Top Middle East Cyber Threats - 15 April 2019
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cyber security threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top cyber security threat our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
Engineering a new means of attack
Recently, FireEye Managed Defense detected and responded to a FIN6 intrusion. FIN6, a threat actor group known for compromising point-of-sale (PoS) systems and eCommerce organizations, has begun to leverage the LockerGoga and Ryuk file-encryption malware to carry out ransomware attacks. The group has also expanded to new types of targets and has recently focused on the engineering industry.
In the initial phase of an intrusion, the group uses stolen credentials, Cobalt Strike, Metasploit, and publicly available tools such as Adfind and 7-Zip to conduct internal reconnaissance, compress data, and carry out other activities that aid its overall objective.
During the analysis of the attacks, several suspicious SMB connections and Windows Registry artefacts were observed. This indicates that the attackers installed malicious Windows services to execute PowerShell commands on remote systems.
To gain initial access to the environment, FIN6 attempts to compromise an internet-facing system. Having achieved this, the group then leverages stolen credentials to move laterally within the environment over the Windows Remote Desktop Protocol (RDP) service. Following a successful RDP connection to other systems, FIN6 was found to use two different techniques to establish its foothold:
FIN6 uses PowerShell to execute an encoded command. This command consists of a byte array containing a base64-encoded payload. The decoded payload is a Cobalt Strike https-stager, which is injected into the PowerShell process that runs the command. This https-stager is configured to download a second payload from “hxxps://176.126.85[.]207:443/7sJh”. That resource was found to be a shellcode payload configured to download a third payload from “hxxps://176.126.85[.]207/ca”.
FIN6 was also found to create Windows services to execute its encoded PowerShell commands. This encoded command contains a Metasploit reverse HTTP shellcode payload stored in a byte array, as in the first technique. The reverse HTTP payload is configured to communicate with the C2 IP address 176.126.85[.]207 over TCP port 443. The content returned by this C2 is shellcode that makes an HTTPS request for a further download. To achieve privilege escalation within the targeted environment, FIN6 uses the named pipe impersonation technique within the Metasploit framework.
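Both foothold techniques above launch PowerShell with an encoded command that holds a byte-array stager, either directly or through a newly installed service. The following Python is an added detection example (not code from the original report, FireEye, or Help AG): it scans constructed Windows event lines, decodes the -EncodedCommand argument (base64 of UTF-16LE text) and flags the byte-array markers and the C2 address named above. The event line format, the service name and the sample scripts are assumptions constructed for the example.

```python
import base64
import re

# Indicators named in the report above (shown defanged in the text).
C2_INDICATORS = ("176.126.85.207", "pastebin.com")
# Markers of an in-memory stager: a byte array of base64 decoded and injected.
STAGER_MARKERS = ("[byte[]]", "frombase64string", "virtualalloc", "createthread")
# -EncodedCommand and the short forms PowerShell accepts, then the base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(b64):
    """-EncodedCommand carries the script as base64 of UTF-16LE text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_event(line):
    """Return a finding dict for an encoded PowerShell launch, else None."""
    if "powershell" not in line.lower():
        return None
    m = ENC_RE.search(line)
    script = decode_encoded_command(m.group(1)) if m else None
    if script is None:
        return None
    low = script.lower()
    finding = {
        "service_install": "EventID=7045" in line,  # service-based technique
        "c2": [i for i in C2_INDICATORS if i in low],
        "stager": [s for s in STAGER_MARKERS if s in low],
    }
    # Installed as a service, or carrying a byte array / known C2: foothold pattern.
    finding["suspicious"] = bool(finding["service_install"] or finding["c2"] or finding["stager"])
    return finding

def _ps_encode(script):  # only used to build the constructed samples below
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample events (not real telemetry): a 7045 service install running
# an encoded byte-array loader, a benign encoded command, an unrelated process.
SAMPLE_EVENTS = [
    "EventID=7045 ServiceName=upd_svc ImagePath=%COMSPEC% /c powershell -nop -w hidden -enc "
    + _ps_encode("$b=[Byte[]]([Convert]::FromBase64String('QUFBQQ=='));# stage from 176.126.85.207:443"),
    "EventID=4688 NewProcessName=powershell.exe CommandLine=powershell -enc "
    + _ps_encode("Get-Service | Where-Object Status -eq 'Running'"),
    "EventID=4688 NewProcessName=notepad.exe CommandLine=notepad.exe C:\\temp\\notes.txt",
]

def scan(events):
    return [f for f in map(analyse_event, events) if f is not None]
```

In production the same decode-then-inspect step belongs on System event 7045 and Security event 4688 (with command-line auditing enabled), since the base64 hides the byte array from plain string matching.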
The output of the reconnaissance batch file includes Active Directory users, computers, organizational units, subnets, groups, etc. Using this output, FIN6 can identify user accounts that can access additional hosts in the domain. For lateral movement, FIN6 uses a further set of compromised credentials to gain access to additional groups in the domain.
FIN6 was found to use encoded PowerShell commands to install Cobalt Strike on the compromised devices for lateral movement. In some other cases, the encoded PowerShell commands were used to download and execute content hosted on “hxxps://pastebin[.]com”.
FIN6 also moves laterally to servers in the environment using RDP and then configures them as malware “distribution” servers. These distribution servers are used to stage the LockerGoga ransomware, additional utilities, and deployment scripts to automate the installation process of the ransomware. A utility script named “kill.bat” was found running on systems in the environment. This script contains a series of anti-forensics and other commands intended to disable antivirus software and to destabilize the OS.
FIN6 also creates several BAT files on the distribution servers with a naming convention such as xaa.bat, xab.bat, xac.bat, etc. These BAT files contain PsExec commands to connect to the compromised systems and deploy kill.bat along with LockerGoga.
Recommendations and Remediations:
- Blacklist the attack’s known Indicators of Compromise (IoCs) on your security appliances to help detect and block related activity.
- Exercise caution when receiving unsolicited, unexpected, or suspicious files, emails, or URLs.
- If it is not required for business purposes, disable the RDP service for internal devices.
- Use multi-factor authentication for identification and authorization of domain users.
- Introduce and enforce strict password policies for users, such as password complexity requirements, password expiry, preventing the re-use of old passwords, etc.
- Fine-tune your security devices and use cases to apply the attack’s signatures for early detection and monitoring of similar threats.
As always, at Help AG we’re here to help you protect against these and any other cyber threats, so please reach out to us for all your cyber security needs.