Charles Leaver – Carbanak Case Study 3 The Effects Of Ziften Continuous Endpoint Monitoring

Presented By Charles Leaver And Written By Dr Al Hartmann

Part 3 in a 3 part series

 

Below are excerpts of Indicators of Compromise (IoCs) from the technical reports on the Anunak/Carbanak APT attacks, with comments on their discovery by the Ziften continuous endpoint monitoring solution. The Ziften system concentrates on generic indicators of compromise that have stayed consistent across years of attacks and cyber security experience. IoCs can be determined for any operating system, such as Linux, OS X and Windows. Specific indicators of compromise also exist that identify C2 infrastructure or particular attack code instances, but these are not used long term and are not normally reused in fresh attacks. There are billions of these artifacts in the cyber security world, with thousands being added each day. Generic IoCs are embedded for the supported operating systems by the Ziften security analytics, and the specific IoCs are applied by the Ziften Knowledge Cloud, which draws them from subscriptions to a number of industry threat feeds and watch lists that aggregate them. Both kinds have value and will assist in the triangulation of attack activity.

1. Exposed vulnerabilities

Excerpt: All observed cases utilized spear phishing e-mails with Microsoft Word 97–2003 (.doc) files attached or CPL files. The doc files exploit both Microsoft Office (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761).

Comment: Although not actually an IoC, critical exposed vulnerabilities are a significant avenue for exploitation by hackers and a large warning sign that increases the risk rating (and the SIEM priority) for the endpoint, particularly if other signs are also present. These vulnerabilities are indications of lazy patch management and vulnerability lifecycle management, which lead to a weakened cyber defense posture.

2. Geographies That Are Suspect

Excerpt: Command and Control (C2) servers situated in China have actually been recognized in this campaign.

Comment: The geolocation of endpoint network connections and scoring by geography both contribute to the risk rating that drives up the SIEM priority. There are valid reasons for contact with Chinese servers, and some organizations may have sites located in China, but this should be verified with spatial and temporal anomaly checking. IP address and domain information should be included with any resulting SIEM alarm so that SOC triage can be carried out rapidly.

3. Binaries That Are New

Excerpt: Once the remote code execution vulnerability is effectively manipulated, it installs Carbanak on the victim’s system.

Comment: New binaries are always suspicious, but not all of them should raise alarms. Image metadata should be evaluated to see whether there is a pattern, for instance a new app or a new version of an existing app from an existing vendor on a likely file path for that vendor. Hackers will attempt to spoof whitelisted apps, so signing data can be compared along with file size, file path and so on to filter out obvious instances.

4. Unusual Or Delicate Filepaths

Excerpt: Carbanak copies itself into “%system32%\com” with the name “svchost.exe” with the file attributes: system, hidden and read-only.

Comment: Any write into the System32 file path is suspicious because it is a sensitive system directory, so it is subjected to anomaly checking right away. A classic anomaly would be svchost.exe, which is a vital system process image, in an unusual location: the com subdirectory.
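The check described in this comment can be sketched as follows. This is an added example, not Ziften's code; the canonical-directory table, the score weights and the sample events are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Assumed canonical directories for a few core Windows images (illustrative, not exhaustive).
CANONICAL = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
}
SENSITIVE_ROOT = PureWindowsPath(r"c:\windows\system32")

def score_write(path, attrs=()):
    """Return (score, reasons) for one file-write event; weights are assumptions."""
    p = PureWindowsPath(path.lower())
    score, reasons = 0, []
    if SENSITIVE_ROOT in p.parents:
        score += 1
        reasons.append("write under System32")
    expected = CANONICAL.get(p.name)
    if expected is not None and str(p.parent) not in expected:
        score += 3
        reasons.append(f"{p.name} outside its canonical directory")
    if {"system", "hidden", "readonly"} <= set(attrs):
        score += 1
        reasons.append("system+hidden+read-only attributes")
    return score, reasons

# Constructed sample events: (path, file attributes)
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\com\svchost.exe", ("system", "hidden", "readonly")),
    (r"C:\Windows\System32\svchost.exe", ()),
    (r"C:\Users\alice\Documents\report.docx", ()),
]

def triage(events, threshold=3):
    """Return the paths whose score meets the alert threshold."""
    return [path for path, attrs in events if score_write(path, attrs)[0] >= threshold]

if __name__ == "__main__":
    for path, attrs in SAMPLE_EVENTS:
        print(path, *score_write(path, attrs))
```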

5. New Autostarts Or Services

Excerpt: To guarantee that Carbanak has autorun privileges the malware creates a brand-new service.

Comment: New autostarts and new services are common with malware and are always checked by the analytics. Anything of low prevalence would be suspicious. If checking the image hash against industry watchlists shows that it is unknown to most of the anti-virus engines, this will raise suspicion.

6. Low Prevalence File In High Prevalence Directory

Excerpt: Carbanak creates a file with a random name and a .bin extension in %COMMON_APPDATA%\Mozilla where it stores commands to be performed.

Comment: This is a classic example of “one of these things is not like the other” that is simple for the security analytics to check in a continuous monitoring environment. This IoC is also entirely generic: it has nothing to do with which filename or which folder is created. Even though the technical security report lists it as a specific IoC, it is trivially generalized beyond Carbanak to future attacks.
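A minimal version of that prevalence check over a fleet file inventory, as an added example that is not Ziften's code. The thresholds, host names, file names and the mapping of %COMMON_APPDATA% to C:\ProgramData in the sample are assumptions.

```python
from collections import defaultdict

def low_prevalence_outliers(inventory, dir_min=0.5, file_max=0.05):
    """inventory: iterable of (host, directory, filename) observations.
    Return sorted (host, directory, filename) tuples where the directory is
    present on at least dir_min of hosts but the file on at most file_max."""
    hosts = set()
    dir_hosts = defaultdict(set)    # directory -> hosts that have it
    file_hosts = defaultdict(set)   # (directory, filename) -> hosts that have it
    for host, directory, name in inventory:
        d, n = directory.lower().rstrip("\\"), name.lower()
        hosts.add(host)
        dir_hosts[d].add(host)
        file_hosts[(d, n)].add(host)
    total = len(hosts)
    hits = []
    for (d, n), seen in file_hosts.items():
        common_dir = len(dir_hosts[d]) / total >= dir_min
        rare_file = len(seen) / total <= file_max
        if common_dir and rare_file:
            hits.extend((h, d, n) for h in seen)
    return sorted(hits)

def build_sample():
    """Constructed fleet of 40 hosts that all have a Mozilla data directory."""
    moz = r"C:\ProgramData\Mozilla"  # assumed expansion of %COMMON_APPDATA%\Mozilla
    inv = []
    for i in range(40):
        host = f"ws{i:02d}"
        inv.append((host, moz, "updates.xml"))
        inv.append((host, moz, "profile.ini"))
    inv.append(("ws17", moz, "kqzxvbtr.bin"))                   # random-looking name on one host
    inv.append(("ws03", r"C:\Users\bob\scratch", "notes.txt"))  # rare file in a rare directory
    return inv

if __name__ == "__main__":
    for hit in low_prevalence_outliers(build_sample()):
        print(hit)
```

The rule keys on prevalence alone, so the rare file in the rare directory is not reported while the one-off file in the fleet-wide directory is, whatever its name.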

7. Suspect Signer

Excerpt: In order to render the malware less suspicious, the current Carbanak samples are digitally signed.

Comment: Any suspect signer will raise suspicion. In one case a signer supplied a suspect anonymous Gmail address, which does not inspire confidence, and the risk score will be elevated for this image. In other cases no email address is provided. Signers can easily be listed and a Pareto analysis carried out to identify the more trusted versus the less trusted signers. If a less trusted signer is discovered in a more sensitive directory, then this is really suspicious.
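One way to carry out the Pareto analysis described above, as an added example that is not Ziften's code. Treating the low-frequency tail as "less trusted", the 80% cut-off, the sensitive-directory list and all signer names and paths are assumptions.

```python
from collections import Counter
from pathlib import PureWindowsPath

SENSITIVE = [PureWindowsPath(r"c:\windows\system32")]  # assumed sensitive roots

def pareto_tail(signers, head_share=0.8):
    """Rank signers by image count. A signer is in the head while the signers
    ranked before it cover less than head_share of all images; return the rest."""
    counts = Counter(signers)
    total = sum(counts.values())
    tail, running = set(), 0
    for signer, n in counts.most_common():
        if running / total >= head_share:
            tail.add(signer)
        running += n
    return tail

def flag_images(images, head_share=0.8):
    """images: list of (signer, path). Return paths signed by a tail signer
    that sit under a sensitive directory."""
    tail = pareto_tail([s for s, _ in images], head_share)
    flagged = []
    for signer, path in images:
        p = PureWindowsPath(path)  # Windows path comparison is case-insensitive
        if signer in tail and any(root in p.parents for root in SENSITIVE):
            flagged.append(path)
    return flagged

# Constructed sample: 100 signed images from four signers.
SAMPLE_IMAGES = (
    [("Microsoft Windows", rf"C:\Windows\System32\ms{i}.dll") for i in range(60)]
    + [("Mozilla Corporation", rf"C:\Program Files\Mozilla Firefox\m{i}.dll") for i in range(30)]
    + [("Example Vendor Ltd", rf"C:\Program Files\ExampleVendor\e{i}.dll") for i in range(8)]
    + [("Constructed Signer LLC", r"C:\Windows\System32\com\svchost.exe"),
       ("Constructed Signer LLC", r"C:\Users\bob\AppData\Local\Temp\setup.exe")]
)

if __name__ == "__main__":
    print(sorted(pareto_tail([s for s, _ in SAMPLE_IMAGES])))
    print(flag_images(SAMPLE_IMAGES))
```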

8. Remote Administration Tools

Excerpt: There seems to be a preference for the Ammyy Admin remote administration tool for remote control. It is thought that the attackers used this remote administration tool because it is commonly whitelisted in the victims’ environments as a result of being utilized frequently by administrators.

Comment: Remote admin tools (RATs) always raise suspicion, even if they are whitelisted by the organization. Anomaly checking would determine whether each new remote admin tool instance is temporally and spatially consistent. RATs are subject to abuse. Hackers will always prefer to use an organization's own RATs so that they can avoid detection, so these tools should not be given a pass every time just because they are whitelisted.

9. Patterns Of Remote Login

Excerpt: Logs for these tools indicate that they were accessed from 2 dissimilar IPs, probably used by the attackers, and located in Ukraine and France.

Comment: Always suspect remote logins, since all hackers are presumed to be remote. Remote logins are also used a lot in insider attacks, as the insider does not want to be identified by the system. Remote addresses and time pattern anomalies would be checked, and this should reveal low prevalence use (relative to peer systems) plus any suspect locations.

10. Atypical IT Tools

Excerpt: We have actually also found traces of many different tools utilized by the hackers inside the victim's network to gain control of additional systems, such as Metasploit, PsExec or Mimikatz.

Comment: Being sensitive apps, IT tools must always be checked for anomalies, because many hackers subvert them for malicious purposes. It is possible that Metasploit could be used by a penetration tester or vulnerability researcher, but instances of this would be uncommon. This is a prime example where an unusual observation report for vetting by security staff would lead to corrective action. It also highlights the problem that blanket whitelisting does not help in the identification of suspicious activity.
