB, and private industry organizations about notable trends and persistent TTPs through collaborative, proactive, and retrospective analysis.



To increase the defensive posture of their critical networks and reduce the risk of Chinese malicious cyber activity, NSA, CISA, and FBI urge government, CI, DIB, and private industry organizations to apply the recommendations listed in the Mitigations section of this advisory and in Appendix A: Chinese State-sponsored Cyber Actors' Observed Procedures. Note: NSA, CISA, and FBI encourage organization leaders to review CISA Joint Insights: Chinese Malicious Cyber Activity: Threat Overview for Leaders (https://www.cisa.gov/publication/chinese-cyber-threat-overview-and-actions-leaders) for information on this threat to their organization.



A PDF version of this report is available at https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF


Technical Details

Trends in Chinese State-Sponsored Cyber Operations



NSA, CISA, and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S. political, economic, military, educational, and CI personnel and organizations. NSA, CISA, and FBI have identified the following trends in Chinese state-sponsored malicious cyber operations through proactive and retrospective analysis:

  • Acquisition of Infrastructure and Capabilities. Chinese state-sponsored cyber actors remain agile and cognizant of the information security community's practices. These actors make an effort to mask their activities by using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration tools.
  • Exploitation of Public Vulnerabilities. Chinese state-sponsored cyber actors consistently scan target networks for critical and high vulnerabilities within days of the vulnerability's public disclosure. In many cases, these cyber actors seek to exploit vulnerabilities in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. For information on Common Vulnerabilities and Exposures (CVE) known to be exploited by malicious Chinese state-sponsored cyber actors, see:
  • Encrypted Multi-Hop Proxies. Chinese state-sponsored cyber actors have been routinely observed using a VPS as an encrypted proxy. The cyber actors use the VPS as well as small office and home office (SOHO) devices as operational nodes to evade detection.


       



Observed Tactics and Techniques



Chinese state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest worldwide and to acquire sensitive intellectual property, economic, political, and military information. Appendix B: MITRE ATT&CK Framework lists the tactics and techniques used by Chinese state-sponsored cyber actors. A downloadable JSON file (https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps) is also available on the NSA Cybersecurity GitHub page (https://github.com/nsacyber).



Refer to Appendix A: Chinese State-Sponsored Cyber Actors' Observed Procedures for information on procedures affiliated with these tactics and techniques as well as applicable mitigations.



[Figure 1 image: https://us-cert.cisa.gov/sites/default/files/Example_of_tactics_and_techniques.png]

Figure 1: Example of tactics and techniques used in various cyber operations.



 



Mitigations



NSA, CISA, and FBI urge federal and SLTT government, CI, DIB, and private industry organizations to apply the following recommendations as well as the detection and mitigation recommendations in Appendix A, which are tailored to observed tactics and techniques:

  • Patch systems and equipment promptly and diligently. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment and CVEs known to be exploited by Chinese state-sponsored cyber actors. Consider implementing a patch management program that enables a timely and thorough patching cycle.
    Note: for more information on CVEs routinely exploited by Chinese state-sponsored cyber actors, refer to the resources listed in the Trends in Chinese State-Sponsored Cyber Operations section.
  • Enhance monitoring of network traffic, email, and endpoint systems. Review network signatures and indicators for focused activities, monitor for new phishing themes, and adjust email rules accordingly. Follow the best practices of restricting attachments via email and blocking URLs and domains based upon reputation. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse. Monitor common ports and protocols for command and control (C2) activity. SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. Implement and enhance network and endpoint event analysis and detection capabilities to identify initial infections, compromised credentials, and the manipulation of endpoint processes and files.
  • Use protection capabilities to stop malicious activity. Implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use a network intrusion detection and prevention system to identify and prevent commonly employed adversarial malware and limit nefarious data transfers. Use a domain reputation service to detect suspicious or malicious domains. Use strong credentials for service accounts and multi-factor authentication (MFA) for remote access to mitigate an adversary's ability to leverage stolen credentials, but be aware of MFA interception techniques for some MFA implementations.



Resources



Refer to https://us-cert.cisa.gov/china, https://www.ic3.gov/Home/IndustryAlerts, and https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/ for previous reporting on Chinese state-sponsored malicious cyber activity.



Disclaimer of Endorsement



The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.



Purpose



This document was developed by NSA, CISA, and FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp/.



Trademark Recognition



MITRE and ATT&CK are registered trademarks of The MITRE Corporation. • D3FEND is a trademark of The MITRE Corporation. • Microsoft, Microsoft Exchange, Office 365, Microsoft Office, OneDrive, Outlook, OWA, PowerShell, Windows Defender, and Windows are registered trademarks of Microsoft Corporation. • Pulse Secure is a registered trademark of Pulse Secure, LLC. • Apache is a registered trademark of Apache Software Foundation. • F5 and BIG-IP are registered trademarks of F5 Networks. • Cobalt Strike is a registered trademark of Strategic Cyber LLC. • GitHub is a registered trademark of GitHub, Inc. • JavaScript is a registered trademark of Oracle Corporation. • Python is a registered trademark of Python Software Foundation. • Unix is a registered trademark of The Open Group. • Linux is a registered trademark of Linus Torvalds. • Dropbox is a registered trademark of Dropbox, Inc.



APPENDIX A: Chinese State-Sponsored Cyber Actors' Observed Procedures



Note: D3FEND techniques are based on the Threat Actor Procedure(s) and may not match automated mappings to ATT&CK techniques and sub-techniques.



Tactics: Reconnaissance [TA0043] (https://attack.mitre.org/versions/v9/tactics/TA0043)



Table 1: Chinese state-sponsored cyber actors' Reconnaissance TTPs with detection and mitigation recommendations

Columns: Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques

Threat Actor Technique / Sub-Techniques: Active Scanning [T1595] (https://attack.mitre.org/versions/v9/techniques/T1595); Gather Victim Network Information [T1590] (https://attack.mitre.org/versions/v9/techniques/T1590)

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been assessed to perform reconnaissance on Microsoft® 365 (M365), formerly Office® 365, resources with the intent of gaining further information about the networks. These scans can be automated, through Python® scripts, to locate certain files, paths, or vulnerabilities. The cyber actors can gain valuable information on the victim network, such as the allocated resources, an organization's fully qualified domain name, IP address space, and open ports to target or exploit.

Detection and Mitigation Recommendations: Minimize the amount and sensitivity of data available to external parties, for example:

  • Scrub user email addresses and contact lists from public websites, which can be used for social engineering,
  • Share only necessary data and information with third parties, and
  • Monitor and limit third-party access to the network.

Active scanning from cyber actors may be identified by monitoring network traffic for sources associated with botnets, adversaries, and known bad IPs based on threat intelligence.

Defensive Tactics and Techniques:

  • Detect: Network Traffic Analysis
  • Isolate: Network Isolation
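The detection recommendation above (monitor network traffic for known bad sources) can be combined with the scan behaviour itself, since a source that touches many ports on one host, or one port across many hosts, inside a short window is scanning whether or not it is already on a feed. The following is an added example, not code from the advisory: the threat-intelligence networks, the thresholds and the connection records are constructed, and the `ISO-timestamp src dst dport` line format is an assumption standing in for whatever your sensor emits.

```python
"""Flag active scanning in connection logs: threat-intel matches plus vertical and
horizontal scan patterns. Added example, not from the advisory; the feed, thresholds
and log lines are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed threat-intelligence feed (documentation ranges), standing in for a TI platform export.
THREAT_INTEL_NETS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_conn_line(line):
    """Parse one constructed 'ISO-timestamp src dst dport' connection record."""
    ts, src, dst, dport = line.split()
    return Conn(datetime.fromisoformat(ts), src, dst, int(dport))


def in_threat_intel(src):
    addr = ip_address(src)
    return any(addr in net for net in THREAT_INTEL_NETS)


def detect_scanning(lines, window=timedelta(minutes=5), port_threshold=10, host_threshold=10):
    """Return sorted (source, reason) findings.

    vertical port scan  - one source touches >= port_threshold distinct ports on one host within `window`
    horizontal sweep    - one source touches >= host_threshold distinct hosts on one port within `window`
    threat-intel match  - source falls inside a watchlisted network
    """
    by_src = defaultdict(list)
    for conn in sorted((parse_conn_line(line) for line in lines), key=lambda c: c.ts):
        by_src[conn.src].append(conn)

    findings = set()
    for src, conns in by_src.items():
        if in_threat_intel(src):
            findings.add((src, "threat-intel match"))
        start = 0
        for end, conn in enumerate(conns):
            while conns[start].ts < conn.ts - window:   # slide the window forward
                start += 1
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for c in conns[start:end + 1]:
                ports_per_host[c.dst].add(c.dport)
                hosts_per_port[c.dport].add(c.dst)
            if any(len(p) >= port_threshold for p in ports_per_host.values()):
                findings.add((src, "vertical port scan"))
            if any(len(h) >= host_threshold for h in hosts_per_port.values()):
                findings.add((src, "horizontal sweep"))
    return sorted(findings)


def constructed_log():
    """Constructed sample: one vertical scanner (also on the TI feed), one sweeper, one benign client."""
    base = datetime(2021, 7, 19, 12, 0, 0)
    lines = []
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.5 10.0.0.1 {8000 + i}")
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=30 + i)).isoformat()} 192.0.2.9 10.0.0.{i + 1} 443")
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} 192.0.2.50 10.0.0.1 443")
    return lines


if __name__ == "__main__":
    for src, reason in detect_scanning(constructed_log()):
        print(f"{src:15} {reason}")
```

The sliding window is per source, so a slow scanner that spreads its probes over hours needs a larger `window` or a lower threshold; tune both against your own baseline before alerting on them.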



         

 


         


Tactics: Resource Development [TA0042] (https://attack.mitre.org/versions/v9/tactics/TA0042)



Table II: Chinese state-sponsored cyber actors' Resource Development TTPs with detection and mitigation recommendations

Columns: Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques

Threat Actor Technique / Sub-Techniques: Acquire Infrastructure [T1583] (https://attack.mitre.org/versions/v9/techniques/T1583)

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using VPSs from cloud service providers that are physically distributed around the world to host malware and function as C2 nodes.

Detection and Mitigation Recommendations: Adversary activities occurring outside the organization's boundary of control and view make mitigation difficult. Organizations can monitor for unexpected network traffic and data flows to and from VPSs and correlate other suspicious activity that may indicate an active threat.

Defensive Tactics and Techniques: N/A

Threat Actor Technique / Sub-Techniques: Stage Capabilities [T1608] (https://attack.mitre.org/versions/v9/techniques/T1608); Obtain Capabilities [T1588] (https://attack.mitre.org/versions/v9/techniques/T1588)

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed using Cobalt Strike® and tools from GitHub® on victim networks.

Detection and Mitigation Recommendations: Organizations may be able to identify malicious use of Cobalt Strike by:

  • Examining network traffic using Transport Layer Security (TLS) inspection to identify Cobalt Strike. Look for human-generated versus machine-generated traffic; machine-generated traffic will be more uniformly distributed.
  • Looking for the default Cobalt Strike TLS certificate.
  • Looking at the user agent that generates the TLS traffic for discrepancies that may indicate faked and malicious traffic.
  • Reviewing the traffic destination domain, which may be malicious and an indicator of compromise.
  • Looking at the packet's HTTP host header. If it does not match the destination domain, it may indicate a fake Cobalt Strike header and profile.
  • Checking the Uniform Resource Identifier (URI) of the flow to see if it matches one associated with Cobalt Strike's malleable C2 language. If discovered, additional recovery and investigation will be required.

Defensive Tactics and Techniques: N/A
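The six checks listed above map directly onto fields a TLS-inspecting proxy or NetFlow/HTTP sensor already records, so they can be expressed as one scoring function over flow metadata. The block below is an added example, not code from the advisory or from Cobalt Strike's vendor: the certificate-subject watchlist, the URI patterns, the managed user-agent list and the two sample flows are constructed placeholders, and the "uniformly distributed" check is implemented as a low coefficient of variation over the inter-arrival times of a flow's connections.

```python
"""Apply the Cobalt Strike flow indicators above to TLS/HTTP metadata records.
Added example, not from the advisory; watchlists, allowlists and flows are constructed
placeholders to be replaced with the defender's own intelligence."""
import re
from statistics import mean, pstdev

CERT_SUBJECT_WATCHLIST = {"O=placeholder-default-cert"}                         # constructed placeholder
URI_WATCHLIST = [re.compile(r"^/[A-Za-z0-9]{4}$"), re.compile(r"^/beacon/")]    # constructed placeholders
MANAGED_USER_AGENTS = {"Mozilla/5.0 (Windows NT 10.0; Win64; x64) CorpBrowser/1.0"}  # constructed fleet UA


def beacon_regularity(timestamps, cv_threshold=0.1):
    """Return (coefficient of variation of inter-arrival gaps, is_regular).

    Human browsing is bursty; machine check-ins are spread evenly, so a low coefficient
    of variation is the 'uniformly distributed' traffic the advisory describes."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None, False
    cv = pstdev(gaps) / mean(gaps)
    return cv, cv < cv_threshold


def assess_flow(flow):
    """Return the names of the indicators that fire for one flow record."""
    hits = []
    if flow["host_header"].lower() != flow["dst_domain"].lower():
        hits.append("host header does not match destination domain")
    if flow["tls_subject"] in CERT_SUBJECT_WATCHLIST:
        hits.append("TLS certificate subject on watchlist")
    if flow["user_agent"] not in MANAGED_USER_AGENTS:
        hits.append("user agent not issued to the managed fleet")
    if any(p.match(flow["uri"]) for p in URI_WATCHLIST):
        hits.append("URI matches a watchlisted pattern")
    if beacon_regularity(flow["timestamps"])[1]:
        hits.append("evenly spaced check-ins")
    return hits


SAMPLE_FLOWS = [
    {   # constructed: every indicator fires
        "dst_domain": "cdn.example.net", "host_header": "update.example.org",
        "tls_subject": "O=placeholder-default-cert", "user_agent": "Mozilla/4.0 (compatible)",
        "uri": "/aB3d", "timestamps": [0, 60, 120, 180, 240, 300],
    },
    {   # constructed: ordinary browsing from a managed host
        "dst_domain": "www.example.com", "host_header": "www.example.com",
        "tls_subject": "CN=www.example.com",
        "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) CorpBrowser/1.0",
        "uri": "/index.html", "timestamps": [0, 3, 41, 42, 130],
    },
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow["dst_domain"], assess_flow(flow) or "no indicators")
```

Any single indicator can be a false positive (a CDN will legitimately serve a host header that differs from the SNI), so in practice the count of hits per flow, not any one of them, is what should drive the alert.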


Tactics: Initial Access [TA0001] (https://attack.mitre.org/versions/v9/tactics/TA0001/)



Table III: Chinese state-sponsored cyber actors' Initial Access TTPs with detection and mitigation recommendations

Columns: Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques

Threat Actor Technique / Sub-Techniques: Drive By Compromise [T1189] (https://attack.mitre.org/versions/v9/techniques/T1189)

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed gaining access to victim networks through watering hole campaigns of typo-squatted domains.

Detection and Mitigation Recommendations:

  • Ensure all browsers and plugins are kept up to date.
  • Use modern browsers with security features turned on.
  • Restrict the use of unneeded websites, block unneeded downloads/attachments, block unneeded JavaScript®, restrict browser extensions, etc.
  • Use adblockers to help prevent malicious code served through advertisements from executing.
  • Use script blocking extensions to help prevent the execution of unneeded JavaScript, which may be used during exploitation processes.
  • Use browser sandboxes or remote virtual environments to mitigate browser exploitation.
  • Use security applications that look for behavior used during exploitation, such as Windows Defender® Exploit Guard (WDEG).

Defensive Tactics and Techniques:

  • Detect:
  • Isolate:
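Because the procedure above (and the Phishing row further down) relies on typo-squatted look-alikes of domains the target already trusts, a defender can turn the organization's own domain list into a detection: any resolver query whose registrable domain is within a small edit distance of ours, or becomes ours once look-alike characters are folded, deserves a look. The block below is an added example, not from the advisory; the organization domains, the homoglyph table, the crude two-label registrable-domain rule and the DNS log lines are all constructed.

```python
"""Spot typo-squatted look-alikes of an organization's own domains in DNS query logs.
Added example, not from the advisory; the org domains, homoglyph table and log lines
are constructed."""

ORG_DOMAINS = ("example.com", "example-corp.com")   # constructed: the defender's own registrable domains

# Character substitutions that look alike at a glance (constructed, extend as needed).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def normalize(label):
    """Fold look-alike characters so 'exarnp1e' compares equal to 'example'."""
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(domain):
    """Crude registrable-domain extraction (last two labels); use the public suffix
    list in production so names such as 'example.co.uk' are handled."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def lookalike_of(domain, org_domains=ORG_DOMAINS, max_distance=2):
    """Return the org domain that `domain` imitates, or None if it is ours or unrelated."""
    candidate = registrable(domain)
    if candidate in org_domains:
        return None
    candidate_label = candidate.split(".")[0]
    for org in org_domains:
        org_label = org.split(".")[0]
        if normalize(candidate_label) == org_label or edit_distance(candidate_label, org_label) <= max_distance:
            return org
    return None


def scan_dns_log(lines):
    """lines: constructed 'ISO-timestamp client qname' records.
    Returns [(client, qname, imitated org domain)] for look-alike queries."""
    hits = []
    for line in lines:
        _, client, qname = line.split()
        imitated = lookalike_of(qname)
        if imitated:
            hits.append((client, qname.lower(), imitated))
    return hits


SAMPLE_DNS = [
    "2021-07-19T09:00:00 10.0.0.7 www.example.com",
    "2021-07-19T09:00:05 10.0.0.7 login.exarnple.com",   # 'rn' imitating 'm'
    "2021-07-19T09:01:10 10.0.0.9 portal.exmaple.com",   # transposed letters
    "2021-07-19T09:02:00 10.0.0.9 example.org",          # same label, different TLD
    "2021-07-19T09:03:00 10.0.0.12 docs.python.org",
]

if __name__ == "__main__":
    for client, qname, imitated in scan_dns_log(SAMPLE_DNS):
        print(f"{client} queried {qname}, which imitates {imitated}")
```

The same `lookalike_of` check applies to sender domains at the mail gateway, which is where the advisory's phishing guidance would use it.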



         
         

         

Threat Actor Technique / Sub-Techniques: Exploit Public-Facing Application [T1190] (https://attack.mitre.org/versions/v9/techniques/T1190)

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have exploited known vulnerabilities in Internet-facing systems [1] (https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html). For information on vulnerabilities known to be exploited by Chinese state-sponsored cyber actors, refer to the Trends in Chinese State-Sponsored Cyber Operations section for a list of resources.

Chinese state-sponsored cyber actors have also been observed:

  • Using short-term VPS devices to scan and exploit vulnerable Microsoft Exchange® Outlook Web Access (OWA®) and plant webshells.
  • Targeting on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments to gain access to cloud resources.
  • Deploying a public proof of concept (POC) exploit targeting a public-facing appliance vulnerability.

Detection and Mitigation Recommendations: Review previously published alerts and advisories from NSA, CISA, and FBI, and diligently patch vulnerable applications known to be exploited by cyber actors. Refer to the Trends in Chinese State-Sponsored Cyber Operations section for a non-inclusive list of resources.

Additional mitigations include:

  • Consider implementing Web Application Firewalls (WAF), which can prevent exploit traffic from reaching an application.
  • Segment externally facing servers and services from the rest of the network with a demilitarized zone (DMZ).
  • Use multi-factor authentication (MFA) with strong factors and require regular re-authentication.
  • Disable protocols using weak authentication.
  • Limit access to and between cloud resources with the desired state being a Zero Trust model. For more information refer to NSA Cybersecurity Information Sheet: Embracing a Zero Trust Security Model (https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF).
  • When possible, use cloud-based access controls on cloud resources (e.g., cloud service provider (CSP)-managed authentication between virtual machines).
  • Use automated tools to audit access logs for security concerns.
  • Where possible, enforce MFA for password resets.
  • Do not include Application Programming Interface (API) keys in software version control systems where they can be unintentionally leaked.

Defensive Tactics and Techniques:

  • Harden:
  • Detect:
  • Isolate:
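The last mitigation above, keeping API keys out of version control, is easiest to enforce mechanically at commit time, before the key ever reaches a shared repository. The block below is an added example, not code from the advisory: it scans only the added lines of a unified diff for known key formats and, failing that, for long high-entropy tokens. The pattern list and the sample diff are constructed, except that `AKIA` is the well-known prefix of an AWS access key id; the other key values are placeholders.

```python
"""Pre-commit style check that keeps API keys out of version control.
Added example, not from the advisory; the key patterns and the diff are constructed,
except that AKIA is the well-known prefix of an AWS access key id."""
import math
import re
from collections import Counter

KEY_PATTERNS = [
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic api key assignment",
     re.compile(r"(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})")),
]


def shannon_entropy(s):
    """Bits of entropy per character; random-looking tokens score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def find_secrets(diff_text, entropy_threshold=3.5):
    """Scan only the added lines of a unified diff (lines starting with '+', excluding
    the '+++' file header). Returns [(diff line number, reason, matched token)]."""
    findings = []
    for number, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for name, pattern in KEY_PATTERNS:
            match = pattern.search(body)
            if match:
                findings.append((number, name, match.group(match.lastindex or 0)))
                break
        else:
            # No known format matched: fall back to long, high-entropy tokens.
            for token in re.findall(r"[A-Za-z0-9+/=_\-]{32,}", body):
                if shannon_entropy(token) >= entropy_threshold:
                    findings.append((number, "high-entropy string", token))
    return findings


# Constructed diff: two recognizable key formats, one harmless string, one random-looking blob.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,2 +1,6 @@
 DEBUG = False
+AWS_KEY = "AKIAEXAMPLEKEY000001"
+API_KEY = "sk_live_placeholder_0123456789abcdefghij"
+GREETING = "hello world, nothing secret here"
+BLOB = "x9Qv2LmZ8pR4tK7wB1nY5cJ3hF6dS0aE"
"""

if __name__ == "__main__":
    for number, reason, token in find_secrets(SAMPLE_DIFF):
        print(f"line {number}: {reason}: {token[:8]}...")
```

Wire `find_secrets` into a pre-commit hook fed by `git diff --cached` and fail the commit on any finding; the entropy fallback catches formats the pattern list does not know, at the cost of occasionally flagging legitimate hashes or base64 test data.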



         
         

         

Threat Actor Technique / Sub-Techniques: Phishing [T1566] (https://attack.mitre.org/versions/v9/techniques/T1566)

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns. These email compromise attempts range from generic, mass-targeted phishing emails to specifically crafted emails used as targeted social engineering lures.

These compromise attempts use the cyber actors' dynamic collection of VPSs, previously compromised accounts, or other infrastructure to encourage engagement from the target audience through domain typo-squatting and masquerading. These emails may contain a malicious link or files that will provide the cyber actor access to the victim's device after the user clicks on the malicious link or opens the attachment.

Detection and Mitigation Recommendations:

  • Implement a user training program and simulated spearphishing emails to discourage users from visiting malicious websites or opening malicious attachments and reinforce the appropriate user responses to spearphishing emails. Quarantine suspicious files with antivirus solutions.
  • Use a network intrusion prevention system (IPS) to scan and remove malicious email attachments.
  • Block uncommon file types in emails that are not needed by general users (.exe, .jar, .vbs).
  • Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using Sender Policy Framework [SPF]) and integrity of messages (using Domain Keys Identified Mail [DKIM]). Enabling these mechanisms within an organization (through policies such as Domain-based Message Authentication, Reporting, and Conformance [DMARC]) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.
  • Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
  • Prevent users from clicking on malicious links by stripping hyperlinks or implementing "URL defanging" at the Email Security Gateway or other email security tools.
  • Add external sender banners to emails to alert users that the email came from an external sender.

Defensive Tactics and Techniques:

  • Harden:
  • Detect:
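The SPF/DKIM/DMARC recommendation above only protects a domain if the published records are strict: an SPF record ending in `?all` or a DMARC policy of `p=none` still lets spoofed mail through, they merely report it. The block below is an added example, not from the advisory: it parses the two TXT records and lists the weak settings, showing a weak pair beside a hardened pair for a placeholder domain. The records are constructed (a real check would fetch them from DNS), and the include-count threshold is a heuristic for SPF's ten-lookup limit.

```python
"""Assess SPF and DMARC TXT records for weak settings. Added example, not from the
advisory; the records are constructed and would normally be fetched from DNS."""


def parse_spf(record):
    """Return (mechanisms, all_qualifier); all_qualifier is '+', '-', '~', '?' or None if absent."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term[1:] if term[0] in "+-~?" else term
        if body.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append(term)
    return mechanisms, all_qualifier


def parse_dmarc(record):
    """Return a dict of tag -> value for a DMARC record (tag names are case-insensitive)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_email_auth(spf_record, dmarc_record):
    """Return a list of findings; an empty list means no weak setting was found."""
    findings = []
    mechanisms, all_qualifier = parse_spf(spf_record)
    if all_qualifier in ("+", None):
        findings.append("SPF: '+all' or no 'all' mechanism lets any sender pass")
    elif all_qualifier == "?":
        findings.append("SPF: '?all' (neutral) gives receivers no signal")
    elif all_qualifier == "~":
        findings.append("SPF: '~all' softfail; prefer '-all' once senders are inventoried")
    if sum(m.lower().startswith("include:") for m in mechanisms) > 8:
        findings.append("SPF: more than 8 include: terms risks exceeding the 10 DNS lookup limit")
    tags = parse_dmarc(dmarc_record)
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject when aligned mail is verified")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports will be received")
    return findings


# Constructed records: a weak pair and a hardened pair for the same placeholder domain.
WEAK_SPF = "v=spf1 include:mail.example.net ?all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_SPF = "v=spf1 include:mail.example.net -all"
HARDENED_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, assess_email_auth(spf, dmarc) or "no weak settings")
```

Move from `p=none` to `p=reject` only after the aggregate reports delivered to the `rua` address show that every legitimate sending service is aligned; otherwise the stricter policy will bounce your own mail.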



         
         

         

Threat Actor Technique / Sub-Techniques: External Remote Services [T1133] (https://attack.mitre.org/versions/v9/techniques/T1133)

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed:

  • Exploiting vulnerable devices immediately after conducting scans for critical zero-day or publicly disclosed vulnerabilities. The cyber actors used or modified public proof of concept code in order to exploit vulnerable systems.
  • Targeting Microsoft Exchange offline address book (OAB) virtual directories (VDs).
  • Exploiting Internet-accessible web servers using small webshell code injections against multiple languages, including .NET, ASP, ASPX, PHP, JSPX, and CFM.

Note: refer to the references listed above in Exploit Public-Facing Application [T1190] (https://attack.mitre.org/versions/v9/techniques/T1190) for information on CVEs known to be exploited by malicious Chinese cyber actors.

Note: this technique also applies to Persistence [TA0003] (https://attack.mitre.org/versions/v9/tactics/TA0003).

Detection and Mitigation Recommendations:

  • Many exploits can be mitigated by applying available patches for vulnerabilities (such as CVE-2019-11510, CVE-2019-19781, and CVE-2020-5902) affecting external remote services.
  • Reset credentials after virtual private network (VPN) devices are upgraded and reconnected to the external network.
  • Revoke and generate new VPN server keys and certificates (this may require redistributing VPN connection information to users).
  • Disable Remote Desktop Protocol (RDP) if not required for legitimate business functions.
  • Restrict VPN traffic to and from managed service providers (MSPs) using a dedicated VPN connection.
  • Review and verify all connections between customer systems, service provider systems, and other client enclaves.

Defensive Tactics and Techniques:

  • Harden:
  • Detect:



         
         

         

Threat Actor Technique / Sub-Techniques: Valid Accounts [T1078] (https://attack.mitre.org/versions/v9/techniques/T1078)

Threat Actor Procedure(s): Chinese state-sponsored cyber actors have been observed gaining credential access into victim networks by using legitimate, but compromised, credentials to access OWA servers, corporate login portals, and victim networks.

Note: this technique also applies to Persistence [TA0003] (https://attack.mitre.org/versions/v9/tactics/TA0003), Privilege Escalation [TA0004] (https://attack.mitre.org/versions/v9/tactics/TA0004), and Defense Evasion [TA0005] (https://attack.mitre.org/versions/v9/tactics/TA0005).

Detection and Mitigation Recommendations:

  • Adhere to best practices for password and permission management.
  • Ensure that MSP accounts are not assigned to administrator groups and restrict those accounts to only the systems they manage.
  • Do not store credentials or sensitive data in plaintext.
  • Change all default usernames and passwords.
  • Routinely update and secure applications using Secure Shell (SSH).
  • Update SSH keys regularly and keep private keys secure.
  • Routinely audit privileged accounts to identify malicious use.

Defensive Tactics and Techniques:

  • Harden:
  • Detect:
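A legitimate but compromised credential, as in the procedure above, passes authentication, so the audit of privileged and portal accounts the advisory recommends has to look at where and when sign-ins happen rather than whether they succeed. The block below is an added example, not from the advisory: it flags sign-ins from a country outside each account's baseline and pairs of sign-ins too far apart to be the same person. The GeoIP table, the baselines and the sign-in events are constructed, and the 900 km/h travel ceiling is an assumption.

```python
"""Audit sign-in events for signs of compromised-but-valid credentials.
Added example, not from the advisory; the geo table, baselines and events are constructed."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed IP -> (country, latitude, longitude) table standing in for a GeoIP lookup.
GEO = {
    "192.0.2.10": ("US", 38.9, -77.0),
    "192.0.2.11": ("US", 38.9, -77.0),
    "198.51.100.20": ("DE", 52.5, 13.4),
    "203.0.113.30": ("SG", 1.3, 103.8),
}


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def audit_logins(events, baseline_countries, max_speed_kmh=900):
    """events: [(iso_timestamp, user, source_ip)] in any order;
    baseline_countries: user -> set of countries that account normally signs in from.
    Returns [(user, reason)] for new-country sign-ins and impossible travel."""
    findings = []
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((datetime.fromisoformat(ts), ip))
    for user, user_events in by_user.items():
        user_events.sort()
        previous = None
        for ts, ip in user_events:
            country, lat, lon = GEO[ip]
            if country not in baseline_countries.get(user, set()):
                findings.append((user, f"sign-in from new country {country} via {ip}"))
            if previous is not None:
                hours = (ts - previous[0]).total_seconds() / 3600
                km = haversine_km(GEO[previous[1]][1:], (lat, lon))
                if hours > 0 and km / hours > max_speed_kmh:
                    findings.append((user, f"impossible travel: {km:.0f} km in {hours:.1f} h"))
            previous = (ts, ip)
    return findings


SAMPLE_EVENTS = [  # constructed
    ("2021-07-19T08:00:00", "alice", "192.0.2.10"),
    ("2021-07-19T09:30:00", "alice", "203.0.113.30"),      # 1.5 h later, from Singapore
    ("2021-07-19T08:05:00", "bob", "192.0.2.11"),
    ("2021-07-19T17:00:00", "bob", "192.0.2.11"),
    ("2021-07-19T10:00:00", "svc-backup", "198.51.100.20"),  # service account, unusual country
]
BASELINE = {"alice": {"US"}, "bob": {"US"}, "svc-backup": {"US"}}

if __name__ == "__main__":
    for user, reason in audit_logins(SAMPLE_EVENTS, BASELINE):
        print(f"{user}: {reason}")
```

Service accounts such as `svc-backup` should have the narrowest baseline of all: they rarely have a reason to sign in from anywhere but a known set of addresses, so a single new-country hit on one is worth an immediate credential reset.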



         
         


Tactics: Execution [TA0002] (https://attack.mitre.org/versions/v9/tactics/TA0002)



Table IV: Chinese state-sponsored cyber actors' Execution TTPs with detection and mitigation recommendations




   
      
         
         
         
         
      
   
   
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
   

         

Threat Actor Technique /

         Sub-Techniques


         

         

Threat Actor Procedure(s)


         

         

Detection and Mitigation Recommendations


         

         

Defensive Tactics and Techniques


         

         

Command and Scripting Interpreter [https://attack.mitre.org/versions/v9/techniques/T1059">T1059]: 



         
         

         

Chinese state-sponsored cyber actors have been observed:



         

                

  •             

    Using cmd.exe, JavaScript/Jscript Interpreter, and network device command line interpreters (CLI).


                

  •             

  •             

    Using PowerShell to conduct reconnaissance, enumeration, and discovery of the victim network. 


                

  •             

  •             

    Employing Python scripts to exploit vulnerable servers.


                

  •             

  •             

    Using a UNIX shell in order to conduct discovery, enumeration, and lateral movement on Linux® servers in the victim network.


                

  •          

         

         

PowerShell



         

                

  •             

    Turn on PowerShell logging. (Note: this works better in newer versions of PowerShell. NSA, CISA, and FBI recommend using version 5 or higher.)


                

  •             

  •             

    Push Powershell logs into a security information and event management (SIEM) tool.


                

  •             

  •             

    Monitor for suspicious behavior and commands. Regularly evaluate and update blocklists and allowlists.


                

  •             

  •             

    Use an antivirus program, which may stop malicious code execution that cyber actors attempt to execute via PowerShell.


                

  •             

  •             

    Remove PowerShell if it is not necessary for operations. 


                

  •             

  •             

    Restrict which commands can be used.


                

  •          


         

Windows Command Shell



         

                

  •             

    Restrict use to administrator, developer, or power user systems. Consider its use suspicious and investigate, especially if average users run scripts. 


                

  •             

  •             

    Investigate scripts running out of cycle from patching or other administrator functions if scripts are not commonly used on a system, but enabled. 


                

  •             

  •             

    Monitor for and investigate other unusual or suspicious scripting behavior. 


                

  •          


         

Unix



         

                

  •             

    Use application controls to prevent execution.


                

  •             

  •             

    Monitor for and investigate unusual scripting behavior. Use of the Unix shell may be common on administrator, developer, or power user systems. In this scenario, normal users running scripts should be considered suspicious. 


                

  •             

  •             

    If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions should be considered suspicious. 


                

  •          


         

Python



         

                

  •             

    Audit inventory systems for unauthorized Python installations.


                

  •             

  •             

    Blocklist Python where not required.


                

  •             

  •             

    Prevent users from installing Python where not required.


                

  •          


         

JavaScript



         

                

  •             

    Turn off or restrict access to unneeded scripting components.


                

  •             

  •             

    Blocklist scripting where appropriate.


                

  •             

  •             

    For malicious code served up through ads, adblockers can help prevent that code from executing.


                

  •          


         

Network Device Command Line Interface (CLI)

  • Use TACACS+ to keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization.

  • Use an authentication, authorization, and accounting (AAA) system to limit the actions administrators can perform and to provide a history of user actions, so that unauthorized use and abuse can be detected.

  • Ensure least privilege principles are applied to user accounts and groups.

Harden: 

Detect: 
  • Process Analysis

Isolate:
  • Execution Isolation
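As an added example (not part of the advisory or this post), the Unix and Python guidance above can be turned into a triage pass over process-start telemetry. The host profiles, maintenance window and authorized interpreter paths are assumptions and the events are constructed; the script flags interpreters launched by accounts that are not expected to script on that host, interpreters running from outside the authorized install locations (the unauthorized-installation case), and script activity on hosts where scripts are rarely used but enabled, outside the patch window.

```python
"""Triage of script-interpreter process starts on Unix hosts.

Added example, not code from the advisory. It applies the guidance that shell
and Python use is normal for administrators, developers and power users but
suspicious for ordinary users, and that interpreters installed outside the
authorized locations should be audited. Host profiles, the maintenance window,
the interpreter paths and the events below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Interpreter basenames worth watching (shells and scripting engines).
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python2", "python3", "perl", "node"}

# Where package-managed interpreters normally live on these hosts (assumption).
AUTHORIZED_DIRS = ("/bin/", "/usr/bin/", "/usr/local/bin/")

# Patch/maintenance window in which administrator scripts are expected (assumption).
MAINT_WINDOW = (time(1, 0), time(3, 0))


@dataclass
class HostProfile:
    hostname: str
    script_users: frozenset      # accounts expected to run scripts on this host
    scripts_common: bool         # False: scripts enabled but rarely used


@dataclass
class ProcEvent:
    ts: datetime
    hostname: str
    user: str
    exe: str                     # full path of the interpreter binary
    cmdline: str


def _basename(path):
    return path.rsplit("/", 1)[-1]


def _in_window(ts):
    start, end = MAINT_WINDOW
    return start <= ts.time() <= end


def triage(events, profiles):
    """Return (event, reason) pairs for interpreter starts that deserve a look."""
    findings = []
    for ev in events:
        if _basename(ev.exe) not in INTERPRETERS:
            continue                                     # not a scripting engine
        prof = profiles.get(ev.hostname)
        if prof is None:
            findings.append((ev, "no profile for host; review manually"))
            continue
        if ev.user not in prof.script_users:
            findings.append((ev, "interpreter run by account not expected to script on this host"))
        if not ev.exe.startswith(AUTHORIZED_DIRS):
            findings.append((ev, "interpreter outside authorized install locations"))
        if not prof.scripts_common and not _in_window(ev.ts):
            findings.append((ev, "script activity out of cycle with maintenance window on a host where scripts are rare"))
    return findings


# Constructed sample profiles and events.
PROFILES = {
    "build01": HostProfile("build01", frozenset({"root", "ci", "dev1"}), True),
    "kiosk07": HostProfile("kiosk07", frozenset({"root"}), False),
}

EVENTS = [
    ProcEvent(datetime(2021, 7, 19, 10, 5), "build01", "dev1", "/usr/bin/python3", "python3 build.py"),
    ProcEvent(datetime(2021, 7, 19, 10, 7), "build01", "guest", "/bin/bash", "bash ./run.sh"),
    ProcEvent(datetime(2021, 7, 19, 10, 9), "build01", "dev1", "/tmp/.x/python3", "python3 worker.py"),
    ProcEvent(datetime(2021, 7, 19, 2, 0), "kiosk07", "root", "/bin/sh", "sh /opt/patch/apply.sh"),
    ProcEvent(datetime(2021, 7, 19, 14, 30), "kiosk07", "root", "/bin/sh", "sh /dev/shm/r.sh"),
]

if __name__ == "__main__":
    for ev, why in triage(EVENTS, PROFILES):
        print(f"{ev.ts:%H:%M} {ev.hostname} {ev.user} {ev.exe}: {why}")
```

The per-host profile is the important part: the same bash launch is routine on a build box and an anomaly on a kiosk, so a fleet-wide rule without host context produces either noise or misses.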



                
                

  •          

         

         

Scheduled Task/Job [T1053] (https://attack.mitre.org/versions/v9/techniques/T1053)

Chinese state-sponsored cyber actors have been observed using Cobalt Strike, webshells, or command line interface tools, such as schtasks or crontab, to create and schedule tasks that enumerate victim devices and networks.

Note: this technique also applies to Persistence [TA0003] (https://attack.mitre.org/versions/v9/tactics/TA0003) and Privilege Escalation [TA0004] (https://attack.mitre.org/versions/v9/tactics/TA0004).

  • Monitor scheduled task creation from common utilities using command-line invocation and compare for any changes that do not correlate with known software, patch cycles, or other administrative activity.

  • Configure event logging for scheduled task creation and monitor process execution from svchost.exe (Windows 10) and Windows Task Scheduler (older versions of Windows) to look for changes in %systemroot%\System32\Tasks that do not correlate with known software, patch cycles, or other administrative activity. Additionally, monitor for any scheduled tasks created via command line utilities, such as PowerShell or Windows Management Instrumentation (WMI), that do not conform to typical administrator or user actions.
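As an added example (not code from the advisory), here is what the two bullets above look like as a triage rule over Windows Security Event ID 4698 ("A scheduled task was created"). The event carries the task definition as XML, so the script parses out what the task will execute and checks it against known software, the patch window and the creating account. The records are constructed and assume the SIEM has already joined the 4698 fields with the name of the process that registered the task (taken from process-creation telemetry); the allowlists and the patch window are placeholders to tune per environment.

```python
"""Triage of Windows scheduled-task creation events (Security Event ID 4698).

Added example; not code from the advisory. It parses the Task Content XML that
a 4698 event carries, extracts what the task will run, and flags creations that
do not line up with known software, the patch window or administrative tooling.
The events are constructed records pairing the 4698 fields with the creating
process name from process-creation telemetry (an assumption about how the SIEM
joins the two); the allowlists and patch window are placeholders.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, time

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task commands expected on this fleet (assumption).
KNOWN_GOOD_COMMANDS = {
    r"C:\Program Files\Backup\agent.exe",
    r"C:\Windows\System32\cleanmgr.exe",
}
# Processes that normally register tasks: installers and management services.
KNOWN_REGISTRARS = {"msiexec.exe", "mmc.exe", "svchost.exe"}
# Command-line utilities the advisory singles out for task creation.
CLI_TOOLS = {"schtasks.exe", "powershell.exe", "wmic.exe", "cmd.exe"}
# Accounts allowed to create tasks by hand (assumption).
ADMIN_ACCOUNTS = {r"CORP\admin01", r"CORP\svc_patch"}
# Daily patch window in which management tooling creates tasks (assumption).
PATCH_WINDOW = (time(1, 0), time(4, 0))


def parse_task_content(xml_text):
    """Return (command, arguments, principal) from a 4698 Task Content document."""
    root = ET.fromstring(xml_text)
    exec_node = root.find(".//t:Exec", NS)
    command = args = ""
    if exec_node is not None:
        command = exec_node.findtext("t:Command", default="", namespaces=NS)
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS)
    principal = root.findtext(".//t:Principal/t:UserId", default="", namespaces=NS)
    return command.strip(), args.strip(), principal.strip()


def triage_4698(events):
    """Return [(task_name, [reason, ...])] for creations that need review."""
    findings = []
    for ev in events:
        command, _args, _principal = parse_task_content(ev["task_content"])
        creator = ev["creator_process"].lower()
        trusted_subject = ev["subject"] in ADMIN_ACCOUNTS
        in_window = PATCH_WINDOW[0] <= ev["time"].time() <= PATCH_WINDOW[1]
        reasons = []
        if command not in KNOWN_GOOD_COMMANDS:
            reasons.append(f"command not in known software: {command}")
        if not in_window and creator not in KNOWN_REGISTRARS and not trusted_subject:
            reasons.append("created out of cycle with the patch window")
        if creator in CLI_TOOLS and not trusted_subject:
            reasons.append("created via command-line utility by non-admin account")
        if reasons:
            findings.append((ev["task_name"], reasons))
    return findings


def _task_xml(user_id, command, arguments=""):
    """Build a minimal Task Content document shaped like the Task Scheduler schema."""
    return (f'<Task version="1.2" xmlns="{NS["t"]}">'
            f'<Principals><Principal id="Author"><UserId>{user_id}</UserId></Principal></Principals>'
            f'<Actions><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions>'
            '</Task>')


# Constructed sample events.
EVENTS = [
    {"time": datetime(2021, 7, 19, 2, 10), "task_name": r"\Backup\Nightly", "subject": r"CORP\svc_patch",
     "creator_process": "msiexec.exe",
     "task_content": _task_xml("S-1-5-18", r"C:\Program Files\Backup\agent.exe", "/run")},
    {"time": datetime(2021, 7, 19, 11, 42), "task_name": r"\Updater", "subject": r"CORP\jdoe",
     "creator_process": "powershell.exe",
     "task_content": _task_xml("S-1-5-18", r"C:\Users\Public\update.exe")},
    {"time": datetime(2021, 7, 19, 9, 0), "task_name": r"\CleanupLogs", "subject": r"CORP\admin01",
     "creator_process": "schtasks.exe",
     "task_content": _task_xml(r"CORP\admin01", r"C:\Windows\System32\cleanmgr.exe", "/autoclean")},
    {"time": datetime(2021, 7, 19, 3, 30), "task_name": r"\Sync", "subject": r"CORP\jdoe",
     "creator_process": "wmic.exe",
     "task_content": _task_xml("S-1-5-18", r"C:\Program Files\Backup\agent.exe")},
]

if __name__ == "__main__":
    for name, reasons in triage_4698(EVENTS):
        print(name, "->", "; ".join(reasons))
```

The fourth record shows why the patch window alone is not enough: a task pointing at a known-good binary, created inside the window, is still reported because a non-admin account registered it through wmic.exe.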


         

         

Detect: 

Isolate: 

User Execution [T1204] (https://attack.mitre.org/versions/v9/techniques/T1204)

Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns that encourage engagement from the target audience. These emails may contain a malicious link or file that provides the cyber actor access to the victim's device after the user clicks on the malicious link or opens the attachment.

  • Use an antivirus program, which may stop malicious code execution that cyber actors convince users to attempt to execute.

  • Prevent unauthorized execution by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.

  • Use a domain reputation service to detect and block suspicious or malicious domains.

  • Determine if certain categories of websites are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.

  • Ensure all browsers and plugins are kept up to date.

  • Use modern browsers with security features turned on.

  • Use browser and application sandboxes or remote virtual environments to mitigate browser or other application exploitation.

Detect: 

Isolate: 

Tactics: Persistence [TA0003] (https://attack.mitre.org/versions/v9/tactics/TA0003)

Table V: Chinese state-sponsored cyber actors' Persistence TTPs with detection and mitigation recommendations

Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques

Hijack Execution Flow [T1574] (https://attack.mitre.org/versions/v9/techniques/T1574): 

Chinese state-sponsored cyber actors have been observed using benign executables that use Dynamic Link Library (DLL) load-order hijacking to activate the malware installation process.

Note: this technique also applies to Privilege Escalation [TA0004] (https://attack.mitre.org/versions/v9/tactics/TA0004) and Defense Evasion [TA0005] (https://attack.mitre.org/versions/v9/tactics/TA0005).

  • Disallow loading of remote DLLs.

  • Enable safe DLL search mode.

  • Implement tools for detecting search order hijacking opportunities.

  • Use application allowlisting to block unknown DLLs.

  • Monitor the file system for created, moved, and renamed DLLs.

  • Monitor for changes in system DLLs not associated with updates or patches.

  • Monitor DLLs loaded by processes (e.g., legitimate name, but abnormal path).
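The last bullet ("legitimate name, but abnormal path") is the one that is easiest to turn into a detection. As an added example that is not from the advisory, the script below applies it to image-load records whose fields are modelled on Sysmon Event ID 7 (loading process, DLL path, signature status). The records are constructed, and the watchlist of system DLL names and the directory lists are assumptions a defender would tune per environment.

```python
"""Flagging DLL loads that look like search-order hijacking.

Added example; not code from the advisory. It applies the advisory's rule
(a legitimate DLL name loaded from an abnormal path) to image-load records with
fields modelled on Sysmon Event ID 7. The records are constructed, and the DLL
watchlist and directory lists are assumptions to tune per environment.
"""
import ntpath

# DLL names that should only be loaded from the Windows system directories (assumption).
SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll", "userenv.dll",
               "secur32.dll", "wtsapi32.dll", "cryptdll.dll", "samsrv.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Locations ordinary users can write to; unsigned code loading from here needs a look.
USER_WRITABLE = (r"c:\users", r"c:\programdata", r"c:\windows\temp", r"c:\temp")


def _under(directory, roots):
    """True when directory equals one of roots or lies beneath it."""
    return any(directory == r or directory.startswith(r + "\\") for r in roots)


def classify_load(record):
    """Return the reasons an image-load record is suspicious (empty list if none)."""
    dll_dir = ntpath.dirname(record["image_loaded"]).lower()
    dll_name = ntpath.basename(record["image_loaded"]).lower()
    proc_dir = ntpath.dirname(record["image"]).lower()
    reasons = []
    if dll_name in SYSTEM_DLLS and not _under(dll_dir, SYSTEM_DIRS):
        reasons.append(f"system DLL name {dll_name} loaded from abnormal path {dll_dir}")
    if not record["signed"] and _under(dll_dir, USER_WRITABLE):
        reasons.append("unsigned DLL loaded from a user-writable location")
    if dll_name in SYSTEM_DLLS and dll_dir == proc_dir:
        reasons.append("system DLL name placed beside the loading executable")
    return reasons


def scan(records):
    """Return [(dll_name, reasons)] for records with at least one reason, in input order."""
    out = []
    for rec in records:
        reasons = classify_load(rec)
        if reasons:
            out.append((ntpath.basename(rec["image_loaded"]).lower(), reasons))
    return out


# Constructed sample image-load records (fields modelled on Sysmon Event ID 7).
RECORDS = [
    {"image": r"C:\Program Files\Office\winword.exe",
     "image_loaded": r"C:\Windows\System32\version.dll", "signed": True},
    {"image": r"C:\Users\jdoe\Downloads\viewer.exe",
     "image_loaded": r"C:\Users\jdoe\Downloads\version.dll", "signed": False},
    {"image": r"C:\Program Files\Vendor\app.exe",
     "image_loaded": r"C:\Program Files\Vendor\dwmapi.dll", "signed": True},
    {"image": r"C:\Program Files\Vendor\app.exe",
     "image_loaded": r"C:\Program Files\Vendor\vendorcore.dll", "signed": True},
    {"image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\ProgramData\cache\helper.dll", "signed": False},
]

if __name__ == "__main__":
    for name, reasons in scan(RECORDS):
        print(name, "->", "; ".join(reasons))
```

The third record is the interesting one for tuning: a signed, vendor-shipped dwmapi.dll next to the application is exactly the pattern a hijack produces, so it should be reviewed and then allowlisted by hash rather than suppressed by name.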

         

         

Detect: 
  • Platform Monitoring
  • Process Analysis

Isolate: 

Modify Authentication Process [T1556] (https://attack.mitre.org/versions/v9/techniques/T1556)

Chinese state-sponsored cyber actors were observed creating a new sign-in policy to bypass MFA requirements to maintain access to the victim network.

Note: this technique also applies to Defense Evasion [TA0005] (https://attack.mitre.org/versions/v9/tactics/TA0005) and Credential Access [TA0006] (https://attack.mitre.org/versions/v9/tactics/TA0006).

  • Monitor for policy changes to authentication mechanisms used by the domain controller.

  • Monitor for modifications to functions exported from authentication DLLs (such as cryptdll.dll and samsrv.dll).

  • Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.

  • Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts (for example, one account logged into multiple systems simultaneously, multiple accounts logged into the same machine simultaneously, accounts logged in at odd times or outside of business hours).

  • Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

  • Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for and correlate changes to Registry entries.
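The three account-behavior patterns in the "suspicious account behavior" bullet are simple interval checks once logon events have been normalized into sessions. As an added example (not from the advisory), the script below reports accounts with simultaneous sessions on several hosts, hosts with simultaneous sessions from several accounts, and sessions that begin outside business hours. The sessions, the business-hours window and the excluded service account are constructed assumptions.

```python
"""Account-behaviour correlation for the patterns the advisory lists under T1556.

Added example; not code from the advisory. Given normalized logon-session
records (account, host, session start and end), it reports accounts with
simultaneous sessions on several hosts, hosts with simultaneous sessions from
several accounts, and sessions that begin outside business hours. The sessions,
the business-hours window and the excluded service account are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from itertools import combinations

BUSINESS_HOURS = (time(7, 0), time(19, 0))       # assumption
EXCLUDED_ACCOUNTS = {"svc_backup"}                 # service accounts with known fan-out


@dataclass(frozen=True)
class Session:
    account: str
    host: str
    start: datetime
    end: datetime


def _overlaps(a, b):
    return a.start < b.end and b.start < a.end


def _relevant(sessions):
    return [s for s in sessions if s.account not in EXCLUDED_ACCOUNTS]


def accounts_on_many_hosts(sessions):
    """Accounts holding overlapping sessions on more than one host."""
    by_account = defaultdict(list)
    for s in _relevant(sessions):
        by_account[s.account].append(s)
    hits = {acct for acct, ss in by_account.items()
            if any(a.host != b.host and _overlaps(a, b) for a, b in combinations(ss, 2))}
    return sorted(hits)


def hosts_with_many_accounts(sessions):
    """Hosts where sessions from different accounts overlap in time."""
    by_host = defaultdict(list)
    for s in _relevant(sessions):
        by_host[s.host].append(s)
    hits = {host for host, ss in by_host.items()
            if any(a.account != b.account and _overlaps(a, b) for a, b in combinations(ss, 2))}
    return sorted(hits)


def off_hours_accounts(sessions):
    """Accounts whose sessions start outside the business-hours window."""
    lo, hi = BUSINESS_HOURS
    return sorted({s.account for s in _relevant(sessions) if not lo <= s.start.time() <= hi})


def report(sessions):
    return {
        "account_on_multiple_hosts": accounts_on_many_hosts(sessions),
        "multiple_accounts_on_host": hosts_with_many_accounts(sessions),
        "off_hours_logon": off_hours_accounts(sessions),
    }


def _t(hour, minute):
    return datetime(2021, 7, 19, hour, minute)


# Constructed sample sessions.
SESSIONS = [
    Session("alice", "ws-101", _t(9, 0), _t(17, 0)),
    Session("alice", "ws-220", _t(13, 0), _t(13, 45)),   # overlaps her ws-101 session
    Session("bob", "ws-220", _t(13, 10), _t(16, 0)),     # overlaps alice on ws-220
    Session("carol", "ws-330", _t(8, 30), _t(12, 0)),
    Session("carol", "ws-330", _t(12, 30), _t(18, 0)),   # sequential, same host: fine
    Session("dave", "ws-440", _t(2, 15), _t(3, 0)),      # starts at 02:15
    Session("svc_backup", "srv-1", _t(1, 0), _t(2, 0)),
    Session("svc_backup", "srv-2", _t(1, 0), _t(2, 0)),  # excluded service account
]

if __name__ == "__main__":
    for key, val in report(SESSIONS).items():
        print(key, val)
```

The exclusion list matters as much as the rules: backup and monitoring accounts legitimately fan out across hosts, and without carving them out the first check drowns in noise. Keep that list short, reviewed, and tied to specific service accounts rather than to naming patterns.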

         

         

Detect: 

Server Software Component [T1505] (https://attack.mitre.org/versions/v9/techniques/T1505): 

Chinese state-sponsored cyber actors have been observed planting web shells on exploited servers and using them to provide the cyber actors with access to the victim networks.

  • Use Intrusion Detection Systems (IDS) to monitor for and identify China Chopper traffic using IDS signatures.

  • Monitor and search for predictable China Chopper shell syntax to identify infected files on hosts.

  • Perform integrity checks on critical servers to identify and investigate unexpected changes.

  • Have application developers sign their code using digital signatures to verify their identity.

  • Identify and remediate web application vulnerabilities or configuration weaknesses. Employ regular updates to applications and host operating systems.

  • Implement a least-privilege policy on web servers to reduce adversaries' ability to escalate privileges or pivot laterally to other hosts, and control the creation and execution of files in particular directories.

  • If not already present, consider deploying a DMZ between web-facing systems and the corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity.

  • Ensure secure configuration of web servers. All unnecessary services and ports should be disabled or blocked. Access to necessary services and ports should be restricted, where feasible. This can include allowlisting or blocking external access to administration panels and not using default login credentials.

  • Use a reverse proxy or alternative service, such as mod_security, to restrict accessible URL paths to known legitimate ones.

  • Establish, and back up offline, a "known good" version of the relevant server and a regular change management policy to enable monitoring for changes to servable content with a file integrity system.

  • Employ user input validation to restrict exploitation of vulnerabilities.

  • Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero-day exploits, it will highlight possible areas of concern.

  • Deploy a web application firewall and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.
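The "known good" baseline and file-integrity bullets above are the most reliable way to find a planted web shell regardless of its syntax, because a dropped script is a new or changed file in a directory that should only change through change management. As an added example (not from the advisory), the script below hashes a known-good copy of the web root, compares a live tree against it, and calls out added files with server-side executable extensions separately. The directory layout and sample files are constructed in temporary directories, and the extension list is an assumption about which handlers the server has enabled.

```python
"""Known-good baseline and change detection for a web server's servable content.

Added example; not code from the advisory. It hashes every file under a known
good copy of the web root, compares a live tree against that baseline, and
reports added, modified and removed files. Added files with server-side
executable extensions are listed separately, since a dropped script in a
servable directory is what the integrity check is meant to catch. The trees
and files are constructed; the extension list is an assumption.
"""
import hashlib
import os
import tempfile

# Extensions the web server would execute rather than serve as static content (assumption).
SERVER_SIDE_EXT = {".php", ".jsp", ".jspx", ".asp", ".aspx", ".ashx", ".cgi", ".pl", ".py", ".war"}


def hash_tree(root):
    """Map relative path (with forward slashes) to SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if os.path.islink(full):
                continue                      # hash real content only, never follow links
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = h.hexdigest()
    return baseline


def compare(baseline, current):
    """Diff two hash maps; mtime is deliberately ignored since it is trivially forged."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    executable_added = [p for p in added if os.path.splitext(p)[1].lower() in SERVER_SIDE_EXT]
    return {"added": added, "removed": removed, "modified": modified,
            "executable_added": executable_added}


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a known-good tree and a drifted live copy in temp dirs and compare them."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as live:
        for root in (good, live):
            _write(root, "index.php", b"<?php echo 'hello'; ?>")
            _write(root, "css/site.css", b"body{}")
            _write(root, "uploads/readme.txt", b"uploads only")
        # Constructed drift on the live server: one edit, two new files, one deletion.
        _write(live, "index.php", b"<?php echo 'hello'; /* changed */ ?>")
        _write(live, "uploads/image.php", b"<?php /* unexpected file in an upload directory */ ?>")
        _write(live, "uploads/photo.jpg", b"\xff\xd8\xff")
        os.remove(os.path.join(live, "css", "site.css"))
        return compare(hash_tree(good), hash_tree(live))


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

In production the baseline is produced at release time from the offline known-good copy, stored somewhere the web server account cannot write, and the comparison runs on a schedule; a `.php` appearing under an upload directory is a finding on its own, whatever its contents.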

         

         

Detect: 

Isolate:

Create or Modify System Process [T1543] (https://attack.mitre.org/versions/v9/techniques/T1543):

Chinese state-sponsored cyber actors have been observed executing malware shellcode and batch files to establish new services to enable persistence.

Note: this technique also applies to Privilege Escalation [TA0004] (https://attack.mitre.org/versions/v9/tactics/TA0004).

  • Only allow authorized administrators to make service changes and modify service configurations.

  • Monitor processes and command-line arguments for actions that could create or modify services, especially if such modifications are unusual in your environment.

  • Monitor WMI and PowerShell for service modifications.

Detect:

Tactics: Privilege Escalation [TA0004] (https://attack.mitre.org/versions/v9/tactics/TA0004)

Table VI: Chinese state-sponsored cyber actors' Privilege Escalation TTPs with detection and mit
