Advisories

1.0 Introduction

Recently, CISA released six Industrial Control Systems (ICS) advisories on March 16, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 

2.0 Affected Products

• Siemens SCALANCE, RUGGEDCOM Third-Party
• Siemens RUGGEDCOM CROSSBOW V5.3 
• Siemens RUGGEDCOM CROSSBOW V5.2
• Siemens SCALANCE W1750D Devices
• Siemens Mendix SMAL Module
• Honeywell OneWireless Wireless Device Manager
• Rockwell Automation Modbus TCP AOI Server
• AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere (Update A)

4.0 Recommendations
MyCERT encourages users and administrators to review the newly released ICS advisories for technical details and mitigations:

• ICSA-23-075-01 Siemens SCALANCE, RUGGEDCOM Third-Party - https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-01
• ICSA-23-075-02 Siemens RUGGEDCOM CROSSBOW V5.3 - https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-02
• ICSA-23-075-03 Siemens RUGGEDCOM CROSSBOW V5.2 - https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-03
• ICSA-23-075-04 Siemens SCALANCE W1750D Devices - https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-04
• ICSA-23-075-05 Siemens Mendix SMAL Module - https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-05
• ICSA-23-075-06 Honeywell OneWireless Wireless Device Manager - https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-06
• ICSA-23-075-07 Rockwell Automation Modbus TCP AOI Server - https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-07
• ICSA-22-342-02 AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere (Update A) - https://www.cisa.gov/news-events/ics-advisories/icsa-22-342-02

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://www.cisa.gov/news-events/alerts/2023/03/16/cisa-releases-eight-industrial-control-systems-advisories

1.0 Introduction
Recently, CISA and the National Security Agency (NSA) have published a joint cybersecurity advisory about control system defense for operational technology (OT) and industrial control systems (ICSs). 

2.0 Impact
"Control System Defense: Know the Opponent" is intended to provide critical infrastructure owners and operators with an understanding of the tactics, techniques, and procedures (TTP) used by malicious cyber actors.

3.0 Recommendations
MyCERT encourages critical infrastructure owners and operations to review the advisory, "Control System Defense: Know the Opponent", and apply the recommended mitigations and actions.

Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practices and security policies to determine which updates should be applied.

For further inquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

4.0    References
• https://www.cisa.gov/uscert/ncas/current-activity/2022/09/22/cisa-and-nsa-publish-joint-cybersecurity-advisory-control-system
• https://www.cisa.gov/uscert/ncas/alerts/aa22-265a
 

1.0 Introduction

Since approximately September 2022, cyber criminals have organizations with a Royal ransomware variant, which uses its own custom-made file encryption program. It evolved from earlier iterations that used “Zeon” as a loader.

2.0 Impact
After gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems. Royal actors have made ransom demands ranging from approximately $1 million to $11 million USD in Bitcoin. In observed incidents, Royal actors do not include ransom amounts and payment instructions as part of the initial ransom note. Instead, the note, which appears after encryption, requires victims to interact directly with the threat actor via a .onion URL (reachable through the Tor browser). Royal actors have targeted numerous critical infrastructure sectors including, but not limited to, Manufacturing, Communications, Healthcare and Public Healthcare (HPH), and Education.

3.0 Techniques, Tactics and Procedures (TTPs)

Initial Access

Royal actors gain initial access to victim networks in a number of ways, cybercriminals including: 

• Phishing. According to third-party reporting, Royal actors most commonly (in 66.7% of incidents) gain initial access to victim networks via successful phishing emails [T1566].
• According to open-source reporting, victims have unknowingly installed malware that delivers Royal ransomware after receiving phishing emails containing malicious PDF documents [T1566.001], and malvertising [T1566.002].[2]
• Remote Desktop Protocol (RDP). RDP compromise is the second most common vector Royal actors use (in 13.3% of incidents) for initial access  
• Public-facing applications. FBI has also observed Royal actors gain initial access through exploiting public-facing applications [T1190]. 
  • Brokers. Reports from trusted third-party sources indicate that Royal actors may leverage brokers to gain initial access and source traffic by harvesting virtual private network (VPN) credentials from stealer logs. 

Command and Control

Once Royal actors gain access to the network, they communicate with command and control (C2) infrastructure and download multiple tools [T1105]. Legitimate Windows software is repurposed by Royal operators to strengthen their foothold in the victim’s network. Ransomware operators often use open-source projects to aid their intrusion activities; Royal operators have recently been observed using Chisel, a tunneling tool transported over HTTP and secured via SSH [T1572], to communicate with their C2 infrastructure. FBI has observed multiple Qakbot C2s used in Royal ransomware attacks, but has not yet determined if Royal ransomware exclusively uses Qakbot C2s.

Lateral Movement and Persistence

Royal actors often use RDP to move laterally across the network [T1021.001]. Microsoft Sysinternals tool PsExec has also been used to aid lateral movement. FBI has observed Royal actors using remote monitoring and management (RMM) software, such as AnyDesk, LogMeIn, and Atera, for persistence in the victim’s network [T1133]. In some instances, the actors moved laterally to the domain controller. In one confirmed case, the actors used a legitimate admin account to log on to the domain controller [T1078] remotely, typically. Once on the domain controller, the threat actor deactivated antivirus protocols [T1562.001] by modifying Group Policy Objects [T1484.001].

Exfiltration

Royal actors exfiltrate data from victim networks by repurposing legitimate cyber pen-testing tools, such as Cobalt Strike, and malware tools and derivatives, such as Ursnif/Gozi, for data aggregation and exfiltration. According to third-party reporting, Royal actors’ first hop in exfiltration and other operations is usually a U.S. IP address.

Note: In reference to Cobalt Strike and other tools mentioned above, a tool repository used by Royal was identified at IP: 94.232.41[.]105 in December 2022.

Encryption

Before starting the encryption process, Royal actors: 

• Use Windows Restart Manager to determine whether targeted files are currently in use or blocked by other applications [T1486].[1] 
• Use Windows Volume Shadow Copy service (vssadmin.exe) to delete shadow copies to prevent system recovery.[1]  

FBI has found numerous batch (.bat) files on impacted systems which are typically transferred as an encrypted 7zip file. Batch files create a new admin user [T1078.002], force a group policy update, set pertinent registry keys to auto-extract [T1119] and execute the ransomware, monitor the encryption process, and delete files upon completion—including Application, System, and Security event logs [T1070.001].

Malicious files have been found in victim networks in the following directories:

• C:\Temp\  
• C:\Users\<user>\AppData\Roaming\  
• C:\Users\<users>\ 
• C:\ProgramData\

4.0 Indicators of Compromise 

Indicators of Compromise (IOC)

See Tables 1 and 2 for Royal ransomware IOCs that the FBI obtained during threat response activities as of January 2023. Note: Some of the observed IP addresses are several months old. FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action, such as blocking.

Table 1: Royal Ransomware Associated Files, Hashes, and IP addresses as of January 2023

Table 2: Tools used by Royal operators

5.0 Recommendations
MyCERT recommends network defenders apply the following mitigations to limit potential adversarial use of the common system and network discovery techniques and to reduce the risk of compromise by Royal ransomware. These mitigations follow CISA’s Cybersecurity Performance Goals (CPGs), which provide a minimum set of practices and protections that are informed by the most common and impactful threats, tactics, techniques, and procedures and which yield goals that all organizations across critical infrastructure sectors should implement:

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers [CPG 7.3] in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
• Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies [CPG 3.4].
  • Use longer passwords consisting of at least 8 characters and no more than 64 characters in length [CPG 1.4].
  • Store passwords in a hashed format using industry-recognized password managers.
  • Add password user “salts” to shared login credentials.
  • Avoid reusing passwords.
  • Implement multiple failed login attempt account lockouts [CPG 1.1].
  • Disable password hints.
  • Refrain from requiring password changes more frequently than once per year. Note: NIST guidance suggests favouring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password patterns cyber criminals can easily decipher. 
  • Require administrator credentials to install the real-timesoftware.
• Require multifactor authentication [CPG 1.3] for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems. 
• Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. 
• Segment networks [CPG 8.1]. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and restricting adversary lateral movement. 
• Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic [CPG 5.1], including lateral movement activity on a network. Endpoint detection and response (EDR) tools are useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. 
• Install, regularly update, and enable real time detection for antivirus software on all hosts.
• Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
• Audit user accounts with administrative privileges and configures access controls according to the principle of least privilege [CPG 1.5].
• Disable unused ports.
• Consider adding an email banner to emails [CPG 8.3] received from outside your organization.
• Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need support completing a certain task. 
• Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors cannot run these tools, they will have difficulty escalating privileges and/or moving laterally. 
• Maintain offline backups of data and regularly maintain backup and restoration [CPG 7.3]. By instituting this practice, the organization ensures they will not be severely interrupted and/or only have irretrievable data. 
• Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 3.3].

Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please get in touch with MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

6.0    References

• https://www.stopransomware.gov/
• https://www.cybereason.com/blog/royal-ransomware-analysis
• https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/
• https://www.cyber.gov.au/acsc/view-all-content/advisories/2023-01-acsc-ransomware-profile-royal

1.0 Introduction

Recently, Microsoft has released updates to address multiple vulnerabilities in Microsoft software.

2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products
This release consists of security updates for the following products, features and roles.

• Azure
• Client Server Run-time Subsystem (CSRSS)
• Internet Control Message Protocol (ICMP)
• Microsoft Bluetooth Driver
• Microsoft Dynamics
• Microsoft Edge (Chromium-based)
• Microsoft Graphics Component
• Microsoft Office Excel
• Microsoft Office Outlook
• Microsoft Office SharePoint
• Microsoft OneDrive
• Microsoft PostScript Printer Driver
• Microsoft Printer Drivers
• Microsoft Windows Codecs Library
• Office for Android
• Remote Access Service Point-to-Point Tunneling Protocol
• Role: DNS Server
• Role: Windows Hyper-V
• Service Fabric
• Visual Studio
• Windows Accounts Control
• Windows Bluetooth Service
• Windows Central Resource Manager
• Windows Cryptographic Services
• Windows Defender
• Windows HTTP Protocol Stack
• Windows HTTP.sys
• Windows Internet Key Exchange (IKE) Protocol
• Windows Kernel
• Windows Partition Management Driver
• Windows Point-to-Point Protocol over Ethernet (PPPoE)
• Windows Remote Procedure Call
• Windows Remote Procedure Call Runtime
• Windows Resilient File System (ReFS)
• Windows Secure Channel
• Windows SmartScreen
• Windows TPM
• Windows Win32K

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s March 2023 Security Update Guide and Deployment Information and apply the necessary updates. Kindly refer to the URLs below:

Microsoft’s March 2023 Security Update Guide : https://msrc.microsoft.com/update-guide/releaseNote/2023-Mar
Deployment Information : https://msrc.microsoft.com/update-guide/deployments

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://www.cisa.gov/news-events/alerts/2023/03/14/microsoft-releases-march-2023-security-updates
• https://msrc.microsoft.com/update-guide/releaseNote/2023-Mar
• https://msrc.microsoft.com/update-guide/deployments

1.0 Introduction

Recently, Apple has released security updates to address vulnerabilities in multiple products.

2.0 Impact
An attacker could exploit some of these vulnerabilities to take control of an affected device.

3.0 Affected Products

• Safari 16.3
• iOS 12.5.7
• macOS Monterey 12.6.3
• macOS Big Sur 11.7.3
• watchOS 9.3
• iOS 15.7.3 and iPadOS 15.7.3
• iOS 16.3 and iPadOS 16.3
• macOS Ventura 13.2

4.0 Recommendations
MyCERT encourages users and administrators to review the Apple security updates page for the following products and apply the necessary updates as soon as possible:

• Safari 16.3 : https://support.apple.com/en-us/HT213600
• iOS 12.5.7 : https://support.apple.com/en-us/HT213597
• macOS Monterey 12.6.3 : https://support.apple.com/en-us/HT213604
• macOS Big Sur 11.7.3 : https://support.apple.com/en-us/HT213603
• watchOS 9.3 : https://support.apple.com/en-us/HT213599
• iOS 15.7.3 and iPadOS 15.7.3 : https://support.apple.com/en-us/HT213598
• iOS 16.3 and iPadOS 16.3 : https://support.apple.com/en-us/HT213606
• macOS Ventura 13.2 : https://support.apple.com/en-us/HT213605

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://www.cisa.gov/uscert/ncas/current-activity/2023/01/24/apple-releases-security-updates-multiple-products
• https://support.apple.com/