The following bulletins were released in February 2013 by the U.S. Computer Emergency Readiness Team (US-CERT) on a limited basis to “confirmed members of the cybersecurity community of practice, which may include critical infrastructure owners and operators, systems administrators, and information security practitioners.” Both versions of the bulletin were found to be available on a number of public websites associated with various professional associations and trade groups.
Joint Indicator Bulletin (JIB) – INC260425 | 27 pages | February 18, 2013
Joint Indicator Bulletin (JIB) – INC260425-2 | 10 pages | February 26, 2013
Various cyber actors have engaged in malicious activity against Government and Private Sector entities. The apparent objective of this activity has been the theft of intellectual property, trade secrets, and other sensitive business information. To this end, the malicious actors have employed a variety of techniques in order to infiltrate targeted organizations, establish a foothold, move laterally through the targets’ networks, and exfiltrate confidential or proprietary data. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation and other partners, has created this Joint Indicator Bulletin, containing cyber indicators related to this activity. Organizations are advised to examine current and historical security logs for evidence of malicious activity related to the indicators in this bulletin and deploy additional protections as appropriate. In addition, DHS would welcome any additional information your organization may be able to share regarding this or similar activity, which may be provided to the US Computer Emergency Readiness Team (US-CERT) at soc@us-cert.gov.
Document Overview
This Joint Indicator Bulletin comprises several sections covering malware indicators, network traffic, tool indicators, hostnames, and IP addresses known to be associated with the ongoing malicious activity. If suspicious network traffic or malware is identified based on these indicators, affected systems should be investigated for signs of compromise.
To support developing shared situational awareness of cyber threats, DHS welcomes any additional information your organization may be able to share regarding this or similar activity. Such information can be provided to the United States Computer Emergency Readiness Team (US-CERT) at soc@us-cert.gov.
…
Indicator Descriptions
As a general matter, malicious cyber actors have multiple tools at their disposal and can represent a significant threat to targeted victim organizations. Such actors frequently compromise victim organizations with targeted spear-phishing campaigns, understand how to move laterally within a network to acquire targeted data, and often maintain undetected persistence on victim networks for months or even years. The indicators provided in this Bulletin include malware and compromised IP addresses and domains used by such actors.
Malware
Malicious activity like that described in this Bulletin usually originates via targeted spear phishing email campaigns that compromise victim organizations. These emails can result in the installation of one or more pieces of malware used to enable complete control of those systems. The presence of such malware is a strong indication the computer or network has been compromised.
Client Tools
During the course of a computer intrusion, malicious actors often download additional tools to victim systems in order to evade local security measures and to compromise additional computers on victim networks. These tools might have legitimate uses, but, when combined with other indications of an intrusion, could indicate that the computer has been compromised. The presence of these tools alone is not necessarily a positive indication of malicious activity, but may enable an organization to identify malicious activity.
IP Addresses, Hostnames and Second-Level Domains
Malicious actors routinely compromise hosts on the Internet for the purpose of obscuring their activity, particularly the exfiltration of computer files from end-point victims. The majority of these compromised hosts have been configured to prevent identification of the source of the intrusion activity. The traffic from these hosts is generally legitimate, but, because they have been compromised, activity to and from these IPs should be reviewed for indications of malicious traffic.
Malicious actors also make use of numerous Internet hostnames for the purpose of compromising and controlling victim systems. Actors have been known to register second-level domains for their exclusive use in these activities. In addition, malicious actors have been known to use DNS providers that allow the use of specific hostnames that are part of shared second-level domains.
Many of these hostnames and domains may be legitimate hosts or domains that have been co-opted by malicious actors. Any number of the IP addresses or domains in this Bulletin may have been remediated prior to publication of this list. In some cases, a single IP address from this indicator list may represent hundreds or even thousands of legitimate independent websites, or may represent a small business network. A number of indicators contained in this Bulletin resolve back to large scale service providers whose services are being abused. For these reasons, outright blocking of these indicators is not recommended. Rather, traffic from these IPs or domains should be investigated for signs of compromise.
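The following is an added example (not part of the bulletin or of any US-CERT tooling) of how a defender might run the three indicator categories described above against proxy logs. It assumes constructed placeholder indicators and constructed log lines; the real values are only in the bulletin itself. It keeps the distinction the text draws: an actor-registered second-level domain matches every hostname beneath it, while a hostname on a shared dynamic-DNS domain matches only that exact host, and an IP hit is reported for review because one address may front many legitimate sites.

```python
from collections import defaultdict

# Constructed placeholder indicators standing in for the bulletin's lists.
IOC_IPS = {"203.0.113.7", "198.51.100.23"}
IOC_HOSTNAMES = {"update.shared-dyndns.test"}   # one host on a shared SLD
IOC_SLDS = {"actor-only.test"}                  # SLD registered by the actor

# Constructed proxy log lines: client_ip dest_host dest_ip url_path
SAMPLE_LOG = """\
10.0.0.5 www.vendor-cdn.test 203.0.113.7 /images/logo.png
10.0.0.9 update.shared-dyndns.test 198.51.100.44 /up.php
10.0.0.9 mail.shared-dyndns.test 198.51.100.45 /
10.0.0.12 files.actor-only.test 192.0.2.9 /x.gif
10.0.0.5 www.example.test 192.0.2.10 /"""


def second_level_domain(host):
    """Return the last two labels of a hostname, e.g. 'a.b.c.test' -> 'c.test'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def match_line(line):
    """Return (client_ip, [(category, indicator), ...]) for one log line."""
    client, host, dest_ip, _path = line.split()
    host = host.lower()
    hits = []
    if dest_ip in IOC_IPS:
        hits.append(("ip", dest_ip))            # review: may be shared hosting
    if host in IOC_HOSTNAMES:
        hits.append(("hostname", host))         # exact host on a shared SLD
    if second_level_domain(host) in IOC_SLDS:
        hits.append(("sld", second_level_domain(host)))  # any host under it
    return client, hits


def triage(log_text):
    """Group indicator hits by internal client so each host can be investigated."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        client, hits = match_line(line)
        report[client].extend(hits)
    return dict(report)


if __name__ == "__main__":
    for client, hits in triage(SAMPLE_LOG).items():
        print(client, hits)
```

Hits are grouped per internal client rather than turned into block rules, matching the bulletin's advice to investigate rather than block.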
List of IPs: http://publicintelligence.net/nccic-malware-ips/