As the list of known organizations compromised by way of the SolarWinds supply chain attack is slowly growing – according to Reuters, the attackers also breached U.S. Department of Homeland Security’s systems, the State Department, and the National Institutes of Health – Microsoft has decided that its Defender Antivirus will start blocking/quarantining the known malicious SolarWinds binaries today – even if the process is running.
Some companies are about to find out they actually do use SolarWinds in production… https://t.co/eQhOoPUDF8
— Yoshi (@ChicagoCyber) December 15, 2020
SolarWinds hackers’ many capabilities
As security researcher Vinoth Kumar pointed out, the attackers might easily have compromised the company’s update server by using a password that had been published in SolarWinds’ public GitHub repository for over a year or, as several Reuters sources noted, they might have bought access to SolarWinds’ computers through underground forums.
We’re likely still far from getting concrete information about how the attackers actually got into SolarWinds’ systems, but the company’s recent report to the U.S. Securities and Exchange Commission seems to point to Microsoft Office 365 account compromise as the initial vector.
On that note: Volexity researchers say that the SolarWinds hackers – a threat actor they named Dark Halo – have repeatedly compromised a U.S.-based think tank all through 2019 and 2020, and have demonstrated a wide variety of sophisticated capabilities.
“In the initial incident, Volexity found multiple tools, backdoors, and malware implants that had allowed the attacker to remain undetected for several years. After being extricated from the network, Dark Halo then returned a second time, exploiting a vulnerability in the organization’s Microsoft Exchange Control Panel,” they shared.
“Near the end of this incident, Volexity observed the threat actor using a novel technique to bypass Duo multi-factor authentication (MFA) to access the mailbox of a user via the organization’s Outlook Web App (OWA) service. Finally, in a third incident, Dark Halo breached the organization by way of its SolarWinds Orion software in June and July 2020.”
The picture they paint points to sophisticated attackers, who “displayed a reasonable level of operational security throughout the attack, taking steps to wipe logs for various services used and to remove evidence of their commands from infected systems.”
Despite many unnamed sources fingering Russian hacking group APT 29 (aka CozyBear) for the breach, Volexity noted that they “discovered no hints as to the attacker’s origin or any links to any publicly known threat actor.”
What should possible and confirmed targets do?
- According to SolarWinds, only its Orion Platform was compromised by the attackers, and only specific versions (released between March and June 2020)
- There are 18,000 customers potentially affected by this compromise (i.e., that’s the number of customers who downloaded the booby-trapped Orion versions)
The company has provided advice on what organizations should do to check whether they are among those that have been compromised and what to do if they find out they have.
It’s worth noting here that, while many organizations have apparently downloaded the malicious Orion versions and were saddled with the Sunburst backdoor, the attackers might not have used that access to rifle through their systems. From the information currently available, the attackers concentrated on a limited number of specific targets.
Microsoft and industry partners have taken over and sinkholed a domain that the Sunburst malware would contact to receive further instructions, which should allow them to compile a partial list of compromised organizations and notify them.
SolarWinds has provided clean updates for the Orion platform and guidelines on what organizations can do if they can’t perform the update. The DHS, FireEye, Volexity and Microsoft have provided additional advice and IoCs.
The security teams of organizations using the Orion platform have a lot of work ahead of them: they have to perform a thorough check of all their systems, networks and assets, all the while hoping that they weren’t singled out by the attackers for thorough compromise (or by other attackers whose presence they missed before!)
A “highly sophisticated” hacking group has breached the U.S. Treasury Department, the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA), other government agencies and private sector companies (including, apparently, FireEye) via compromised SolarWinds Orion software.
A supply chain attack
According to reports by FireEye and Microsoft, the hacking group managed to insert a backdoor (signed with SolarWinds’ legitimate certificates) into a DLL file used by the SolarWinds Orion platform, which organizations use for IT monitoring and management.
“Although we do not know how the backdoor code made it into the library, from the recent campaigns, research indicates that the attackers might have compromised internal build or distribution systems of SolarWinds,” Microsoft noted, and added that the backdoor was distributed via automatic update platforms or systems in target networks.
Once inside, the attackers moved laterally and proceeded to steal data.
According to Microsoft, they used administrative permissions acquired through an on-premises compromise to gain access to an organization’s trusted SAML token-signing certificate, and with it forged SAML tokens impersonating any of the organization’s existing users and accounts, which gave them access to both on-premises and cloud resources. They also made changes to the organizations’ Azure Active Directory settings to facilitate long-term access.
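The detection hinge here is that a forged token never passes through the organization’s own federation server: a genuine SAML token is minted on-premises (ADFS records a token-issuance event) before Azure AD ever sees the sign-in, while a token signed with a stolen certificate shows up only on the cloud side. The following Python is an added example, not Microsoft’s or SolarWinds’ code. It correlates simplified, constructed sign-in and issuance records (field names are the example’s own; real ADFS 1200/1202 events and Azure AD sign-in logs carry the same information with more fields) and assumes a 60-minute token lifetime as the matching window.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs), UTC timestamps, simplified fields.
# On-prem federation server: one token-issuance event per genuine SAML token.
ADFS_TOKEN_ISSUANCE = [
    {"time": "2020-12-13T09:00:05", "user": "alice@corp.example"},
    {"time": "2020-12-13T09:14:41", "user": "bob@corp.example"},
]

# Cloud-side sign-ins.  The relying party only checked the signature, so a
# forged token is indistinguishable from a real one in this log alone.
CLOUD_SIGNINS = [
    {"time": "2020-12-13T09:00:07", "user": "alice@corp.example", "auth": "federated", "ip": "203.0.113.10"},
    {"time": "2020-12-13T09:14:44", "user": "bob@corp.example",   "auth": "federated", "ip": "203.0.113.10"},
    # Federated sign-in with no preceding issuance event on the federation server.
    {"time": "2020-12-13T11:02:13", "user": "bob@corp.example",   "auth": "federated", "ip": "198.51.100.77"},
    # Cloud-only password sign-in: no SAML token involved, so out of scope.
    {"time": "2020-12-13T11:05:00", "user": "carol@corp.example", "auth": "password",  "ip": "203.0.113.10"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def orphan_federated_signins(signins, issuances, window=timedelta(minutes=60)):
    """Federated cloud sign-ins with no on-prem token issuance for the same user
    within `window` beforehand (60 min assumed as the SAML token lifetime).
    A genuine token is minted by the federation server before the cloud sees
    it; a token forged with a stolen signing key never is."""
    issued = {}
    for ev in issuances:
        issued.setdefault(ev["user"].lower(), []).append(_ts(ev["time"]))
    orphans = []
    for s in signins:
        if s["auth"] != "federated":
            continue
        t = _ts(s["time"])
        earlier = issued.get(s["user"].lower(), [])
        # Accept an issuance event at most `window` before the cloud sign-in.
        if not any(timedelta(0) <= t - it <= window for it in earlier):
            orphans.append(s)
    return orphans


if __name__ == "__main__":
    for hit in orphan_federated_signins(CLOUD_SIGNINS, ADFS_TOKEN_ISSUANCE):
        print("no on-prem issuance for", hit["user"], "at", hit["time"], "from", hit["ip"])
```

A match is not proof of legitimacy (a real token replayed inside its lifetime also matches), and clock skew between the two log sources needs a small tolerance in practice; the value of the check is the other direction: a federated sign-in with no issuance event anywhere on-premises is either a log gap you can explain or a token that was never issued by your federation server.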
SolarWinds has confirmed that SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020, have been compromised and that a “clean” version (2020.2.1 HF 1) is now available for download.
“An additional hotfix release, 2020.2.1 HF 2 is anticipated to be made available Tuesday, December 15, 2020. We recommend that all customers update to release 2020.2.1 HF 2 once it is available, as the 2020.2.1 HF 2 release both replaces the compromised component and provides several additional security enhancements,” the company noted.
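For triage, the version strings above can be turned into a sortable form so that an Orion inventory is checked mechanically rather than by eye. The Python below is an added example, not SolarWinds’ code: it assumes every build that sorts between 2019.4 HF 5 and 2020.2.1 inclusive is affected, as the vendor statement reads, and uses a constructed sample inventory.

```python
import re

# Range SolarWinds named as compromised, inclusive, the first build that
# replaces the component, and the release the vendor recommends moving to.
# Assumption for this example: every build sorting inside the range is affected.
AFFECTED_LOW = "2019.4 HF 5"
AFFECTED_HIGH = "2020.2.1"
FIRST_FIXED = "2020.2.1 HF 1"
RECOMMENDED = "2020.2.1 HF 2"

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """'2020.2.1 HF 2' -> (2020, 2, 1, 2).  A missing third component or hotfix
    counts as 0, so 2020.2 < 2020.2.1 < 2020.2.1 HF 1, the order the builds shipped in."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hf = m.groups()
    return (int(major), int(minor), int(patch or 0), int(hf or 0))


def classify(version):
    v = parse_version(version)
    if parse_version(AFFECTED_LOW) <= v <= parse_version(AFFECTED_HIGH):
        return "affected"
    if v >= parse_version(RECOMMENDED):
        return "patched"
    if v >= parse_version(FIRST_FIXED):
        return "patched, update to 2020.2.1 HF 2 recommended"
    return "predates affected range"


def triage(inventory):
    """inventory: iterable of (hostname, version).  Returns {status: [hostnames]}."""
    groups = {}
    for host, version in inventory:
        groups.setdefault(classify(version), []).append(host)
    return groups


# Constructed sample inventory, of the kind an asset database would export.
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2 HF 1"),
    ("orion-prod-02", "2020.2.1"),
    ("orion-lab-01", "2019.4 HF 4"),
    ("orion-dr-01", "2020.2.1 HF 1"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

A version string only says what was installed, not whether the backdoor was used; hosts that land in the “affected” bucket still need the IoC checks the vendors and CISA published.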
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive instructing “all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”
Who’s behind these attacks?
SolarWinds’ customers include US telecoms, all five branches of the US Military, various US federal agencies (including the Pentagon, State Department, and the Office of the President of the United States), more than 425 of the US Fortune 500 companies, and many higher education institutions.
FireEye says that this campaign may have begun as early as Spring 2020 and the attackers gained access to government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East.
Washington Post sources say that the hacker group behind these attacks is APT29 (aka Cozy Bear), which has ties with the Russian Foreign Intelligence Service. Kremlin spokesman Dmitry Peskov said that Russia had nothing to do with the attacks on the U.S. Treasury and Commerce departments.
UPDATE (December 14, 2020, 8:40 a.m. PT):
SolarWinds has filed a report with the U.S. SEC, in which it stated that “the vulnerability … was introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products.”
Also, that it “currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000,” and that the attackers likely breached the company by compromising company email accounts (the company uses Microsoft Office 365 for its email and office productivity tools).
ESET researchers have discovered ModPipe, a modular backdoor that gives its operators access to sensitive information stored in devices running ORACLE MICROS Restaurant Enterprise Series (RES) 3700 POS (point-of-sale) – a management software suite used by hundreds of thousands of bars, restaurants, hotels and other hospitality establishments worldwide.
The majority of the identified targets were from the United States.
Containing a custom algorithm
What makes the backdoor distinctive are its downloadable modules and their capabilities, as it contains a custom algorithm designed to gather RES 3700 POS database passwords by decrypting them from Windows registry values.
This shows that the backdoor’s authors have deep knowledge of the targeted software and opted for this sophisticated method instead of collecting the data via a simpler yet “louder” approach, such as keylogging.
Exfiltrated credentials allow ModPipe’s operators access to database contents, including various definitions and configuration, status tables and information about POS transactions.
“However, based on the documentation of RES 3700 POS, the attackers should not be able to access some of the most sensitive information – such as credit card numbers and expiration dates – which is protected by encryption. The only customer data stored in the clear and thus available to the attackers should be cardholder names,” cautions ESET researcher Martin Smolár, who discovered ModPipe.
“Probably the most intriguing parts of ModPipe are its downloadable modules. We’ve been aware of their existence since the end of 2019, when we first found and analyzed its basic components,” explains Smolár.
- GetMicInfo targets data related to the MICROS POS, including passwords tied to two database usernames predefined by the manufacturer. This module can intercept and decrypt these database passwords using a specifically designed algorithm.
- ModScan 2.20 collects additional information about the installed MICROS POS environment on the machines by scanning selected IP addresses.
- ProcList, whose main purpose is to collect information about currently running processes on the machine.
“ModPipe’s architecture, modules and their capabilities also indicate that its writers have extensive knowledge of the targeted RES 3700 POS software. The proficiency of the operators could stem from multiple scenarios, including stealing and reverse engineering the proprietary software product, misusing its leaked parts or buying code from an underground market,” adds Smolár.
What can you do?
To keep the operators behind ModPipe at bay, potential victims in the hospitality sector as well as any other businesses using the RES 3700 POS are advised to:
- Use the latest version of the software.
- Use it on devices that run updated operating system and software.
- Use reliable multilayered security software that can detect ModPipe and similar threats.
Windows users looking to install a VPN app are in danger of downloading one that’s been bundled with a backdoor, Trend Micro researchers warn.
The trojanized package in this specific case is the Windows installer for Windscribe VPN, and contains the Bladabindi backdoor, which is able to:
- Execute commands from a remote malicious user (e.g., downloading, executing, and updating files)
- Log a user’s keystrokes
- Take screenshots of the user’s screen
- Collect information about the computer (OS, username, machine name), the running AV product(s), and passwords stored in browsers
The trojanized installer is offered on third-party download sites and users who download and run it are unlikely to notice that something is wrong with it.
“The bundled application drops three components to the user’s system: the legitimate VPN installer, the malicious file (named lscm.exe) that contains the backdoor, and the application that serves as the runner of the malicious file (win.vbs). The user sees an installation window on their screen, which possibly masks the malicious activity that occurs in the background,” the researchers explained.
Trojanizing legitimate software
Bundling malware with legitimate apps is a popular technique for compromising computers and mobile devices.
In Bladabindi’s case, there’s even a publicly available hacker tool (NJ Rat) that can help create variants sporting a “benign” icon designed to mislead users into running the file.
Users who don’t stick to official download centers and app stores are at greater danger of downloading malware, although attackers have been known to bypass app stores’ protections and compromise official developer sites to deliver malware.
“Enterprises and individual users alike employ VPNs to bolster their system’s protection. However, inadvertently downloading an installer bundled with malicious files does the exact opposite of this as it exposes systems to threats,” the researchers concluded.
Ransomware, the headliner of the previous half-year, walked off stage: less than 1 percent of the emails analyzed contained this kind of malware. Every third email, meanwhile, contained spyware, which threat actors use to steal payment data or other sensitive info and then sell it on the darknet or blackmail its owner.
Downloaders, intended for the installation of additional malware, and backdoors, granting cybercriminals remote access to victims’ computers, also made the top three. They are followed by banking Trojans, whose share of malicious attachments grew for the first time in a while.
Opened email lets spy in
According to the data, in H1 2020, 43 percent of the malicious emails detected by Group-IB’s Threat Detection System carried spyware as attachments or links leading to its download.
Another 17 percent contained downloaders, while backdoors and banking Trojans came third and fourth with 16- and 15-percent shares, respectively. Ransomware, which in the second half of 2019 hid in every second malicious email, almost disappeared from mailboxes in the first six months of this year, with a share of less than 1 percent.
These findings confirm adversaries’ growing interest in Big Game Hunting: ransomware operators have switched from mass attacks on individuals to corporate networks. When attacking a large company, instead of encrypting the first compromised machine right away, attackers use it to move laterally through the network, escalate privileges and deploy ransomware on as many hosts as possible.
Top-10 tools used in attacks were banking Trojan RTM (30%); spyware LOKI PWS (24%), AgentTesla (10%), Hawkeye (5%), and Azorult (1%); and backdoors Formbook (12%), Nanocore (7%), Adwind (3%), Emotet (1%), and Netwire (1%).
New tools detected in the first half of the year included Quasar, an open-source remote access tool; the Gomorrah spyware, which extracts users’ login credentials from various applications; and 404 Keylogger, a data-harvesting tool distributed under a malware-as-a-service model.
Almost 70 percent of malicious files were delivered to the victim’s computer inside archives, another 18 percent were disguised as office documents (with .doc, .xls and .pdf file extensions), while 14 percent were disguised as executable files and scripts.
In the first six months of 2020, a total of 9,304 phishing web resources were blocked, an increase of 9 percent compared to the previous year. The main trend of the period was the two-fold surge in the number of resources served over an SSL/TLS connection: their share grew from 33 percent to 69 percent in just half a year.
This is explained by the cybercriminals’ desire to retain their victim pool: most web browsers flag websites served without an SSL/TLS connection as not secure, which hurts the effectiveness of phishing campaigns.
Experts predict that the share of web phishing over insecure connections will continue to decrease, and that phishing sites without SSL/TLS will become the exception.
As in the second half of 2019, in the first half of this year online services such as ecommerce websites were the main target of web phishers. With the global pandemic pushing businesses online, the share of this phishing category rose to a remarkable 46 percent.
The attractiveness of online services is explained by the fact that by stealing user login credentials, threat actors also gain access to the data of bank cards linked to user accounts.
Online services are followed by email service providers (24%), whose share, after a decline in 2019, resumed growth in 2020, and financial organizations (11%). Main web-phishing target categories also included payment services, cloud storages, social networks, and dating websites.
The .com domain zone has consistently held the lead in the number of phishing resources registered, accounting for nearly half (44%) of the phishing resources detected in the review period. Other domain zones popular among phishers included .ru (9%), .br (6%), .net (3%) and .org (2%).
“The beginning of this year was marked by changes in the top of urgent threats that are hiding in malicious emails,” comments CERT-GIB deputy head Yaroslav Kargalev.
“Ransomware operators have focused on targeted attacks, choosing large victims with a higher payment capacity. The precise elaboration of these separate attacks affected the ransomware share in the top threats distributed via email en masse.
“Their place was taken by backdoors and spyware, with the help of which threat actors first steal sensitive information and then blackmail the victim, demanding a ransom, and, in case the demand is refused, releasing the info publicly.
“The ransomware operators’ desire to make a good score is likely to result in the increase of the number of targeted attacks. As email phishing remains the main channel of their distribution, the urgency of securing mail communication is more relevant than ever.”
A fileless worm dubbed FritzFrog has been found roping Linux-based devices – corporate servers, routers and IoT devices – with SSH servers into a P2P botnet whose apparent goal is to mine cryptocurrency.
Simultaneously, though, the malware creates a backdoor on the infected machines, allowing the attackers to access them at a later date even if the SSH password has been changed in the meantime.
“When looking at the amount of code dedicated to the miner, compared with the P2P and the worm (‘cracker’) modules – we can confidently say that the attackers are much more interested in obtaining access to breached servers than making a profit through Monero,” Guardicore Labs lead researcher Ophir Harpaz told Help Net Security.
“This access and control over SSH servers can be worth much more money than spreading a cryptominer. Additionally, it is possible that FritzFrog is a P2P-infrastructure-as-a-service; since it is robust enough to run any executable file or script on victim machines, this botnet can potentially be sold in the darknet and be the genie of its operators, fulfilling any of its malicious wishes.”
The worm’s targets
FritzFrog is a modular, multi-threaded and fileless SSH internet worm that attempts to grow a P2P botnet by breaking into public IP addresses, ignoring known ranges saved for private addresses.
The botnet has nodes around the globe.
“While intercepting the FritzFrog P2P network, we’ve seen target lists which consist of sequential IP addresses, resulting in a very systematic scan of IP ranges in the internet,” Harpaz explained.
Since January 2020, it targeted IP addresses of governmental offices, educational institutions, medical centers, banks and numerous telecom companies, and successfully breached more than 500 SSH servers.
An advanced piece of malware
Written in Golang, the malware seems to be the work of highly professional software developers:
- It’s fileless – it assembles and executes payloads in-memory, operates with no working directory, and also uses the fileless approach when sharing and exchanging files between nodes
- Its brute-force attempts are aggressive, based on an extensive dictionary
- It’s efficient – no two nodes in the network attempt to “crack” the same target machine
- Its P2P protocol is proprietary and was written from scratch (i.e., not based on an existing implementation)
- It creates a backdoor in the form of an SSH-RSA public key added to the authorized_keys file. With the corresponding private key, the attackers can access the compromised machine whenever they want, without needing to know the SSH password
Other things that allow the malware to fly under the radar:
- Its processes run under the names ifconfig, nginx or libexec (the latter is used when Monero-mining)
- It tunnels its P2P commands over the standard SSH port by running a local netcat client on the infected machines. Any command sent over SSH is used as netcat’s input and transmitted to the malware
“Even with this creative way of sending commands, the process remains completely automated and under the malware’s control. Even after creating this P2P channel to the newly-infected host, the malware is the one which keeps feeding the victim with commands,” Harpaz noted.
“However, it is very likely that manual, human-operated commands are sent to network peers. Guardicore Labs has developed a tool which intercepts the network and is capable of sending and receiving commands on demand. The actor behind this campaign can do the exact same thing, and it is highly probable that the operator has the means for sending commands manually to certain (or all) nodes in the network.”
Check whether your machines are part of the botnet
The absence of a cryptominer on a machine running an SSH server is not proof that it hasn’t been infected, as the malware checks whether the machine can spare the CPU to mine and decides against mining if it can’t.
Admins can use a detection script that searches for the aforementioned fileless processes, evidence of malware listening on port 1234 and of TCP traffic over port 5555 (network traffic to the Monero pool).
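As an added illustration of those checks (example code, not Guardicore’s script), the following Python works from the indicators the article lists: it parses /proc/net/tcp for a listener on port 1234 and for established connections to port 5555, and looks for processes carrying one of the three names whose executable is not a file on disk, which is what an in-memory payload looks like in /proc/<pid>/exe. The /proc/net/tcp excerpt is constructed for the example.

```python
import os
from pathlib import Path

# Indicators from the article: process names the malware uses, the port of its
# P2P listener and the port of its Monero pool traffic.
SUSPECT_NAMES = {"ifconfig", "nginx", "libexec"}
P2P_PORT = 1234
POOL_PORT = 5555
LISTEN, ESTABLISHED = "0A", "01"   # socket states as /proc/net/tcp encodes them


def _parse_addr(field):
    """'0201A8C0:15B3' -> ('192.168.1.2', 5555); the IPv4 half is little-endian hex."""
    ip_hex, port_hex = field.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)


def suspect_sockets(proc_net_tcp):
    """Scan the text of /proc/net/tcp for a listener on 1234 or a connection to :5555."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:        # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_ip, local_port = _parse_addr(fields[1])
        remote_ip, remote_port = _parse_addr(fields[2])
        state = fields[3]
        if state == LISTEN and local_port == P2P_PORT:
            hits.append(("listen", f"{local_ip}:{local_port}"))
        elif state == ESTABLISHED and remote_port == POOL_PORT:
            hits.append(("connect", f"{remote_ip}:{remote_port}"))
    return hits


def suspect_processes(proc_root="/proc"):
    """Processes using one of the malware's names whose executable is not a file
    on disk (memfd-backed or deleted), which is how a fileless payload shows up
    in /proc/<pid>/exe.  Needs root to read other users' processes."""
    found = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()
            exe = os.readlink(entry / "exe")
        except OSError:                       # kernel thread, vanished, or no permission
            continue
        if comm in SUSPECT_NAMES and ("(deleted)" in exe or exe.startswith("/memfd:")):
            found.append((int(entry.name), comm, exe))
    return found


# Constructed /proc/net/tcp excerpt: sshd on :22, a listener on :1234 and an
# established connection to 192.168.1.2:5555.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 00000000:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2002 1 0 100 0 0 10 0
   2: 0100007F:C8F4 0201A8C0:15B3 01 00000000:00000000 00:00000000 00000000     0        0 3003 1 0 100 0 0 10 0
"""

if __name__ == "__main__":
    print(suspect_sockets(Path("/proc/net/tcp").read_text()))
    print(suspect_processes())
```

Run it as root so every process is readable, and repeat the socket scan against /proc/net/tcp6 on dual-stack hosts; a pool-port connection only matters on machines that are not supposed to be mining.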
While a reboot of the affected machine/device will remove the malware from memory and terminate its process, the victim is immediately registered in the P2P network along with its login credentials, so it will be re-infected in no time.
Instead, admins should:
- Terminate the malicious processes
- Change the SSH password to a strong one and use public key authentication
- Remove FritzFrog’s public key from the authorized_keys file to “close” the backdoor
- Consider changing routers’ and IoT devices’ SSH port or completely disabling SSH access to them if the service is not needed
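The third step can be done without guessing which key is the attacker’s: keep only the keys whose fingerprints are on an allowlist and drop everything else. The Python below is an added example, not Guardicore’s tooling; the sample authorized_keys file and the keys in it are constructed (throwaway numbers, not real keys).

```python
import base64
import hashlib
import struct
from pathlib import Path


def fingerprint(entry):
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line, matching
    what `ssh-keygen -lf` prints.  Leading option fields (command="...",
    from="...") are skipped; a quoted option containing spaces would need a
    proper tokenizer, which this example does not attempt."""
    fields = entry.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            blob = base64.b64decode(fields[i + 1], validate=True)
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no key type field")


def audit_authorized_keys(text, allowed_fingerprints):
    """Split an authorized_keys file into (kept_text, removed_lines).  Comments and
    blank lines are kept; keys survive only if their fingerprint is allowlisted;
    anything unparsable is treated as untrusted and removed."""
    kept, removed = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        try:
            fp = fingerprint(stripped)
        except (ValueError, IndexError):   # binascii.Error is a ValueError
            removed.append(line)
            continue
        (kept if fp in allowed_fingerprints else removed).append(line)
    return "\n".join(kept) + "\n", removed


def clean_file(path, allowed_fingerprints):
    """Rewrite `path` in place, keeping a .bak copy; returns the removed lines."""
    p = Path(path)
    original = p.read_text()
    kept, removed = audit_authorized_keys(original, allowed_fingerprints)
    if removed:
        p.with_name(p.name + ".bak").write_text(original)
        p.write_text(kept)
    return removed


# Helpers to build constructed sample keys in wire format (throwaway numbers).
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def _mpint(n):
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")   # leading 0x00 when the top bit is set
    return _ssh_string(raw)

def _key_line(key_type, blob, comment=""):
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line

ADMIN_KEY = _key_line("ssh-ed25519", _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32))), "admin@bastion")
BACKDOOR_KEY = _key_line("ssh-rsa", _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(int("c0ffee" * 40, 16) | 1))
SAMPLE_AUTHORIZED_KEYS = f"# managed keys\n{ADMIN_KEY}\n\n{BACKDOOR_KEY}\n"

if __name__ == "__main__":
    kept, removed = audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, {fingerprint(ADMIN_KEY)})
    print("removed:", removed)
```

Build the allowlist from fingerprints you already know (`ssh-keygen -lf` on the keys you issued prints the same SHA256 form), and run the audit for every account that has a shell, root included, alongside the password change and process termination above; doing the key removal alone leaves the worm’s brute-forcing to re-open the door.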
Privacy is a basic right and a necessary protection in the digital age to avoid victimization and manipulation.
In much of the world, privacy is considered a basic human right. Citizens of the European Union, for example, have a right to dignity, and EU law respects individuals’ rights to a private life, to act without coercion, and to maintain control of their personal information. These aspects are so valued that they are considered an integral part of EU society. Europe and most of the world have codified these rights into legislation largely because of the lessons of the past.
A society cannot have liberty without privacy. It can appear as a luxury, but it is important to the well-being of a free and just society.
Throughout history, races and groups of people have been persecuted due to their characteristics, affiliations, possessions, or beliefs. Governments, powerful business entities, criminals, and influential organizations have often sought to obtain private information so they can malign individuals and control or manipulate the masses. Privacy has been one of the shields used to protect people from unjust victimization.
Invasion of privacy as a weapon
During WWII, the Axis powers targeted specific races and religions, to the point of near genocide. Many of those who survived did so because they were able to keep their information private, essentially hiding in the crowd. We witnessed the persecution of people demonstrating for democracy during the Arab Spring movements. Their digital signatures and locations were harvested by oppressive governments to identify people attending public rallies.
Many governments and employers actively spy on their citizens to monitor for undesired ideas, discussions, or dissent. Violators are then prosecuted or re-educated to align with what those in authority deem appropriate. Without the benefit of anonymity, citizens’ desire to express their thoughts is effectively repressed.
Governments undermine privacy to control or influence people. In the United States, during the recent Black Lives Matter protests, surveillance concerns led IBM, Microsoft, and Amazon to rethink providing facial recognition solutions to law enforcement. Protecting privacy is crucial for whistleblowers who come forward to expose injustice. Investigative reporters are ethically bound to protect the identity of their confidential sources for this very reason. Harassment and mistreatment can remain hidden at a tremendous scale when people are fearful of reporting issues because they feel they can be identified.
Privacy protects the innocent from oppression
Autocratic regimes, whether it’s the highest level of government or caustic management of a business, often suppress complaints and new ideas that might undermine their authority or reveal inappropriate acts. Privacy allows dissension, reporting of issues, expression of ideas, constructive resolution of disagreements, and liberty to be heard. Privacy strengthens a community and gives victims a voice by safeguarding free speech that is necessary to counter oppression.
In the digital era, privacy goes beyond anonymity as it also protects people from victimization and manipulation. Society has embraced technology to get educated, communicate, conduct business, and form relationships. Our viewpoints and opinions are strongly influenced by what we learn from local, national, and international news sources.
Data is the new oil
We heavily contribute to the digital landscape through our actions and decisions. Our digital fingerprints are everywhere. They tell a story of where we go, what we do, who we like or dislike, and what we think. They are created by every click we make and every file, application, and device we use. When that data is aggregated, it can provide tremendously powerful insights about a person or community – enough to build complex and accurate personas.
This information is commonly used to manipulate people’s beliefs and behaviors. Online shopping is a perfect example: targeted marketing and data-driven advertising is a big business because it is successful at getting people to spend money. It all comes back to knowing what people are doing, thinking, saying, consuming, and watching. Having access to vast amounts of private data gives advertisers the ability to craft timely and meaningful messages that pull people into desired behaviors.
But if retailers can get people to buy things they don’t need, what else can private data be used for? How about changing what people think, who they support, their political views, what should become a law, and what to believe? The use of private information has long been leveraged to promote, vilify, or persecute various religions and political parties and leaders.
In the last few decades, how global citizens receive their news has changed. The news and entertainment segments have begun to blend, often reporting facts with embellishments and opinionated stories to sway public opinions. The more private information that is known, the easier it becomes to influence, convince, cajole, or threaten people.
More data = More power
A veil of privacy can shield both benefits and abuses. The current trend is to establish and extend privacy rights for the benefit of citizens. This reduces digital victimization, manipulation, and exploitation by protecting sensitive data and allows for activities that promote liberty and free speech.
Without laws, governments and businesses have evolved practices that leverage the power of gathering sensitive information and using it to their own advantage. New privacy laws (GDPR, CCPA) are changing the landscape with many ethical companies downshifting their collection efforts to be more conservative and respectful. They are also showing flexibility in how they treat, protect, and share such data.
Some governments and agencies are also reducing collection, limiting retention, or ending domestic programs that are considered invasive by citizens. At the same time, law enforcement agencies want to retain capabilities to detect and investigate crimes, to protect the security and safety of citizens.
Privacy is also misused. It is the preferred tool for those committing crimes and allows heinous acts against others to remain undetected. It can conceal terrible acts and allow widespread coordination of fraud, abuse, and terror.
Backdoors and master keys
The argument is made that digital backdoors, master keys, and deliberately weakened encryption algorithms that give access to systems and private information would assist in the lawful detection of criminal activity and in investigations to identify terrorists. Although that sounds like a great tool against criminals, it is a Pandora’s Box.
The problem is twofold.
Backdoors and master keys don’t limit access for a specific investigation where probable cause exists, but rather they enable widespread surveillance and data harvesting of an entire population, including law-abiding citizens. This violates people’s right to privacy and opens the door for manipulation and political prosecution. The ability to read every text, email, message, and online conversation to “monitor” the population creates a clear path to abuse. The risk of control and exploitation is real.
Even for those who have no objection to their government having access, we must consider the fact that such backdoors and master keys would be sought by cybercriminals and other nation-state actors. No system is infallible. Eventually, such tools would be found and used by criminals to the detriment of the global digital community. Some backdoors could be worth tens of billions of dollars to the right buyer as they could unlock unimaginable power to seize wealth, affect people, damage nations, undermine independence, and stifle free thought.
Protecting privacy is not about hiding information. It is about the ability to be free from unwanted influence, tyranny, and to communicate with others in ways that challenge the status quo. Privacy protects individuals but also the underpinnings of a free society.
A complicated situation
Privacy is not an easy topic and there is no perfect solution. It is a dynamic situation and will continue to shift with public sentiment.
Everyone wants some level of discretion, confidentiality, and space. Nobody wants their passwords, family finances, details of personal relationships, medical history, location, purchases, and private discussions exposed. Nor do people enjoy being flooded with spam, phishing, and relentless sales calls. Privacy is not so much about hiding something as it is about limiting information to those with a right to know.
Too little privacy can undermine free speech, liberty, and the reporting of victimizations. It also empowers powerful entities to manipulate people’s digital world to coerce, manipulate, and victimize them. Too much privacy can allow criminal actors to thrive and hide from authorities.
A balance must be struck.
Contributing author: Lisa Thee, Lead, Launch Consulting Group.
A new version of the Sarwent malware can open the Remote Desktop Protocol (RDP) port on target Windows computers to make sure that crooks can find their way back into the system through the backdoor.
Whether that access is used later by the same crooks or sold to ransomware gangs or cyber espionage groups is unknown, but affected users should know that removing the malware does not close that particular “backdoor”.
Sarwent’s new capabilities
Sarwent is a piece of malware that started out as a loader for other malware, but has recently been updated with two new functionalities, SentinelOne researchers discovered.
These newer variants can now also:
- Execute commands via Windows Command Prompt and PowerShell
- Create a new Windows user account, enable the RDP service for it, and make changes to the Windows firewall so that RDP access to the infected machine is allowed
Removing the malware from the infected computer will not automatically close the RDP “hole”. Users, admins or paid “cleaners” also have to remove the user account set up by the malware and close the RDP access port in the firewall.
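Cleanup has to cover the account and the firewall rule as well as the binary, so the sequence "new local account, added to Remote Desktop Users, TCP/3389 opened" is worth correlating in the Windows Security log. The script below is an added example (not SentinelOne's or the article's code); it works on a constructed, simplified record set and assumes the standard event IDs 4720, 4732 and 4946, with field names reduced to `target`, `group` and `port` for readability.

```python
from datetime import datetime, timedelta

# Constructed sample, modelled on Security-log fields: 4720 = account created,
# 4732 = member added to a local group, 4946 = firewall rule added.
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2020-05-20T03:12:05", "target": "svchelper"},
    {"id": 4732, "time": "2020-05-20T03:12:06", "target": "svchelper",
     "group": "Remote Desktop Users"},
    {"id": 4946, "time": "2020-05-20T03:12:09", "rule": "Allow RDP", "port": "3389"},
    {"id": 4720, "time": "2020-05-20T09:00:00", "target": "jsmith"},  # routine onboarding
]

RDP_GROUP = "remote desktop users"
WINDOW = timedelta(minutes=10)

def _t(stamp):
    return datetime.fromisoformat(stamp)

def find_rdp_backdoor_accounts(events, window=WINDOW):
    """Return accounts that were created and then exposed over RDP within `window`.

    A hit needs all three steps close together: 4720 creating the account, 4732
    adding that same account to Remote Desktop Users, and 4946 adding a firewall
    rule for TCP/3389. Any one of these alone is ordinary admin activity.
    """
    events = sorted(events, key=lambda e: _t(e["time"]))
    hits = []
    for i, ev in enumerate(events):
        if ev["id"] != 4720:
            continue
        created, name = _t(ev["time"]), ev["target"]
        in_rdp_group = fw_opened = False
        for later in events[i + 1:]:
            if _t(later["time"]) - created > window:
                break
            if (later["id"] == 4732 and later.get("target") == name
                    and later.get("group", "").lower() == RDP_GROUP):
                in_rdp_group = True
            if later["id"] == 4946 and later.get("port") == "3389":
                fw_opened = True
        if in_rdp_group and fw_opened:
            hits.append(name)
    return hits

if __name__ == "__main__":
    for acct in find_rdp_backdoor_accounts(SAMPLE_EVENTS):
        print(f"ALERT: {acct} was created and exposed over RDP; remove the account "
              f"and the firewall rule as well as the malware")
```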
RDP access: A hot commodity
Gaining access to Windows machines via the Remote Desktop Protocol has become a preferred tactic of cyber crooks and ransomware gangs, though they usually scan for machines and servers that already have RDP enabled and then try to brute-force the passwords that protect it.
Since COVID-19 spread across the globe and many employees started working from home, RDP use has soared.
The crooks wielding Sarwent want to increase the chances of retaining access to the machine after the malware is found and removed.
It might be that they want to use that access themselves, to reinfect the computer at a later date. It’s also possible that they plan to rent or sell that access to other cyber gangs or individuals.
Access to corporate networks and systems is regularly sold on dark web forums and marketplaces.
Cyber attackers are increasingly leveraging web shell malware to get persistent access to compromised networks, the US National Security Agency and the Australian Signals Directorate warn.
What are web shells?
Web shells are malicious scripts uploaded to target systems (usually web servers) that let attackers control them remotely. In effect, they create a backdoor into the target system.
The threat is not limited to internet-facing web servers, though: web shells can also be deployed on internal content management systems or network device management interfaces that are not exposed to the internet.
Preventing web shell installation
Attackers usually manage to deploy web shells by exploiting web application vulnerabilities, weak server security configuration, or by uploading to otherwise compromised systems.
Among the web application vulnerabilities that are commonly exploited to install web shell malware are:
“This list is not intended to be exhaustive, but it provides insight on some frequently exploited cases,” the agencies noted, and advised organizations to regularly patch/update web apps and limit their permissions.
“In particular, web applications should not have permission to write directly to a web accessible directory or modify web accessible code. Attackers are unable to upload a web shell to a vulnerable application if the web server blocks access to the web accessible directory,” they pointed out.
If the latter step is not possible, they advised organizations to implement file integrity monitoring to block file changes to web accessible directories or alert when changes occur.
Finally, they should add defense layers such as Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF), and improve network segregation and harden web servers.
Detecting installed web shells
“Web shells are difficult to detect as they are easily modified by attackers and often employ encryption, encoding, and obfuscation,” the agencies explained. That’s what makes them so useful to attackers and so dangerous to defenders.
There are several methods that can be used to detect their presence, such as:
- Comparing a verified benign version of the web app against the production version (and analyzing the discrepancies)
- Monitoring web traffic for anomalies
- Detection based on signatures (can work for detecting popular web shells that have been minimally modified)
- Monitoring for unexpected network flows
- Using Endpoint Detection and Response (EDR) and logging tools such as Microsoft Sysmon or Auditd (on Linux systems) to spot system call or process lineage abnormalities
The NSA has set up a GitHub repository with tools and signatures that can help defenders implement these techniques.
Finally, the agencies warn, organizations that find a web shell on one or more of their systems should investigate how far the attacker penetrated within the network.
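Both the file integrity monitoring advised above and the "compare a verified benign copy against production" detection method come down to the same check: hash every file under the web root and report what differs from a known-good copy. This is an added example, not code from the NSA/ASD guidance or its GitHub repository; the directory trees and file contents are constructed in temporary directories so it runs offline.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each relative file path under `root` to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_against_baseline(baseline_root, deployed_root):
    """Return (added, modified, removed) relative paths in the deployed copy."""
    base, live = hash_tree(baseline_root), hash_tree(deployed_root)
    added = sorted(p for p in live if p not in base)
    modified = sorted(p for p in live if p in base and live[p] != base[p])
    removed = sorted(p for p in base if p not in live)
    return added, modified, removed

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)

def demo():
    """Build a constructed baseline and a tampered deployment, then diff them."""
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as live:
        for root in (base, live):
            _write(root, "index.php", "<?php echo 'hello'; ?>\n")
            _write(root, "js/app.js", "console.log('app');\n")
        # Deployed copy: one original altered, one unexpected file under uploads/.
        _write(live, "index.php", "<?php echo 'hello'; include 'extra.php'; ?>\n")
        _write(live, "uploads/thumb.php", "<?php /* constructed placeholder */ ?>\n")
        return diff_against_baseline(base, live)

if __name__ == "__main__":
    added, modified, removed = demo()
    print("added (investigate):", added)        # ['uploads/thumb.php']
    print("modified (investigate):", modified)  # ['index.php']
    print("removed:", removed)                  # []
```

Added files in upload or cache directories and modified files that should never change after deployment are the two outcomes to triage first; the removed list mostly catches incomplete deployments.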
For the last two years or so, attackers have been infecting and reinfecting poorly secured MS SQL servers, booting other criminals’ malware from them and exploiting their compute power to mine Vollar and Monero cryptocurrency.
61.5 percent of the infected machines get cleaned up by administrators and IT security teams within two days, and the rest within three to 14 days, but, according to Guardicore Labs researchers, 10 percent of the victims end up reinfected, likely because “malware removal is often done in a partial manner, without an in-depth investigation into the root cause of the infection.”
About the campaign and the MS SQL servers botnet
This campaign, dubbed Vollgar by the researchers, has been going on since at least May 2018. The attackers manage to compromise around 3,000 database machines daily, belonging to companies in various industry sectors and located all around the world.
The attackers gain access by brute-forcing the targeted databases. Once access is achieved, they:
- Make configuration changes to the database to allow future command execution and downloading of malware binaries
- Set multiple backdoor users on the machine (both in the MS SQL database context and in that of the operating system) and elevate their privileges
- Eliminate other threat actors’ activity and traces of that activity from the machine (delete keys used for persistence, remove values that allow malware to attach itself to legitimate processes, etc.)
- Write several downloader scripts
- Download multiple RAT modules and an XMRig-based cryptominer.
The RAT modules phone back to the command and control servers and deliver information about the system (location data, system data), the cryptominer starts mining Monero and the Vollar alt-coin.
Attack detection, prevention and mitigation
Microsoft SQL Server is a relational database management system that can run on computers running any of the most popular operating systems (Windows, Linux, macOS).
The attackers target internet-facing Windows machines running poorly secured MS SQL servers.
Using strong and unique MS SQL user account passwords is a must, and the researchers advise against exposing database servers to the internet.
“Instead, they need to be accessible to specific machines within the organization through segmentation and whitelist access policies. We recommend enabling logging in order to monitor and alert on suspicious, unexpected or recurring login attempts,” they noted.
For those who are not sure whether their installations have been compromised, the researchers have provided a list of IoCs and a detection script they can use to check.
“If infected, we highly recommend to immediately quarantine the infected machine and prevent it from accessing other assets in the network. It is also important to change all your MS SQL user account passwords to strong passwords, to avoid being reinfected by this or other brute force attacks,” they concluded.
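The researchers' advice to log and alert on recurring login attempts can be put into practice against the SQL Server ERRORLOG, where each rejected login appears as error 18456 followed by a "Login failed for user" line carrying the client address. The script below is an added example (not Guardicore's detection script); the log excerpt is constructed in the ERRORLOG layout, and the 5-failures-in-60-seconds threshold is an assumption to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed excerpt in SQL Server ERRORLOG layout (error 18456 = login failed).
SAMPLE_ERRORLOG = """\
2020-04-01 10:15:01.22 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-01 10:15:01.22 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:15:03.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:15:04.91 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:15:06.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:15:07.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:15:09.13 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 10:22:40.00 Logon       Login failed for user 'appsvc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_failed_logins(text):
    """Yield (timestamp, user, client_ip) for each failed-login line."""
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                   m["user"], m["client"])

def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak failures inside one `window`} for clients whose
    peak reaches `threshold`; a burst of failures from one source is the
    pattern to alert on, a single typo from an app server is not."""
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    peak = defaultdict(int)
    for ts, _user, client in sorted(parse_failed_logins(text)):
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return {c: n for c, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for client, n in detect_bruteforce(SAMPLE_ERRORLOG).items():
        print(f"ALERT: {n} failed SQL logins from {client} within 60s")
```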
Python backdoor attacks are increasingly common. Iran, for example, used a MechaFlounder Python backdoor attack against Turkey last year. Scripting attacks are nearly as common as malware-based attacks in the United States and, according to the most recent Crowdstrike Global Threat Report, scripting is the most common attack vector in the EMEA region.
Python’s growing popularity among attackers shouldn’t come as a surprise. Python is a simple but powerful programming language. With very little effort, a hacker can create a script of fewer than 100 lines that establishes persistence (so that even if you kill the process, it starts itself back up), establishes a backdoor, obfuscates communications both internally and with external servers, and sets up command and control links. And if an attacker doesn’t want to write the code, that’s no problem either. Python backdoor scripts are easy to find – a simple GitHub search turns up more than 200.
Scripting attacks are favored by cybercriminals and nation states because they are hard to detect by endpoint detection and response (EDR) systems. Python is heavily used by admins, so malicious Python traffic looks exactly like the traffic produced by day-to-day network management tools.
It’s also fairly easy to get these malevolent scripts onto targeted networks. Simply include a malicious script in a commonly used library, change the file name by a single character and, undoubtedly, someone will use it by mistake or include it as a dependency in some other library. That’s particularly insidious, given how enormous the list of dependencies can be in many libraries.
By adding a bit of social engineering, attackers can successfully compromise specific targets. If an attacker knows the StackOverflow usernames of some of the admins at their targeted organization, he or she can respond to a question with ready-to-copy Python code that looks completely benign. This works because many of us have been “trained” by software companies to copy and paste code to deploy their software. Everyone knows it isn’t safe, but admins are often pressed for time and do it anyway.
Anatomy of a Python backdoor attack
Now, let’s imagine a Python backdoor has established itself on your network. How will the attack play out?
First, it will probably try to establish persistence. There are many ways to do this, but one of the easiest is to establish a crontab that restarts the script, even if it’s killed. To stop the process permanently, you’ll need to kill it and the crontab in the right sequence at the right time. Then it will make a connection to an external server to establish command and control, obfuscating communications so they look normal, which is relatively easy to do since its traffic already resembles that of ordinary day-to-day operations.
At this point, the script can do pretty much anything an admin can do. Scripting attacks are often used as the tip of the spear for multi-layered attacks, in which the script downloads malware and installs it throughout the environment.
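The crontab persistence described above leaves a visible artifact: a job that fires every minute or at every boot and relaunches an interpreter on a script parked somewhere unusual. The audit below is an added example (not from the article) that flags such entries in a constructed crontab; the "suspect" locations (/tmp, /var/tmp, /dev/shm, hidden paths) and the every-minute/@reboot criterion are assumptions, so review hits rather than treating them as verdicts.

```python
import re
import shlex

# Constructed crontab: two routine jobs and two that fit the pattern above.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
*/5 * * * * /usr/bin/python3 /opt/monitoring/collect.py
* * * * * /usr/bin/python3 /tmp/.cache/update.py >/dev/null 2>&1
@reboot nohup python3 /dev/shm/.sync.py &
"""

SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
PY = re.compile(r"^python(\d+(\.\d+)?)?$")   # python, python3, python3.8 ...

def split_entry(line):
    """Return (schedule, command_tokens) for one crontab line."""
    if line.startswith("@"):
        sched, _, cmd = line.partition(" ")
    else:
        fields = line.split(None, 5)
        sched = " ".join(fields[:5])
        cmd = fields[5] if len(fields) > 5 else ""
    return sched, shlex.split(cmd)

def is_frequent(sched):
    return sched == "@reboot" or sched.split()[0] in ("*", "*/1")

def is_suspicious(tokens):
    """True when python runs inline code or a script from a temp/hidden path."""
    runs_python = any(PY.match(t.rsplit("/", 1)[-1]) for t in tokens)
    odd_path = any(t.startswith(SUSPECT_DIRS) or "/." in t for t in tokens)
    return runs_python and (odd_path or "-c" in tokens)

def audit_crontab(text):
    """Return the crontab lines that look like a self-restarting interpreter job."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sched, tokens = split_entry(line)
        if is_frequent(sched) and is_suspicious(tokens):
            flagged.append(line)
    return flagged

if __name__ == "__main__":
    for entry in audit_crontab(SAMPLE_CRONTAB):
        print("REVIEW:", entry)
```

When removing a flagged job, delete the crontab entry before killing the process; the other order gives the job a chance to respawn the script.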
Fighting back against Python backdoors
Scripting attacks often bypass traditional perimeter and EDR defenses. Firewalls, for example, use approved network addresses to determine whether traffic is “safe,” but they can’t verify exactly what is communicating on either end. As a result, scripts can easily piggyback on approved firewall rules. As for EDR, traffic from malicious scripts is very similar to that produced by common admin tools. There’s no clear signature for EDR defenses to detect.
The most efficient way to protect against scripting attacks is to adopt an identity-based zero trust approach. In a software identity-based approach, policies are not based on network addresses, but rather on a unique identity for each workload. These identities are based on dozens of immutable properties of the device, software or script, such as a SHA-256 hash of the binary, the UUID of the BIOS or a cryptographic hash of a script.
Any approach that’s based on network addresses cannot adequately protect the environment. Network addresses change frequently, especially in autoscaling environments such as the cloud or containers, and as mentioned earlier, attackers can piggyback on approved policies to move laterally.
With a software and machine identity-based approach, IT can create policies that explicitly state which devices, software and scripts are allowed to communicate with one another — all other traffic is blocked by default. As a result, malicious scripts would be automatically blocked from establishing backdoors, deploying malware or communicating with sensitive assets.
Scripts are rapidly becoming the primary vector for bad actors to compromise enterprise networks. By establishing and enforcing zero trust based on identity, enterprises can shut them down before they have a chance to establish themselves in the environment.
– Rootkit on board;
– Dropped driver has ~100MB size on disk;
– Contains AVKill code;
– Injected DLL as a payload.
Original dropper fingerprints:
File size: 98304 bytes
Dropper is detected by almost all vendors:
The resource section is interesting because it stores the rootkit driver in packed (APLib) form.
The dropper loads the driver in a trivial way: by calling ntdll!ZwLoadDriver.
When loading the driver for the first time, it creates the file and the service with the same name.