Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations | CISA
Tags
cmtmf-attack-pattern: Application Layer Protocol; Compromise Infrastructure; Obfuscated Files Or Information; Supply Chain Compromise
country: Russia; United States Of America
maec-delivery-vectors: Watering Hole
attack-pattern: Data Software Discovery - T1418; Application Layer Protocol - T1437; Code Signing - T1553.002; Compromise Infrastructure - T1584; Compromise Software Dependencies And Development Tools - T1195.001; Compromise Software Dependencies And Development Tools - T1474.001; Compromise Software Supply Chain - T1195.002; Compromise Software Supply Chain - T1474.003; Create Or Modify System Process - T1543; Credentials - T1589.001; Dns - T1071.004; Dns - T1590.002; Domain Generation Algorithms - T1637.001; Domain Generation Algorithms - T1568.002; Domain Generation Algorithms - T1520; Domain Generation Algorithms - T1483; Domains - T1583.001; Domains - T1584.001; Dynamic Resolution - T1637; Dynamic Resolution - T1568; Email Accounts - T1585.002; Email Accounts - T1586.002; File And Directory Discovery - T1420; File Deletion - T1070.004; File Deletion - T1630.002; Firmware - T1592.003; Impersonation - T1656; Indicator Removal On Host - T1630; Ingress Tool Transfer - T1544; Ip Addresses - T1590.005; Kerberoasting - T1558.003; Malware - T1587.001; Malware - T1588.001; Obfuscated Files Or Information - T1406; Process Discovery - T1424; Multi-Factor Authentication - T1556.006; Network Devices - T1584.008; Password Guessing - T1110.001; Password Spraying - T1110.003; Phishing - T1660; Phishing - T1566; Saml Tokens - T1606.002; Security Software Discovery - T1518.001; Server - T1583.004; Server - T1584.004; Service Execution - T1569.002; Sharepoint - T1213.002; Software - T1592.002; Software Discovery - T1518; Standard Encoding - T1132.001; Steganography - T1001.002; Steganography - T1406.001; Steganography - T1027.003; Subvert Trust Controls - T1632; Subvert Trust Controls - T1553; Supply Chain Compromise - T1474; System Services - T1569; Web Protocols - T1071.001; Web Protocols - T1437.001; Windows Service - T1543.003; Vulnerabilities - T1588.006; Standard Application Layer Protocol - T1071; Code Signing - T1116; Data Encoding - T1132; External Remote Services - T1133; File And Directory Discovery - T1083; File Deletion - T1107; Indicator Removal On Host - T1070; Remote File Copy - T1105; Kerberoasting - T1208; Obfuscated Files Or Information - T1027; Process Discovery - T1057; Query Registry - T1012; Security Support Provider - T1101; Service Execution - T1035; Supply Chain Compromise - T1195; Valid Accounts - T1078; Indicator Removal On Host; Supply Chain Compromise
Common Information
Type Value
UUID 3e310c54-ce9e-47bd-a04c-dafc65da487d
Fingerprint bc0144c04e1cd5a3
Analysis status IN_PROGRESS
Considered CTI value 2
Text language
Published Dec. 17, 2020, midnight
Added to db Sept. 26, 2022, 9:31 a.m.
Last updated Nov. 17, 2024, 7:44 p.m.
Headline Alert (AA20-352A)
Title Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations | CISA
Detected Hints/Tags/Attributes 148/4/91
Attributes
Type | #Events | Value
Domain | 154 | us-cert.cisa.gov
Domain | 469 | www.cisa.gov
Domain | 152 | cisa.gov
Domain | 50 | avsvmcloud.com
Domain | 4127 | github.com
Domain | 5 | solarwinds.com
Domain | 55 | cisa.dhs.gov
Domain | 18 | dhs.sgov.gov
Domain | 18 | dhs.ic.gov
Domain | 5 | www.us-cert.cisa.gov
Email | 10 | central@cisa.dhs.gov
Email | 18 | us-cert@dhs.sgov.gov
Email | 18 | us-cert@dhs.ic.gov
File | 29 | orion.core
File | 26 | businesslayer.dll
File | 2 | sparrow.ps1
File | 1 | core-secure-configuration.htm
Github username | 11 | cisagov
md5 | 2 | e18a6a21eb44e77ca8d739a72209c370
md5 | 1 | b3f7ac8215b73e73e1e184933c788759
md5 | 1 | 563d4d55eae72710f9419975d087fd11
md5 | 1 | d22e80d03fe69389cbf3299f6f800f80
md5 | 1 | 6b5f205d79a647b275500597975314a5
md5 | 2 | 731d724e8859ef063c03a8b1ab7f81ec
md5 | 7 | b91ce2fa41029f6955bff20079468448
md5 | 4 | 2c4a910a1299cdae2a4e55988a2f102e
md5 | 5 | 846e27a652a5e1bfbd0ddd38a16dc865
md5 | 1 | 1412c74537fc769b5dd34b4c1da0bf48
md5 | 1 | 2d9b1245d42bb9f928da2528bb057de2
md5 | 1 | 610ec1ab7701b410df1e309240343cdf
sha1 | 1 | 5e643654179e8b4cfe1d3c1906a90a4c8d611cea
sha1 | 1 | 48e84a1ed30d36f6750bce8748fe0edbfa9fb3dc
sha1 | 1 | 162bb92a18bb39ac7e9a9997369a6efe0dd74094
sha1 | 1 | 98bb0c5d1a711472225dc1194133f37c80159664
sha1 | 1 | 2a255070160b1c6fcad4f0586b64691fe8b6d0f8
sha1 | 3 | 1acf3108bf1e376c8848fbb25dc87424f2c2a39c
sha1 | 3 | 76640508b1e7759e548771a5359eaed353bf1eec
sha1 | 4 | 2f1a5a7411d015d01aaee4535835400191645023
sha1 | 3 | d130bd75645c2433f88ac03e73395fba172ef676
sha1 | 1 | 00f66fc1f74b9ecabf1aafc123f2ef0f94edc258
sha1 | 1 | 8acbcc116baa80262d09635bd312018372fefca6
sha1 | 1 | babf9af689033fa2a825528715ae6dc625619e65
sha256 | 5 | a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc
sha256 | 1 | 9bee4af53a8cdd7ecabe5d0c77b6011abe887ac516a5a22ad51a058830403690
sha256 | 1 | bb86f66d11592e3312cd03423b754f7337aeebba9204f54b745ed3821de6252d
sha256 | 1 | ae6694fd12679891d95b427444466f186bcdcc79bc0627b590e0cb40de1928ad
sha256 | 1 | 9d6285db647e7eeabdb85b409fad61467de1655098fec2e25aeb7770299e9fee
sha256 | 9 | dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
sha256 | 12 | 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
sha256 | 13 | 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
sha256 | 10 | ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
sha256 | 2 | 8dfe613b00d495fb8905bdf6e1317d3e3ac1f63a626032fa2bdad4750887ee8a
sha256 | 2 | 143632672dcb6ef324343739636b984f5c52ece0e078cfee7c6cac4a3545403a
sha256 | 2 | cc870c07eeb672ab33b6c2be51b173ad5564af5d98bfc02da02367a9e349a76f
IPv4 | 3 | 20.140.0.1
IPv4 | 1 | 12.227.230.4
IPv4 | 1 | 65.153.203.68
MITRE ATT&CK Techniques | 1 | T1101.001
MITRE ATT&CK Techniques | 1 | T1101.003
MITRE ATT&CK Techniques | 306 | T1078
MITRE ATT&CK Techniques | 191 | T1133
MITRE ATT&CK Techniques | 36 | T1195.002
MITRE ATT&CK Techniques | 26 | T1027.003
MITRE ATT&CK Techniques | 501 | T1012
MITRE ATT&CK Techniques | 627 | T1027
MITRE ATT&CK Techniques | 433 | T1057
MITRE ATT&CK Techniques | 297 | T1070.004
MITRE ATT&CK Techniques | 442 | T1071.001
MITRE ATT&CK Techniques | 52 | T1071.004
MITRE ATT&CK Techniques | 585 | T1083
MITRE ATT&CK Techniques | 492 | T1105
MITRE ATT&CK Techniques | 99 | T1132.001
MITRE ATT&CK Techniques | 6 | T1195.001
MITRE ATT&CK Techniques | 185 | T1518
MITRE ATT&CK Techniques | 141 | T1518.001
MITRE ATT&CK Techniques | 180 | T1543.003
MITRE ATT&CK Techniques | 55 | T1553.002
MITRE ATT&CK Techniques | 25 | T1568.002
MITRE ATT&CK Techniques | 174 | T1569.002
MITRE ATT&CK Techniques | 66 | T1584
Url | 3 | https://us-cert.cisa.gov/remediating-apt-compromised-networks
Url | 4 | https://www.cisa.gov/supply-chain-compromise.
Url | 1 | https://github.com/cisagov/sparrow.
Url | 1 | http://solarwinds.com/upgrading-your-environment
Url | 1 | https://documentation.solarwinds.com/en/success_center/orionplatform/content/core-secure-configuration.htm
Url | 1 | https://techcommunity.microsoft.com/t5/microsoft-security-and/detecting-ldap-based-kerberoasting-with-azure-atp/ba-p/462448.
Url | 1 | https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
Url | 1 | https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview.
Url | 1 | https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos
Url | 1 | https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password.
Url | 2 | http://www.us-cert.cisa.gov/.