SOC Incident Toolkit
Cyber Security in Elections

Tags: election, election security

In recent years, the effect of cyber operations on national elections has increased rapidly, and interstate operations have been observed being carried out through cyber espionage campaigns.

Indicators of Compromise

Domains (1697)

Hashes (3729)

IPv4 (1860)

CVEs (14)

CVE-2014-6352, CVE-2017-1099, CVE-2017-12149, CVE-2017-0199, CVE-2021-21972, CVE-2021-34523, CVE-2021-27065, CVE-2017-11882, CVE-2021-4034, CVE-2021-26858, CVE-2021-44228, CVE-2021-31207, CVE-2014-4114, CVE-2021-34473

APT Groups

APT31 (China)

CHRYSENE (Iran, Islamic Republic of)

Energetic Bear (Russian Federation)

APT 29 (Russian Federation)

Notes

<p>Foreign intelligence entities operate in the seams of democratic systems to advance their interests, using the tools of traditional espionage in combination with cyber operations and influence campaigns. Foreign attempts to interfere with elections fall into five distinct categories:</p>
<ol>
<li>Cyber operations targeting election infrastructure,</li>
<li>Cyber operations targeting political parties, campaigns, and public officials,</li>
<li>Covert influence operations to assist or harm political organizations, campaigns, or public officials,</li>
<li>Covert influence operations to influence public opinion and sow division,</li>
<li>Covert efforts to influence policymakers and the public.</li>
</ol>
<hr>

Mitigation

<h4>General Mitigations</h4>

<h5>Keep applications and systems updated and patched</h5>
<p>Apply all available software updates and patches; automate this process to the greatest extent possible (e.g., by using an update service provided directly from the vendor). Automating updates and patches is critical because of the speed at which threat actors create exploits after a patch is released. These “N-day” exploits can be as damaging as zero-day exploits. Vendor updates must also be authentic; updates are typically signed and delivered over protected links to ensure the integrity of the content. Without rapid and thorough patch application, threat actors can operate inside a defender’s patch cycle.[<a href="https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf?v=1">3</a>] In addition to updating the application, use tools (e.g., the OWASP Dependency-Check Project tool[<a href="https://owasp.org/www-project-dependency-check/">4</a>]) to identify publicly known vulnerabilities in third-party libraries that the application depends on.</p>

<h5>Scan web applications for SQL injection and other common web vulnerabilities</h5>
<p>Implement a plan to scan public-facing web servers for common web vulnerabilities (SQL injection, cross-site scripting, etc.); use a commercial web application vulnerability scanner in combination with a source code scanner.[<a href="https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/defending-against-the-exploitation-of-sql-vulnerabilities-to.cfm">5</a>] As vulnerabilities are found, they should be fixed or patched. This is especially crucial for networks that host older web applications; as sites get older, more vulnerabilities are discovered and exposed.</p>

<h5>Deploy a web application firewall</h5>
<p>Deploy a web application firewall (WAF) to help prevent invalid input attacks and other attacks destined for the web application. WAFs are intrusion detection/prevention devices that inspect each web request made to and from the web application to determine whether the request is malicious. Some WAFs install on the host system and others are dedicated devices that sit in front of the web application. WAFs also reduce the effectiveness of automated web vulnerability scanning tools.</p>

<h5>Deploy techniques to protect against web shells</h5>
<p>Patch web application vulnerabilities or fix configuration weaknesses that allow web shell attacks, and follow guidance on detecting and preventing web shell malware.[<a href="https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF">6</a>] Malicious cyber actors often deploy web shells, software that can enable remote administration, on a victim’s web server. Malicious cyber actors can use web shells to execute arbitrary system commands, which are commonly sent over HTTP or HTTPS. Attackers often create web shells by adding or modifying a file in an existing web application. Web shells provide attackers with persistent access to a compromised network using communications channels disguised to blend in with legitimate traffic. Web shell malware is a long-standing, pervasive threat that continues to evade many security tools.</p>

<h5>Use multi-factor authentication for administrator accounts</h5>
<p>Prioritize protection for accounts with elevated privileges, with remote access, and/or used on high value assets.[<a href="https://us-cert.cisa.gov/cdm/event/Identifying-and-Protecting-High-Value-Assets-Closer-Look-Governance-Needs-HVAs">7</a>] Use physical token-based authentication systems to supplement knowledge-based factors such as passwords and personal identification numbers (PINs).[<a href="https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf">8</a>] Organizations should migrate away from single-factor authentication, such as password-based systems, which are subject to poor user choices and more susceptible to credential theft, forgery, and password reuse across multiple systems.</p>

<h5>Remediate critical web application security risks</h5>
<p>First, identify and remediate critical web application security risks; then move on to other, less critical vulnerabilities. Follow available guidance on securing web applications.[<a href="https://apps.nsa.gov/iaarchive/library/ia-guidance/security-tips/building-web-applications-security-recommendations-for.cfm">9</a>],[<a href="https://owasp.org/www-project-top-ten/">10</a>],[<a href="https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html">11</a>]</p>

<h5>How do I respond to unauthorized access to election-related systems?</h5>
<h6>Implement your security incident response and business continuity plan</h6>
<p>It may take time for your organization’s IT professionals to isolate and remove threats to your systems and restore normal operations. In the meantime, take steps to maintain your organization’s essential functions according to your business continuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.</p>

<hr>

<p>From <a href="https://www.cisa.gov/uscert/ncas/alerts/aa20-296a">CISA Alert AA20-296A</a>:</p>

<h4>Network Defense-in-Depth</h4>
<p>Proper network defense-in-depth and adherence to information security best practices can assist in mitigating the threat and reducing the risk to critical infrastructure. The following guidance may assist organizations in developing network defense procedures.</p>
<ul>
<li>Keep all applications updated according to vendor recommendations, and especially prioritize updates for external facing applications and remote access services to address CVE-2019-19781, CVE-2020-0688, CVE-2019-10149, CVE-2018-13379, and CVE-2020-1472. Refer to table 1 for patch information on these CVEs.</li>
</ul>
<p class="text-align-center"><em>Table 1: Patch information for CVEs</em></p>
<table border="1" cellpadding="1" cellspacing="1" class="general-table">
<thead>
<tr><th>Vulnerability</th><th>Vulnerable Products</th><th>Patch Information</th></tr>
</thead>
<tbody>
<tr>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-19781">CVE-2019-19781</a></td>
<td><ul><li>Citrix Application Delivery Controller</li><li>Citrix Gateway</li><li>Citrix SDWAN WANOP</li></ul></td>
<td>
<p><a href="https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/" class="ext">Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0</a></p>
<p><a href="https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/" class="ext">Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3</a></p>
<p><a href="https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/" class="ext">Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0</a></p>
<p><a href="https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/" class="ext">Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5</a></p>
</td>
</tr>
<tr>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-0688">CVE-2020-0688</a></td>
<td><ul><li>Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30</li><li>Microsoft Exchange Server 2013 Cumulative Update 23</li><li>Microsoft Exchange Server 2016 Cumulative Update 14</li><li>Microsoft Exchange Server 2016 Cumulative Update 15</li><li>Microsoft Exchange Server 2019 Cumulative Update 3</li><li>Microsoft Exchange Server 2019 Cumulative Update 4</li></ul></td>
<td><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688" class="ext">Microsoft Security Advisory for CVE-2020-0688</a></td>
</tr>
<tr>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10149">CVE-2019-10149</a></td>
<td><ul><li>Exim versions 4.87–4.91</li></ul></td>
<td><a href="https://www.exim.org/static/doc/security/CVE-2019-10149.txt">Exim page for CVE-2019-10149</a></td>
</tr>
<tr>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2018-13379">CVE-2018-13379</a></td>
<td><ul><li>FortiOS 6.0: 6.0.0 to 6.0.4</li><li>FortiOS 5.6: 5.6.3 to 5.6.7</li><li>FortiOS 5.4: 5.4.6 to 5.4.12</li></ul></td>
<td><a href="https://www.fortiguard.com/psirt/FG-IR-18-384" class="ext">Fortinet Security Advisory: FG-IR-18-384</a></td>
</tr>
<tr>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1472">CVE-2020-1472</a></td>
<td><ul><li>Windows Server 2008 R2 for x64-based Systems Service Pack 1</li><li>Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)</li><li>Windows Server 2012</li><li>Windows Server 2012 (Server Core installation)</li><li>Windows Server 2012 R2</li><li>Windows Server 2016</li><li>Windows Server 2019</li><li>Windows Server 2019 (Server Core installation)</li><li>Windows Server, version 1903 (Server Core installation)</li><li>Windows Server, version 1909 (Server Core installation)</li><li>Windows Server, version 2004 (Server Core installation)</li></ul></td>
<td><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472" class="ext">Microsoft Security Advisory for CVE-2020-1472</a></td>
</tr>
</tbody>
</table>
<ul>
<li>Follow Microsoft’s <a href="https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc" class="ext">guidance</a> on monitoring logs for activity related to the Netlogon vulnerability, CVE-2020-1472.</li>
<li>If appropriate for your organization’s network, prevent external communication of all versions of SMB and related protocols at the network boundary by blocking Transmission Control Protocol (TCP) ports 139 and 445 and User Datagram Protocol (UDP) port 137. See the CISA publication on <a href="https://us-cert.cisa.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices">SMB Security Best Practices</a> for more information.</li>
<li>Implement the prevention, detection, and mitigation strategies outlined in:
<ul>
<li>CISA Alert <a href="https://us-cert.cisa.gov/ncas/alerts/TA15-314A">TA15-314A – Compromised Web Servers and Web Shells – Threat Awareness and Guidance</a>.</li>
<li>National Security Agency Cybersecurity Information Sheet <a href="https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2159419/detect-prevent-cyber-attackers-from-exploiting-web-servers-via-web-shell-malware/">U/OO/134094-20 – Detect and Prevent Web Shell Malware</a>.</li>
</ul>
</li>
<li>Isolate external facing services in a network demilitarized zone (DMZ) since they are more exposed to malicious activity; enable robust logging, and monitor the logs for signs of compromise.</li>
<li>Establish a training mechanism to inform end users on proper email and web usage, highlighting current information and analysis and including common indicators of phishing. End users should have clear instructions on how to report unusual or suspicious emails.</li>
<li>Implement application controls to only allow execution from specified application directories. System administrators may implement this through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults allow applications to run from the <code>PROGRAMFILES</code>, <code>PROGRAMFILES(X86)</code>, and <code>WINDOWS</code> folders. All other locations should be disallowed unless an exception is granted.</li>
<li>Block Remote Desktop Protocol (RDP) connections originating from untrusted external addresses unless an exception exists; routinely review exceptions for validity.</li>
</ul>

<h4>Comprehensive Account Resets</h4>
<p>For accounts where NTLM password hashes or Kerberos tickets may have been compromised (e.g., through CVE-2020-1472), a double password reset may be required in order to prevent continued exploitation of those accounts. For domain-admin-level credentials, a reset of the KRB-TGT “Golden Tickets” may be required, and Microsoft has released specialized <a href="https://docs.microsoft.com/en-us/azure-advanced-threat-protection/domain-dominance-alerts" class="ext">guidance</a> for this. Such a reset should be performed very carefully if needed.</p>
<p>If there is an observation of <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472" class="ext">CVE-2020-1472</a> Netlogon activity or other indications of valid credential abuse, it should be assumed the APT actors have compromised AD administrative accounts. In such cases, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through “creative destruction,” wherein, as endpoints in the legacy forest are decommissioned, new ones are built in the new forest. This will need to be completed in on-premises as well as Azure-hosted AD instances.</p>
<p>Note that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.</p>
<p>It is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.</p>
<ol>
<li>Create a temporary administrator account, and use this account only for all administrative actions</li>
<li>Reset the Kerberos Ticket Granting Ticket (<code>krbtgt</code>) password;[<a href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password" class="ext">1</a>] this must be completed before any additional actions (a second reset will take place in step 5)</li>
<li>Wait for the <code>krbtgt</code> reset to propagate to all domain controllers (time may vary)</li>
<li>Reset all account passwords (passwords should be 15 characters or more and randomly assigned):
<ol>
<li>User accounts (forced reset with no legacy password reuse)</li>
<li>Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])</li>
<li>Service accounts</li>
<li>Directory Services Restore Mode (DSRM) account</li>
<li>Domain Controller machine account</li>
<li>Application passwords</li>
</ol>
</li>
<li>Reset the <code>krbtgt</code> password again</li>
<li>Wait for the <code>krbtgt</code> reset to propagate to all domain controllers (time may vary)</li>
<li>Reboot domain controllers</li>
<li>Reboot all endpoints</li>
</ol>
<p>The following accounts should be reset:</p>
<ul>
<li>AD Kerberos Authentication Master (2x)</li>
<li>All Active Directory Accounts</li>
<li>All Active Directory Admin Accounts</li>
<li>All Active Directory Service Accounts</li>
<li>All Active Directory User Accounts</li>
<li>DSRM Account on Domain Controllers</li>
<li>Non-AD Privileged Application Accounts</li>
<li>Non-AD Unprivileged Application Accounts</li>
<li>Non-Windows Privileged Accounts</li>
<li>Non-Windows User Accounts</li>
<li>Windows Computer Accounts</li>
<li>Windows Local Admin</li>
</ul>

<h4>VPN Vulnerabilities</h4>
<p>Implement the following recommendations to secure your organization’s VPNs:</p>
<ul>
<li><strong>Update VPNs, network infrastructure devices, and devices</strong> being used to remote into work environments with the latest software patches and security configurations. See CISA Tips <a href="https://us-cert.cisa.gov/ncas/tips/ST04-006">Understanding Patches and Software Updates</a> and <a href="https://us-cert.cisa.gov/ncas/tips/ST18-001">Securing Network Infrastructure Devices</a>. Wherever possible, enable automatic updates.</li>
<li><strong>Implement MFA on all VPN connections to increase security</strong>. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. See CISA Tips <a href="https://us-cert.cisa.gov/ncas/tips/ST04-002">Choosing and Protecting Passwords</a> and <a href="https://us-cert.cisa.gov/ncas/tips/ST05-012">Supplementing Passwords</a> for more information.</li>
</ul>
<p>Discontinue unused VPN servers; they enlarge your organization’s attack surface and may act as a point of entry for attackers. To protect your organization against VPN vulnerabilities:</p>
<ul>
<li><strong>Audit</strong> configuration and patch management programs.</li>
<li><strong>Monitor</strong> network traffic for unexpected and unapproved protocols, especially outbound to the Internet (e.g., Secure Shell [SSH], SMB, RDP).</li>
<li><strong>Implement</strong> MFA, especially for privileged accounts.</li>
<li><strong>Use</strong> separate administrative accounts on separate administration workstations.</li>
<li><strong>Keep</strong> <a href="https://us-cert.cisa.gov/ncas/tips/ST04-006">software up to date</a>.</li>
</ul>
Enable automatic updates, if available.</li></ul></div><div><span style="font-size: 16px;"><br></span></div><div><hr><br></div><div>For&nbsp;<a href="https://www.cisa.gov/uscert/ncas/alerts/aa20-296b">CISA Alert(AA20-296B)</a></div><div><span style="color: rgb(51, 51, 51); font-family: &quot; font-size: 16px;"><br></span></div><div><span style="color: rgb(51, 51, 51); font-family: &quot; font-size: 16px;">The following recommended mitigations list includes self-protection strategies against the cyber techniques used by the APT actors:</span></div><div class="field field--name-field-aa-mitigations field--type-text-long field--label-hidden field--item" style="box-sizing: border-box; color: rgb(51, 51, 51); font-family: &quot;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em; font-size: 16px;"><li style="box-sizing: border-box;">Validate input—input validation is a method of sanitizing untrusted input provided by web application users. Implementing input validation can protect against security flaws of web applications by significantly reducing the probability of successful exploitation. Types of attacks possibly prevented include SQL injection, XSS, and command injection.</li><li style="box-sizing: border-box;">Audit your network for systems using Remote Desktop Protocol (RDP) and other internet-facing services. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.</li><li style="box-sizing: border-box;">Verify all cloud-based virtual machine instances with a public IP; do not have open RDP ports, unless there is a valid business reason to do so. 
Place any system with an open RDP port behind a firewall, and require users to use a VPN to access it through the firewall.</li><li style="box-sizing: border-box;">Enable strong password requirements and account lockout policies to defend against brute-force attacks.</li><li style="box-sizing: border-box;">Apply multi-factor authentication, when possible.</li><li style="box-sizing: border-box;">Apply system and software updates regularly, particularly if you are deploying products affected by CVE-2020-5902 and CVE-2017-9248.<ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 0px; padding-left: 1.5em;"><li style="box-sizing: border-box;">For patch information on CVE-2020-5902, refer to F5 Security Advisory&nbsp;<a href="https://support.f5.com/csp/article/K52145254" class="ext" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">K52145254</a></li><li style="box-sizing: border-box;">For patch information on CVE-2017-9248, refer to&nbsp;<a href="https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness" class="ext" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">Progress Telerik details for CVE-2017-9248</a></li></ul></li><li style="box-sizing: border-box;">Maintain a good information back-up strategy that involves routinely backing up all critical data and system configuration information on a separate device. Store the backups offline; verify their integrity and restoration process.</li><li style="box-sizing: border-box;">Enable logging and ensure logging mechanisms capture RDP logins. 
Keep logs for a minimum of 90 days, and review them regularly to detect intrusion attempts.</li><li style="box-sizing: border-box;">When creating cloud-based virtual machines, adhere to the cloud provider's best practices for remote access.</li><li style="box-sizing: border-box;">Ensure third parties that require RDP access are required to follow internal policies on remote access.</li><li style="box-sizing: border-box;">Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.</li><li style="box-sizing: border-box;">Regulate and limit external to internal RDP connections. When external access to internal resources is required, use secure methods, such as VPNs, recognizing VPNs are only as secure as the connected devices.</li><li style="box-sizing: border-box;">Be aware of unsolicited contact on social media from any individual you do not know.</li><li style="box-sizing: border-box;">Be aware of attempts to pass links or files via social media from anyone you do not know.</li><li style="box-sizing: border-box;">Be aware of unsolicited requests to share a file via online services.</li><li style="box-sizing: border-box;">Be aware of email messages conveying suspicious alerts or other online accounts, including login notifications from foreign countries or other alerts indicating attempted unauthorized access to your accounts.</li><li style="box-sizing: border-box;">Be suspicious of emails purporting to be from legitimate online services (e.g., the images in the email appear to be slightly pixelated and/or grainy, language in the email seems off, the email originates from an IP address not attributable to the provider/company).</li><li style="box-sizing: border-box;">Be suspicious of unsolicited email messages that contain shortened links (e.g., via&nbsp;<code style="box-sizing: border-box; font-family: Menlo, Monaco, Consolas, &quot; font-size: 14.4px; padding: 2px 4px; color: rgb(0, 113, 188); 
border-radius: 4px;">tinyurl</code>,&nbsp;<code style="box-sizing: border-box; font-family: Menlo, Monaco, Consolas, &quot; font-size: 14.4px; padding: 2px 4px; color: rgb(0, 113, 188); border-radius: 4px;">bit.ly</code>).</li><li style="box-sizing: border-box;">Use security features provided by social media platforms, use&nbsp;<a href="https://us-cert.cisa.gov/ncas/current-activity/2018/03/27/Creating-and-Managing-Strong-Passwords" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">strong passwords</a>, change passwords frequently, and use a different password for each social media account.</li><li style="box-sizing: border-box;">See CISA’s&nbsp;<a href="https://us-cert.cisa.gov/ncas/tips/ST19-002" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">Tip on Best Practices for Securing Election Systems</a>&nbsp;for more information.<br></li></ul></div>
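<p>One way to script the <code>krbtgt</code> reset-and-propagate steps (2 and 3, then 5 and 6) of the remediation guide above, as an added example that is not part of the CISA guidance. It assumes the ActiveDirectory PowerShell module and Domain Admin rights; the function names are my own.</p>

```powershell
# Added example (not from the CISA guide): one krbtgt reset cycle. Resets the
# password on the PDC emulator, then blocks until every domain controller has
# replicated it, which is what "wait for the reset to propagate" means in practice.
# Assumes the ActiveDirectory module and Domain Admin rights. The generated
# password is never displayed or stored; the KDC only needs it to exist.
Import-Module ActiveDirectory

function New-RandomKrbtgtPassword {
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Invoke-KrbtgtResetCycle {
    param([int]$PollSeconds = 60, [int]$TimeoutMinutes = 120)
    $pdc = (Get-ADDomain).PDCEmulator
    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword (New-RandomKrbtgtPassword)
    # pwdLastSet on the PDC is the reference; a DC has replicated once its value matches.
    $reference = (Get-ADUser -Identity krbtgt -Server $pdc -Properties pwdLastSet).pwdLastSet
    Write-Host ("krbtgt reset on {0} at {1:u}" -f $pdc, [DateTime]::FromFileTime($reference))

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $lagging = foreach ($dc in Get-ADDomainController -Filter *) {
            try {
                $seen = (Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties pwdLastSet).pwdLastSet
                if ($seen -lt $reference) { $dc.HostName }
            } catch { "$($dc.HostName) (unreachable)" }   # an unqueryable DC is not assumed current
        }
        if (-not $lagging) { Write-Host 'Reset has propagated to all domain controllers'; return }
        Write-Host "Still waiting on: $($lagging -join ', ')"
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "krbtgt reset did not propagate within $TimeoutMinutes minutes: $($lagging -join ', ')"
}

# Run once for steps 2-3. After the step-4 password resets, run it again for
# steps 5-6: the second reset invalidates every ticket issued under the original
# key, so the wait between the two runs is deliberate. Reboot DCs and endpoints last.
Invoke-KrbtgtResetCycle
```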
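<p>The RDP logging and account-lockout recommendations above ask for regular review of logon events; the following added example (not from the alert) reads 4624/4625 Security events and flags the brute-force pattern those controls are meant to catch. Function names, the failure threshold and the sample records are constructed for this illustration.</p>

```powershell
# Added example (not from the CISA alert): flag sources with many RDP logon
# failures (4625) followed by a successful interactive RDP logon (4624, type 10).
# Get-RdpLogonRecords reads the live Security log; the sample below is constructed.
function Get-RdpLogonRecords {
    param([int]$Days = 90)   # the alert recommends a 90-day retention window
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($event in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $field = @{}
        foreach ($d in ([xml]$event.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time = $event.TimeCreated; EventId = $event.Id
            LogonType = [int]$field['LogonType']
            User = $field['TargetUserName']; SourceIp = $field['IpAddress']
        }
    }
}

function Find-RdpBruteForce {
    param([object[]]$Records, [int]$FailureThreshold = 10)
    # With NLA, failed RDP attempts are logged as logon type 3; successes as type 10.
    $rdp = $Records | Where-Object { $_.LogonType -in 3, 10 -and $_.SourceIp -notin '-', '127.0.0.1' }
    foreach ($group in ($rdp | Group-Object SourceIp)) {
        $failures = @($group.Group | Where-Object { $_.EventId -eq 4625 })
        if ($failures.Count -lt $FailureThreshold) { continue }
        $lastFailure = ($failures | Sort-Object Time | Select-Object -Last 1).Time
        $success = $group.Group | Where-Object { $_.EventId -eq 4624 -and $_.LogonType -eq 10 -and $_.Time -gt $lastFailure }
        [pscustomobject]@{
            SourceIp = $group.Name
            Failures = $failures.Count
            Accounts = ($failures.User | Sort-Object -Unique) -join ','
            # A success after the failure burst is the case to escalate, not just lock out.
            SuccessAfterFailures = [bool]$success
        }
    }
}

# Constructed sample: 12 failures against two accounts from one address, then a
# type-10 success from it, plus one normal RDP logon from an internal host.
$now = Get-Date
$sample = @(
    1..12 | ForEach-Object { [pscustomobject]@{ Time = $now.AddMinutes($_ - 30); EventId = 4625; LogonType = 3; User = @('admin', 'backup')[$_ % 2]; SourceIp = '203.0.113.7' } }
    [pscustomobject]@{ Time = $now.AddMinutes(-5); EventId = 4624; LogonType = 10; User = 'admin'; SourceIp = '203.0.113.7' }
    [pscustomobject]@{ Time = $now.AddMinutes(-4); EventId = 4624; LogonType = 10; User = 'jsmith'; SourceIp = '10.0.0.25' }
)
Find-RdpBruteForce -Records $sample | Format-Table
# Live review over the retention window the alert recommends:
# Find-RdpBruteForce -Records (Get-RdpLogonRecords -Days 90) | Format-Table
```

Only 203.0.113.7 is reported (12 failures, SuccessAfterFailures true); the single logon from 10.0.0.25 stays below the threshold.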