Archive

Archive for the ‘Microsoft security intelligence’ Category

Secured-core PCs help customers stay ahead of advanced data theft

May 13th, 2020 No comments

Researchers at the Eindhoven University of Technology recently revealed information around “Thunderspy,” an attack that relies on leveraging direct memory access (DMA) functionality to compromise devices. An attacker with physical access to a system can use Thunderspy to read and copy data even from systems that have encryption with password protection enabled.

Secured-core PCs provide customers with Windows 10 systems that come configured from OEMs with a set of hardware, firmware, and OS features enabled by default, mitigating Thunderspy and any similar attacks that rely on malicious DMA.

How Thunderspy works

Like any other modern attack, “Thunderspy” relies on not one but multiple building blocks being chained together to deliver protection from these kinds of targeted attacks. Below is a summary of how Thunderspy can be used to access a system where the attacker does not have the password needed to sign in. A video from the Thunderspy research team showing the attack is available here.

Step 1: A serial peripheral interface (SPI) flash programmer called Bus Pirate is plugged into the SPI flash of the device being attacked. This gives access to the Thunderbolt controller firmware and allows an attacker to copy it over to the attacker’s device

Step 2: The Thunderbolt Controller Firmware Patcher (tcfp), which is developed as part of Thunderspy, is used to disable the security mode enforced in the Thunderbolt firmware copied over using the Bus Pirate device in Step 1

Step 3: The modified insecure Thunderbolt firmware is written back to the SPI flash of the device being attacked

Step 4: A Thunderbolt-based attack device is connected to the device being attacked, leveraging the PCILeech tool to load a kernel module that bypasses the Windows sign-in screen

Diagram showing how the Thunderspy attack works

The result is that an attacker can access a device without knowing the sign-in password for the device. This means that even if a device was powered off or locked by the user, someone that could get physical access to the device in the time it takes to run the Thunderspy process could sign in and exfiltrate data from the system or install malicious software.

Secured-core PC protections

In order to counteract these targeted, modern attacks, Secured-core PCs use a defense-in-depth strategy that leverage features like Windows Defender System Guard and virtualization-based security (VBS) to mitigate risk across multiple areas, delivering comprehensive protection against attacks like Thunderspy.

Mitigating Steps 1 to 4 of the Thunderspy attack with Kernel DMA protection

Secured-core PCs ship with hardware and firmware that support Kernel DMA protection, which is enabled by default in the Windows OS. Kernel DMA protection relies on the Input/Output Memory Management Unit (IOMMU) to block external peripherals from starting and performing DMA unless an authorized user is signed in and the screen is unlocked. Watch this video from the 2019 Microsoft Ignite to see how Windows mitigates DMA attacks.

This means that even if an attacker was able to copy a malicious Thunderbolt firmware to a device, the Kernel DMA protection on a Secured-core PC would prevent any accesses over the Thunderbolt port unless the attacker gains the user’s password in addition to being in physical possession of the device, significantly raising the degree of difficulty for the attacker.

Hardening protection for Step 4 with Hypervisor-protected code integrity (HVCI)

Secured-core PCs ship with hypervisor protected code integrity (HVCI) enabled by default. HVCI utilizes the hypervisor to enable VBS and isolate the code integrity subsystem that verifies that all kernel code in Windows is signed from the normal kernel. In addition to isolating the checks, HVCI also ensures that kernel code cannot be both writable and executable, ensuring that unverified code does not execute.

HVCI helps to ensure that malicious kernel modules like the one used in Step 4 of the Thunderspy attack cannot execute easily as the kernel module would need to be validly signed, not revoked, and not rely on overwriting executable kernel code.

Modern hardware to combat modern threats

A growing portfolio of Secured-core PC devices from the Windows OEM ecosystem are available for customers. They provide a consistent guarantee against modern threats like Thunderspy with the variety of choices that customers expect to choose from when acquiring Windows hardware. You can learn more here: https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers

 

Nazmus Sakib

Enterprise and OS Security 

The post Secured-core PCs help customers stay ahead of advanced data theft appeared first on Microsoft Security.

Microsoft researchers work with Intel Labs to explore new deep learning approaches for malware classification

May 8th, 2020 No comments

The opportunities for innovative approaches to threat detection through deep learning, a category of algorithms within the larger framework of machine learning, are vast. Microsoft Threat Protection today uses multiple deep learning-based classifiers that detect advanced threats, for example, evasive malicious PowerShell.

In continued exploration of novel detection techniques, researchers from Microsoft Threat Protection Intelligence Team and Intel Labs are collaborating to study new applications of deep learning for malware classification, specifically:

  • Leveraging deep transfer learning technique from computer vision to static malware classification
  • Optimizing deep learning techniques in terms of model size and leveraging platform hardware capabilities to improve execution of deep-learning malware detection approaches

For the first part of the collaboration, the researchers built on Intel’s prior work on deep transfer learning for static malware classification and used a real-world dataset from Microsoft to ascertain the practical value of approaching the malware classification problem as a computer vision task. The basis for this study is the observation that if malware binaries are plotted as grayscale images, the textural and structural patterns can be used to effectively classify binaries as either benign or malicious, as well as cluster malicious binaries into respective threat families.

The researchers used an approach that they called static malware-as-image network analysis (STAMINA). Using the dataset from Microsoft, the study showed that the STAMINA approach achieves high accuracy in detecting malware with low false positives.

The results and further technical details of the research are listed in the paper STAMINA: Scalable deep learning approach for malware classification and set the stage for further collaborative exploration.

The role of static analysis in deep learning-based malware classification

While static analysis is typically associated with traditional detection methods, it remains to be an important building block for AI-driven detection of malware. It is especially useful for pre-execution detection engines: static analysis disassembles code without having to run applications or monitor runtime behavior.

Static analysis produces metadata about a file. Machine learning classifiers on the client and in the cloud then analyze the metadata and determine whether a file is malicious. Through static analysis, most threats are caught before they can even run.

For more complex threats, dynamic analysis and behavior analysis build on static analysis to provide more features and build more comprehensive detection. Finding ways to perform static analysis at scale and with high effectiveness benefits overall malware detection methodologies.

To this end, the research borrowed knowledge from  computer vision domain to build an enhanced static malware detection framework that leverages deep transfer learning to train directly on portable executable (PE) binaries represented as images.

Analyzing malware represented as image

To establish the practicality of the STAMINA approach, which posits that malware can be classified at scale by performing static analysis on malware codes represented as images, the study covered three main steps: image conversion, transfer learning, and evaluation.

Diagram showing the steps for the STAMINA approach: pre-processing, transfer learning, and evaluation

First, the researchers prepared the binaries by converting them into two-dimensional images. This step involved pixel conversion, reshaping, and resizing. The binaries were converted into a one-dimensional pixel stream by assigning each byte a value between 0 and 255, corresponding to pixel intensity. Each pixel stream was then transformed into a two-dimensional image by using the file size to determine the width and height of the image.

The second step was to use transfer learning, a technique for overcoming the isolated learning paradigm and utilizing knowledge acquired for one task to solve related ones. Transfer learning has enjoyed tremendous success within several different computer vision applications. It accelerates training time by bypassing the need to search for optimized hyperparameters and different architectures—all this while maintaining high classification performance. For this study, the researchers used Inception-v1 as the base model.

The study was performed on a dataset of 2.2 million PE file hashes provided by Microsoft. This dataset was temporally split into 60:20:20 segments for training, validation, and test sets, respectively.

Diagram showing a DNN with pre-trained weights on natural images, and the last portion fine-tuned with new data

Finally, the performance of the system was measured and reported on the holdout test set. The metrics captured include recall at specific false positive range, along with accuracy, F1 score, and area under the receiver operating curve (ROC).

Findings

The joint research showed that applying STAMINA to real-world hold-out test data set achieved a recall of 87.05% at 0.1% false positive rate, and 99.66% recall and 99.07% accuracy at 2.58% false positive rate overall. The results certainly encourage the use of deep transfer learning for the purpose of malware classification. It helps accelerate training by bypassing the search for optimal hyperparameters and architecture searches, saving time and compute resources in the process.

The study also highlights the pros and cons of sample-based methods like STAMINA and metadata-based classification methods. For example, STAMINA can go in-depth into samples and extract additional signals that might not be captured in the metadata.  However, for bigger size applications, STAMINA becomes less effective due to limitations in converting billions of pixels into JPEG images and then resizing them. In such cases, metadata-based methods show advantages over our research.

Conclusion and future work

The use of deep learning methods for detecting threats drives a lot of innovation across Microsoft. The collaboration with Intel Labs researchers is just one of the ways in which Microsoft researchers and data scientists continue to explore novel ways to improve security overall.

This joint research is a good starting ground for more collaborative work. For example, the researchers plan to collaborate further on platform acceleration optimizations that can allow deep learning models to be deployed on client machines with minimal performance impact. Stay tuned.

 

Jugal Parikh, Marc Marino

Microsoft Threat Protection Intelligence Team

 

The post Microsoft researchers work with Intel Labs to explore new deep learning approaches for malware classification appeared first on Microsoft Security.

Lessons learned from the Microsoft SOC—Part 3c: A day in the life part 2

May 5th, 2020 No comments

This is the sixth blog in the Lessons learned from the Microsoft SOC series designed to share our approach and experience from the front lines of our security operations center (SOC) protecting Microsoft and our Detection and Response Team (DART) helping our customers with their incidents. For a visual depiction of our SOC philosophy, download our Minutes Matter poster.

COVID-19 and the SOC

Before we conclude the day in the life, we thought we would share an analyst’s eye view of the impact of COVID-19. Our analysts are mostly working from home now and our cloud based tooling approach enabled this transition to go pretty smoothly. The differences in attacks we have seen are mostly in the early stages of an attack with phishing lures designed to exploit emotions related to the current pandemic and increased focus on home firewalls and routers (using techniques like RDP brute-forcing attempts and DNS poisoning—more here). The attack techniques they attempt to employ after that are fairly consistent with what they were doing before.

A day in the life—remediation

When we last left our heroes in the previous entry, our analyst had built a timeline of the potential adversary attack operation. Of course, knowing what happened doesn’t actually stop the adversary or reduce organizational risk, so let’s remediate this attack!

  1. Decide and act—As the analyst develops a high enough level of confidence that they understand the story and scope of the attack, they quickly shift to planning and executing cleanup actions. While this appears as a separate step in this particular description, our analysts often execute on cleanup operations as they find them.

Big Bang or clean as you go?

Depending on the nature and scope of the attack, analysts may clean up attacker artifacts as they go (emails, hosts, identities) or they may build a list of compromised resources to clean up all at once (Big Bang)

  • Clean as you go—For most typical incidents that are detected early in the attack operation, analysts quickly clean up the artifacts as we find them. This rapidly puts the adversary at a disadvantage and prevents them from moving forward with the next stage of their attack.
  • Prepare for a Big Bang—This approach is appropriate for a scenario where an adversary has already “settled in” and established redundant access mechanisms to the environment (frequently seen in incidents investigated by our Detection and Response Team (DART) at customers). In this case, analysts should avoid tipping off the adversary until full discovery of all attacker presence is discovered as surprise can help with fully disrupting their operation. We have learned that partial remediation often tips off an adversary, which gives them a chance to react and rapidly make the incident worse (spread further, change access methods to evade detection, inflict damage/destruction for revenge, cover their tracks, etc.).Note that cleaning up phishing and malicious emails can often be done without tipping off the adversary, but cleaning up host malware and reclaiming control of accounts has a high chance of tipping off the adversary.

These are not easy decisions to make and we have found no substitute for experience in making these judgement calls. The collaborative work environment and culture we have built in our SOC helps immensely as our analysts can tap into each other’s experience to help making these tough calls.

The specific response steps are very dependent on the nature of the attack, but the most common procedures used by our analysts include:

  • Client endpoints—SOC analysts can isolate a computer and contact the user directly (or IT operations/helpdesk) to have them initiate a reinstallation procedure.
  • Server or applications—SOC analysts typically work with IT operations and/or application owners to arrange rapid remediation of these resources.
  • User accounts—We typically reclaim control of these by disabling the account and resetting password for compromised accounts (though these procedures are evolving as a large amount of our users are mostly passwordless using Windows Hello or another form of MFA). Our analysts also explicitly expire all authentication tokens for the user with Microsoft Cloud App Security.
    Analysts also review the multi-factor phone number and device enrollment to ensure it hasn’t been hijacked (often contacting the user), and reset this information as needed.
  • Service Accounts—Because of the high risk of service/business impact, SOC analysts work with the service account owner of record (falling back on IT operations as needed) to arrange rapid remediation of these resources.
  • Emails—The attack/phishing emails are deleted (and sometimes cleared to prevent recovering of deleted emails), but we always save a copy of original email in the case notes for later search and analysis (headers, content, scripts/attachments, etc.).
  • Other—Custom actions can also be executed based on the nature of the attack such as revoking application tokens, reconfiguring servers and services, and more.

Automation and integration for the win

It’s hard to overstate the value of integrated tools and process automation as these bring so many benefits—improving the analysts daily experience and improving the SOC’s ability to reduce organizational risk.

  • Analysts spend less time on each incident, reducing the attacker’s time to operation—measured by mean time to remediate (MTTR).
  • Analysts aren’t bogged down in manual administrative tasks so they can react quickly to new detections (reducing mean time to acknowledge—MTTA).
  • Analysts have more time to engage in proactive activities that both reduce organization risk and increase morale by keeping them focused on the mission.

Our SOC has a long history of developing our own automation and scripts to make analysts lives easier by a dedicated automation team in our SOC. Because custom automation requires ongoing maintenance and support, we are constantly looking for ways to shift automation and integration to capabilities provided by Microsoft engineering teams (which also benefits our customers). While still early in this journey, this approach typically improves the analyst experience and reduces maintenance effort and challenges.

This is a complex topic that could fill many blogs, but this takes two main forms:

  • Integrated toolsets save analysts manual effort during incidents by allowing them to easily navigate multiple tools and datasets. Our SOC relies heavily on the integration of Microsoft Threat Protection (MTP) tools for this experience, which also saves the automation team from writing and supporting custom integration for this.
  • Automation and orchestration capabilities reduce manual analyst work by automating repetitive tasks and orchestrating actions between different tools. Our SOC currently relies on an advanced custom SOAR platform and is actively working with our engineering teams (MTP’s AutoIR capability and Azure Sentinel SOAR) on how to shift our learnings and workload onto those capabilities.

After the attacker operation has been fully disrupted, the analyst marks the case as remediated, which is the timestamp signaling the end of MTTR measurement (which started when the analyst began the active investigation in step 2 of the previous blog).

While having a security incident is bad, having the same incident repeated multiple times is much worse.

  1. Post-incident cleanup—Because lessons aren’t actually “learned” unless they change future actions, our analysts always integrate any useful information learned from the investigation back into our systems. Analysts capture these learnings so that we avoid repeating manual work in the future and can rapidly see connections between past and future incidents by the same threat actors. This can take a number of forms, but common procedures include:
    • Indicators of Compromise (IoCs)—Our analysts record any applicable IoCs such as file hashes, malicious IP addresses, and email attributes into our threat intelligence systems so that our SOC (and all customers) can benefit from these learnings.
    • Unknown or unpatched vulnerabilities—Our analysts can initiate processes to ensure that missing security patches are applied, misconfigurations are corrected, and vendors (including Microsoft) are informed of “zero day” vulnerabilities so that they can create security patches for them.
    • Internal actions such as enabling logging on assets and adding or changing security controls. 

Continuous improvement

So the adversary has now been kicked out of the environment and their current operation poses no further risk. Is this the end? Will they retire and open a cupcake bakery or auto repair shop? Not likely after just one failure, but we can consistently disrupt their successes by increasing the cost of attack and reducing the return, which will deter more and more attacks over time. For now, we must assume that adversaries will try to learn from what happened on this attack and try again with fresh ideas and tools.

Because of this, our analysts also focus on learning from each incident to improve their skills, processes, and tooling. This continuous improvement occurs through many informal and formal processes ranging from formal case reviews to casual conversations where they tell the stories of incidents and interesting observations.

As caseload allows, the investigation team also hunts proactively for adversaries when they are not on shift, which helps them stay sharp and grow their skills.

This closes our virtual shift visit for the investigation team. Join us next time as we shift to our Threat hunting team (a.k.a. Tier 3) and get some hard won advice and lessons learned.

…until then, share and enjoy!

P.S. If you are looking for more information on the SOC and other cybersecurity topics, check out previous entries in the series (Part 1 | Part 2a | Part 2b | Part 3a | Part 3b), Mark’s List (https://aka.ms/markslist), and our new security documentation site—https://aka.ms/securtydocs. Be sure to bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to Mark on LinkedIn or Twitter.

The post Lessons learned from the Microsoft SOC—Part 3c: A day in the life part 2 appeared first on Microsoft Security.

Mitigating vulnerabilities in endpoint network stacks

May 4th, 2020 No comments

The skyrocketing demand for tools that enable real-time collaboration, remote desktops for accessing company information, and other services that enable remote work underlines the tremendous importance of building and shipping secure products and services. While this is magnified as organizations are forced to adapt to the new environment created by the global crisis, it’s not a new imperative. Microsoft has been investing heavily in security, and over the years our commitment to building proactive security into products and services has only intensified.

To help deliver on this commitment, we continuously find ways to improve and secure Microsoft products. One aspect of our proactive security work is finding vulnerabilities and fixing them before they can be exploited. Our strategy is to take a holistic approach and drive security throughout the engineering lifecycle. We do this by:

  • Building security early into the design of features.
  • Developing tools and processes that proactively find vulnerabilities in code.
  • Introducing mitigations into Windows that make bugs significantly harder to exploit.
  • Having our world-class penetration testing team test the security boundaries of the product so we can fix issues before they can impact customers.

This proactive work ensures we are continuously making Windows safer and finding as many issues as possible before attackers can take advantage of them. In this blog post we will discuss a recent vulnerability that we proactively found and fixed and provide details on tools and techniques we used, including a new set of tools that we built internally at Microsoft. Our penetration testing team is constantly testing the security boundaries of the product to make it more secure, and we are always developing tools that help them scale and be more effective based on the evolving threat landscape. Our investment in fuzzing is the cornerstone of our work, and we are constantly innovating this tech to keep on breaking new ground.

Proactive security to prevent the next WannaCry

In the past few years, much of our team’s efforts have been focused on uncovering remote network vulnerabilities and preventing events like the WannaCry and NotPetya outbreaks. Some bugs we have recently found and fixed include critical vulnerabilities that could be leveraged to exploit common secure remote communication tools like RDP or create ransomware issues like WannaCry: CVE-2019-1181 and CVE-2019-1182 dubbed “DejaBlue“, CVE-2019-1226 (RCE in RDP Server), CVE-2020-0611 (RCE in RDP Client), and CVE-2019-0787 (RCE in RDP client), among others.

One of the biggest challenges we regularly face in these efforts is the sheer volume of code we analyze. Windows is enormous and continuously evolving 5.7 million source code files, with more than 3,500 developers doing 1,100 pull requests per day in 440 official branches. This rapid cadence and evolution allows us to add new features as well proactively drive security into Windows.

Like many security teams, we frequently turn to fuzzing to help us quickly explore and assess large codebases. Innovations we’ve made in our fuzzing technology have made it possible to get deeper coverage than ever before, resulting in the discovery of new bugs, faster. One such vulnerability is the remote code vulnerability (RCE) in Microsoft Server Message Block version 3 (SMBv3) tracked as CVE-2020-0796 and fixed on March 12, 2020.

In the following sections, we will share the tools and techniques we used to fuzz SMB, the root cause of the RCE vulnerability, and relevant mitigations to exploitation.

Fully deterministic person-in-the-middle fuzzing

We use a custom deterministic full system emulator tool we call “TKO” to fuzz and introspect Windows components.  TKO provides the capability to perform full system emulation and memory snapshottting, as well as other innovations.  As a result of its unique design, TKO provides several unique benefits to SMB network fuzzing:

  • The ability to snapshot and fuzz forward from any program state.
  • Efficiently restoring to the initial state for fast iteration.
  • Collecting complete code coverage across all processes.
  • Leveraging greater introspection into the system without too much perturbation.

While all of these actions are possible using other tools, our ability to seamlessly leverage them across both user and kernel mode drastically reduces the spin-up time for targets. To learn more, check out David Weston’s recent BlueHat IL presentation “Keeping Windows secure”, which touches on fuzzing, as well as the TKO tool and infrastructure.

Fuzzing SMB

Given the ubiquity of SMB and the impact demonstrated by SMB bugs in the past, assessing this network transfer protocol has been a priority for our team. While there have been past audits and fuzzers thrown against the SMB codebase, some of which postdate the current SMB version, TKO’s new capabilities and functionalities made it worthwhile to revisit the codebase. Additionally, even though the SMB version number has remained static, the code has not! These factors played into our decision to assess the SMB client/server stack.

After performing an initial audit pass of the code to understand its structure and dataflow, as well as to get a grasp of the size of the protocol’s state space, we had the information we needed to start fuzzing.

We used TKO to set up a fully deterministic feedback-based fuzzer with a combination of generated and mutated SMB protocol traffic. Our goal for generating or mutating across multiple packets was to dig deeper into the protocol’s state machine. Normally this would introduce difficulties in reproducing any issues found; however, our use of emulators made this a non-issue. New generated or mutated inputs that triggered new coverage were saved to the input corpus. Our team had a number of basic mutator libraries for different scenarios, but we needed to implement a generator. Additionally, we enabled some of the traditional Windows heap instrumentation using verifier, turning on page heap for SMB-related drivers.

We began work on the SMBv2 protocol generator and took a network capture of an SMB negotiation with the aim of replaying these packets with mutations against a Windows 10, version 1903 client. We added a mutator with basic mutations (e.g., bit flips, insertions, deletions, etc.) to our fuzzer and kicked off an initial run while we continued to improve and develop further.

Figure 1. TKO fuzzing workflow

A short time later, we came back to some compelling results. Replaying the first crashing input with TKO’s kdnet plugin revealed the following stack trace:

> tkofuzz.exe repro inputs\crash_6a492.txt -- kdnet:conn 127.0.0.1:50002

Figure 2. Windbg stack trace of crash

We found an access violation in srv2!Smb2CompressionDecompress.

Finding the root cause of the crash

While the stack trace suggested that a vulnerability exists in the decompression routine, it’s the parsing of length counters and offsets from the network that causes the crash. The last packet in the transaction needed to trigger the crash has ‘\xfcSMB’ set as the first bytes in its header, making it a COMPRESSION_TRANSFORM packet.

Figure 3. COMPRESSION_TRANSFORM packet details

The SMBv2 COMPRESSION_TRANSFORM packet starts with a COMPRESSION_TRANSFORM_HEADER, which defines where in the packet the compressed bytes begin and the length of the compressed buffer.

typedef struct _COMPRESSION_TRANSFORM_HEADER

{

UCHAR   Protocol[4]; // Contains 0xFC, 'S', 'M', 'B'

ULONG    OriginalMessageSize;

USHORT AlgorithmId;

USHORT Flags;

ULONG Length;

}

In the srv2!Srv2DecompressData in the graph below, we can find this COMPRESSION_TRANSFORM_HEADER struct being parsed out of the network packet and used to determine pointers being passed to srv2!SMBCompressionDecompress.

Figure 4. Srv2DecompressData graph

We can see that at 0x7e94, rax points to our network buffer, and the buffer is copied to the stack before the OriginalCompressedSegmentSize and Length are parsed out and added together at 0x7ED7 to determine the size of the resulting decompressed bytes buffer. Overflowing this value causes the decompression to write its results out of the bounds of the destination SrvNet buffer, in an out-of-bounds write (OOBW).

Figure 5. Overflow condition

Looking further, we can see that the Length field is parsed into esi at 0x7F04, added to the network buffer pointer, and passed to CompressionDecompress as the source pointer. As Length is never checked against the actual number of received bytes, it can cause decompression to read off the end of the received network buffer. Setting this Length to be greater than the packet length also causes the computed source buffer length passed to SmbCompressionDecompress to underflow at 0x7F18, creating an out-of-bounds read (OOBR) vulnerability. Combining this OOBR vulnerability with the previous OOBW vulnerability creates the necessary conditions to leak addresses and create a complete remote code execution exploit.

Figure 6. Underflow condition

Windows 10 mitigations against remote network vulnerabilities

Our discovery of the SMBv3 vulnerability highlights the importance of revisiting protocol stacks regularly as our tools and techniques continue to improve over time. In addition to the proactive hunting for these types of issues, the investments we made in the last several years to harden Windows 10 through mitigations like address space layout randomization (ASLR), Control Flow Guard (CFG), InitAll, and hypervisor-enforced code integrity (HVCI) hinder trivial exploitation and buy defenders time to patch and protect their networks.

For example, turning vulnerabilities like the ones discovered in SMBv3 into working exploits requires finding writeable kernel pages at reliable addresses, a task that requires heap grooming and corruption, or a separate vulnerability in Windows kernel address space layout randomization (ASLR). Typical heap-based exploits taking advantage of a vulnerability like the one described here would also need to make use of other allocations, but Windows 10 pool hardening helps mitigate this technique. These mitigations work together and have a cumulative effect when combined, increasing the development time and cost of reliable exploitation.

Assuming attackers gain knowledge of our address space, indirect jumps are mitigated by kernel-mode CFG. This forces attackers to either use data-only corruption or bypass Control Flow Guard via stack corruption or yet another bug. If virtualization-based security (VBS) and HVCI are enabled, attackers are further constrained in their ability to map and modify memory permissions.

On Secured-core PCs these mitigations are enabled by default.  Secured-core PCs combine virtualization, operating system, and hardware and firmware protection. Along with Microsoft Defender Advanced Threat Protection, Secured-core PCs provide end-to-end protection against advanced threats.

While these mitigations collectively lower the chances of successful exploitation, we continue to deepen our investment in identifying and fixing vulnerabilities before they can get into the hands of adversaries.

 

The post Mitigating vulnerabilities in endpoint network stacks appeared first on Microsoft Security.

Data governance matters now more than ever

April 30th, 2020 No comments

Knowing, protecting, and governing your organizational data is critical to adhere to regulations and meet security and privacy needs. Arguably, that’s never been truer than it is today as we face these unprecedented health and economic circumstances. To help organizations to navigate privacy during this challenging time, Microsoft Chief Privacy Officer Julie Brill shared seven privacy principles to consider as we all collectively move forward in addressing the pandemic.

Organizations are also evaluating security and data governance more than ever before as they try to maintain business continuity amid the crisis. According to a new Harvard Business Review (HBR) research report released today commissioned by Microsoft, 61 percent of organizations struggle to effectively develop strong data security, privacy, and risk capabilities. Together with HBR, we surveyed close to 500 global business leaders across industries, including financial services, tech, healthcare, and manufacturing. The study found that 77 percent of organizations say an effective security, risk, and compliance strategy is essential for business success. However, 82 percent say that securing and governing data is becoming more difficult because of new risks and data management complexities brought on by digital transformation.

In a world in which remote work is the new normal, securing, and governing your company’s most critical data becomes more important than ever before. The increased volume of information and multiple collaboration systems create complexity for managing business records with serious cost and risk implications. As organizations across a variety of industries face ever-increasing regulations, many companies move data to different systems of record to manage them and comply with regulations. However, moving content to a different system, instead of managing it in place, can increase the risk of missing records or not declaring them properly. 

General availability of Microsoft 365 Records Management

Today, we are excited to announce the general availability of Microsoft 365 Records Management to provide you with significantly greater depth in protecting and governing critical data. With Records Management, you can:

  • Classify, retain, review, dispose, and manage content without compromising productivity or data security.
  • Leverage machine learning capabilities to identify and classify regulatory, legal, and business critical records at scale.
  • Help demonstrate compliance with regulations through defensible audit trails and proof of destruction.

You can now access Records Management in the compliance center in Microsoft 365.

Data governance matters now more than ever

Striking the right balance between data governance and productivity: Records Management is built into the Microsoft 365 productivity stack and existing customer workflows, easing the friction that often occurs between enforcing governance controls and user productivity. For example, say your team is working on a contract. Thanks to built-in retention policies embedded in the tools people use every day, they can continue to be productive while collaborating on a contract that has been declared a record—such as sharing, coauthoring, and accessing the record through mobile devices. We have also integrated our disposition process natively into the tools you use every day, including SharePoint and Outlook. Records versioning also makes collaboration on record-declared documents better, so you can track when edits are made to the contract. It allows users to unlock a document with a record label to make edits to it with all records safely retained and audit trails maintained. With Records Management, you can balance rigorous enforcement of data controls with allowing your organization to be fully productive.

Building trust, transparency, and defensibility: Building trust and providing transparency is crucial to managing records. In addition to continuing to audit all events surrounding a record in our audit log, we’re excited to announce the ability to obtain proof of disposal and see all items automatically disposed as part of a record label. Proof of disposal helps provide you with the defensibility you need, particularly to meet legal and regulatory requirements. Learn more in this Microsoft docs page.

Leveraging machine learning for scale: Records Management leverages our broader investments in machine learning across information protection and governance, such as trainable classifiers. With trainable classifiers, you can train the classification engine to recognize data that is unique to your organization. Once you define a record or retention label, you can apply the label to all content that matches a trainable classifier that was previously defined. So, for example, any document that appears to be a contract or have contract-related content will be marked accordingly and automatically classified as a record. For more information on creating trainable classifiers, please see this documentation. Apart from using trainable classifiers, you can also choose to auto-apply retention labels either by matching keywords on the content, its metadata, sensitive information it contains, or as the default for a particular location or folder. These different auto classification methods provide the flexibility you need to manage the constantly increasing volume of data.

Please visit this portal to learn more about Records Management.

Importance of information protection and governance

There’s never been a more important time to ensure your data, especially your most critical data, is protected and governed efficiently and effectively. Records Management is generally available worldwide today, and you can learn even more in our post on Tech Community. Eligible Microsoft 365 E5 customers can start using Records Management in the Compliance Center or learn how to try or buy a Microsoft 365 subscription.

Lastly, as you navigate this challenging time, we have additional resources to help. For more information about securing your organization in this time of crisis, you can visit our Remote Work site. We’re here to help in any way we can.

The post Data governance matters now more than ever appeared first on Microsoft Security.

Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk

April 28th, 2020 No comments

At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations.

Multiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.

The ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. Using an attack pattern typical of human-operated ransomware campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.

Many of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker’s choice. Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware.

In this blog, we share our in-depth analysis of these ransomware campaigns. Below, we will cover:

We have included additional technical details including hunting guidance and recommended prioritization for security operations (SecOps).

Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks

While the recent attacks deployed various ransomware strains, many of the campaigns shared infrastructure with previous ransomware campaigns and used the same techniques commonly observed in human-operated ransomware attacks.

In stark contrast to attacks that deliver ransomware via email—which tend to unfold much faster, with ransomware deployed within an hour of initial entry—the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.

To gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the following weaknesses:

  • Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)
  • Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords
  • Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers
  • Citrix Application Delivery Controller (ADC) systems affected by CVE-2019-19781
  • Pulse Secure VPN systems affected by CVE-2019-11510

Applying security patches for internet-facing systems is critical in preventing these attacks. It’s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: CVE-2019-0604, CVE-2020-0688, CVE-2020-10189.

Like many breaches, attackers employed credential theft, lateral movement capabilities using common tools, including Mimikatz and Cobalt Strike, network reconnaissance, and data exfiltration. In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed. On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt. In addition, while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.

As with all human-operated ransomware campaigns, these recent attacks spread throughout an environment affecting email identities, endpoints, inboxes, applications, and more. Because it can be challenging even for experts to ensure complete removal of attackers from a fully compromised network, it’s critical that vulnerable internet-facing systems are proactively patched and mitigations put in place to reduce the risk from these kinds of attacks.

A motley crew of ransomware payloads

While individual campaigns and ransomware families exhibited distinct attributes as described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They unfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.

diagram showing different attack stages and techniques in each stage that various ransomware groups use

RobbinHood ransomware

RobbinHood ransomware operators gained some attention for exploiting vulnerable drivers late in their attack chain to turn off security software. However, like many other human-operated ransomware campaigns, they typically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords, and service accounts with domain admin privileges. RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed.

Vatet loader

Attackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.

The group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers, and other critical verticals. They are one of the most prolific ransomware operators during this time and have caused dozens of cases.

Using Vatet and Cobalt Strike, the group has delivered various ransomware payloads. More recently, they have been deploying in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom notes copied from older ransomware families. To access target networks, they exploit CVE-2019-19781, brute force RDP endpoints, and send email containing .lnk files that launch malicious PowerShell commands. Once inside a network, they steal credentials, including those stored in the Credential Manager vault, and move laterally until they gain domain admin privileges. The group has been observed exfiltrating data prior to deploying ransomware.

NetWalker ransomware

NetWalker campaign operators gained notoriety for targeting hospitals and healthcare providers with emails claiming to provide information about COVID-19. These emails also delivered NetWalker ransomware directly as a .vbs attachment, a technique that has gained media attention. However, the campaign operators also compromised networks using misconfigured IIS-based applications to launch Mimikatz and steal credentials, which they then used to launch PsExec, and eventually deploying the same NetWalker ransomware.

PonyFinal ransomware

This Java-based ransomware had been considered a novelty, but the campaigns deploying PonyFinal weren’t unusual. Campaign operators compromised internet-facing web systems and obtained privileged credentials. To establish persistence, they used PowerShell commands to launch the system tool mshta.exe and set up a reverse shell based on a common PowerShell attack framework. They also used legitimate tools, such as Splashtop, to maintain remote desktop connections.

Maze ransomware

One of the first ransomware campaigns to make headlines for selling stolen data, Maze continues to target technology providers and public services. Maze has a history of going after managed service providers (MSPs) to gain access to the data and networks of MSP customers.

Maze has been delivered via email, but campaign operators have also deployed Maze to networks after gaining access using common vectors, such as RDP brute force. Once inside a network, they perform credential theft, move laterally to access resources and exfiltrate data, and then deploy ransomware.

In a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an internet-facing system by performing RDP brute force against the local administrator account. Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords.

After gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.

REvil ransomware

Possibly the first ransomware group to take advantage of the network device vulnerabilities in Pulse VPN to steal credentials to access networks, REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing the networks and documents of customers – and selling access to both. They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments. REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.

Other ransomware families

Other ransomware families used in human-operated campaigns during this period include:

  • Paradise, which used to be distributed directly via email but is now used in human-operated ransomware attacks
  • RagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials
  • MedusaLocker, which is possibly deployed via existing Trickbot infections
  • LockBit, which is distributed by operators that use the publicly available penetration testing tool CrackMapExec to move laterally

Immediate response actions for active attacks

We highly recommend that organizations immediately check if they have any alerts related to these ransomware attacks and prioritize investigation and remediation. Malicious behaviors relevant to these attacks that defenders should pay attention to include:

  • Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities
  • Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials
  • Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data

Customers using Microsoft Defender Advanced Threat Protection (ATP) can consult a companion threat analytics report for more details on relevant alerts, as well as advanced hunting queries. Customers subscribed to the Microsoft Threat Experts service can also refer to the targeted attack notification, which has detailed timelines of attacks, recommended mitigation steps for disrupting attacks, and remediation advice.

If your network is affected, perform the following scoping and investigation activities immediately to understand the impact of this breach. Using indicators of compromise (IOCs) alone to determine impact from these threats is not a durable solution, as most of these ransomware campaigns employ “one-time use” infrastructure for campaigns, and often change their tools and systems once they determine the detection capabilities of their targets. Detections and mitigations should concentrate on holistic behavioral based hunting where possible, and hardening infrastructure weaknesses favored by these attackers as soon as possible.

Investigate affected endpoints and credentials

Investigate endpoints affected by these attacks and identify all the credentials present on those endpoints. Assume that these credentials were available to attackers and that all associated accounts are compromised. Note that attackers can not only dump credentials for accounts that have logged on to interactive or RDP sessions, but can also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry.

  • For endpoints onboarded to Microsoft Defender ATP, use advanced hunting to identify accounts that have logged on to affected endpoints. The threat analytics report contains a hunting query for this purpose.
  • Otherwise, check the Windows Event Log for post-compromise logons—those that occur after or during the earliest suspected breach activity—with event ID 4624 and logon type 2 or 10. For any other timeframe, check for logon type 4 or 5.

Isolate compromised endpoints

Isolate endpoints that have command-and-control beacons or have been lateral movement targets. Locate these endpoints using advanced hunting queries or other methods of directly searching for related IOCs. Isolate machines using Microsoft Defender ATP, or use other data sources, such as NetFlow, and search through your SIEM or other centralized event management solutions. Look for lateral movement from known affected endpoints.

Address internet-facing weaknesses

Identify perimeter systems that attackers might have utilized to access your network. You can use a public scanning interface, such as shodan.io, to augment your own data. Systems that should be considered of interest to attackers include:

  • RDP or Virtual Desktop endpoints without MFA
  • Citrix ADC systems affected by CVE-2019-19781
  • Pulse Secure VPN systems affected by CVE-2019-11510
  • Microsoft SharePoint servers affected by CVE-2019-0604
  • Microsoft Exchange servers affected by CVE-2020-0688
  • Zoho ManageEngine systems affected by CVE-2020-10189

To further reduce organizational exposure, Microsoft Defender ATP customers can use the Threat and Vulnerability Management (TVM) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations. TVM allows security administrators and IT administrators to collaborate seamlessly to remediate issues.

Inspect and rebuild devices with related malware infections

Many ransomware operators enter target networks through existing infections of malware like Emotet and Trickbot. These malware families, traditionally considered to be banking trojans, have been used to deliver all kinds of payloads, including persistent implants. Investigate and remediate any known infections and consider them possible vectors for sophisticated human adversaries. Ensure that you check for exposed credentials, additional payloads, and lateral movement prior to rebuilding affected endpoints or resetting passwords.

Building security hygiene to defend networks against human-operated ransomware

As ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions—credential hygiene, minimal privileges, and host firewalls—to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.

Apply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:

  • Randomize local administrator passwords using a tool such as LAPS.
  • Apply Account Lockout Policy.
  • Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.
  • Utilize host firewalls to limit lateral movement. Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.
  • Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
  • Follow standard guidance in the security baselines for Office and Office 365 and the Windows security baselines. Use Microsoft Secure Score assesses to measures security posture and get recommended improvement actions, guidance, and control.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Turn on attack surface reduction rules, including rules that can block ransomware activity:
    • Use advanced protection against ransomware
    • Block process creations originating from PsExec and WMI commands
    • Block credential stealing from the Windows local security authority subsystem (lsass.exe)

For additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read Human-operated ransomware attacks: A preventable disaster.

Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware

What we’ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences of disruption in services—in this time of global crisis—that their attacks cause.

Human-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network. If they run into a wall, they try to break through. And if they can’t break through a wall, they’ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.

Microsoft Threat Protections (MTP) provides coordinated defenses that uncover the complete attack chain and help block sophisticated attacks like human-operated ransomware. MTP combines the capabilities of multiple Microsoft 365 security services to orchestrate protection, prevention, detection, and response across endpoints, email, identities, and apps.

Through built-in intelligence, automation, and integration, MTP can block attacks, eliminate their persistence, and auto-heal affected assets. It correlates signals and consolidates alerts to help defenders prioritize incidents for investigation and response. MTP also provides a unique cross-domain hunting capability that can further help defenders identify attack sprawl and get org-specific insights for hardening defenses.

Microsoft Threat Protection is also part of a chip-to-cloud security approach that combines threat defense on the silicon, operating system, and cloud. Hardware-backed security features on Windows 10 like address space layout randomization (ASLR), Control Flow Guard (CFG), and others harden the platform against many advanced threats, including ones that take advantage of vulnerable kernel drivers. These platform security features seamlessly integrate with Microsoft Defender ATP, providing end-to-end security that starts from a strong hardware root of trust. On Secured-core PCs these mitigations are enabled by default.

We continue to work with our customers, partners, and the research community to track human-operated ransomware and other sophisticated attacks. For dire cases customers can use available services like the Microsoft Detection and Response (DART) team to help investigate and remediate.

 

Microsoft Threat Protection Intelligence Team

 

Appendix: MITRE ATT&CK techniques observed

Human-operated ransomware campaigns employ a broad range of techniques made possible by attacker control over privileged domain accounts. The techniques listed here are techniques commonly used during attacks against healthcare and critical services in April 2020.

Credential access

Persistence

Command and control

Discovery

Execution

Lateral movement

Defense evasion

  • T1070 Indicator Removal on Host | Clearing of event logs using wevutil, removal of USNJournal using fsutil, and deletion of slack space on drive using cipher.exe
  • T1089 Disabling Security Tools | Stopping or tampering with antivirus and other security using ProcessHacker and exploitation of vulnerable software drivers

Impact

The post Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk appeared first on Microsoft Security.

Defending the power grid against supply chain attacks: Part 3 – Risk management strategies for the utilities industry

April 22nd, 2020 No comments

Over the last fifteen years, attacks against critical infrastructure (figure1) have steadily increased in both volume and sophistication. Because of the strategic importance of this industry to national security and economic stability, these organizations are targeted by sophisticated, patient, and well-funded adversaries.  Adversaries often target the utility supply chain to insert malware into devices destined for the power grid. As modern infrastructure becomes more reliant on connected devices, the power industry must continue to come together to improve security at every step of the process.

Aerial view of port and freeways leading to downtown Singapore.

Figure 1: Increased attacks on critical infrastructure

This is the third and final post in the “Defending the power grid against supply chain attacks” series. In the first blog I described the nature of the risk. Last month I outlined how utility suppliers can better secure the devices they manufacture. Today’s advice is directed at the utilities. There are actions you can take as individual companies and as an industry to reduce risk.

Implement operational technology security best practices

According to Verizon’s 2019 Data Breach Investigations Report, 80 percent of hacking-related breaches are the result of weak or compromised passwords. If you haven’t implemented multi-factor authentication (MFA) for all your user accounts, make it a priority. MFA can significantly reduce the likelihood that a user with a stolen password can access your company assets. I also recommend you take these additional steps to protect administrator accounts:

  • Separate administrative accounts from the accounts that IT professionals use to conduct routine business. While administrators are answering emails or conducting other productivity tasks, they may be targeted by a phishing campaign. You don’t want them signed into a privileged account when this happens.
  • Apply just-in-time privileges to your administrator accounts. Just-in-time privileges require that administrators only sign into a privileged account when they need to perform a specific administrative task. These sign-ins go through an approval process and have a time limit. This will reduce the possibility that someone is unnecessarily signed into an administrative account.

 

Image 2

Figure 2: A “blue” path depicts how a standard user account is used for non-privileged access to resources like email and web browsing and day-to-day work. A “red” path shows how privileged access occurs on a hardened device to reduce the risk of phishing and other web and email attacks. 

  • You also don’t want the occasional security mistake like clicking on a link when administrators are tired or distracted to compromise the workstation that has direct access to these critical systems.  Set up privileged access workstations for administrative work. A privileged access workstation provides a dedicated operating system with the strongest security controls for sensitive tasks. This protects these activities and accounts from the internet. To encourage administrators to follow security practices, make sure they have easy access to a standard workstation for other more routine tasks.

The following security best practices will also reduce your risk:

  • Whitelist approved applications. Define the list of software applications and executables that are approved to be on your networks. Block everything else. Your organization should especially target systems that are internet facing as well as Human-Machine Interface (HMI) systems that play the critical role of managing generation, transmission, or distribution of electricity
  • Regularly patch software and operating systems. Implement a monthly practice to apply security patches to software on all your systems. This includes applications and Operating Systems on servers, desktop computers, mobile devices, network devices (routers, switches, firewalls, etc.), as well as Internet of Thing (IoT) and Industrial Internet of Thing (IIoT) devices. Attackers frequently target known security vulnerabilities.
  • Protect legacy systems. Segment legacy systems that can no longer be patched by using firewalls to filter out unnecessary traffic. Limit access to only those who need it by using Just In Time and Just Enough Access principles and requiring MFA. Once you set up these subnets, firewalls, and firewall rules to protect the isolated systems, you must continually audit and test these controls for inadvertent changes, and validate with penetration testing and red teaming to identify rogue bridging endpoint and design/implementation weaknesses.
  • Segment your networks. If you are attacked, it’s important to limit the damage. By segmenting your network, you make it harder for an attacker to compromise more than one critical site. Maintain your corporate network on its own network with limited to no connection to critical sites like generation and transmission networks. Run each generating site on its own network with no connection to other generating sites. This will ensure that should a generating site become compromised, attackers can’t easily traverse to other sites and have a greater impact.
  • Turn off all unnecessary services. Confirm that none of your software has automatically enabled a service you don’t need. You may also discover that there are services running that you no longer use. If the business doesn’t need a service, turn it off.
  • Deploy threat protection solutions. Services like Microsoft Threat Protection help you automatically detect, respond to, and correlate incidents across domains.
  • Implement an incident response plan: When an attack happens, you need to respond quickly to reduce the damage and get your organization back up and running. Refer to Microsoft’s Incident Response Reference Guide for more details.

Speak with one voice

Power grids are interconnected systems of generating plants, wires, transformers, and substations. Regional electrical companies work together to efficiently balance the supply and demand for electricity across the nation. These same organizations have also come together to protect the grid from attack. As an industry, working through organizations like the Edison Electric Institute (EEI), utilities can define security standards and hold manufacturers accountable to those requirements.

It may also be useful to work with The Federal Energy Regulatory Committee (FERC), The North American Electric Reliability Corporation (NERC), or The United States Nuclear Regulatory Commission (U.S. NRC) to better regulate the security requirements of products manufactured for the electrical grid.

Apply extra scrutiny to IoT devices

As you purchase and deploy IoT devices, prioritize security. Be careful about purchasing products from countries that are motivated to infiltrate critical infrastructure. Conduct penetration tests against all new IoT and IIoT devices before you connect them to the network. When you place sensors on the grid, you’ll need to protect them from both cyberattacks and physical attacks. Make them hard to reach and tamper-proof.

Collaborate on solutions

Reducing the risk of a destabilizing power grid attack will require everyone in the utility industry to play a role. By working with manufacturers, trade organizations, and governments, electricity organizations can lead the effort to improve security across the industry. For utilities in the United States, several public-private programs are in place to enhance the utility industry capabilities to defend its infrastructure and respond to threats:

Read Part 1 in the series: “Defending the power grid against cyberattacks

Read “Defending the power grid against supply chain attacks: Part 2 – Securing hardware and software

Read how Microsoft Threat Protection can help you better secure your endpoints.

Learn how MSRC developed an incident response plan

Bookmark the Security blog to keep up with our expert coverage on security matters. For more information about our security solutions visit our website. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Defending the power grid against supply chain attacks: Part 3 – Risk management strategies for the utilities industry appeared first on Microsoft Security.

Microsoft shares new threat intelligence, security guidance during global crisis

April 8th, 2020 No comments

Ready or not, much of the world was thrust into working from home, which means more people and devices are now accessing sensitive corporate data across home networks. Defenders are working round the clock to secure endpoints and ensure the fidelity of not only those endpoints, but also identities, email, and applications, as people are using whatever device they need to get work done. This isn’t something anyone, including our security professionals, were given time to prepare for, yet many customers have been thrust into a new environment and challenged to respond quickly. Microsoft is here to help lighten the load on defenders, offer guidance on what to prioritize to keep your workforce secure, and share resources about the built-in protections of our products.

Attackers are capitalizing on fear. We’re watching them. We’re pushing back.

Our inboxes, mobile alerts, TVs, and news updates are all COVID-19, all the time. It’s overwhelming and attackers know it. They know many are clicking without looking because stress levels are high and they’re taking advantage of that. That’s why we’re seeing an increase in the success of phishing and social engineering attacks. Attackers don’t suddenly have more resources they’re diverting towards tricking users; instead they’re pivoting their existing infrastructure, like ransomware, phishing, and other malware delivery tools, to include COVID-19 keywords that get us to click. Once we click, they can infiltrate our inboxes, steal our credentials, share more malicious links with coworkers across collaboration tools, and lie in wait to steal information that will give them the biggest payout. This is where intelligent solutions that can monitor for malicious activity across – that’s the key word – emails, identities, endpoints, and applications with built-in automation to proactively protect, detect, respond to, and prevent these types of attacks from being successful will help us fight this battle against opportunistic attackers.

Our threat intelligence teams at Microsoft are actively monitoring and responding to this shift in focus. Our data shows that these COVID-19 themed threats are retreads of existing attacks that have been slightly altered to tie to this pandemic. This means we’re seeing a changing of lures, not a surge in attacks. Our intelligence shows that these attacks are settling into a rhythm that is the normal ebb and flow of the threat environment:

  • Every country in the world has seen at least one COVID-19 themed attack (see map below). The volume of successful attacks in outbreak-hit countries is increasing, as fear and the desire for information grows. Our telemetry shows that China, the United States, and Russia have been hit the hardest.
  • The trendy and pervasive Trickbot and Emotet malware families are very active and rebranding their lures to take advantage of the outbreak. We have observed 76 threat variants to date globally using COVID-19 themed lures (map below).
  • Microsoft tracks thousands of email phishing campaigns that cover millions of malicious messages every week. Phishing campaigns are more than just one targeted email at one targeted user. They include potentially hundreds or thousands of malicious emails targeting hundreds or thousands of users, which is why they can be so effective. Of the millions of targeted messages we see each day, roughly 60,000 include COVID-19 related malicious attachments or malicious URLs.
  • While that number sounds very large, it’s important to note that that is less than two percent of the total volume of threats we actively track and protect against daily, which reinforces that the overall volume of threats is not increasing but attackers are shifting their techniques to capitalize on fear. Attackers are impersonating established entities like the World Health Organization (WHO), Centers for Disease Control and Prevention (CDC), and the Department of Health to get into inboxes. Here’s an example of what just one of these malicious emails looks like now compared to before the COVID-19 crisis:

Comparison of malicious emails used in malware campaigns before the crisis and during

  • In a single day, SmartScreen sees and processes more than 18,000 malicious COVID-19-themed URLs and IP addresses. This again shows us that attackers are getting more aggressive and agile in the delivery of their attacks – using the same delivery methods, but swapping out the malicious URLs on a more frequent basis in an effort to evade machine learning protections.
  • Microsoft Office 365 Advanced Threat Protection prevented a big phishing campaign that used a fake Office 365 sign-in page to capture credentials. Roughly 2,300 unique HTML attachments posing as COVID-19 financial compensation information were caught in 24 hours in this one campaign. We expect to see more campaigns that utilize the economic fear from lost income, as governments widen the mandatory shutdown of their economies and stimulus funds begin to be issued in the U.S.
  • Several advanced persistent threat and nation-state actors have been observed targeting healthcare organizations and using COVID-19-themed lures in their campaigns. We continue to identify, track, and build proactive protections against these threats in all of our security products. When customers are affected by these attacks, Microsoft notifies the customer directly to help speed up investigations. We also report malicious COVID-19-themed domains and URLs to the proper authorities so that they can be taken down, and where possible, the individuals behind them prosecuted.

Map showing global impact of COVID-19-themed-attacks

Relative impact of COVID-19 themed attacks across the world by file count (as of April 7, 2020)

From endpoints and identities to the cloud, we have you covered

While phishing email is a common attack vector, it’s only one of the many points of entry for attackers. Defenders need a much broader view and solutions for remediation than visibility into just one entry method. An attacker’s primary goal is to gain entry and expand across domains so they can persist in an organization and lie in wait to steal or encrypt as much sensitive information as they can to reap the biggest payout. Defenders require visibility across each of these domains and automated correlation across emails, identities, endpoints, and cloud applications to see the full scope of compromise. Only with this view can defenders adequately remediate affected assets, apply Conditional Access, and prevent the same or similar attacks from being successful again.

During this trying time, we want to remind our customers what protections you have built into our products and offer guidance for what to prioritize:

  • Protect endpoints with Microsoft Defender ATP, which covers licensed users for up to five concurrent devices that can be easily onboarded at any time. Microsoft Defender ATP monitors threats from across platforms, including macOS. Our tech community post includes additional guidance, best practices, onboarding, and licensing information.
  • Enable multi-factor authentication (MFA) and Conditional Access through Azure Active Directory to protect identities. This is more important than ever to mitigate credential compromise as users work from home. We recommend connecting all apps to Azure AD for single sign-on – from SaaS to on-premises apps; enabling MFA and applying Conditional Access policies; and extending secure access to contractors and partners. Microsoft also offers a free Azure AD service for single sign-on, including MFA using the Microsoft Authenticator app.
  • Safeguard inboxes and email accounts with Office 365 ATP, Microsoft’s cloud-based email filtering service, which shields against phishing and malware, including features to safeguard your organization from messaging-policy violations, targeted attacks, zero-days, and malicious URLs. Intelligent recommendations from Security Policy Advisor can help reduce macro attack surface, and the Office Cloud Policy Service can help you implement security baselines.
  • Microsoft Cloud App Security can help protect against shadow IT and unsanctioned app usage, identify and remediate cloud-native attacks, and control how data travels across cloud apps from Microsoft or third-party applications.

Microsoft Threat Protection correlates signals from across each of these domains using Azure ATP, Microsoft Defender ATP, Office 365 ATP, and Microsoft Cloud App Security, to understand the entire attack chain to help defenders prioritize which threats are most critical to address and to auto-heal affected user identities, email inboxes, endpoints, and cloud apps back to a safe state. Our threat intelligence combines signals from not just one attack vector like email phishing, but from across emails, identities, endpoints, and cloud apps to understand how the threat landscape is changing and build that intelligence into our products to prevent attack sprawl and persistence. The built-in, automated remediation capabilities across these solutions can also help reduce the manual workload on defenders that comes from the multitude of new devices and connections.

Azure Sentinel is a cloud-native SIEM that brings together insights from Microsoft Threat Protection and Azure Security Center, along with the whole world of third-party and custom application logs to help security teams gain visibility, triage, and investigate threats across their enterprise. As with all Microsoft Security products, Azure Sentinel customers benefit from Microsoft threat intelligence to detect and hunt for attacks. Azure Sentinel makes it easy to add new data sources and scale existing ones with built-in workbooks, hunting queries, and analytics to help teams identify, prioritize, and respond to threats. We recently shared a threat hunting notebook developed to hunt for COVID-19 related threats in Azure Sentinel.

Cloud-delivered protections are a critical part of staying up to date with the latest security updates and patches. If you don’t already have them turned on, we highly recommend it. We also offer advanced hunting through both Microsoft Threat Protection and Azure Sentinel.

We’ll keep sharing and protecting – stay tuned, stay safe

Remember that we at Microsoft are 3,500 defenders strong. We’re very actively monitoring the threat landscape, we’re here to help: we’re providing resources, guidance, and for dire cases we have support available from services like the Microsoft Detection and Response (DART) team to help investigate and remediate.

All of our guidance related to COVID-19 is and will be posted here. We will continue to share updates across channels to keep you informed. Please stay safe, stay connected, stay informed.

THANK YOU to our defenders who are working tirelessly to keep us secure and connected during this pandemic.

 

 

-Rob and all of us from across Microsoft security

 

 

To stay up to date with verified information on the COVID-19 crisis, the following sites are available:

 

The post Microsoft shares new threat intelligence, security guidance during global crisis appeared first on Microsoft Security.

Microsoft works with healthcare organizations to protect from popular ransomware during COVID-19 crisis: Here’s what to do

April 1st, 2020 No comments

True to form, human-operated ransomware campaigns are always on prowl for any path of least resistance to gain initial access to target organizations. During this time of crisis, as organizations have moved to a remote workforce, ransomware operators have found a practical target: network devices like gateway and virtual private network (VPN) appliances. Unfortunately, one sector that’s particularly exposed to these attacks is healthcare.

As part of intensified monitoring and takedown of threats that exploit the COVID-19 crisis, Microsoft has been putting an emphasis on protecting critical services, especially hospitals. Now more than ever, hospitals need protecting from attacks that can prevent access to critical systems, cause downtime, or steal sensitive information.

Why attackers are using human-operated ransomware

While a wide range of adversaries have been known to exploit vulnerabilities in network devices, more and more human-operated ransomware campaigns are seeing the opportunity and are jumping on the bandwagon. REvil (also known as Sodinokibi) is one of the ransomware campaigns that actively exploit gateway and VPN vulnerabilities to gain a foothold in target organizations. After successful exploitation, attackers steal credentials, elevate their privileges, and move laterally across compromised networks to ensure persistence before installing ransomware or other malware payloads.

Microsoft has been tracking REvil as part of a broader monitoring of human-operated ransomware attacks. Our intel on ransomware campaigns shows an overlap between the malware infrastructure that REvil was observed using last year and the infrastructure used on more recent VPN attacks. This indicates an ongoing trend among attackers to repurpose old tactics, techniques, and procedures (TTPs) for new attacks that take advantage of the current crisis. We haven’t seen technical innovations in these new attacks, only social engineering tactics tailored to prey on people’s fears and urgent need for information. They employ human-operated attack methods to target organizations that are most vulnerable to disruption—orgs that haven’t had time or resources to double-check their security hygiene like installing the latest patches, updating firewalls, and checking the health and privilege levels of users and endpoints—therefore increasing probability of payoff.

Human-operated ransomware attacks are a cut above run-of-the-mill commodity ransomware campaigns. Adversaries behind these attacks exhibit extensive knowledge of systems administration and common network security misconfigurations, which are often lower on the list of “fix now” priorities. Once attackers have infiltrated a network, they perform thorough reconnaissance and adapt privilege escalation and lateral movement activities based on security weaknesses and vulnerable services they discover in the network.

In these attacks, adversaries typically persist on networks undetected, sometimes for months on end, and deploy the ransomware payload at a later time. This type of ransomware is more difficult to remediate because it can be challenging for defenders to go and extensively hunt to find where attackers have established persistence and identify email inboxes, credentials, endpoints, or applications that have been compromised.

We saw something. We said something.

The global crisis requires everyone to step up, especially since attackers seem to be stepping up in exploiting the crisis, too, even as some ransomware groups purportedly committed to spare the healthcare industry. Through Microsoft’s vast network of threat intelligence sources, we identified several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure. To help these hospitals, many already inundated with patients, we sent out a first-of-its-kind targeted notification with important information about the vulnerabilities, how attackers can take advantage of them, and a strong recommendation to apply security updates that will protect them from exploits of these particular vulnerabilities and others.

When managing VPN or virtual private server (VPS) infrastructure, it’s critical for organizations to know the current status of related security patches. Microsoft threat intelligence teams have observed multiple nation-state and cybercrime actors targeting unpatched VPN systems for many months. In October 2019, both the National Security Agency (NSA) and National Cyber Security Centre (NCSC) put out alerts on these attacks and encouraged enterprises to patch.

As organizations have shifted to remote work in light of the pandemic, we’re seeing from signals in Microsoft Threat Protection services (Microsoft Defender ATP, Office 365 ATP, and Azure ATP) that the attackers behind the REvil ransomware are actively scanning the internet for vulnerable systems. Attackers have also been observed using the updater features of VPN clients to deploy malware payloads.

Microsoft strongly recommends that all enterprises review VPN infrastructure for updates, as attackers are actively tailoring exploits to take advantage of remote workers.

How to detect, protect, and prevent this type of ransomware

The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and Department of Commerce National Institute of Standards and Technology (NIST) have published useful guidance on securing VPN/VPS infrastructure.

We understand how stressful and challenging this time is for all of us, defenders included, so here’s what we recommend focusing on immediately to reduce risk from threats that exploit gateways and VPN vulnerabilities:

  • Apply all available security updates for VPN and firewall configurations.
  • Monitor and pay special attention to your remote access infrastructure. Any detections from security products or anomalies found in event logs should be investigated immediately.  In the event of a compromise, ensure that any account used on these devices has a password reset, as the credentials could have been exfiltrated.
  • Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
  • Turn on AMSI for Office VBA if you have Office 365.

To help organizations build a stronger security posture against human-operated ransomware, we published a comprehensive report and provided mitigation steps for making networks resistant against these threats and cyberattacks in general. These mitigations include:

  • Harden internet-facing assets and ensure they have the latest security updates. Use threat and vulnerability management to audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activity.
  • Secure Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA).
  • Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce strong randomized, just-in-time local administrator passwords. Use tools like LAPS.
  • Monitor for brute-force attempts. Check excessive failed authentication attempts (Windows security event ID 4625).
  • Monitor for clearing of Event Logs, especially the Security Event log and PowerShell Operational logs. Microsoft Defender ATP raises the alert “Event log was cleared” and Windows generates an Event ID 1102 when this occurs.
  • Determine where highly privileged accounts are logging on and exposing credentials. Monitor and investigate logon events (event ID 4624) for logon type attributes. Domain admin accounts and other accounts with high privilege should not be present on workstations.
  • Utilize the Windows Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.

We continue to work with our customers, partners, and the research community to track human-operated ransomware and other trends attackers are using to take advantage of this global crisis.

For more guidance on how to stay protected during this crisis, we will continue to share updates on our blog channels.

 

Microsoft Threat Protection Intelligence Team

Microsoft Threat Intelligence Center (MSTIC)

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Threat Protection tech community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

 

The post Microsoft works with healthcare organizations to protect from popular ransomware during COVID-19 crisis: Here’s what to do appeared first on Microsoft Security.

Latest Astaroth living-off-the-land attacks are even more invisible but not less observable

March 23rd, 2020 No comments

Following a short hiatus, Astaroth came back to life in early February sporting significant changes in its attack chain. Astaroth is an info-stealing malware that employs multiple fileless techniques and abuses various legitimate processes to attempt running undetected on compromised machines. The updated attack chain, which we started seeing in late 2019, maintains Astaroth’s complex, multi-component nature and continues its pattern of detection evasion.

Figure 1. Microsoft Defender ATP data showing revival of Astaroth campaigns

Heat map showing Astaroth encounters, with Brazil accounting for majority of encounters

Figure 2. Geographic distribution of Astaroth campaigns this year, with majority of encounters recorded in Brazil

When we first blogged about Astaroth’s methods, we noted how it completely lived off the land to avoid detection: only system tools that are already existing on the machine are ever executed. In fact, it was an unusual spike in activities related to Windows Management Instrumentation Command-line (WMIC) that prompted our investigation and eventually exposed the Astaroth campaign.

Astaroth now completely avoids the use of WMIC and related techniques to bypass existing detections. Instead, the attackers introduced new techniques that make the attack chain even stealthier:

  • Abusing Alternate Data Streams (ADS) to hide malicious payloads
  • Abusing the legitimate process ExtExport.exe, a highly uncommon attack vector, to load the payload

Astaroth exemplifies how living-off-the-land techniques have become standard components of today’s attacks intent on evading security solutions. However, as we mentioned in our previous blog on Astaroth, fileless threats are very much observable. These threats still leave a great deal of memory footprint that can be inspected and blocked as they happen. Next-generation protection and behavioral containment and blocking capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) lead the charge in exposing threats like Astaroth.

In this blog, we’ll share our technical analysis of the revamped Astaroth attack chain and demonstrate how specific Microsoft technologies tackle the multiple advanced components of the attack.

Dismantling the new Astaroth attack chain

The attackers were careful to ensure the updates didn’t make Astaroth easier to detect; on the contrary, the updates only make Astaroth’s activities even more invisible.

One of the most significant updates is the use of Alternate Data Stream (ADS), which Astaroth abuses at several stages to perform various activities. ADS is a file attribute that allows a user to attach data to an existing file. The stream data and its size are not visible in File Explorer, so attacks abuse this feature to hide malicious code in plain sight.

Astaroth 2020 attack chain

Figure 2. Astaroth attack chain 2020

In the case of Astaroth, attackers hide binary data inside the ADS of the file desktop.ini, without changing the file size. By doing this, the attackers create a haven for the payloads, which are read and decrypted on the fly.

Screenshot comparing contents of desktop.ini before and after infection

Figure 3. Desktop.ini before and after infection

The complex attack chain, which involves the use of multiple living-off-the-land binaries (LOLBins), results in the eventual loading of the Astaroth malware directly in memory. When running, Astaroth decrypts plugins that allow it to steal sensitive information, like email passwords and browser passwords.

In the succeeding sections, we describe each step of Astaroth’s attack chain in detail.

Arrival

The attack begins with an email with a message in Portuguese that translates to: “Please find in the link below the STATEMENT #56704/2019 AND LEGAL DECISION, for due purposes”. The email contains a link that points to URL hosting an archive file, Arquivo_PDF_<date>.zip, which contains a LNK file with a similarly misleading name. When clicked, the LNK file runs an obfuscated BAT command line.

Email used in Astaroth campaign

Figure 4. Sample email used in latest Astaroth attacks

The BAT command drops a single-line JavaScript file to the Pictures folder and invokes explorer.exe to run the JavaScript file.

Malware code showing GetObject technique

The dropped one-liner script uses the GetObject technique to fetch and run the much larger main JavaScript directly in memory:

Malware code showing BITSAdmin abuse

BITSAdmin abuse

The main script then invokes multiple instances of BITSAdmin using a benign looking command-line to download multiple binary blobs from a command-and-control (C2) server:

Malware code showing downloaded content showing ADS

The downloaded payloads are encrypted and have the following file names:

  • masihaddajjaldwwn.gif
  • masihaddajjalc.jpg
  • masihaddajjala.jpg
  • masihaddajjalb.jpg
  • masihaddajjaldx.gif
  • masihaddajjalg.gif
  • masihaddajjalgx.gif
  • masihaddajjali.gif
  • masihaddajjalxa.~
  • masihaddajjalxb.~
  • masihaddajjalxc.~
  • masihaddajjal64w.dll
  • masihaddajjal64q.dll
  • masihaddajjal64e.dll

Alternate Data Streams abuse

As mentioned, the new Astaroth attacks use a clever technique of copying downloaded data to the ADS of desktop.ini. For each download, the content is copied to the ADS, and then the original content is deleted. These steps are repeated for all downloaded payloads.

Malware code showing abuse of ADS to run script to find security products

Another way that Astaroth abuses ADS is when it runs a script to find installed security products. A malicious script responsible for enumerating security products is dropped and then copied as an ADS to an empty text file. The execution command-line looks like this:

ExtExport.exe abuse

The main script combines three separately downloaded binary blobs to form the first-stage malware code:

Malware code showing three blobs forming first-stage malware code

The script then uses a LOLBin not previously seen in Astaroth attacks to load the first-stage malware code: ExtExport.exe, which is a legitimate utility shipped as part of Internet Explorer. Attackers can load any DLL by passing an attacker-controlled path to the tool. The tool searches for any DLL with the following file names: mozcrt19.dll, mozsqlite3.dll, or sqlite3.dll. Attackers need only to rename the malicious payload to one of these names, and it is loaded by ExtExport.exe.

Malware code showing ExtExport.exe abuse

Userinit.exe abuse

The newly loaded DLL (mozcrt19.dll, mozsqlite3.dll, or sqlite3.dll) is a proxy that reads three binary ADS streams (desktop.ini:masihaddajjalxa.~, desktop.ini:masihaddajjalxb.~, and desktop.ini:masihaddajjalxc.~) and combines these into a DLL. The newly formed DLL is the second-stage malware code and is loaded in the same process using the reflective DLL loading technique.

The newly loaded DLL is also a proxy that reads and decrypts another ADS stream (desktop.ini:masihaddajjalgx.gif) into a DLL. This DLL is injected into userinit.exe using the process hollowing technique.

The newly loaded DLL inside userinit.exe is again a proxy that reads and decrypts another ADS stream (desktop.ini:masihaddajjalg.gif) into a DLL. This DLL is the malicious info-stealer known as Astaroth and is reflectively loaded inside userinit.exe. Hence, Astaroth never touches the disk and is loaded directly in memory, making it very evasive.

Astaroth payload

When running, the Astaroth payload then reads and decrypts more components from the ADS stream of desktop.ini (desktop.ini:masihaddajjaldwwn.gif, desktop.ini:masihaddajjalc.jpg, desktop.ini:masihaddajjala.jpg, desktop.ini:masihaddajjalb.jpg, and desktop.ini:masihaddajjali.gif).

Some of these components are credential-stealing plugins hidden inside the ADS stream of desktop.ini. Astaroth abuses these plugins to steal information from compromised systems:

  • NirSoft’s MailPassView – an email client password recovery tool
  • NirSoft’s WebBrowserPassView – a web browser password recovery tool

As mentioned, Astaroth also finds installed security products. It then attempts to disable these security products. For Microsoft Defender Antivirus customers, tamper protection prevents such malicious and unauthorized changes to security settings.

Comprehensive, dynamic protection against living-off-the-land, fileless, and other sophisticated threats with Microsoft Threat Protection

Attackers are increasingly turning to living-off-the-land techniques to attempt running undetected for as long as possible on systems. Because these attacks use multiple executables that are native to the system and have legitimate uses, they require a comprehensive, behavior-based approach to detection.

Microsoft Threat Protection combines and orchestrates into a single solution the capabilities of multiple Microsoft security services to coordinate protection, detection, response, and prevention across endpoints, email, identities, and apps.

In the case of Astaroth, Office 365 ATP detects the malware delivery via email. Using detonation-based heuristics and machine learning, Office 365 ATP inspects links and attachments to identify malicious artifacts.

On endpoints, next-generation protection capabilities in Microsoft Defender ATP detect and prevent some components of Astaroth’s new attack chain. Notably, through Antimalware Scan Interface (AMSI), Microsoft Defender ATP can inspect the encrypted malicious scripts used in the initial stages of the attack.

For the more sophisticated sections of the attack chain, behavioral blocking and containment capabilities provide dynamic protection that can stop malicious behaviors and process trees. Behavior-based protections are key to exposing living-off-the-land threats that abuse and hide behind legitimate processes. These protections identify suspicious behavior sequences and advanced attack techniques observed on the client, which are used as triggers to analyze the process tree using real-time machine learning models in the cloud.

Diagram showing preventive and behavior-based blocking & containment solutions against Astaroth

Figure 5. Preventive and behavior-based blocking & containment protections against Astaroth

These behavior-based detections raise alerts in Microsoft Defender Security Center. With behavioral blocking and containment, not only are evasive threats exposed, detected, and stopped; security operations personnel are also notified so they can thoroughly investigate and remediate the root cause.

Figure 6. Sample Microsoft Defender ATP alerts on behavior-based detections of Astaroth’s activities

Microsoft Defender ATP’s EDR capabilities also have very strong coverage of advanced techniques employed by Astaroth, including cross-process migration, code injection, and use of LOLBins.

Figure 7. Sample Microsoft Defender ATP EDR alert and process tree on Astaroth’s behaviors

We expect Astaroth to further develop and increase in complexity, as long-running malware campaigns do. We will continue to watch this evolving threat and ensure that customers are protected from future updates through durable behavior-based protections.

 

 

Hardik Suri

Microsoft Defender ATP Research Team

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Threat Protection and Microsoft Defender ATP tech communities.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post Latest Astaroth living-off-the-land attacks are even more invisible but not less observable appeared first on Microsoft Security.

Human-operated ransomware attacks: A preventable disaster

March 5th, 2020 No comments

Human-operated ransomware campaigns pose a significant and growing threat to businesses and represent one of the most impactful trends in cyberattacks today. In these hands-on-keyboard attacks, which are different from auto-spreading ransomware like WannaCry or NotPetya, adversaries employ credential theft and lateral movement methods traditionally associated with targeted attacks like those from nation-state actors. They exhibit extensive knowledge of systems administration and common network security misconfigurations, perform thorough reconnaissance, and adapt to what they discover in a compromised network.

These attacks are known to take advantage of network configuration weaknesses and vulnerable services to deploy devastating ransomware payloads. And while ransomware is the very visible action taken in these attacks, human operators also deliver other malicious payloads, steal credentials, and access and exfiltrate data from compromised networks.

News about ransomware attacks often focus on the downtimes they cause, the ransom payments, and the details of the ransomware payload, leaving out details of the oftentimes long-running campaigns and preventable domain compromise that allow these human-operated attacks to succeed.

Based on our investigations, these campaigns appear unconcerned with stealth and have shown that they could operate unfettered in networks. Human operators compromise accounts with higher privileges, escalate privilege, or use credential dumping techniques to establish a foothold on machines and continue unabated in infiltrating target environments.

Human-operated ransomware campaigns often start with “commodity malware” like banking Trojans or “unsophisticated” attack vectors that typically trigger multiple detection alerts; however, these tend to be triaged as unimportant and therefore not thoroughly investigated and remediated. In addition, the initial payloads are frequently stopped by antivirus solutions, but attackers just deploy a different payload or use administrative access to disable the antivirus without attracting the attention of incident responders or security operations centers (SOCs).

Some well-known human-operated ransomware campaigns include REvil, Samas, Bitpaymer, and Ryuk. Microsoft actively monitors these and other long-running human-operated ransomware campaigns, which have overlapping attack patterns. They take advantage of similar security weaknesses, highlighting a few key lessons in security, notably that these attacks are often preventable and detectable.

Combating and preventing attacks of this nature requires a shift in mindset, one that focuses on comprehensive protection required to slow and stop attackers before they can succeed. Human-operated attacks will continue to take advantage of security weaknesses to deploy destructive attacks until defenders consistently and aggressively apply security best practices to their networks. In this blog, we will highlight case studies of human-operated ransomware campaigns that use different entrance vectors and post-exploitation techniques but have overwhelming overlap in the security misconfigurations they abuse and the devastating impact they have on organizations.

PARINACOTA group: Smash-and-grab monetization campaigns

One actor that has emerged in this trend of human-operated attacks is an active, highly adaptive group that frequently drops Wadhrama as payload. Microsoft has been tracking this group for some time, but now refers to them as PARINACOTA, using our new naming designation for digital crime actors based on global volcanoes.

PARINACOTA impacts three to four organizations every week and appears quite resourceful: during the 18 months that we have been monitoring it, we have observed the group change tactics to match its needs and use compromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying for other attacks. The group’s goals and payloads have shifted over time, influenced by the type of compromised infrastructure, but in recent months, they have mostly deployed the Wadhrama ransomware.

The group most often employs a smash-and-grab method, whereby they attempt to infiltrate a machine in a network and proceed with subsequent ransom in less than an hour. There are outlier campaigns in which they attempt reconnaissance and lateral movement, typically when they land on a machine and network that allows them to quickly and easily move throughout the environment.

PARINACOTA’s attacks typically brute forces their way into servers that have Remote Desktop Protocol (RDP) exposed to the internet, with the goal of moving laterally inside a network or performing further brute-force activities against targets outside the network. This allows the group to expand compromised infrastructure under their control. Frequently, the group targets built-in local administrator accounts or a list of common account names. In other instances, the group targets Active Directory (AD) accounts that they compromised or have prior knowledge of, such as service accounts of known vendors.

The group adopted the RDP brute force technique that the older ransomware called Samas (also known as SamSam) infamously used. Other malware families like GandCrab, MegaCortext, LockerGoga, Hermes, and RobbinHood have also used this method in targeted ransomware attacks. PARINACOTA, however, has also been observed to adapt to any path of least resistance they can utilize. For instance, they sometimes discover unpatched systems and use disclosed vulnerabilities to gain initial access or elevate privileges.

Wadhrama PARINACOTA attack chain

Figure 1. PARINACOTA infection chain

We gained insight into these attacks by investigating compromised infrastructure that the group often utilizes to proxy attacks onto their next targets. To find targets, the group scans the internet for machines that listen on RDP port 3389. The attackers do this from compromised machines using tools like Masscan.exe, which can find vulnerable machines on the entire internet in under six minutes.

Once a vulnerable target is found, the group proceeds with a brute force attack using tools like NLbrute.exe or ForcerX, starting with common usernames like ‘admin’, ‘administrator’, ‘guest’, or ‘test’. After successfully gaining access to a network, the group tests the compromised machine for internet connectivity and processing capacity. They determine if the machine meets certain requirements before using it to conduct subsequent RDP brute force attacks against other targets. This tactic, which has not been observed being used by similar ransomware operators, gives them access to additional infrastructure that is less likely to be blocked. In fact, the group has been observed leaving their tools running on compromised machines for months on end.

On machines that the group doesn’t use for subsequent RDP brute-force attacks, they proceed with a separate set of actions. This technique helps the attackers evade reputation-based detection, which may block their scanning boxes; it also preserves their command-and-control (C2) infrastructure. In addition, PARINACOTA utilizes administrative privileges gained via stolen credentials to turn off or stop any running services that might lead to their detection. Tamper protection in Microsoft Defender ATP prevents malicious and unauthorized to settings, including antivirus solutions and cloud-based detection capabilities.

After disabling security solutions, the group often downloads a ZIP archive that contains dozens of well-known attacker tools and batch files for credential theft, persistence, reconnaissance, and other activities without fear of the next stages of the attack being prevented. With these tools and batch files, the group clears event logs using wevutil.exe, as well as conducts extensive reconnaissance on the machine and the network, typically looking for opportunities to move laterally using common network scanning tools. When necessary, the group elevates privileges from local administrator to SYSTEM using accessibility features in conjunction with a batch file or exploit-laden files named after the specific CVEs they impact, also known as the “Sticky Keys” attack.

The group dumps credentials from the LSASS process, using tools like Mimikatz and ProcDump, to gain access to matching local administrator passwords or service accounts with high privileges that may be used to start as a scheduled task or service, or even used interactively. PARINACOTA then uses the same remote desktop session to exfiltrate acquired credentials. The group also attempts to get credentials for specific banking or financial websites, using findstr.exe to check for cookies associated with these sites.

Microsoft Defender ATP alert for credential theft

Figure 2. Microsoft Defender ATP alert for credential theft

With credentials on hand, PARINACOTA establishes persistence using various methods, including:

  • Registry modifications using .bat or .reg files to allow RDP connections
  • Setting up access through existing remote assistance apps or installing a backdoor
  • Creating new local accounts and adding them to the local administrators group

To determine the type of payload to deploy, PARINACOTA uses tools like Process Hacker to identify active processes. The attackers don’t always install ransomware immediately; they have been observed installing coin miners and using massmail.exe to run spam campaigns, essentially using corporate networks as distributed computing infrastructure for profit. The group, however, eventually returns to the same machines after a few weeks to install ransomware.

The group performs the same general activities to deliver the ransomware payload:

  • Plants a malicious HTA file (hta in many instances) using various autostart extensibility points (ASEPs), but often the registry Run keys or the Startup folder. The HTA file displays ransom payment instructions.
  • Deletes local backups using tools like exe to stifle recovery of ransomed files.
  • Stops active services that might interfere with encryption using exe, net.exe, or other tools.

Figure 3. PARINACOTA stopping services and processes

  • Drops an array of malware executables, often naming the files based on their intended behavior. If previous attempts to stop antivirus software have been unsuccessful, the group simply drops multiple variants of a malware until they manage to execute one that is not detected, indicating that even when detections and alerts are occurring, network admins are either not seeing them or not reacting to them.

As mentioned, PARINACOTA has recently mostly dropped the Wadhrama ransomware, which leaves the following ransom note after encrypting target files:

Figure 4. Wadhrama ransom note

In several observed cases, targeted organizations that were able to resolve ransomware infections were unable to fully remove persistence mechanisms, allowing the group to come back and deploy ransomware again.

Figure 5. Microsoft Defender ATP machine view showing reinfection by Wadhrama

PARINACOTA routinely uses Monero coin miners on compromised machines, allowing them to collect uniform returns regardless of the type of machine they access. Monero is popular among cybercriminals for its privacy benefits: Monero not only restricts access to wallet balances, but also mixes in coins from other transactions to help hide the specifics of each transaction, resulting in transactions that aren’t as easily traceable by amount as other digital currencies.

As for the ransomware component, we have seen reports of the group charging anywhere from .5 to 2 Bitcoins per compromised machine. This varies depending on what the attackers know about the organization and the assets that they have compromised. The ransom amount is adjusted based on the likelihood the organization will pay due to impact to their company or the perceived importance of the target.

Doppelpaymer: Ransomware follows Dridex

Doppelpaymer ransomware recently caused havoc in several highly publicized attacks against various organizations around the world. Some of these attacks involved large ransom demands, with attackers asking for millions of dollars in some cases.

Doppelpaymer ransomware, like Wadhrama, Samas, LockerGoga, and Bitpaymer before it, does not have inherent worm capabilities. Human operators manually spread it within compromised networks using stolen credentials for privileged accounts along with common tools like PsExec and Group Policy. They often abuse service accounts, including accounts used to manage security products, that have domain admin privileges to run native commands, often stopping antivirus software and other security controls.

The presence of banking Trojans like Dridex on machines compromised by Doppelpaymer point to the possibility that Dridex (or other malware) is introduced during earlier attack stages through fake updaters, malicious documents in phishing email, or even by being delivered via the Emotet botnet.

While Dridex is likely used as initial access for delivering Doppelpaymer on machines in affected networks, most of the same networks contain artifacts indicating RDP brute force. This is in addition to numerous indicators of credential theft and the use of reconnaissance tools. Investigators have in fact found artifacts indicating that affected networks have been compromised in some manner by various attackers for several months before the ransomware is deployed, showing that these attacks (and others) are successful and unresolved in networks where diligence in security controls and monitoring is not applied.

The use of numerous attack methods reflects how attackers freely operate without disruption – even when available endpoint detection and response (EDR) and endpoint protection platform (EPP) sensors already detect their activities. In many cases, some machines run without standard safeguards, like security updates and cloud-delivered antivirus protection. There is also the lack of credential hygiene, over-privileged accounts, predictable local administrator and RDP passwords, and unattended EDR alerts for suspicious activities.

Figure 6. Sample Microsoft Defender ATP alert

The success of attacks relies on whether campaign operators manage to gain control over domain accounts with elevated privileges after establishing initial access. Attackers utilize various methods to gain access to privileged accounts, including common credential theft tools like Mimikatz and LaZange. Microsoft has also observed the use of the Sysinternals tool ProcDump to obtain credentials from LSASS process memory. Attackers might also use LSASecretsView or a similar tool to access credentials stored in the LSA secrets portion of the registry. Accessible to local admins, this portion of the registry can reveal credentials for domain accounts used to run scheduled tasks and services.

Figure 7. Doppelpaymer infection chain

Campaign operators continually steal credentials, progressively gaining higher privileges until they control a domain administrator-level account. In some cases, operators create new accounts and grant Remote Desktop privileges to those accounts.

Apart from securing privileged accounts, attackers use other ways of establishing persistent access to compromised systems. In several cases, affected machines are observed launching a base64-encoded PowerShell Empire script that connects to a C2 server, providing attackers with persistent control over the machines. Limited evidence suggests that attackers set up WMI persistence mechanisms, possibly during earlier breaches, to launch PowerShell Empire.

After obtaining adequate credentials, attackers perform extensive reconnaissance of machines and running software to identify targets for ransomware delivery. They use the built-in command qwinsta to check for active RDP sessions, run tools that query Active Directory or LDAP, and ping multiple machines. In some cases, the attackers target high-impact machines, such as machines running systems management software. Attackers also identify machines that they could use to stay persistent on the networks after deploying ransomware.

Attackers use various protocols or system frameworks (WMI, WinRM, RDP, and SMB) in conjunction with PsExec to move laterally and distribute ransomware. Upon reaching a new device through lateral movement, attackers attempt to stop services that can prevent or stifle successful ransomware distribution and execution. As in other ransomware campaigns, the attackers use native commands to stop Exchange Server, SQL Server, and similar services that can lock certain files and disrupt attempts to encrypt them. They also stop antivirus software right before dropping the ransomware file itself.

Attempts to bypass antivirus protection and deploy ransomware are particularly successful in cases where:

  • Attackers already have domain admin privileges
  • Tamper protection is off
  • Cloud-delivered protection is off
  • Antivirus software is not properly managed or is not in a healthy state

Microsoft Defender ATP generates alerts for many activities associated with these attacks. However, in many of these cases, affected network segments and their associated alerts are not actively being monitored or responded to.

Attackers also employ a few other techniques to bypass protections and run ransomware code. In some cases, we found artifacts indicating that they introduce a legitimate binary and use Alternate Data Streams to masquerade the execution of the ransomware binary as legitimate binary.

Command prmpt dump output of the Alternate Data Stream

Figure 8. Command prompt dump output of the Alternate Data Stream

The Doppelpaymer ransomware binary used in many attacks are signed using what appears to be stolen certificates from OFFERS CLOUD LTD, which might be trusted by various security solutions.

Doppelpaymer encrypts various files and displays a ransom note. In observed cases, it uses a custom extension name for encrypted files using information about the affected environment. For example, it has used l33tspeak versions of company names and company phone numbers.

Notably, Doppelpaymer campaigns do not fully infect compromised networks with ransomware. Only a subset of the machines have the malware binary and a slightly smaller subset have their files encrypted. The attackers maintain persistence on machines that don’t have the ransomware and appear intent to use these machines to come back to networks that pay the ransom or do not perform a full incident response and recovery.

Ryuk: Human-operated ransomware initiated from Trickbot infections

Ryuk is another active human-operated ransomware campaign that wreaks havoc on organizations, from corporate entities to local governments to non-profits by disrupting businesses and demanding massive ransom. Ryuk originated as a ransomware payload distributed over email, and but it has since been adopted by human operated ransomware operators.

Like Doppelpaymer, Ryuk is one of possible eventual payloads delivered by human operators that enter networks via banking Trojan infections, in this case Trickbot. At the beginning of a Ryuk infection, an existing Trickbot implant downloads a new payload, often Cobalt Strike or PowerShell Empire, and begins to move laterally across a network, activating the Trickbot infection for ransomware deployment. The use of Cobalt Strike beacon or a PowerShell Empire payload gives operators more maneuverability and options for lateral movement on a network. Based on our investigation, in some networks, this may also provide the added benefit to the attackers of blending in with red team activities and tools.

In our investigations, we found that this activation occurs on Trickbot implants of varying ages, indicating that the human operators behind Ryuk likely have some sort of list of check-ins and targets for deployment of the ransomware. In many cases, however, this activation phase comes well after the initial Trickbot infection, and the eventual deployment of a ransomware payload may happen weeks or even months after the initial infection.

In many networks, Trickbot, which can be distributed directly via email or as a second-stage payload to other Trojans like Emotet, is often considered a low-priority threat, and not remediated and isolated with the same degree of scrutiny as other, more high-profile malware. This works in favor of attackers, allowing them to have long-running persistence on a wide variety of networks. Trickbot, and the Ryuk operators, also take advantage of users running as local administrators in environments and use these permissions to disable security tools that would otherwise impede their actions.

Figure 9. Ryuk infection chain

Once the operators have activated on a network, they utilize their Cobalt Strike or PowerShell tools to initiate reconnaissance and lateral movement on a network. Their initial steps are usually to use built-in commands such as net group to enumerate group membership of high-value groups like domain administrators and enterprise administrators, and to identify targets for credential theft.

Ryuk operators then use a variety of techniques to steal credentials, including the LaZagne credential theft tool. The attackers also save various registry hives to extract credentials from Local Accounts and the LSA Secrets portion of the registry that stores passwords of service accounts, as well as Scheduled Tasks configured to auto start with a defined account. In many cases, services like security and systems management software are configured with privileged accounts, such as domain administrator; this makes it easy for Ryuk operators to migrate from an initial desktop to server-class systems and domain controllers. In addition, in many environments successfully compromised by Ryuk, operators are able to utilize the built-in administrator account to move laterally, as these passwords are matching and not randomized.

Once they have performed initial basic reconnaissance and credential theft, the attackers in some cases utilize the open source security audit tool known as BloodHound to gather detailed information about the Active Directory environment and probable attack paths. This data and associated stolen credentials are accessed by the attacker and likely retained, even after the ransomware portion is ended.

The attackers then continue to move laterally to higher value systems, inspecting and enumerating files of interest to them as they go, possibly exfiltrating this data. The attackers then elevate to domain administrator and utilize these permissions to deploy the Ryuk payload.

The ransomware deployment often occurs weeks or even months after the attackers begin activity on a network. The Ryuk operators use stolen Domain Admin credentials, often from an interactive logon session on a domain controller, to distribute the Ryuk payload. They have been seen doing this via Group Policies, setting a startup item in the SYSVOL share, or, most commonly in recent attacks, via PsExec sessions emanating from the domain controller itself.

Improving defenses to stop human-operated ransomware

In human-operated ransomware campaigns, even if the ransom is paid, some attackers remain active on affected networks with persistence via PowerShell Empire and other malware on machines that may seem unrelated to ransomware activities. To fully recover from human-powered ransomware attacks, comprehensive incident response procedures and subsequent network hardening need to be performed.

As we have learned from the adaptability and resourcefulness of attackers, human-operated campaigns are intent on circumventing protections and cleverly use what’s available to them to achieve their goal, motivated by profit. The techniques and methods used by the human-operated ransomware attacks we discussed in this blog highlight these important lessons in security:

  1. IT pros play an important role in security

Some of the most successful human-operated ransomware campaigns have been against servers that have antivirus software and other security intentionally disabled, which admins may do to improve performance. Many of the observed attacks leverage malware and tools that are already detected by antivirus. The same servers also often lack firewall protection and MFA, have weak domain credentials, and use non-randomized local admin passwords. Oftentimes these protections are not deployed because there is a fear that security controls will disrupt operations or impact performance. IT pros can help with determining the true impact of these settings and collaborate with security teams on mitigations.

Attackers are preying on settings and configurations that many IT admins manage and control. Given the key role they play, IT pros should be part of security teams.

  1. Seemingly rare, isolated, or commodity malware alerts can indicate new attacks unfolding and offer the best chance to prevent larger damage

Human-operated attacks involve a fairly lengthy and complex attack chain before the ransomware payload is deployed. The earlier steps involve activities like commodity malware infections and credential theft that Microsoft Defender ATP detects and raises alerts on. If these alerts are immediately prioritized, security operations teams can better mitigate attacks and prevent the ransomware payload. Commodity malware infections like Emotet, Dridex, and Trickbot should be remediated and treated as a potential full compromise of the system, including any credentials present on it.

  1. Truly mitigating modern attacks requires addressing the infrastructure weakness that let attackers in

Human-operated ransomware groups routinely hit the same targets multiple times. This is typically due to failure to eliminate persistence mechanisms, which allow the operators to go back and deploy succeeding rounds of payloads, as targeted organizations focus on working to resolve the ransomware infections.

Organizations should focus less on resolving alerts in the shortest possible time and more on investigating the attack surface that allowed the alert to happen. This requires understanding the entire attack chain, but more importantly, identifying and fixing the weaknesses in the infrastructure to keep attackers out.

While Wadhrama, Doppelpaymer, Ryuk, Samas, REvil, and other human-operated attacks require a shift in mindset, the challenges they pose are hardly unique.

Removing the ability of attackers to move laterally from one machine to another in a network would make the impact of human-operated ransomware attacks less devastating and make the network more resilient against all kinds of cyberattacks. The top recommendations for mitigating ransomware and other human-operated campaigns are to practice credential hygiene and stop unnecessary communication between endpoints.

Here are relevant mitigation actions that enterprises can apply to build better security posture and be more resistant against cyberattacks in general:

  • Harden internet-facing assets and ensure they have the latest security updates. Use threat and vulnerability management to audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activity.
  • Secure Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA).
  • Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce strong randomized, just-in-time local administrator passwords. Use tools like LAPS.
  • Monitor for brute-force attempts. Check excessive failed authentication attempts (Windows security event ID 4625).
  • Monitor for clearing of Event Logs, especially the Security Event log and PowerShell Operational logs. Microsoft Defender ATP raises the alert “Event log was cleared” and Windows generates an Event ID 1102 when this occurs.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Determine where highly privileged accounts are logging on and exposing credentials. Monitor and investigate logon events (event ID 4624) for logon type attributes. Domain admin accounts and other accounts with high privilege should not be present on workstations.
  • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Turn on attack surface reduction rules, including rules that block credential theft, ransomware activity, and suspicious use of PsExec and WMI. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications Other. To assess the impact of these rules, deploy them in audit mode.
  • Turn on AMSI for Office VBA if you have Office 365.
  • Utilize the Windows Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.

Figure 10. Improving defenses against human-operated ransomware

How Microsoft empowers customers to combat human-operated attacks

The rise of adaptable, resourceful, and persistent human-operated attacks characterizes the need for advanced protection on multiple attack surfaces. Microsoft Threat Protection delivers comprehensive protection for identities, endpoints, data, apps, and infrastructure. Through built-intelligence, automation, and integration, Microsoft Threat Protection combines and orchestrates into a single solution the capabilities of Microsoft Defender Advanced Threat Protection (ATP), Office 365 ATP, Azure ATP, and Microsoft Cloud App Security, providing customers integrated security and unparalleled visibility across attack vectors.

Building an optimal organizational security posture is key to defending networks against human-operated attacks and other sophisticated threats. Microsoft Secure Score assesses and measures an organization’s security posture and provides recommended improvement actions, guidance, and control. Using a centralized dashboard in Microsoft 365 security center, organizations can compare their security posture with benchmarks and establish key performance indicators (KPIs).

On endpoints, Microsoft Defender ATP provides unified protection, investigation, and response capabilities. Durable machine learning and behavior-based protections detect human-operated campaigns at multiple points in the attack chain, before the ransomware payload is deployed. These advanced detections raise alerts on the Microsoft Defender Security Center, enabling security operations teams to immediately respond to attacks using the rich capabilities in Microsoft Defender ATP.

The Threat and Vulnerability Management capability uses a risk-based approach to the discovery, prioritization, and remediation of misconfigurations and vulnerabilities on endpoints. Notably, it allows security administrators and IT administrators to collaborate seamlessly to remediate issues. For example, through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune with one click.

Microsoft experts have been tracking multiple human operated ransomware groups. To further help customers, we released a Microsoft Defender ATP Threat Analytics report on the campaigns and mitigations against the attack. Through Threat Analytics, customers can see indicators of Wadhrama, Doppelpaymer, Samas, and other campaign activities in their environments and get details and recommendations that are designed to help security operations teams to investigate and respond to attacks. The reports also include relevant advanced hunting queries that can further help security teams look for signs of attacks in their network.

Customers subscribed to Microsoft Threat Experts, the managed threat hunting service in Microsoft Defender ATP, get targeted attack notification on emerging ransomware campaigns that our experts find during threat hunting. The email notifications are designed to inform customers about threats that they need to prioritize, as well as critical information like timeline of events, affected machines, and indicators of compromise, which help in investigating and mitigating attacks. Additionally, with experts on demand, customers can engage directly with Microsoft security analysts to get guidance and insights to better understand, prevent, and respond to human-operated attacks and other complex threats.

 

Microsoft Threat Protection Intelligence Team

 

The post Human-operated ransomware attacks: A preventable disaster appeared first on Microsoft Security.

Ghost in the shell: Investigating web shell attacks

February 4th, 2020 No comments

Recently, an organization in the public sector discovered that one of their internet-facing servers was misconfigured and allowed attackers to upload a web shell, which let the adversaries gain a foothold for further compromise. The organization enlisted the services of Microsoft’s Detection and Response Team (DART) to conduct a full incident response and remediate the threat before it could cause further damage.

DART’s investigation showed that the attackers uploaded a web shell in multiple folders on the web server, leading to the subsequent compromise of service accounts and domain admin accounts. This allowed the attackers to perform reconnaissance using net.exe, scan for additional target systems using nbstat.exe, and eventually move laterally using PsExec.

The attackers installed additional web shells on other systems, as well as a DLL backdoor on an Outlook Web Access (OWA) server. To persist on the server, the backdoor implant registered itself as a service or as an Exchange transport agent, which allowed it to access and intercept all incoming and outgoing emails, exposing sensitive information. The backdoor also performed additional discovery activities as well as downloaded other malware payloads. In addition, the attackers sent special emails that the DLL backdoor interpreted as commands.

Figure 1. Sample web shell attack chain

The case is one of increasingly more common incidents of web shell attacks affecting multiple organizations in various sectors. A web shell is a piece of malicious code, often written in typical web development programming languages (e.g., ASP, PHP, JSP), that attackers implant on web servers to provide remote access and code execution to server functions. Web shells allow adversaries to execute commands and to steal data from a web server or use the server as launch pad for further attacks against the affected organization.

With the use of web shells in cyberattacks on the rise, Microsoft’s DART, the Microsoft Defender ATP Research Team, and the Microsoft Threat Intelligence Center (MSTIC) have been working together to investigate and closely monitor this threat.

Web shell attacks in the current threat landscape

Multiple threat actors, including ZINC, KRYPTON, and GALLIUM, have been observed utilizing web shells in their campaigns. To implant web shells, adversaries take advantage of security gaps in internet-facing web servers, typically vulnerabilities in web applications, for example CVE-2019-0604 or CVE-2019-16759.

In our investigations into these types of attacks, we have seen web shells within files that attempt to hide or blend in by using names commonly used for legitimate files in web servers, for example:

  • index.aspx
  • fonts.aspx
  • css.aspx
  • global.aspx
  • default.php
  • function.php
  • Fileuploader.php
  • help.js
  • write.jsp
  • 31.jsp

Among web shells used by threat actors, the China Chopper web shell is one of the most widely used. One example is written in JSP:

We have seen this malicious JSP code within a specially crafted file uploaded to web servers:

Figure 2. Specially crafted image file with malicious JSP code

Another China Chopper variant is written in PHP:

Meanwhile, the KRYPTON group uses a bespoke web shell written in C# within an ASP.NET page:

Figure 3. Web shell written in C# within an ASP.NET page

Once a web shell is successfully inserted into a web server, it can allow remote attackers to perform various tasks on the web server. Web shells can steal data, perpetrate watering hole attacks, and run other malicious commands for further compromise.

Web shell attacks have affected a wide range of industries. The organization in the public sector mentioned above represents one of the most common targeted sectors.

Aside from exploiting vulnerabilities in web applications or web servers, attackers take advantage of other weaknesses in internet-facing servers. These include the lack of the latest security updates, antivirus tools, network protection, proper security configuration, and informed security monitoring. Interestingly, we observed that attacks usually occur on weekends or during off-hours, when attacks are likely not immediately spotted and responded to.

Unfortunately, these gaps appear to be widespread, given that every month, Microsoft Defender Advanced Threat Protection (ATP) detects an average of 77,000 web shell and related artifacts on an average of 46,000 distinct machines.

Figure 3: Web shell encounters 

Detecting and mitigating web shell attacks

Because web shells are a multi-faceted threat, enterprises should build comprehensive defenses for multiple attack surfaces. Microsoft Threat Protection provides unified protection for identities, endpoints, email and data, apps, and infrastructure. Through signal-sharing across Microsoft services, customers can leverage Microsoft’s industry-leading optics and security technologies to combat web shells and other threats.

Gaining visibility into internet-facing servers is key to detecting and addressing the threat of web shells. The installation of web shells can be detected by monitoring web application directories for web script file writes. Applications such as Outlook Web Access (OWA) rarely change after they have been installed and script writes to these application directories should be treated as suspicious.

After installation, web shell activity can be detected by analyzing processes created by the Internet Information Services (IIS) process w3wp.exe. Sequences of processes that are associated with reconnaissance activity such as those identified in the alert screenshot (net.exe, ping.exe, systeminfo.exe, and hostname.exe) should be treated with suspicion. Web applications such as OWA run from well-defined Application Pools. Any cmd.exe process execution by w3wp.exe running from an application pool that doesn’t typically execute processes such as ‘MSExchangeOWAAppPool’ should be treated as unusual and regarded as potentially malicious.

Microsoft Defender ATP exposes these behaviors that indicate web shell installation and post-compromise activity by analyzing script file writes and process executions. When alerted of these activities, security operations teams can then use the rich capabilities in Microsoft Defender ATP to investigate and resolve web shell attacks.

Figure 4. Sample Microsoft Defender ATP alerts related to web shell attacks

Figure 5. Microsoft Defender ATP alert process tree

As in most security issues, prevention is critical. Organizations can harden systems against web shell attacks by taking these preventive steps:

  • Identify and remediate vulnerabilities or misconfigurations in web applications and web servers. Deploy latest security updates as soon as they become available.
  • Audit and review logs from web servers frequently. Be aware of all systems you expose directly to the internet.
  • Utilize the Windows Defender Firewall, intrusion prevention devices, and your network firewall to prevent command-and-control server communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
  • Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.
  • Enable cloud-delivered protection to get the latest defenses against new and emerging threats.
  • Educate end users about preventing malware infections. Encourage end users to practice good credential hygiene—limit the use of accounts with local or domain admin privileges.

 

 

Detection and Response Team (DART)

Microsoft Defender ATP Research Team

Microsoft Threat Intelligence Center (MSTIC)

 

The post Ghost in the shell: Investigating web shell attacks appeared first on Microsoft Security.

sLoad launches version 2.0, Starslord

January 21st, 2020 No comments

sLoad, the PowerShell-based Trojan downloader notable for its almost exclusive use of the Windows BITS service for malicious activities, has launched version 2.0. The new version comes on the heels of a comprehensive blog we published detailing the malware’s multi-stage nature and use of BITS as alternative protocol for data exfiltration and other behaviors.

With the new version, sLoad has added the ability to track the stage of infection on every affected machine. Version 2.0 also packs an anti-analysis trick that could identify and isolate analyst machines vis-à-vis actual infected machines.

We’re calling the new version “Starslord” based on strings in the malware code, which has clues indicating that the name “sLoad” may have been derived from a popular comic book superhero.

We discovered the new sLoad version over the holidays, in our continuous monitoring of the malware. New sLoad campaigns that use version 2.0 follow an attack chain similar to the previous version, with some updates, including dropping the dynamic list of command-and-control (C2) servers and upload of screenshots.

Tracking the stage of infection

With the ability to track the stage of infection, malware operators with access to the Starslord backend could build a detailed view of infections across affected machines and segregate these machines into different groups.

The tracking mechanism exists in the final-stage, which, as with the old version, loops infinitely (with sleep interval of 2400 seconds, higher than the 1200 seconds in version 1.0). In line with the previous version, at every iteration of the final stage, the malware uses a download BITS job to exfiltrate stolen system information and receive additional payloads from the active C2 server.

As we noted in our previous blog, creating a BITS job with an extremely large RemoteURL parameter that includes non-encrypted system information, as the old sLoad version did, stands out and is relatively easy to detect. However, with Starslord, the system information is encoded into Base64 data before being exfiltrated.

The file received by Starslord in response to the exfiltration BITS job contains a tuple of three values separated by an asterisk (*):

  • Value #1 is a URL to download additional payload using a download BITS job
  • Value #2 specifies the action, which can be any of the following, to be taken on the payload downloaded from the URL in value#1:
    • “eval” – Run (possibly very large) PowerShell scripts
    • “iex” – Load and invoke (possibly small) PowerShell code
    • “run” – Download encoded PE file, decode using exe, and run the decoded executable
  • Value #3 is an integer that can signify the stage of infection for the machine

Supplying the payload URL as part of value #1 allows the malware infrastructure to house additional payloads on different servers from the active C2 servers responding to the exfiltration BITS jobs.

Value#3 is the most noteworthy component in this setup. If the final stage succeeds in downloading additional payload using the URL provided in value #1 and executing it as specified by the command in value #2, then a variable is used to form the string “td”:”<value#3>”,”tds”:”3”. However, if the final stage fails to download and execute the payload, then the string formed is “td”:”<value #3>”,”tds”:”4”.

The infinite loop ensures that the exfiltration BITS jobs are created at a fixed interval. The backend infrastructure can then pick up the pulse from each infected machine. However, unlike the previous version, Starslord includes the said string in succeeding iterations of data exfiltration. This means that the malware infrastructure is always aware of the exact stage of the infection for a specific affected machine. In addition, since the numeric value for value #3 in the tuple is always governed by the malware infrastructure, malware operators can compartmentalize infected hosts and could potentially set off individual groups on unique infection paths. For example, when responding to exfiltration BITS jobs, malware operators can specify a different URL (value #1) and action (value #2) for each numeric value for value #3 of the tuple, essentially deploying a different malware payload for different groups.

Anti-analysis trap

Starslord comes built-in with a function named checkUniverse, which is in-fact an anti-analysis trap.

As mentioned in our previous blog post, the final stage of sLoad is a piece of PowerShell code obtained by decoding one of the dropped .ini files. The PowerShell code appears in the memory as a value assigned to a variable that is then executed using the Invoke-Expression cmdlet. Because this is a huge piece of decrypted PowerShell code that never hits the disk, security researchers would typically dump it into a file on the disk for further analysis.

The sLoad dropper PowerShell script drops four files:

  • a randomly named .tmp file
  • a randomly named .ps1 file
  • a ini file
  • a ini file

It then creates a scheduled task to run the .tmp file every 3 minutes, similar to the previous version. The .tmp file is a proxy that does nothing but run the .ps1 file, which decrypts the contents of main.ini into the final stage. The final stage then decrypts contents of domain.ini to obtain active C2 and perform other activities as documented.

As a unique anti-analysis trap, Starslord ensures that the .tmp and.ps1 files have the same random name. When an analyst dumps the decrypted code of the final stage into a file in the same folder as the .tmp and .ps1 files, the analyst could end up naming it something other than the original random name. When this dumped code is run from such differently named file on the disk, a function named checkUniverse returns the value 1, and the analyst gets trapped:

What comes next is not very desirable for a security researcher: being profiled by the malware operator.

If the host belongs to a trapped analyst, the file downloaded from the backend in response to the exfiltration BITS job, if any, is discarded and overwritten by the following new tuple:

hxxps://<active C2>/doc/updx2401.jpg*eval*-1

In this case, the value #1 of the tuple is a URL that’s known to the backend for being associated with trapped hosts. BITS jobs from trapped hosts don’t always get a response. If they do, it’s a copy of the dropper PowerShell script. This could be to create an illusion that the framework is being updated as the URL in value #1 of the tuple suggests (hxxps://<active C2>/doc/updx2401.jpg).

However, the string that is included in all successive exfiltration BITS jobs from such host is “td”:”-1”,”tds”:”3”, eventually leading to all such hosts getting grouped under value “td”:”-1”. This forms the group of all trapped machines that are never delivered a payload. For the rest, so far, evidence suggests that it has been delivering the file infector Ramnit intermittently.

Durable protection against evolving malware

sLoad’s multi-stage attack chain, use of mutated intermediate scripts and BITS as an alternative protocol, and its polymorphic nature in general make it a piece malware that can be quite tricky to detect. Now, it has evolved into a new and polished version Starlord, which retains sLoads most basic capabilities but does away with spyware capabilities in favor of new and more powerful features, posing even higher risk.

Starslord can track and group affected machines based on the stage of infection, which can allow for unique infection paths. Interestingly, given the distinct reference to a fictional superhero, these groups can be thought of as universes in a multiverse. In fact, the malware uses a function called checkUniverse to determine if a host is an analyst machine.

Microsoft Threat Protection defends customers from sophisticated and continuously evolving threats like sLoad using multiple industry-leading security technologies that protect various attack surfaces. Through signal-sharing across multiple Microsoft services, Microsoft Threat Protection delivers comprehensive protection for identities, endpoints, data, apps, and infrastructure.

On endpoints, behavioral blocking and containment capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) ensure durable protection against evolving threats. Through cloud-based machine learning and data science informed by threat research, Microsoft Defender ATP can spot and stop malicious behaviors from threats, both old and new, in real-time.

 

 

Sujit Magar

Microsoft Defender ATP Research Team

The post sLoad launches version 2.0, Starslord appeared first on Microsoft Security.

Rethinking cyber scenarios—learning (and training) as you defend

January 14th, 2020 No comments

In two recent posts I discussed with Circadence the increasing importance of gamification for cybersecurity learning and how to get started as a practitioner while being supported by an enterprise learning officer or security team lead. In this third and final post in the series, Keenan and I address more advanced SecOps scenarios that an experienced practitioner would be concerned with understanding. We even show how Circadence and Microsoft help seasoned practitioners defend against some of the most prevalent and advanced attackers we see across industries.

Here are more of Keenan’s insights from our Q&A:

Q: Keenan, thanks for sharing in this digital conversation with me again. I admire your passion for gamified cyber learning. I’d not put the two ideas together, that you can adopt gaming concepts—and consoles—in a way that makes learning the often difficult and evolving subject matter of “cyber” much more fun and impactful. Now that I’ve used Project Ares for a year, it’s hard to imagine NOT having an interactive, gamified platform to help me build and refine cybersecurity concepts and skills. Several friends and colleagues have also registered their teenagers for Circadence’s Project Ares Academy subscriptions to kickstart their learning journey toward a cyber career path. If kids are going to game, let’s point them to something that will build employable skills for the future.

In our last two blogs, we introduced readers to a couple of new ideas:

Now, let’s pivot and focus on practical cyber scenarios (let’s say Tier 1 or Tier 2 defender scenarios)—situations that would likely be directed to experienced cyber professionals to handle. Walk us through some of detail about how Circadence has built SecOps gaming experiences into Project Ares through mission scenarios that are inspired by real cyber incidents pulled from news headlines incorporating today’s most common attack methods such as ransomware, credential theft, and even nation-state attacks?

A: Sure. I’ll start with descriptions of a couple of our foundational missions.

Scenario one: Ransomware—Project Ares offers several mission scenarios that address the cyber kill chain around ransomware. The one I’ll focus on is Mission 10, Operation Crimson Wolf. Acting as a cyber force member working for a transportation company, the user must secure networks so the company can conduct effective port activity. However, the company is in danger as ransomware has encrypted data and a hacker has launched a phishing attack on the network, impacting how and when operators offload ships. The player must stop the ransomware from spreading and attacking other nodes on the network before it’s too late. I love this scenario because 1) it’s realistic, 2) ransomware attacks occur far too often, and 3) it allows the player to engage in a virtual environment to build skills.

Users who engage in this mission learn core competencies like:

  • Computer network defense.
  • Incident response management.
  • Data forensics and handling.

We map all our missions to the NIST/NICE work role framework and Mission 10 touches on the following work roles: System Security Analyst, Cyber Defense Analyst, Cyber Defense Incident Responder, and the Cyber Defense Forensics Analyst.

Image from scenario one: Ransomware

Scenario two: Credential theft—Another mission that’s really engaging is Mission 1, Operation Goatherd. It teaches how credential theft can occur via a brute force attack. In this mission, the user must access the command and control server of a group of hackers to disable a botnet network in use. The botnet is designed to execute a widespread financial scam triggering the collapse of a national bank! The user must scan the command and control server located at myloot.com for running services, identify a vulnerable service, perform a brute force attack to obtain credentials, and then kill the web server acting as the command and control orchestrator.

This scenario is powerful because it asks the player to address the challenge by thinking from an adversary’s perspective. It helps the learner understand how an attacker would execute credential theft (though there are many ways) and gives the learner a different perspective for a well-rounded comprehension of the attack method.

Users who engage in this mission learn core competencies like:

  • Network protocols.
  • Reconnaissance and enumeration.
  • Password cracking and exploration.

The NIST/NICE work role aligned to this mission is a Cyber Operator. Specific tasks this work role must address include:

  • Analyzing target operational architecture for ways to gain access.
  • Conducting network scouting and vulnerability analysis of systems within a network.
  • Detecting exploits against targeted networks.

Image from scenario two: Credential theft

Q: Can you discuss how Project Ares’ learning curriculum addresses critical threats from advanced state or state-backed attackers. While we won’t name governments directly, the point for our readers to understand is that the national and international cybersecurity stage is built around identifying and learning how to combat the tools, tactics, and procedures that threat actors are using in all industries.

A: Here’s a good example.

Scenario three: Election security—In this mission, we deploy in our next release of Project Ares, which now leverages cloud native architecture (running on Microsoft Azure), is Mission 15, Operation Raging Mammoth. It helps a cyber professional protect against an election attack—something we are all too familiar with through recent headlines about election security. As an election security official, the user must monitor voting systems to establish a baseline of normal activity and configurations from which we identify anomalies. The user must detect and report changes to an administrator’s access permissions and/or modifications to voter information.

The NIST/NICE work roles aligned to this mission include professionals training as a Cyber Defense Analyst, Cyber Defense Incident Responder, or Threat/Warning Analyst.

Image from scenario three: Election security

I’ve reviewed some of the specific cyber scenarios a Tier 1 or Tier 2 defender might experience on the job. Now I’d like to share a bit how we build these exercises for our customers.

It really comes down to the professional experiences and detailed research from our Mission and Battle Room design teams at Circadence. Many of them have explicit and long-standing professional experience as on-the-job cyber operators and defenders, as well as cyber professors and teachers at renowned institutions. They really understand what professionals need to learn, how they need to learn, and the most effective ways to learn.

We profile Circadence professionals in the Living Our Mission Blog Series to help interested readers understand the skill and dedication of the people behind Project Ares. By sharing the individual faces behind the solution, we hope current and prospective customers will appreciate Project Ares more knowing that Circadence is building the most relevant learning experiences available to support immersive, gamified learning of today’s cyber professionals.

Learn more

To see Project Ares “in action” visit Circadence and request a demonstration, or speak with your local Microsoft representative. You can also try your hand at it by attending an upcoming Microsoft Ignite: The Tour event, which features a joint Microsoft/Circadence “Into the Breach” capture the flag exercise.

To learn more about how to close the cybersecurity talent gap, read the e-book: CISO essentials: How to optimize recruiting while strengthening cybersecurity. For more information on Microsoft intelligence security solutions, including guidance on Zero Trust, visit Reach the optimal state in your Zero Trust journey.

The post Rethinking cyber scenarios—learning (and training) as you defend appeared first on Microsoft Security.

Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks

December 18th, 2019 No comments

Computers with Windows Remote Desktop Protocol (RDP) exposed to the internet are an attractive target for adversaries because they present a simple and effective way to gain access to a network. Brute forcing RDP, a secure network communications protocol that provides remote access over port 3389, does not require a high level of expertise or the use of exploits; attackers can utilize many off-the-shelf tools to scan the internet for potential victims and leverage similar such tools for conducting the brute force attack.

Attackers target RDP servers that use weak passwords and are without multi-factor authentication, virtual private networks (VPNs), and other security protections. Through RDP brute force, threat actor groups can gain access to target machines and conduct many follow-on activities like ransomware and coin mining operations.

In a brute force attack, adversaries attempt to sign in to an account by effectively using one or more trial-and-error methods. Many failed sign-ins occurring over very short time frequencies, typically minutes or even seconds, are usually associated with these attacks. A brute force attack might also involve adversaries attempting to access one or more accounts using valid usernames that were obtained from credential theft or using common usernames like “administrator”. The same holds for password combinations. In detecting RDP brute force attacks, we focus on the source IP address and username, as password data is not available.

In the Windows operating system, whenever an attempted sign-in fails for a local machine, Event Tracing for Windows (ETW) registers Event ID 4625 with the associated username. Meanwhile, source IP addresses connected to RDP can be accessed; this information is very useful in assessing if a machine is under brute force attack. Using this information in combination with Event ID 4624 for non-server Windows machines can shed light on which sign-in sessions were successfully created and can further help in detecting if a local machine has been compromised.

In this blog we’ll present a study and a detection logic that uses these signals. This data science-driven approach to detecting RDP brute force attacks has proven valuable in detecting human adversary activity through Microsoft Threat Experts, the managed threat hunting service in Microsoft Defender Advanced Threat Protection. This work is an example of how the close collaboration between data scientists and threat hunters results in protection for customers against real-world threats.

Insights into brute force attacks

Observing a sudden, relatively large count of Event ID 4625 associated with RDP network connections might be rare, but it does not necessarily imply that a machine is under attack. For example, a script that performs the following actions would look suspicious looking at a time series of counts of failed sign-in but is most likely not malicious:

  • uses an expired password
  • retries sign-in attempts every N-minutes with different usernames
  • over a public IP address within a range owned by the enterprise

In contrast, behavior that includes the following is indicative of an attack:

  • extreme counts of failed sign-ins from many unknown usernames
  • never previously successfully authenticated
  • from multiple RDP connections
  • from new source IP addresses

Understanding the context of failed sign-ins and inbound connections is key to discriminating between true positive (TP) and false positive (FP) brute force attacks, especially if the goal is to automatically raise only high-precision alerts to the appropriate recipients, as we do in Microsoft Defender ATP.

We analyzed several months’ worth of data to mine insights into the types of RDP brute force attacks occurring across Microsoft Defender ATP customers. Out of about 45,000 machines that had both RDP public IP connections and at least 1 network failed sign-in, we discovered that, on average, several hundred machines per day had high probability of undergoing one or more RDP brute force attack attempts. Of the subpopulation of machines with detected brute force attacks, the attacks lasted 2-3 days on average, with about 90% of cases lasting for 1 week or less, and less than 5% lasting for 2 weeks or more.

Figure 1: Empirical distribution in number of days per machine where we observed 1 or more brute force attacks

As discussed in numerous other studies [1], large counts of failed sign-ins are often associated with brute force attacks. Looking at the count of daily failed sign-ins, 90% of cases exceeded 10 attempts, with a median larger than 60. In addition, these unusual daily counts had high positive correlation with extreme counts in shorter time windows (see Figure 2). In fact, the number of extreme failed sign-ins per day typically occurred under 2 hours, with about 40% failing in under 30 minutes.

Figure 2: Count of daily and maximum hourly network failed sign-ins for a local machine under brute force attack

While a detection logic based on thresholding the count of failed sign-ins during daily or finer grain time window can detect many brute force attacks, this will likely produce too many false positives. Worse, relying on just this will yield false negatives, missing successful enterprise compromises: our analysis revealed several instances where brute force attacks generated less than 5-10 failed attempts at a daily granularity but often persisted for many days, thereby avoiding extreme counts at any point in time. For such a brute force attack, thresholding the cumulative number of failed sign-ins across time could be more useful, as depicted in Figure 3.

Figure 3: Daily and cumulative failed network sign-in

Looking at counts of network failed sign-ins provides a useful but incomplete picture of RDP brute force attacks. This can be further augmented with additional information on the failed sign-in, such as the failure reason, time of day, and day of week, as well as the username itself. An especially strong signal is the source IP of the inbound RDP connection. Knowing if the external IP has a high reputation of abuse, as can be looked up on sites like https://www.abuseipdb.com/, can directly confirm if an IP is a part of an active brute force.

Unfortunately, not all IP addresses have a history of abuse; in addition, it can be expensive to retrieve information about many external IP addresses on demand. Maintaining a list of suspicious IPs is an option, but relying on this can result in false negatives as, inevitably, new IPs continually occur, particularly with the adoption of cloud computing and ease of spinning up virtual machines. A generic signal that can augment failed sign-in and user information is counting distinct RDP connections from external IP addresses. Again, extreme values occurring at a given time or cumulated over time can be an indicator of attack.

Figure 4 shows histograms (i.e., counts put into discrete bins) of daily counts of RDP public connections per machine that occurred for an example enterprise with known brute force attacks. It’s evident that normal machines have a lower probability of larger counts compared to machines attacked.

Figure 4: Histograms of daily count of RDP inbound across machines for an example enterprise

Given that some enterprises have machines under brute force attack daily, the priority may be to focus on machines that have been compromised, defined by a first successful sign-in following failed attempts from suspicious source IP addresses or unusual usernames. In Windows logs, Event ID 4624 can be leveraged to measure successful sign-in events for local machine in combination with failed sign-ins (Event ID 4625).

Out of the hundreds of machines with RDP brute force attacks detected in our analysis, we found that about .08% were compromised. Furthermore, across all enterprises analyzed over several months, on average about 1 machine was detected with high probability of being compromised resulting from an RDP brute force attack every 3-4 days. Figure 5 shows a bubble chart of the average abuse score of external IPs associated with RDP brute force attacks that successfully compromised machines. The size of the bubbles is determined by the count of distinct machines across the enterprises analyzed having a network connection from each IP. While there is diversity in the origin of the source IPs, Netherlands, Russia, and the United Kingdom have a larger concentration of inbound RDP connections from high-abuse IP.

Figure 5: Bubble chart of IP abuse score versus counts of machine with inbound RDP

A key takeaway from our analysis is that successful brute force attempts are not uncommon; therefore, it’s critical to monitor at least the suspicious connections and unusual failed sign-ins that result in authenticated sign-in events. In the following sections we describe a methodology to do this. This methodology was leveraged by Microsoft Threat Experts to augment threat hunting and resulted in new targeted attack notifications.

Combining many relevant signals

As discussed earlier (with the example of scripts connecting via RDP using outdated passwords yielding failed sign-ins), simply relying on thresholding failed attempts per machine for detecting brute force attacks can be noisy and may result in many false positives. A better strategy is to utilize many contextually relevant signals, such as:

  • the timing, type, and count of failed sign-in
  • username history
  • type and frequency of network connections
  • first-time username from a new source machine with a successful sign-in

This can be even further extended to include indicators of attack associated with brute force, such as port scanning.

Combining multiple signals along the attack chain has been proposed and shown promising results [2]. We considered the following signals in detecting RDP inbound brute force attacks per machine:

  • hour of day and day of week of failed sign-in and RDP connections
  • timing of successful sign-in following failed attempts
  • Event ID 4625 login type (filtered to network and remote interactive)
  • Event ID 4625 failure reason (filtered to %%2308, %%2312, %%2313)
  • cumulative count of distinct username that failed to sign in without success
  • count (and cumulative count) of failed sign-ins
  • count (and cumulative count) of RDP inbound external IP
  • count of other machines having RDP inbound connections from one or more of the same IP

Unsupervised probabilistic time series anomaly detection

For many cybersecurity problems, including detecting brute force attacks, previously labeled data is not usually available. Thus, training a supervised learning model is not feasible. This is where unsupervised learning is helpful, enabling one to discover and quantify unknown behaviors when examples are too sparse. Given that several of the signals we consider for modeling RDP brute force attacks are inherently dependent on values observed over time (for example, daily counts of failed sign-ins and counts of inbound connections), time series models are particularly beneficial. Specifically, time series anomaly detection naturally provides a logical framework to quantify uncertainty in modeling temporal changes in data and produce probabilities that then can be ranked and thresholded to control a desirable false positive rate.

Time series anomaly detection captures the temporal dynamics of signals and accurately quantifies the probability of observing values at any point in time under normal operating conditions. More formally, if we introduce the notation Y(t) to denote the signals taking on values at time t, then we build a model to compute reliable estimates of the probability of Y(t) exceeding observed values given all known and relevant information, represented by P[y(t)], sometimes called an anomaly score. Given a false positive tolerance rate r (e.g., .1% or 1 out of 10,000 per time), for each time t, values y*(t) satisfying P[y*(t)] < r would be detected as anomalous. Assuming the right signals reflecting the relevant behaviors of the type of attacks are chosen, then the idea is simple: the lowest anomaly scores occurring per time will be likely associated with the highest likelihood of real threats.

For example, looking back at Figure 2, the time series of daily count of failed sign-ins occurring on the brute force attack day 8/4/2019 had extreme values that would be associated with an empirical probability of about .03% out of all machine and days with at least 1 failed network sign-in for the enterprise.

As discussed earlier, applying anomaly detection to 1 or a few signals to detect real attacks can yield too many false positives. To mitigate this, we combined anomaly scores across eight signals we selected to model RDP brute force attack patterns. The details of our solution are included in the Appendix, but in summary, our methodology involves:

  • updating statistical discrete time series models sequentially for each signal, capturing time of day, day of week, and both point and cumulative effects
  • combining anomaly scores using an approach that yields accurate probability estimates, and
  • ranking the top N anomalies per day to control a desired number of false positives

Our approach to time series anomaly detection is computationally efficient, automatically learns how to update probabilities and adapt to changes in data.

As we describe in the next section, this approach has yielded successful attack detection at high precision.

Protecting customers from real-word RDP brute force attacks through Microsoft Threat Experts

The proposed time series anomaly detection model was deployed and utilized by Microsoft Threat Experts to detect RDP brute force attacks during threat hunting activities. A list that ranks machines across enterprises with the lowest anomaly scores (indicating the likelihood of observing a value at least as large under expected conditions in all signals considered) is updated and reviewed every day. See Table 1 for an example.

Table 1: Sample ranking of detected RDP inbound brute force attacks

For each machine with detection of a probable brute force attack, each instance is assigned TP, FP, or unknown. Each TP is then assigned priority based on the severity of the attack. For high-priority TP, a targeted attack notification is sent to the associated organization with details about the active brute force attack and recommendations for mitigating the threat; otherwise the machine is closely monitored until more information is available.

We also added an extra capability to our anomaly detection: automatically sending targeted attack notifications about RDP brute force attacks, in many cases before the attack succeeds or before the actor is able to conduct further malicious activities. Looking at the most recent sample of about two weeks of graded detections, the average precision per day (i.e., true positive rate) is approximately 93.7% at a conservative false positive rate of 1%.

In conclusion, based on our careful selection of signals found to be highly associated with RDP brute force attacks, we demonstrated that proper application of time series anomaly detection can be very accurate in identifying real threats. We have filed a patent application for this probabilistic time series model for detecting RDP inbound brute force attacks. In addition, we are working on integrating this capability into Microsoft Defender ATP’s endpoint and detection response capabilities so that the detection logic can raise alerts on RDP brute force attacks in real-time.

Monitoring suspicious activity in failed sign-in and network connections should be taken seriously—a real-time anomaly detection capable of self-updating with the changing dynamics in a network can indeed provide a sustainable solution. While Microsoft Defender ATP already has many anomaly detection capabilities integrated into its EDR capabilities, we will continue to enhance these detections to cover more security scenarios. Through data science, we will continue to combine robust statistical and machine learning approaches with threat expertise and intelligence to deliver industry-leading protection to our customers.

 

 

Cole Sodja, Justin Carroll, Joshua Neil
Microsoft Defender ATP Research Team

 

 

Appendix 1: Models formulation

We utilize hierarchical zero-adjusted negative binomial dynamic models to capture the characteristics of the highly discrete count time series. Specifically, as shown in Figure 2, it’s expected that most of the time there won’t be failed sign-ins for valid credentials on a local machine; hence, there are excess zeros that would not be explained by standard probability distributions such as the negative binomial. In addition, the variance of non-zero counts is often much larger than the mean, where for example, valid scripts connecting via RDP can generate counts in the 20s or more over several minutes because of an outdated password. Moreover, given a combination of multiple users or scripts connecting to shared machines at the same time, this can generate more extreme counts at higher quantiles resulting in heavier tails, as seen in Figure 6.

Figure 6: Daily count of network failed sign-in for a machine with no brute force attack

Parametric discrete location/scale distributions do not generate well-calibrated p-values for rare time series, as seen in Figure 6, and thus if used to detect anomalies can result in too many FPs when looking across many machines at high time frequencies. To overcome this challenge dealing with the sparse time series of counts of failed sign-in and RDP inbound public connections we specify a mixture model, where, based on our analysis, a zero-inflated two-component negative binomial distribution was adequate.

Our formulation is based on thresholding values that determine when to transition to a distribution with larger location and/or scale as given in Equation 1. Hierarchical priors are given from empirical estimates of the sample moments across machines using about 1 month of data.

Equation 1: Zero-adjusted negative binomial threshold model

Negative binomial distribution (NB):

To our knowledge, this formulation does not yield a conjugate prior, and so directly computing probabilities from the posterior predicted density is not feasible. Instead, anomaly scores are generated based on drawing samples from all distributions and then computing the empirical right-tail p-value.

Updating parameters is done based on applying exponential smoothing. To avoid outliers skewing estimates, such as machines under brute force or other attacks, trimming is applied to sample from the distribution at a specified false positive rate, which was set to .1% for our study. Algorithm 1 outlines the logic.

The smoothing parameters were learned based on maximum likelihood estimation and then fixed during each new sequential update. To induce further uncertainty, bootstrapping across machines is done to produce a histogram of smoothing weights, and samples are drawn in accordance to their frequency. We found that weights concentrated away from 0 vary between .06% and 8% for over 90% of machines, thus leading to slow changes in the parameters. An extension using adaptive forgetting factors will be considered in future work to automatically learn how to correct smoothing in real time.

Algorithm 1: Updating model parameters real-time

Appendix 2: Fisher Combination

For a given device, for each signal that exists a score is computed defined as a p-value, where lower values are associated with higher likelihood of being an anomaly. Then the p-values are combined to yield a joint score across all signals based on using the Fisher p-value combination method as follows:

The use of Fisher’s test applied to anomaly scores produces a scalable solution that yields interpretable probabilities that thus can be controlled to achieve a desired false positive rate. This has even been applied in a cybersecurity context. [3]

 

 

[1] Najafabadi et al, Machine Learning for Detecting Brute Force Attacks at the Network Level, 2014 IEEE 14th International Conference on Bioinformatics and Bioengineering
[2] Sexton et al, Attack chain detection, Statistical Analysis and Data Mining, 2015
[3] Heard, Combining Weak Statistical Evidence in Cyber Security, Intelligent Data Analysis XIV, 2015

The post Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks appeared first on Microsoft Security.

Multi-stage downloader Trojan sLoad abuses BITS almost exclusively for malicious activities

December 12th, 2019 No comments

Many of today’s threats evolve to incorporate as many living-off-the-land techniques as possible into the attack chain. The PowerShell-based downloader Trojan known as sLoad, however, puts all its bets on BITS.

Background Intelligent Transfer Service (BITS) is a component of the Windows operating system that provides an ability to transfer files in an asynchronous and throttled fashion using idle bandwidth. Abusing BITS, which provides the ability to create self-contained jobs that can be prioritized and queued up and that can launch other programs, has become a prevalent attack technique. Recent sophisticated malware campaigns like Astaroth have found success in the use of BITS for downloading payloads or additional components, especially in systems where the firewall is not configured to block malicious traffic from BITS jobs.

sLoad, detected by Windows Defender Antivirus as TrojanDownloader:PowerShell/sLoad, is used by adversaries for exfiltrating system information and delivering additional payloads in targeted attacks. It has been around for a few years and has not stopped evolving. What hasn’t changed, though, is its use of BITS for all of its exfiltration activities, as well as command-and-control (C2) communications from handshake to downloading additional payloads.

Once sLoad has infiltrated a machine, it can allow attackers to do further, potentially more damaging actions. Using exfiltrated information, attackers can identify what security solutions are running and test payloads before they are sneaked into the compromised system or, worse, high-priced targets. sLoad uses scheduled tasks, which runs the malware every three minutes, opening the window of opportunity for further compromise—hence raising the risk for the affected machine—every time it runs. We have already seen the malware attempt to deliver several other, potentially more dangerous Trojans to compromised machines.

While several malware campaigns have leveraged BITS, sLoad’s almost exclusive use of the service is notable. sLoad uses BITS as an alternative protocol to perform data exfiltration and most of its other malicious activities, enabling the malware to evade defenders and protections that may not be inspecting this unconventional protocol. Cloud-based machine learning-driven behavioral blocking and containment capabilities in Microsoft Defender Advanced Threat Protection detect and block sLoad’s activities as Behavior:Win32/sLoad.A.

In this blog we’ll share our analysis of the multiple ways in which sLoad is abusing BITS and share how Microsoft Defender Advanced Threat Protection defeats these advanced malware techniques.

Stealthy installation via multiple cascaded scripts

sLoad is known to infect machines using spear-phishing emails and a common but effective detection evasion technique: the cascaded scripts. One script drops or downloads one or more scripts, passes control to one of these scripts, and repeats the process multiple times until the final component is installed.

Over time, we’ve seen some variations of this technique. One sLoad campaign used the link target field of a LNK file to run PowerShell commands that extracts and runs the first-stage PowerShell code, which is appended to the end of the LNK file or, in one instance, the end of the ZIP file that originally contained the LNK file. In another campaign, the first-stage PowerShell code itself uses a download BITS job to download either the sLoad script and the C2 URL file or the sLoad dropper PowerShell script that embeds the encrypted sLoad script and C2 URL file within itself.

In the most recent attacks, for the first stage, sLoad shifted from using PowerShell script to VBScript. The randomly named VBScript file is simply a proxy that builds and then drops and runs a PowerShell script, always named rr.ps1. This is none other than the same sLoad PowerShell dropper mentioned earlier that embeds the encrypted sLoad script and C2 URL file within itself.

In most variations of the installation, the sLoad dropper script is the last intermediate stage that performs the following actions, and eventually decrypts and runs the final sLoad script:

  1. Creates an installation folder in the %APPDATA% folder named after the first 6 characters of the Win32 Product UUID. 
  2. Drops an infection marker file named _in, and during the successive executions, uses the LastWriteTime on this file to check whether the malware is installed within last 30 mins, in which case, it terminates. 
  3. Drops the encrypted sLoad script and the C2 URL file as config.ini and web.ini, respectively. 
  4. Builds and drops two more randomly named scripts: one VBScript and one PowerShell script. 
  5. Uses schtasks.exe to create a scheduled task named AppRunLog to run the randomly named VBScript from the previous step with decryption key supplied as a command line parameter; deletes the previously created related tasks (if found) before creating this one. The scheduled task is configured to start at 7:00 AM and run every 3 mins. 

The dropped VBScript that runs under the scheduled task is yet another proxy that simply runs the dropped PowerShell script with the same command line parameter (the decryption key). The PowerShell script decrypts the contents of the previously dropped config.ini in the memory into another piece of PowerShell code, which it then runs. This is the final component, the script detected as TrojanDownloader:PowerShell/sLoad, that uses BITS to perform every important malicious activity.

BITS abuse

The sLoad PowerShell script (the final component) then abuses BITS to carry out all of the following activities:

Finding an active C2 server

The malware decrypts the contents of previously dropped web.ini into a set of 2 URLs and creates a BITS download jobs to test the connection to these URLs. It then saves the URL that responds in the form of a file that contains a message “sok”, being downloaded as part of created BITS job. This ensures that the handshake is complete.

If none responds, the script appends the number “1” to the domain names in both URLs, saves the encrypted data back to the web.ini file, and exits from the script. As a result, the next time the scheduled job runs, the script uses the modified web.ini to obtain the modified URLs to attempt connecting to an active C2. With each unsuccessful attempt of connecting with C2s, the number appended to the domain names is increased by increments of 1 until it reaches 50, at which time it resets to 1. This technique offers a bit of a cushion and ensures continued contact between a compromised machine and a C2, in case the primary C2 is blocked.

This prevents the malware infrastructure from losing a compromised host if the primary C2 is blocked. It’s also interesting to see how the URLs used to reach C2 are structured to appear related to CAPTCHA verification, an attempt to escape watchful eyes.

Fetching a new list of C2s

For continued exfiltration of information, it’s important to maintain contact with an active C2. As the malicious domains cannot stay up running for a long time, the malware packs a functionality to refresh the list of C2 every time the scheduled task runs. Using a BITS download job, the malware downloads a new copy of web.ini from the active C2 to provisions a new set of C2s for future use.

Exfiltrating system information

Once an active C2 is identified, the malware starts collecting system information by performing the following:

  • saves the output of “net view” command
  • enumerates network drives and saves the provider names and device ids
  • produces the list of all running processes
  • obtains the OS caption
  • looks for Outlook folder, as well as Independent Computing Architecture (ICA) files, which are used by Citrix application servers to store configuration information

It then creates a BITS download job with the RemoteURL built using the URL for active C2 and the system information collected up this point.

Crafting URLs infused with stolen info is not a novel attacker technique. In addition, creating a BITS job with an extremely large RemoteURL parameter that includes non-encrypted system information stands out and is relatively easy to detect. However, this malware’s use of a download job instead of an upload job is a clever move to achieve stealth.

Deploying additional payloads

Because the malware exfiltrates system information using a BITS download job, it gets an opportunity to receive a response in the form of a file downloaded to the machine. It uses this opportunity to obtain additional payloads from the C2.

It sleeps and waits for the file to be downloaded. If the downloaded file instructs to download and invoke additional PowerShell codes, the supplied URL is used for the task. If not, then the URL is assumed to be pointing to an encoded PE image payload. The malware creates another BITS download job to download this payload, creates a copy of this newly downloaded encoded file, and uses another Windows utility, certutil.exe, to decode it into a portable executable (PE) file with .exe extension. Finally, it uses PowerShell.exe to run the decoded PE payload. One more BITS download job is created to download additional files.

Spying

The malware comes built with one of the most notorious spyware features: uploading screenshots. At several stages during the installation as well as when running additional payloads, the malware takes several screenshots at short intervals. It then uses a BITS upload job to send the stolen screenshots to the active C2. This is the only time that it uses an upload job, and these are the only files it uploads to the C2. Once uploaded, the screenshots are deleted from the machine.

Conclusion: Multiple layers of protection against multi-stage living-off-the-land threats

sLoad is just one example of the increasingly more prevalent threats that can perform most of their malicious activities by simply living off the land. In this case, it’s a dangerous threat that’s equipped with notorious spyware capabilities, infiltrative payload delivery, and data exfiltration capabilities. sLoad’s behavior can be classified as a Type III fileless technique: while it drops some malware files during installation, its use of only BITS jobs to perform most of its harmful behaviors and scheduled tasks for persistence achieves an almost fileless presence on compromised machines.

To defeat multi-stage, stealthy, and persistent threats like sLoad, Microsoft Defender ATP’s antivirus component uses multiple next-generation protection engines on the client and in the cloud. While most threats are identified and stopped by many of these engines, behavioral blocking and containment capabilities detects malicious behaviors and blocks threats after they have started running:

These detections are also surfaced in Microsoft Defender Security Center. Security operations teams can then use Microsoft Defender ATP’s other capabilities like endpoint detection and response (EDR), automated investigation and response, Threat and Vulnerability Management, and Microsoft Threat Experts to investigate and respond to attacks. This reflects the defense-in-depth strategy that is central to the unified endpoint protection provided by Microsoft Defender ATP.

As part of Microsoft Threat Protection, Microsoft Defender ATP shares security signals about this threat to other security services, which likewise inform and enrich endpoint protection. For example, Office 365 ATP’s intelligence on the emails that carry sLoad is shared to and used by Microsoft Defender ATP to build even stronger defenses at the source of infection. Real-time signal-sharing across Microsoft’s security services gives Microsoft Threat Protection unparalleled visibility across attack vectors and the unique ability to provide comprehensive protection against identities, endpoints, data, cloud apps, and infrastructure.

 

Sujit Magar
Microsoft Defender ATP Research Team

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

 

The post Multi-stage downloader Trojan sLoad abuses BITS almost exclusively for malicious activities appeared first on Microsoft Security.

GALLIUM: Targeting global telecom

December 12th, 2019 No comments

Microsoft Threat Intelligence Center (MSTIC) is raising awareness of the ongoing activity by a group we call GALLIUM, targeting telecommunication providers. When Microsoft customers have been targeted by this activity, we notified them directly with the relevant information they need to protect themselves. By sharing the detailed methodology and indicators related to GALLIUM activity, we’re encouraging the security community to implement active defenses to secure the broader ecosystem from these attacks.

To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss. Once persistence is established in a network, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allows for lateral movement across the target network. Within compromised networks, GALLIUM makes no attempt to obfuscate their intent and are known to use common versions of malware and publicly available toolkits with small modifications. The operators rely on low cost and easy to replace infrastructure that consists of dynamic-DNS domains and regularly reused hop points.

This activity from GALLIUM has been identified predominantly through 2018 to mid-2019. GALLIUM is still active; however, activity levels have dropped when compared to what was previously observed.

Following Microsoft’s internal practices of assigning chemical elements to activity groups, GALLIUM is the code name for this activity group.

GALLIUM’s profile

Reconnaissance methods

As is often the case with the reconnaissance methods, it’s difficult to be definitive about those employed by GALLIUM. This is due to the passive nature of reconnaissance activities by the actor including the use of freely available data from open sources, such as public websites and social media outlets. However, based on MSTIC analyst assessments, GALLIUM’s exploitation of internet-facing services indicates it’s likely they use open source research and network scanning tools to identify likely targets.

Delivery and exploitation

To gain initial access a target network, GALLIUM locates and exploits internet-facing services such as web servers. GALLIUM has been observed exploiting unpatched web services, such as WildFly/JBoss, for which exploits are widely available. Compromising a web server gives GALLIUM a foothold in the victim network that doesn’t require user interaction, such as traditional delivery methods like phishing.

Following exploitation of the web servers, GALLIUM actors typically install web shells, and then install additional tooling to allow them to explore the target network.

Lateral movement

GALLIUM uses a variety of tools to perform reconnaissance and move laterally within a target network. The majority of these are off-the-shelf tools or modified versions of known security tools. MSTIC investigations indicate that GALLIUM modifies its tooling to the extent it evades antimalware detections rather than develop custom functionality. This behavior has been observed with GALLIUM actors across several operational areas.

GALLIUM has been observed using several tools. Samples of the most prevalent are noted in Table 1.

Tool Purpose
HTRAN Connection bouncer to proxy connections.
Mimikatz Credential dumper.
NBTScan Scanner for open NETBIOS nameservers on a local or remote TCP/IP network.
Netcat Reads from and writes to network connections using TCP or UDP protocols.
PsExec Executes a command line process on a remote machine.
Windows Credential Editor (WCE) Credential dumper.
WinRAR Archiving utility.

Table 1: GALLIUM tooling.

GALLIUM has signed several tools using stolen code signing certificates. For example, they’ve used a credential dumping tool signed using a stolen certificate from Whizzimo, LLC, as shown in Figure 1. The code signing certificate shown in Figure 1 was no longer valid at the time of writing; however, it shows GALLIUM had access to such certificates.

Image showing "Signers" using in the credential dumping tool signed using a stolen Whizzimo, LLC certificate.

Figure 1. Credential dumping tool signed using a stolen Whizzimo, LLC certificate.

GALLIUM primarily relies on compromised domain credentials to move through the target network, and as outlined above, uses several credential harvesting tools. Once they have acquired credentials, the activity group uses PsExec extensively to move laterally between hosts in the target network.

Installation

GALLIUM predominantly uses widely available tools. In certain instances, GALLIUM has modified these tools to add additional functionality. However, it’s likely these modifications have been made to subvert antimalware solutions since much of the malware and tooling employed by GALLIUM is historic and is widely detected by security products. For example, QuarkBandit is a modified version of the widely used Gh0st RAT, an openly available remote access tool (RAT). Similarly, GALLIUM has made use of a modified version of the widely available Poison Ivy RAT. These RATs and the China Chopper web shell form the basis of GALLIUM’s toolkit for maintaining access to a victim network.

Infrastructure

GALLIUM predominantly uses dynamic DNS subdomains to provide command and control (C2) infrastructure for their malware. Typically, the group uses the ddns.net and myftp.biz domains provided by noip.com. MSTIC analysis indicates the use of dynamic DNS providers as opposed to registered domains is in line with GALLIUM’s trend towards low cost and low effort operations.

GALLIUM domains have been observed hosted on infrastructure in mainland China, Hong Kong SAR, and Taiwan.

When connecting to web shells on a target network GALLIUM has been observed employing Taiwan-based servers. Observed IP addresses appear to be exclusive to GALLIUM, have little to no legitimate activity, and are reused in multiple operations. These servers provide high fidelity pivot points during an investigation.

A package of GALLIUM indicators containing GALLIUM command and control domains used during this operation have been prepared for Azure Sentinel and is available on the Microsoft GitHub.

Image showing an Azure Sentinel query of GALLIUM indicators.

Figure 2. Azure Sentinel query of GALLIUM indicators.

GALLIUM use of malware

First stage

GALLIUM does not typically use a traditional first stage installer for their malware. Instead, the group relies heavily on web shells as a first method of persistence in a victim network following successful exploitation. Subsequent malware is then delivered through existing web shell access.

Microsoft Defender Advanced Threat Protection (ATP) exposes anomalous behavior that indicate web shell installation and post compromise activity by analysing script file writes and process executions. Microsoft Defender ATP offers a number of detections for web shell activity protecting customers not just from GALLIUM activity but broader web shell activity too. Read the full report in your Microsoft Defender ATP portal.

Image showing Microsoft Defender ATP web shell detection.

Figure 3. Microsoft Defender ATP web shell detection.

When alerted of these activities, the security operations team can then use the rich capabilities in Microsoft Defender ATP to investigate web shell activity and subsequent reconnaissance and enumeration activity to resolve web shell attacks.

Image showing a Microsoft Defender ATP web shell process tree.

Figure 4. Microsoft Defender ATP web shell process tree.

In addition to standard China Chopper, GALLIUM has been observed using a native web shell for servers running Microsoft IIS that is based on the China Chopper web shell; Microsoft has called this “BlackMould.”

BlackMould contains functionality to perform the following tasks on a victim host:

  • Enumerate local drives.
  • Employ basic file operations like find, read, write, delete, and copy.
  • Set file attributes.
  • Exfiltrate and infiltrate files.
  • Run cmd.exe with parameters.

Commands are sent in the body of HTTP POST requests.

Second stage

In cases where GALLIUM has deployed additional malware on a victim network, they’ve used versions of the Gh0st RAT (modified Ghost RAT detected as QuarkBandit) and Poison Ivy malware. In both cases, GALLIUM has modified the communication method used by the malware, likely to prevent detection through existing antimalware signatures since both malware families have several detections based on their original communication methods. Malware families are noted in Table 2.

Malware family Description and primary usage
BlackMould Native IIS web shell based on the China Chopper web shell.
China Chopper Commonly used and widely shared web shell used by several threat actors. Not unique to GALLIUM.
Poison Ivy (modified) Poison Ivy is a widely shared remote access tool (RAT) first identified in 2005. While Poison Ivy is widely used, the variant GALLIUM has been observed using is a modified version that appears to be unique to GALLIUM.
QuarkBandit Gh0st RAT variant with modified configuration options and encryption.

Table 2. GALLIUM malware families.

GALLIUM’s malware and tools appear to be highly disposable and low cost. In cases where GALLIUM has invested in modifications to their toolset, they appear to focus on evading antimalware detection, likely to make the malware and tooling more effective.

The MSTIC team works closely with Microsoft security products to implement detections and protections for GALLIUM malware and tooling in a number of Microsoft products. Figure 4 shows one such detection for a GALLIUM PoisonIvy loader in Microsoft Defender ATP.

Image showing the GALLIUM PoisonIvy loader in Microsoft Defender ATP.

Figure 5. GALLIUM PoisonIvy loader in Microsoft Defender ATP.

Additionally, MSTIC has authored a number of antimalware signatures for Windows Defender Antivirus covering the aforementioned malware families, a list of GALLIUM exclusive signature can be found in the Related indicators” section.

In addition to these malware families, GALLIUM has been observed employing SoftEther VPN software to facilitate access and maintain persistence to a target network. By installing SoftEther on internal systems, GALLIUM is able to connect through that system as though they are on the internal network of the target. SoftEther provides GALLIUM with another means of persistence and flexibility with the added benefit that its traffic may appear to be benign on the target network.

Recommended defenses

The following are recommended defenses security operations teams can take to mitigate the impact of threats like GALLIUM in your corporate environment:

  • Maintain web server patching and log audits, run web services with minimum required operating system permissions
  • Install security updates on all applications and operating systems promptly. Check the Security Update Guide for detailed information about available Microsoft security updates.
  • For efficient incident response, maintain a forensics-ready network with centralized event logging, file detonation services, and up-to-date asset inventories.
  • Enable cloud-delivered protection and maintain updated antivirus.
  • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence (AI) and machine learning to quickly identify and stop new and unknown threats.
  • Use behavior detection solutions to catch credential dumping or other activity that may indicate a breach.
  • Adopt Azure ATP—a cloud-based security solution that leverages your on-premises Active Directory signals—to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
  • Use Microsoft Defender ATP to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Educate users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity.
  • Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
  • Institute Multi-Factor Authentication (MFA) to mitigate against compromised accounts.

Related indicators

The list below provides known GALLIUM tooling and Indicators of Compromise (IOCs) observed during this activity. Microsoft encourages customers to implement detections and protections to identify possible prior campaigns or prevent future campaigns against their systems.

Tooling

Tool Purpose
HTRAN Connection bouncer to proxy connections.
Mimikatz Credential dumper.
NBTScan Scanner for open NETBIOS nameservers on a local or remote TCP/IP network.
Netcat Reads from and writes to network connections using TCP or UDP protocols.
PsExec Executes a command line process on a remote machine.
Windows Credential Editor (WCE) Credential dumper.
WinRAR Archiving utility.

Malware

Malware Notes
BlackMould Native IIS version of the China Chopper web shell.
China Chopper Commonly used and widely shared web shell used by several threat actors. Not unique to GALLIUM.
Poison Ivy (modified) Poison Ivy is a widely shared remote access tool (RAT) first identified in 2005. While Poison Ivy is widely used, the variant GALLIUM has been observed using is a modified version which appears to be unique to GALLIUM.
QuarkBandit Gh0st RAT variant with modified configuration options and encryption.

Indicators

Indicator Type
asyspy256[.]ddns[.]net Domain
hotkillmail9sddcc[.]ddns[.]net Domain
rosaf112[.]ddns[.]net Domain
cvdfhjh1231[.]myftp[.]biz Domain
sz2016rose[.]ddns[.]net Domain
dffwescwer4325[.]myftp[.]biz Domain
cvdfhjh1231[.]ddns[.]net Domain
9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd Sha256
7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b Sha256
657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5 Sha256
2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29 Sha256
52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77 Sha256
a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3 Sha256
5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022 Sha256
6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883 Sha256
3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e Sha256
1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7 Sha256
fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1 Sha256
7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c Sha256
178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945 Sha256
51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9 Sha256
889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79 Sha256
332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf Sha256
44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08 Sha256
63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef Sha256
056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070 Sha256
TrojanDropper:Win32/BlackMould.A!dha Signature Name
Trojan:Win32/BlackMould.B!dha Signature Name
Trojan:Win32/QuarkBandit.A!dha Signature Name
Trojan:Win32/Sidelod.A!dha Signature Name

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post GALLIUM: Targeting global telecom appeared first on Microsoft Security.

The quiet evolution of phishing

December 11th, 2019 No comments

The battle against phishing is a silent one: every day, Office 365 Advanced Threat Protection detects millions of distinct malicious URLs and email attachments. Every year, billions of phishing emails don’t ever reach mailboxes—real-world attacks foiled in real-time. Heuristics, detonation, and machine learning, enriched by signals from Microsoft Threat Protection services, provide dynamic, robust protection against email threats.

Phishers have been quietly retaliating, evolving their techniques to try and evade these protections. In 2019, we saw phishing attacks reach new levels of creativity and sophistication. Notably, these techniques involve the abuse of legitimate cloud services like those offered by Microsoft, Google, Amazon, and others. At Microsoft, we have aggressive processes to identify and take down nefarious uses of our services without affecting legitimate applications.

In this blog we’ll share three of the most notable attack techniques we spotted this year. We uncovered these attacks while studying Office 365 ATP signals, which we use to track and deeply understand attacker activity and build durable defenses against evolving and increasingly sophisticated email threats.

Hijacked search results lead to phishing

Over the years, phishers have become better at evading detection by hiding malicious artifacts behind benign ones. This tactic manifests in, among many others, the use of URLs that point to legitimate but compromised websites or multiple harmless-looking redirectors that eventually lead to phishing.

One clever phishing campaign we saw in 2019 used links to Google search results that were poisoned so that they pointed to an attacker-controlled page, which eventually redirected to a phishing page. A traffic generator ensured that the redirector page was the top result for certain keywords.

Figure 1. Phishing attack that used poisoned search results

Using this technique, phishers were able to send phishing emails that contained only legitimate URLs (i.e., link to search results), and a trusted domain at that, for example:

  • hxxps://www[.]google[.]ru/#btnI&q=%3Ca%3EhOJoXatrCPy%3C/a%3E
  • hxxps://www[.]google[.]ru/#btnI&q=%3Ca%3EyEg5xg1736iIgQVF%3C/a%3E

The campaign was made even stealthier by its use of location-specific search results. When accessed by users in Europe, the phishing URL led to the redirector website c77684gq[.]beget[.]tech, and eventually to the phishing page. Outside Europe, the same URL returned no search results.

For this to work, attackers had to make sure that their website, c77684gq[.]beget[.]tech, was the top search result for the keyword “hOJoXatrCPy” when queried from certain regions. The website’s HTML code is composed of a redirector script and a series of anchor elements:

Figure 2. Redirector code

These anchor elements were designed to be crawled by search engines so that the page is indexed and returned as result for the search keywords that attackers wanted to use for their campaign.

Figure 3. Anchor tags containing search keywords

The attackers then set up a traffic generator to poison search results. Because the phishing URL used the open redirector functionality, it redirected to the top search result, hence the redirector page.

404 Not Found pages customized to be phishing sites

The other way that phishers evade detection is to use multiple URLs and sometimes even multiple domains for their campaigns. They use techniques like subdomain generation algorithms to try and always get ahead of solutions, which, without the right dynamic technologies, will be forced continually catch up as phishers generate more and more domains and URLs.

This year, attackers have found another shrewd way to serve phishing: custom 404 pages. We uncovered a phishing campaign targeting Microsoft that used 404 pages crafted as phishing pages, which gave phishers virtually unlimited phishing URLs.

Figure 4. Phishing attack that uses specially crafted 404 Not Found error page

The custom 404 page was designed to look like the legitimate Microsoft account sign-in page.

Figure 5. 404 page designed as phishing page

Because the malformed 404 page is served to any non-existent URL in an attacker-controlled domain, the phishers could use random URLs for their campaigns. For example, we saw these two URLs used in phishing campaigns; the attackers added a single character to the second one to generate a new URL but serve the same phishing page:

  • hxxps://skype-online8024[.]web[.]app/8cc1083b0ffdf1e5b9594c045c825b02d41d8cd98f00b204e9800998ecf8427e#ZG1jY2FubkBtb3Jicm9zLmNvbQ
  • hxxps://skype-online8024[.]web[.]app/8cc1083b0ffdf1e5b9594c045c825b02d41d8cd98f00b204e9800998ecf8427e#ZG1jY2FubkBtb3Jicm9zLmNvbQs

We also found that the attackers randomized domains, exponentially increasing the number of phishing URLs:

  • outlookloffice365usertcph4l3q[.]web[.]app
  • outlookloffice365userdqz75j6h[.]web[.]app
  • outlookloffice365usery6ykxo07[.]web[.]app

All of these non-existent URLs returned the 404 error page, i.e., the phishing page:

Figure 6. When phishing URL is accessed, server responds with HTTP 404 error message, which is a phishing page

Man-in-the-middle component for dynamic phishing attack

Phishers have also been getting better at impersonation: the more legitimate the phishing emails looked, the better their chances at tricking recipients. Countless brands both big and small have been targets of spoofing by phishers.

One particular phishing campaign in 2019 took impersonation to the next level. Instead of attackers copying elements from the spoofed legitimate website, a man-in-the-middle component captured company-specific information like logos, banners, text, and background images from Microsoft’s rendering site.

Phishers sent out emails with URLs pointing to an attacker-controlled server, which served as the man-in-the-middle component and simulated Microsoft sign-in pages. The server identified certain specific information based on the recipient’s email address, including the target company, and then gathered the information specific to that company. The result was the exact same experience as the legitimate sign-page, which could significantly reduce suspicion.

Figure 7. Phishing attack that abuses Microsoft’s rendering site

Using the same URL, the phishing site was rendered differently for different targeted users. To generate legitimate-looking phishing sites, the server used the following code to retrieve the banner used by the target’s victim company as identified by the domain information in the email address; the response is the URL for the company banner:

Figure 8. Code snippet for requesting the banner

The server also retrieved the text used in the company’s sign-in page; the response is the actual text specific to the target victim’s company:

Figure 9. Code snippet for requesting the company-specific text

To complete the legitimate-looking phishing page, the server requested the background image using the code below; the response is the URL to the image:

Figure 10. Codes snippets for requesting background image

Office 365 ATP: Durable and dynamic defense for evolving email threats

The phishing techniques that we discussed in this blog are vastly different from each, but they are all clever attempts to achieve something that’s very important for phishers and other cybercrooks: stealth. The longer phishers can quietly hide from security solutions, the more chances they have to invade inboxes and trick people into divulging sensitive information.

To hunt down phishing and other threats that don’t want to be found, Office 365 ATP uses advanced security technologies that expose sophisticated techniques. Our URL detonation technology can follow the attack chain so it can detect threats even if they hide behind legitimate services and multiple layers of redirectors.

This rich visibility into email threats allows Office 365 ATP to continuously inform and improve its heuristic and machine learning protections so that new and emerging campaigns are blocked in real-time—silently protecting customers from attacks even when they don’t know it. The insights from Office 365 ATP also allow our security experts to track emerging techniques and other attacker activities like the ones we discussed in this blog, allowing us to ensure that our protections are effective not just for the campaigns that we see today but those that might emerge in the future.

In addition, with the new campaign views in Office 365 ATP currently in preview, enterprises can get a broad picture of email campaigns observed in their network, with details like when the campaign started, the sending pattern and timeline, the list of IP addresses and senders used in the attack, which messages were blocked or otherwise, and other important information.

As an important component of Microsoft Threat Protection, Office 365 ATP provides critical security signals about threat that arrive via email—a common entry point for cyberattacks—to the rest of Microsoft’s security technologies, helping provide crucial protection at the early stages of attacks. Through signal-sharing and remediation orchestration across security solutions, Microsoft Threat Protection provides comprehensive and integrated protection for identities, endpoints, user data, apps, and infrastructure.

 

Patrick Estavillo
Office 365 ATP Research Team

 

 

 


Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post The quiet evolution of phishing appeared first on Microsoft Security.

Insights from one year of tracking a polymorphic threat

November 26th, 2019 No comments

A little over a year ago, in October 2018, our polymorphic outbreak monitoring system detected a large surge in reports, indicating that a large-scale campaign was unfolding. We observed as the new threat attempted to deploy files that changed every 20-30 minutes on thousands of devices. We gave the threat the name “Dexphot,” based on certain characteristics of the malware code.

The Dexphot attack used a variety of sophisticated methods to evade security solutions. Layers of obfuscation, encryption, and the use of randomized file names hid the installation process. Dexphot then used fileless techniques to run malicious code directly in memory, leaving only a few traces that can be used for forensics. It hijacked legitimate system processes to disguise malicious activity. If not stopped, Dexphot ultimately ran a cryptocurrency miner on the device, with monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the malware.

In the months that followed, we closely tracked the threat and witnessed the attackers upgrade the malware, target new processes, and work around defensive measures:

Timeline of evolution of Dexphot malware

While Microsoft Defender Advanced Threat Protection’s pre-execution detection engines blocked Dexphot in most cases, behavior-based machine learning models provided protection for cases where the threat slipped through. Given the threat’s persistence mechanisms, polymorphism, and use of fileless techniques, behavior-based detection was a critical component of the comprehensive protection against this malware and other threats that exhibit similar malicious behaviors.

Microsoft Defender ATP data shows the effectiveness of behavioral blocking and containment capabilities in stopping the Dexphot campaign. Over time, Dexphot-related malicious behavior reports dropped to a low hum, as the threat lost steam.

Number of machines that encountered Dexphot over time

Our close monitoring of Dexphot helped us ensure that our customers were protected from the evolving threat. More importantly, one year’s worth of intelligence helped us gain insight not only into the goals and motivations of Dexphot’s authors, but of cybercriminals in general.

Complex attack chain

The early stages of a Dexphot infection involves numerous files and processes. During the execution stage, Dexphot writes five key files to disk:

  1. An installer with two URLs
  2. An MSI package file downloaded from one of the URLs
  3. A password-protected ZIP archive
  4. A loader DLL, which is extracted from the archive
  5. An encrypted data file that holds three additional executables that are loaded into system processes via process hollowing

Except for the installer, the other processes that run during execution are legitimate system processes. This can make detection and remediation more difficult. These legitimate system processes include msiexec.exe (for installing MSI packages), unzip.exe (for extracting files from the password-protected ZIP archive), rundll32.exe (for loading the loader DLL), schtasks.exe (for scheduled tasks), powershell.exe (for forced updates). In later stages, Dexphot targets a few other system processes for process hollowing: svchost.exe, tracert.exe, and setup.exe.

Dexphot attack chain

Multiple layers of security evasion

Based on Microsoft Defender ATP signals, SoftwareBundler:Win32/ICLoader and its variants are primarily used to drop and run the Dexphot installer. The installer uses two URLs to download malicious payloads. These are the same two URLs that Dexphot use later to establish persistence, update the malware, and re-infect the device.

The installer downloads an MSI package from one of the two URLs, and then launches msiexec.exe to perform a silent install. This is the first of several instances of Dexphot employing living-off-the-land techniques, the use of legitimate system processes for nefarious purposes.

Dexphot’s package often contains an obfuscated batch script. If the package contains this file, the script is the first thing that msiexec.exe runs when it begins the installation process. The said obfuscated script is designed to check for antivirus products. Dexphot halts the infection process immediately if an antivirus product is found running.

When we first began our research, the batch script only checked for antivirus products from Avast and AVG. Later, Windows Defender Antivirus was added to the checklist.

If the process is not halted, Dexphot decompresses the password-protected ZIP archive from the MSI package. The password to this archive is within the MSI package. Along with the password, the malware’s authors also include a clean version of unzip.exe so that they don’t have to rely on the target system having a ZIP utility. The unzip.exe file in the package is usually named various things, such as z.exe or ex.exe, to avoid scrutiny.

The ZIP archive usually contains three files: the loader DLL, an encrypted data file (usually named bin.dat), and, often, one clean unrelated DLL, which is likely included to mislead detection.

Dexphot usually extracts the decompressed files to the target system’s Favorites folder. The files are given new, random names, which are generated by concatenating words and numbers based on the time of execution (for example, C:\Users\<user>\Favorites\\Res.Center.ponse\<numbers>). The commands to generate the new names are also obfuscated, for example:

Msiexec.exe next calls rundll32.exe, specifying loader DLL (urlmon.7z in the example above) in order to decrypt the data file. The decryption process involves ADD and XOR operations, using a key hardcoded in the binary.

The decrypted data contains three executables. Unlike the files described earlier, these executables are never written to the filesystem. Instead, they exist only in memory, and Dexphot runs them by loading them into other system processes via process hollowing.

Stealthy execution through fileless techniques

Process hollowing is a technique that can hide malware within a legitimate system process. It replaces the contents of the legitimate process with malicious code. Detecting malicious code hidden using this method is not trivial, so process hollowing has become a prevalent technique used by malware today.

This method has the additional benefit of being fileless: the code can be run without actually being saved on the file system. Not only is it harder to detect the malicious code while it’s running, it’s harder to find useful forensics after the process has stopped.

To initiate process hollowing, the loader DLL targets two legitimate system processes, for example svchost.exe or nslookup.exe, and spawns them in a suspended state. The loader DLL replaces the contents of these processes with the first and second decrypted executables. These executables are monitoring services for maintaining Dexphot’s components. The now-malicious processes are released from suspension and run.

Next, the loader DLL targets the setup.exe file in SysWoW64. It removes setup.exe’s contents and replaces them with the third decrypted executable, a cryptocurrency miner. Although Dexphot always uses a cryptocurrency miner of some kind, it’s not always the same miner. It used different programs like XMRig and JCE Miner over the course of our research.

Persistence through regularly scheduled malware updates

The two monitoring services simultaneously check the status of all three malicious processes. Having dual monitoring services provides redundancy in case one of the monitoring processes is halted. If any of the processes are terminated, the monitors immediately identify the situation, terminate all remaining malicious processes, and re-infect the device. This forced update/re-infection process is started by a PowerShell command similar to the one below:

The monitoring components also detect freshly launched cmd.exe processes and terminate them promptly. As a final fail-safe, Dexphot uses schtasks.exe to create scheduled tasks, with the command below.

This persistence technique is interesting, because it employs two distinct MITRE ATT&CK techniques: Scheduled Task and Signed Binary Proxy Execution.

The scheduled tasks call msiexec.exe as a proxy to run the malicious code, much like how msiexec.exe was used during installation. Using msiexec.exe, a legitimate system process, can make it harder to trace the source of malicious activity.

Furthermore, the tasks allow Dexphot to conveniently update the payload from the web every time the tasks run. They automatically update all of Dexphot’s components, both upon system reboot as well as every 90 or 110 minutes while the system is running.

Dexphot also generates the names for the tasks at runtime, which means a simple block list of hardcoded task names will not be effective in preventing them from running. The names are usually in a GUID format, although after we released our first round of Dexphot-blocking protections, the threat authors began to use random strings.

The threat authors have one more evasion technique for these scheduled tasks: some Dexphot variants copy msiexec.exe to an arbitrary location and give it a random name, such as %AppData%\<random>.exe. This makes the system process running malicious code a literal moving target.

Polymorphism

Dexphot exhibits multiple layers of polymorphism across the binaries it distributes. For example, the MSI package used in the campaign contains different files, as shown in the table below. The MSI packages generally include a clean version of unzip.exe, a password-protected ZIP file, and a batch file that checks for currently installed antivirus products. However, the batch file is not always present, and the names of the ZIP files and Loader DLLs, as well as the password for extracting the ZIP file, all change from one package to the next.

In addition, the contents of each Loader DLL differs from package to package, as does the encrypted data included in the ZIP file. This leads to the generation of a different ZIP archive and, in turn, a unique MSI package, each time the attacker bundles the files together. Because of these carefully designed layers of polymorphism, a traditional file-based detection approach wouldn’t be effective against Dexphot.

 

MSI package ID MSI package contents Password for ZIP file Contents of encrypted ZIP
Unzip.exe name ZIP file name Batch file name Loader DLL file name Encrypted data name
MSI-1 ex.exe webUI.r0_ f.bat kjfhwehjkf IECache.dll bin.dat
MSI-2 ex.exe analog.tv f.bat ZvDagW kernel32.bin bin.dat
MSI-3 z.exe yandex.zip f.bat jeremy SetupUi.dll bin.dat
MSI-4 unzip.exe ERDNT.LOC.zip iso100 ERDNT.LOC data.bin
MSI-5 pck.exe mse.zip kika _steam.dll bin.dat
MSI-6 z.exe msi.zip arima ic64.dll bin.dat
MSI-7 z.exe mse.zip f.bat kika _steam.dll bin.dat
MSI-8 z.exe mse.zip kika _steam.dll bin.dat
MSI-9 z.exe yandex.zip f.bat jeremy SetupUi.dll bin.dat
MSI-10 hf.exe update.dat f.bat namr x32Frame.dll data.bin
MSI-11 z.exe yandex.zip f.bat jeremy SetupUi.dll bin.dat
MSI-12 unzip.exe PkgMgr.iso.zip pack PkgMgr.iso data.bin
MSI-13 ex.exe analog.tv f.bat kjfhwefkjwehjkf urlmon.7z bin.dat
MSI-14 ex.exe icon.ico f.bat ZDADW default.ocx bin.dat
MSI-15 hf.exe update.dat namr AvastFileRep.dll data.bin
MSI-16 pck.exe mse.zip f.bat kika _steam.dll bin.dat
MSI-17 z.exe mse.zip f.bat joft win2k.wim bin.dat
MSI-18 ex.exe plugin.cx f.bat ZDW _setup.ini bin.dat
MSI-19 hf.exe update.dat namr AvastFileRep.dll data.bin
MSI-20 ex.exe installers.msu f.bat 000cehjkf MSE.Engine.dll bin.dat
MSI-21 z.exe msi.zip f.bat arima ic64.dll bin.dat
MSI-22 z.exe archive00.x f.bat 00Jmsjeh20 chrome_watcher.dll bin.dat

A multitude of payload hosts

Besides tracking the files and processes that Dexphot uses to execute an attack, we have also been monitoring the domains used to host malicious payloads. The URLs used for hosting all follow a similar pattern. The domain address usually ends in a .info or .net TLD, while the file name for the actual payload consists of random characters, similar to the randomness previously seen being used to generate file names and scheduled tasks. Some examples from our research are shown in the table below.

 

Scheduled task name Download URL
hboavboja https://supe********709.info/xoslqzu.pdi
{C0B15B19-AB02-0A10-259B-1789B8BD78D6} https://fa*****r.com/jz5jmdouv4js.uoe
ytiazuceqeif https://supe********709.info/spkfuvjwadou.bbo
beoxlwayou https://rb*****.info/xgvylniu.feo
{F1B4C720-5A8B-8E97-8949-696A113E8BA5} https://emp*******winc.com/f85kr64p1s5k.naj
gxcxhbvlkie https://gu*****me.net/ssitocdfsiu.pef
{BE7FFC87-6635-429F-9F2D-CD3FD0E6DA51} https://sy*****.info/pasuuy/xqeilinooyesejou.oew
{0575F553-1277-FB0F-AF67-EB649EE04B39} https://sumb*******on.info/gbzycb.kiz
gposiiobhkwz https://gu*****me.net/uyuvmueie.hui
{EAABDEAC-2258-1340-6375-5D5C1B7CEA7F} https://refr*******r711.info/3WIfUntot.1Mb
zsayuuec https://gu*****me.net/dexaeuioiexpyva.dil
njibqhcq https://supe********709.info/aodoweuvmnamugu.fux
{22D36F35-F5C2-29D3-1CF1-C51AC19564A4} https://pr*****.info/ppaorpbafeualuwfx/hix.ayk
qeubpmnu https://gu*****me.net/ddssaizauuaxvt.cup
adeuuelv https://supe********709.info/tpneevqlqziee.okn
{0B44027E-7514-5EC6-CE79-26EB87434AEF} https://sy*****.info/huauroxaxhlvyyhp/xho.eqx
{5A29AFD9-63FD-9F5E-F249-5EC1F2238023} https://refr*******r711rb.info/s28ZXoDH4.78y
{C5C1D86D-44BB-8EAA-5CDC-26B37F92E411} https://fa*****r.com/rbvelfbflyvf.rws

Many of the URLs listed were in use for an extended period. However, the MSI packages hosted at each URL are frequently changed or updated. In addition, every few days more domains are generated to host more payloads. After a few months of monitoring, we were able to identify around 200 unique Dexphot domains.

Conclusion: Dynamic, comprehensive protection against increasingly complex everyday threats

Dexphot is not the type of attack that generates mainstream media attention; it’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles — to install a coin miner that silently steals computer resources and generates revenue for the attackers — yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit.

To combat threats, several next-generation protection engines in Microsoft Defender Advanced Threat Protection’s antivirus component detect and stop malicious techniques at multiple points along the attack chain. For Dexphot, machine learning-based detections in the cloud recognize and block the DLLs loaded by rundll32.exe, stopping the attack chain in its early stages. Memory scans detect and terminate the loading of malicious code hidden by process hollowing — including the monitoring processes that attempt to update the malware code and re-infect the machine via PowerShell commands.

Behavioral blocking and containment capabilities are especially effective in defeating Dexphot’s fileless techniques, detection evasion, and persistence mechanisms, including the periodic and boot-time attempts to update the malware via scheduled tasks. As mentioned, given the complexity of the attack chain and of Dexphot’s persistence methods, we released a remediation solution that prevents re-infection by removing artifacts.

Microsoft Defender ATP solutions for Dexphot attack

The detection, blocking, and remediation of Dexphot on endpoints are exposed in Microsoft Defender Security Center, where Microsoft Defender ATP’s rich capabilities like endpoint detection and response, automated investigation and remediation, and others enable security operations teams to investigate and remediate attacks in enterprise environments. With these capabilities, Microsoft Defender ATP provides comprehensive protection against Dexphot and the countless other complex and evolving threats that we face every day.

 

Sample indicators of compromise (IoCs)

Installer (SHA-256):
72acaf9ff8a43c68416884a3fff3b23e749b4bb8fb39e16f9976643360ed391f

MSI files (SHA-256):
22beffb61cbdc2e0c3eefaf068b498b63a193b239500dab25d03790c467379e3
65eac7f9b67ff69cefed288f563b4d77917c94c410c6c6c4e4390db66305ca2a
ba9467e0d63ba65bf10650a3c8d36cd292b3f846983032a44a835e5966bc7e88

Loader DLLs  (SHA-256):
537d7fe3b426827e40bbdd1d127ddb59effe1e9b3c160804df8922f92e0b366e
504cc403e0b83233f8d20c0c86b0611facc040b868964b4afbda3214a2c8e1c5
aa5c56fe01af091f07c56ac7cbd240948ea6482b6146e0d3848d450977dff152

 

 

 

Hazel Kim

Microsoft Defender ATP Research Team

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

 

The post Insights from one year of tracking a polymorphic threat appeared first on Microsoft Security.

Going in-depth on the Windows 10 random number generation infrastructure

November 25th, 2019 No comments

Throughout the years, we’ve had ongoing conversations with researchers, developers, and customers around our implementation of certain security features within the Windows operating system. Most recently, we have open-sourced our cryptography libraries as a way to contribute and show our continued support to the security community

For our most recent contribution, we have decided to go in-depth on our implementation of pseudo-random number generation in Windows 10.

We are happy to release to the public The Windows 10 random number generation infrastructure white paper.

This whitepaper explores details about the Windows 10 pseudo-random number generator (PRNG) infrastructure, and lists the primary RNG APIs. The whitepaper also explains how the entropy system works, what the entropy sources are, and how initial seeding works.

We expect academic and security researchers, as well as operating system developers and people with an in-depth understanding of random number generation, to get the most value out of this whitepaper. Note: Some of the terminology used in this whitepaper assumes prior knowledge of random number generators and entropy collection terms.

We welcome and look forward to your feedback on this whitepaper and the technologies it describes in the comments below. We also appreciate any reports of security vulnerabilities that you may find in our implementation.

 

The post Going in-depth on the Windows 10 random number generation infrastructure appeared first on Microsoft Security.