Insight – LABS, 2015/03/11 10:56
0x00 Attack life cycle in evolution
A similar pattern of behaviour emerges in most of the cases we investigate, and we call it the attack lifecycle.
Security is a cat-and-mouse game: the defenders add a new control, and the attacker moves on to a technique that bypasses it. That was still true in 2014. We saw more intrusions use the victim's own VPN to reach the internal network, new ways of evading detection, and new tools and techniques for pulling data out of the compromised environment.
0x01 VPN hijacking
Obtaining VPN access to the target network gives an attacker two significant advantages. First, they can reconnect to the network at will without deploying a backdoor. Second, they log on to the internal network exactly like a legitimate user.
For several years we have seen some groups go after VPN servers and VPN accounts as soon as they gain a foothold on the intranet. In 2014 the trend peaked, with a growing share of intrusions routed through the victim's own VPN service.
We found two common ways of attacking VPNs:
· Single-factor authentication: if the victim's VPN requires only a username and password, the attacker simply reuses credentials harvested earlier or account passwords dumped from Active Directory.
· Certificate-based two-factor authentication: if the VPN requires a second factor such as a user certificate, the attacker uses a common tool such as Mimikatz to export the certificate and its private key from the user's workstation. We also found that some organisations distributed user certificates insecurely, for example as email attachments (hence the value to social engineers of targeting mailboxes) or on open network shares.
In other, rarer cases, attackers used vulnerabilities to bypass VPN authentication altogether. Heartbleed, which lets a client read up to 64 kB of the server's memory per malformed heartbeat request, is the example. Security researchers were initially sceptical about its real-world impact, for instance whether sensitive material such as encryption keys, passwords and certificates could actually be stolen in a live attack.
The nightmare came true within a week of Heartbleed becoming public, when we investigated an incident in which the vulnerability was exploited to take over active VPN sessions without a username or password. In the weeks that followed, the same attackers used Heartbleed against other victims' VPN systems.
As the saying goes, when the defence grows a foot, the attack grows ten. In 2014 we discovered several new tricks in the attack lifecycle, some of them quite unusual.
In these cases the VPN logs give us hints: the source address of the account the attacker is using changes frequently, hopping between the address ranges of different ISPs and even between countries. (On the importance of a SIEM.)
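The source-address hint above can be turned into a check. The following PowerShell is an added example, not code from the original article or from Mandiant: it parses a VPN authentication log, enriches each logon with country and ASN, and reports accounts whose consecutive logons within a 24-hour window come from different countries or ISPs. The log lines and the IP-to-location table are constructed for the example (documentation address ranges, made-up ASNs); in practice the input is the VPN concentrator's log and a real GeoIP/ASN lookup.

```powershell
# Added example (not from the original article): flag VPN accounts whose source
# address hops between ISPs (ASNs) or countries within a short window.
# Both the log lines and the IP-to-location table are constructed for this
# example; in practice feed in the VPN concentrator's authentication log and a
# real GeoIP/ASN lookup.

# Constructed sample log: UTC timestamp, account, source IP
$VpnLog = @'
2014-06-02T08:12:04Z jdoe   198.51.100.23
2014-06-02T09:40:51Z jdoe   198.51.100.23
2014-06-02T10:05:17Z jdoe   203.0.113.77
2014-06-02T10:31:49Z jdoe   192.0.2.140
2014-06-02T11:02:33Z asmith 198.51.100.45
2014-06-02T16:47:10Z asmith 198.51.100.45
2014-06-02T21:10:02Z asmith 198.51.100.46
'@

# Constructed lookup standing in for a GeoIP/ASN database (documentation ranges)
$IpInfo = @{
    '198.51.100.23' = @{ Country = 'US'; ASN = 'AS64500' }
    '198.51.100.45' = @{ Country = 'US'; ASN = 'AS64500' }
    '198.51.100.46' = @{ Country = 'US'; ASN = 'AS64500' }
    '203.0.113.77'  = @{ Country = 'RO'; ASN = 'AS64501' }
    '192.0.2.140'   = @{ Country = 'HK'; ASN = 'AS64502' }
}

function Get-VpnSourceHoppers {
    param(
        [Parameter(Mandatory)][string]$Log,
        [Parameter(Mandatory)][hashtable]$Lookup,
        [int]$WindowHours = 24
    )
    # Parse each line into an event enriched with country and ASN
    $events = foreach ($line in ($Log -split "`r?`n")) {
        if (-not $line.Trim()) { continue }
        $ts, $user, $ip = $line.Trim() -split '\s+'
        $info = if ($Lookup.ContainsKey($ip)) { $Lookup[$ip] } else { @{ Country = '??'; ASN = '??' } }
        [pscustomobject]@{
            Time    = [datetimeoffset]::Parse($ts).UtcDateTime
            User    = $user
            IP      = $ip
            Country = $info.Country
            ASN     = $info.ASN
        }
    }

    # Per account, compare each logon with the previous one: a change of
    # country or ASN inside the window is the hint the article describes
    foreach ($group in ($events | Group-Object User)) {
        $seq = @($group.Group | Sort-Object Time)
        for ($i = 1; $i -lt $seq.Count; $i++) {
            $prev = $seq[$i - 1]
            $cur  = $seq[$i]
            $gap  = $cur.Time - $prev.Time
            if ($gap.TotalHours -le $WindowHours -and
                ($prev.Country -ne $cur.Country -or $prev.ASN -ne $cur.ASN)) {
                [pscustomobject]@{
                    User    = $group.Name
                    From    = "$($prev.IP) [$($prev.Country) $($prev.ASN)]"
                    To      = "$($cur.IP) [$($cur.Country) $($cur.ASN)]"
                    Minutes = [math]::Round($gap.TotalMinutes)
                }
            }
        }
    }
}

Get-VpnSourceHoppers -Log $VpnLog -Lookup $IpInfo | Format-Table -AutoSize
```

Unknown addresses are tagged `??` rather than dropped, so a source that is missing from the lookup still produces a hit when it follows a known one; tune `$WindowHours` down to catch faster hops and up to catch slow, patient operators.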
0x02 Malware hiding in plain sight
Detecting malware is a never-ending task. In 2014 we saw attackers use many new techniques to hide their activity and new ways of installing long-term backdoors.
Hidden webshells. We found several cases where attackers placed webshells on servers that terminate SSL, because the victim's network architecture could not inspect SSL traffic; the webshell therefore slipped past any network-traffic-based detection.
Another trend is embedding one-line webshells, such as an eval() backdoor, inside legitimate web pages. The sneakiest way of hiding a backdoor was loading a malicious module through a configuration file such as web.config, for example:
```xml
<!-- HTTP Modules -->
<modules>
  <add type="Microsoft.Exchange.Clients.BadModule, BadModule" name="" />
</modules>
```
The attacker used the configuration file to load a malicious module whose file name mimicked a genuine Microsoft DLL, and modified the timestamps of both the configuration file and the DLL so that neither would stand out.
0x03 WMI backdoors
Windows Management Instrumentation (WMI) is a core Windows component that exposes a wide range of system-management functions and interfaces. Programs and scripting languages use WMI to collect data, interact with the underlying system and execute commands. WMI also provides event-based triggers, which can launch malware when the state of a particular object changes.
In previous years we rarely saw attackers use WMI for evasion, most likely because interacting with it is complex and simpler bypasses were good enough. In 2014, however, we found several groups using WMI to implement hidden backdoors.
These techniques use three WMI components and are typically set up with PowerShell:
· Event filter: a WQL query, polled by the system on a schedule, that defines when the backdoor runs, for example at a fixed time every day. This is what gives the backdoor long-term persistence.
· Event consumer: executes a particular program or command when the matching event occurs.
· Filter-to-consumer binding: ties the consumer to the filter so that the consumer runs whenever the filter fires.
Figure 7:
1. The attacker creates three WMI event objects with PowerShell: a filter that polls the system for a condition, a consumer that executes a command or script, and a binding that links the filter to the consumer.
2. WMI periodically polls the system for the event described in the filter. In this example the filter fires when the local time is 08:05 every day:
```sql
SELECT * FROM __InstanceModificationEvent WITHIN 60
WHERE TargetInstance ISA 'Win32_LocalTime'
  AND TargetInstance.Hour = 08 AND TargetInstance.Minute = 05
GROUP WITHIN 60
```
3. When the filter fires, WMI automatically executes the bound consumer. This example shows part of the command the consumer runs: PowerShell executing base64-encoded malicious code.
```powershell
CommandLineTemplate = "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -enc SQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAALQBDAG8AbQBwAHUAdABl..."
```
Below is an example of using PowerShell to create the WMI consumer. It runs powershell.exe with the base64-encoded parameter passed in; the encoded content is itself a PowerShell script, for example one that downloads and runs a program. Bound to a filter that fires repeatedly, the command executes periodically.
```powershell
Set-WmiInstance -Namespace "root\subscription" -Class 'CommandLineEventConsumer' -Arguments @{
    Name                = 'EvilWMI';
    CommandLineTemplate = "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -enc SQBuAHYAbwBrAGUALQBDAG8AG8AbQ...";
    RunInteractively    = 'false'
}
```
WMI-based persistence makes forensics difficult. The filter and consumer leave no trace in the registry; WMI objects live in a complex database on disk (OBJECTS.DATA under %SystemRoot%\System32\wbem\Repository), which is hard to analyse. Windows only audits WMI execution when debug-level logging is enabled, which is rarely practical because of the volume (many Windows features use WMI themselves). Note that later Windows releases (Windows 10 / Server 2016 onward) record the creation of permanent event subscriptions as event 5861 in the Microsoft-Windows-WMI-Activity/Operational log, and Sysmon events 19, 20 and 21 cover filter, consumer and binding creation respectively.
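Because the repository is awkward to parse offline, the practical check on a live host is to ask WMI itself for the three object types described above. The following PowerShell is an added example, not code from the original article or from Mandiant: it lists every filter-to-consumer binding in root\subscription, resolves the filter and consumer each one references, decodes any `-enc` payload in a CommandLineEventConsumer back to readable script, and flags timer-style filters and interpreter launches. The WMI class names are the standard ones; the script is read-only and assumes an elevated Windows PowerShell session on the host being examined.

```powershell
# Added example (not from the original article): enumerate the permanent WMI
# event subscriptions in root\subscription, resolve every binding to its filter
# and consumer, and decode any "-enc" PowerShell payload found in a
# CommandLineEventConsumer. Read-only; needs an elevated Windows PowerShell
# session on the host being examined.

function Get-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
    # __EventConsumer is the abstract base class; querying it returns every
    # concrete consumer type (CommandLine, ActiveScript, NTEventLog, ...)
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)
    $bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Filter and Consumer hold object paths such as
        #   \\HOST\root\subscription:__EventFilter.Name="EvilFilter"
        # so the referenced object is looked up by its Name key.
        $fName = if ($b.Filter   -match 'Name="([^"]+)"') { $Matches[1] } else { $b.Filter }
        $cName = if ($b.Consumer -match 'Name="([^"]+)"') { $Matches[1] } else { $b.Consumer }
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1

        $command = $null
        $decoded = $null
        switch ($c.__CLASS) {
            'CommandLineEventConsumer'  { $command = $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $command = $c.ScriptText }
        }
        # powershell.exe -enc / -EncodedCommand takes base64 of UTF-16LE text
        if ($command -and $command -match '(?i)-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
            try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
            catch { $decoded = '<not valid base64>' }
        }

        $query = if ($f) { $f.Query } else { '<filter missing>' }
        [pscustomobject]@{
            Filter     = $fName
            Query      = $query
            Consumer   = $cName
            Type       = if ($c) { $c.__CLASS } else { '<consumer missing>' }
            Command    = $command
            Decoded    = $decoded
            # Clock/uptime-driven filters and interpreter launches match the
            # pattern described in the article
            Suspicious = [bool]$decoded -or
                         $query -match 'Win32_LocalTime|SystemUpTime' -or
                         ($command -ne $null -and
                          $command -match '(?i)powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32')
        }
    }
}

Get-WmiPersistence | Format-List
```

On a clean Windows 7 or later host the only binding you should see is the built-in `SCM Event Log Filter` to `SCM Event Log Consumer` (an NTEventLogEventConsumer); anything else deserves a look. Capture the output for the case file before removing an object, since piping the filter, consumer and binding to `Remove-WmiObject` destroys the only copy of the attacker's query and command line.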
0x04 Malicious Security Packages
We also observed several cases of attackers abusing Windows Local Security Authority (LSA) security packages, a rare registry-based long-term persistence mechanism for hiding auto-loading malware. Security packages are DLLs that LSASS loads automatically at system startup. They are registered as values under the registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa; each value holds a list of strings naming the files (without extension) to load from %SYSTEMROOT%\system32.
Because LSA packages are loaded automatically by lsass.exe, an attacker with administrator rights can add to or modify these values to load a malicious DLL. In 2014 we found an attacker who loaded a multi-stage backdoor, TSPkgEx.dll, through the security-package mechanism:
```text
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
before: Kerberos MSV1_0 Schannel wDigest TSPKG PKU2U
after:  kerberos msv1_0 schannel wdigest tspkg pku2u tspkgEx
```
This causes C:\WINDOWS\System32\tspkgex.dll to be loaded into lsass.exe automatically at every boot.
Because LSASS is extensible by design, a custom security package sits on the logon path and can capture plaintext passwords as users authenticate.
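Both load points described in 0x02 and 0x04 (the `<modules>` entries in an IIS web.config and the LSA "Security Packages" registry value) share the same weakness for the attacker: the referenced binary has to exist on disk, and an impostor named like a Microsoft DLL will not carry a Microsoft signature. The following PowerShell is an added example, not code from the original article or from Mandiant: it walks both lists and checks every referenced DLL for presence and a valid Microsoft Authenticode signature, deliberately ignoring file timestamps because the attacker changed them. The web.config path, the convention that module assemblies live in the application's bin folder, and the package baseline are assumptions to adapt to your estate.

```powershell
# Added example (not from the original article): audit IIS web.config module
# registrations and the LSA "Security Packages" registry value by checking that
# every referenced binary exists where expected and carries a valid Microsoft
# Authenticode signature. Timestamps are ignored on purpose: the attacker
# described in the article altered them.

function Test-MicrosoftSigned {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    # On Windows 8.1 / 2012 R2 and later this also honours catalog signatures,
    # which is how most in-box DLLs are signed. On Windows 7 / 2008 R2 in-box
    # files report NotSigned, so compare hashes against a known-good build there.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "invalid ($($sig.Status))" }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        return "signed by: $($sig.SignerCertificate.Subject)"
    }
    'ok'
}

function Get-WebConfigModuleAudit {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        # Assumption: module assemblies live in the application's bin folder.
        # A 'missing' result can also mean the assembly is in the GAC; look it
        # up under %WINDIR%\Microsoft.NET\assembly in that case.
        [string]$BinDir = (Join-Path (Split-Path -Parent $ConfigPath) 'bin')
    )
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    # Integrated pipeline (<system.webServer><modules>) and classic
    # (<system.web><httpModules>) both register modules with <add type=...>
    foreach ($add in $cfg.SelectNodes('//modules/add | //httpModules/add')) {
        $type = $add.GetAttribute('type')
        # .NET type strings are "Namespace.Class, Assembly[, Version=..., ...]"
        $assembly = ($type -split ',')[1]
        $dll = if ($assembly) { Join-Path $BinDir "$($assembly.Trim()).dll" }
        [pscustomobject]@{
            Source    = $ConfigPath
            Name      = $add.GetAttribute('name')
            Type      = $type
            Binary    = $dll
            Signature = if ($dll) { Test-MicrosoftSigned $dll } else { 'no assembly named (App_Code?) - review manually' }
        }
    }
}

function Get-LsaPackageAudit {
    param(
        # Baseline taken from the article's pre-modification value for a
        # Windows 7 / 2008 R2 host; build your own per OS build
        [string[]]$Baseline = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u')
    )
    # Windows 8.1 / 2012 R2 and later keep the in-box list under OSConfig and
    # leave the classic value nearly empty, so inspect both locations
    $keys = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
            'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
    foreach ($key in $keys) {
        $value = Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue
        if (-not $value) { continue }
        foreach ($pkg in $value.'Security Packages') {
            if ([string]::IsNullOrWhiteSpace($pkg)) { continue }   # REG_MULTI_SZ often ends with ""
            $dll = Join-Path $env:SystemRoot "System32\$pkg.dll"
            [pscustomobject]@{
                Source     = $key
                Package    = $pkg
                InBaseline = $Baseline -contains $pkg
                Binary     = $dll
                Signature  = Test-MicrosoftSigned $dll
            }
        }
    }
}

# Usage: the LSA check runs as-is; the web.config path below is hypothetical
Get-LsaPackageAudit | Format-Table -AutoSize
# Get-WebConfigModuleAudit -ConfigPath 'C:\inetpub\wwwroot\app\web.config' | Format-Table -AutoSize
```

A package that is outside the baseline, or whose DLL is missing, unsigned or signed by someone other than Microsoft, is the tspkgEx case from the article. The "Authentication Packages" value under the same Lsa key is loaded by the same mechanism and is worth the identical check.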
0x05 Mimikatz
In almost every investigation we encountered variants of Mimikatz that evade antivirus; attackers usually modify and recompile the source to slip past signatures. Mimikatz also ships a malicious LSA module, mimilib (an SSP), for harvesting passwords.
Harvesting passwords
Two methods were common in 2014:
· Pass-the-hash: authenticating with a captured NTLM hash instead of the password.
· Dumping plaintext passwords from LSASS memory with Mimikatz.
Microsoft reduced the effectiveness of both in Windows 8.1 and Windows Server 2012 R2, but most of the customers we see still run Windows 7 and Server 2008.
Pass-the-hash is especially useful when many systems share the same local administrator password. Mimikatz goes a step further and pulls plaintext passwords straight from memory.
On an employee's workstation the haul is limited to that employee's credentials. On a server with many interactive logons you get far more. As victims quickly discover, it takes very little time to go from a few compromised systems to a compromised domain.
In our investigations Mimikatz was almost never caught by antivirus, and PowerShell scripts such as Invoke-Mimikatz now load it directly into memory so that no binary ever touches disk.
Mimikatz can also forge Kerberos Golden Tickets: once an attacker has compromised the domain controllers, and with them the key of the krbtgt account, they can mint a ticket-granting ticket with an arbitrary lifetime for any account, and it remains valid even if that account's password is changed. With such a ticket, an attacker who can still reach the internal network regains full domain administrative rights.
Apart from keeping the domain from being compromised in the first place, the only defence against Golden Tickets is to reset the password of the krbtgt account (the Kerberos Key Distribution Center service account) twice. The KDC honours tickets under both the current and the previous krbtgt key, so a single reset still leaves the forged tickets valid; the second reset pushes the stolen key out of that window and invalidates every Golden Ticket made with it.
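The double reset is easy to get wrong in a multi-DC domain: if the second reset happens before the first has replicated everywhere, some DCs skip a key version and legitimate Kerberos traffic breaks while the Golden Ticket may still be honoured by a lagging DC. The following PowerShell is an added example, not code from the original article or from Mandiant: it resets krbtgt, waits until every writable domain controller reports the incremented `msDS-KeyVersionNumber`, and only then allows the second reset. It needs the RSAT ActiveDirectory module and Domain Admin rights; the 10-hour pause between resets (the default maximum TGT lifetime) is an assumption to adjust to your domain's Kerberos policy, and `Invoke-KrbtgtDoubleReset -WhatIf` dry-runs the whole procedure.

```powershell
# Added example (not from the original article): reset the krbtgt password twice,
# confirming after each reset that the new key version has replicated to every
# writable domain controller before moving on. Needs the RSAT ActiveDirectory
# module and Domain Admin rights; run it in a maintenance window. The pause
# between resets (default 10 hours, the default maximum TGT lifetime) is an
# assumption: adjust it to the Kerberos policy of your domain.

Import-Module ActiveDirectory

function Get-KrbtgtKvno {
    # msDS-KeyVersionNumber increments on each password change. Read-only DCs do
    # not hold the krbtgt secret, so only writable DCs are consulted.
    foreach ($dc in Get-ADDomainController -Filter { IsReadOnly -eq $false }) {
        $u = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties 'msDS-KeyVersionNumber'
        [pscustomobject]@{ DC = $dc.HostName; Kvno = [int]$u.'msDS-KeyVersionNumber' }
    }
}

function New-RandomSecurePassword {
    # 48 random bytes as base64 (64 chars). Nobody needs to know the value: the
    # KDC derives the krbtgt keys from it, and the account never logs on.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-KrbtgtOnce {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$ReplicationTimeoutMinutes = 30)

    $pdc    = (Get-ADDomain).PDCEmulator
    $before = (Get-KrbtgtKvno | Measure-Object -Property Kvno -Maximum).Maximum
    if (-not $PSCmdlet.ShouldProcess("krbtgt on $pdc (current kvno $before)", 'Reset password')) { return }

    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword (New-RandomSecurePassword)

    # Wait until every writable DC reports the incremented key version
    $deadline = (Get-Date).AddMinutes($ReplicationTimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $kvnos   = @(Get-KrbtgtKvno)
        $lagging = @($kvnos | Where-Object { $_.Kvno -lt $before + 1 })
    } until ($lagging.Count -eq 0 -or (Get-Date) -gt $deadline)

    if ($lagging.Count -gt 0) {
        throw "krbtgt kvno $($before + 1) has not replicated to: $($lagging.DC -join ', '). Do not perform the second reset yet."
    }
    Write-Verbose "krbtgt kvno is $($before + 1) on all $($kvnos.Count) writable DCs"
    $before + 1
}

function Invoke-KrbtgtDoubleReset {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$PauseHours = 10)
    # Two resets are needed because the KDC accepts tickets under the current and
    # the previous key. The pause lets legitimate TGTs issued under the old key
    # expire or renew instead of all failing at once.
    $first = Reset-KrbtgtOnce
    if ($PSCmdlet.ShouldProcess('domain', "Wait $PauseHours h, then reset krbtgt a second time")) {
        Start-Sleep -Seconds ($PauseHours * 3600)
        $second = Reset-KrbtgtOnce
        "krbtgt kvno moved from $($first - 1) to $second; Golden Tickets forged with the old key are now rejected"
    }
}

# Dry run first; drop -WhatIf to perform the resets
Invoke-KrbtgtDoubleReset -WhatIf
```

If the replication wait times out, fix replication (`repadmin /showrepl`) before re-running rather than forcing the second reset; a domain that cannot converge on one krbtgt key version will not converge on two. Remember that the reset only closes the door on existing Golden Tickets: an attacker who still has domain admin simply dumps the new krbtgt key, so the eviction has to come first.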
0x06 Lateral movement with WMI and PowerShell
In the past, attackers moved through Windows internal networks with built-in tools such as net and at, small home-grown utilities, scripts (often VBS), or PsExec. These are quick and effective, but they leave artefacts and log entries.
Between 2013 and 2014 we saw a marked change in the behaviour of the APT groups we track: they increasingly used WMI and PowerShell for lateral movement, credential harvesting and reconnaissance. PowerShell is also widely used by security researchers and penetration-testing toolkits, many of them open source, so both sides have plenty of material to learn from.
To conclude, the attackers' new techniques:
VPN hijacking: over the year we saw more attackers successfully obtain VPN access to their victims' networks.
Plaintext passwords: attackers recompiled Mimikatz and built other tools to extract plaintext passwords from memory while bypassing antivirus.
Webshell hiding: attackers keep finding novel ways to hide webshells. We found webshells placed where they are only reachable over SSL, eval() backdoors embedded in normal web pages, and malicious DLLs loaded through server configuration files.
Malicious security modules: the extensibility of Windows security packages was used to load backdoors and keyloggers.
WMI and PowerShell: a growing number of attacks use these two powerful built-in Windows features to maintain long-term backdoors, collect data and move laterally.
Kerberos attacks: after obtaining domain administrator rights, the attacker uses a Golden Ticket to log in as any account, even after the domain administrator resets that account's password.