Adversaries track developments within the security community to look for effective ways to skirt modern defenses. Our sensing technology (Guru), which surveils the security community, has been effective at ingesting signals relating to emerging attack vectors, sometimes 3 – 6 months ahead of confirmed campaigns. The signals we consume originate from social influencers, code repositories, CVE PoCs, community chatter and research blogs from within the security community. A recent example of our emerging threat technology being confirmed by actual adversary events was the Fox Kitten Campaign. This campaign was masterfully articulated in a report written by ClearSky Cyber Security, which recounted the activities of the suspected Iranian APT groups involved. Drilling down, we will focus on the methods the attackers used to gain credential access, methods that were signaled in advance by our platform, as early as July 2019.
Mimikatz and Endpoint Security
Mimikatz has long been an adversary staple for gaining credential access. Most endpoint security solutions will now easily detect the signatures and/or behaviors associated with Mimikatz, forcing adversaries to find new methods to skirt defenses. Additionally, default security features like Virtualization-Based Security (VBS) for Windows 10 Enterprise users significantly hinder credential dumping techniques, as the processes involved are shielded within a virtual environment. “The Microsoft hypervisor creates VSM and enforces restrictions which protect vital operating system resources, provides an isolated execution environment for privileged software and can protect secrets such as authenticated user credentials. With the increased protections offered by VBS, even if malware compromises the operating system kernel, the possible exploits can be greatly limited and contained because the hypervisor can prevent the malware from executing code or accessing secrets”. That being said, a significant part of the computer population is not running Enterprise edition but still has security solutions able to chew up tools like Mimikatz. This is where the security research in the latter half of 2019 focused, and how adversary tradecraft migrated in response.
Procdump + Mimikatz
Starting in the early fall of 2019, our sensors saw an explosion of activity in the security community relating to credential dumping techniques and tools. The first family of signals surrounded the use of ProcDump (a legitimate Microsoft tool) to dump LSASS memory and then parse the output with Mimikatz on an attacker-controlled endpoint. An interesting caveat to this technique was that if the command “procdump -ma lsass.exe lsass.dmp” was used without the PID for LSASS being specified, Defender would catch the behavior. Within the recently documented Fox Kitten Campaign, this command was issued to dump credentials during the attacks. In addition to the tradecraft chatter regarding ProcDump, our sensors ingested purpose-built tools that capitalize on this vector. Examples of exploit tools that utilize this vector are lsassy (“Extract credentials from lsass remotely”) and spraykatz (“Credentials gathering tool automating remote procdump and parse of lsass process”). Had defenders realized in advance that this vector was gaining significant traction, these attacks may have been prevented or detected earlier.
MiniDump + Mimikatz
Additional LSASS attack vectors were also simultaneously trending within the security community. Taking advantage of the Windows library “Dbghelp.dll”, attackers may call the function “MiniDumpWriteDump” to dump LSASS memory. Examples of tools that utilize this technique are MiniDump (“an alternative to procdump written in C# (perfect for execute-assembly)”) and SharpDump (“SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality”). Other tools utilizing this vector can possess additional advanced functionality like API unhooking and command and control integration. A great example of such a tool is Dumpert (“LSASS memory dumper using direct system calls and API unhooking”).
Had defenders had access to forward-looking cyber intelligence, they may have been able to mitigate or minimize some of the attacks associated with the Fox Kitten Campaign. While we have seen a direct correlation between Guru’s ingested signals relating to dumping LSASS memory and recent adversary behaviors, other variations targeting LSASS (such as MiniDump) can also be assumed to be in play. Defenders should look at how adversary tradecraft migrated from the security community (the use of ProcDump to dump LSASS plus offline Mimikatz) to an actual adversarial campaign (Fox Kitten). Defenders should threat hunt for indicators relating to the coexisting exploit vectors developing within the security community that are aimed at dumping LSASS memory.
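A hunt for the LSASS-dumping tradecraft described in the two sections above, written as an added example (this is not code from the original post or from any of the tools it names). It assumes endpoint telemetry shaped like Sysmon Event ID 1 (process creation) and Event ID 10 (process access); the dumper names, the allow-list of benign LSASS readers and the sample events are constructed.

```python
import re

# Dumpers named on the page; the shared technique is reading LSASS memory.
DUMPER_IMAGES = {"procdump.exe", "procdump64.exe", "sharpdump.exe",
                 "minidump.exe", "dumpert.exe"}
# Access rights a MiniDumpWriteDump-style dumper needs on the target process.
PROCESS_VM_READ, PROCESS_QUERY_INFORMATION = 0x0010, 0x0400
# Processes that routinely open LSASS on a stock host (assumption: tune per estate).
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe",
                   r"c:\windows\system32\wininit.exe"}
LSASS_RE = re.compile(r"\blsass(\.exe)?\b", re.IGNORECASE)


def classify(event):
    """Return a finding for one Sysmon-style event, or None if it looks benign."""
    if event["EventID"] == 1:  # process creation: only catches the name-based form
        image = event["Image"].rsplit("\\", 1)[-1].lower()
        cmd = event["CommandLine"]
        if image in DUMPER_IMAGES and LSASS_RE.search(cmd):
            return f"lsass dump via {image}: {cmd}"
    elif event["EventID"] == 10:  # process access: catches the PID form as well
        if event["TargetImage"].lower().endswith("\\lsass.exe"):
            src = event["SourceImage"].lower()
            access = int(event["GrantedAccess"], 16)
            wants_read = access & PROCESS_VM_READ and access & PROCESS_QUERY_INFORMATION
            if src not in ALLOWED_SOURCES and wants_read:
                return f"lsass handle with VM_READ from {src} (0x{access:x})"
    return None


# Constructed sample telemetry, not real logs. Event 2 is the PID form, which
# leaves no "lsass" string in the command line; event 3 is the handle that form
# still has to open, which is where the hunt should key.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Tools\procdump.exe",
     "CommandLine": "procdump -ma lsass.exe lsass.dmp"},
    {"EventID": 1, "Image": r"C:\Tools\procdump.exe",
     "CommandLine": "procdump -ma 624 out.dmp"},
    {"EventID": 10, "SourceImage": r"C:\Tools\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]


def hunt(events):
    """Run classify() over a list of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]
```

Running `hunt(SAMPLE_EVENTS)` yields two findings: the command-line match for the name-based ProcDump invocation and the handle-based match for the PID form, which the command-line rule alone misses.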
A Preamble on Link Analysis
Graphing relationships adds another level of context when looking at emerging exploit technologies. For instance, if a new exploit tool is connected with a development cluster that has produced other effective exploit technologies, the probability is high that this tool will also be effective. Following that train of thought, authors within a development cluster are typically also connected to other similar projects, and insights may be obtained from this reasoning. This became apparent when our sensors ingested the tool evilginx2 and then proceeded to map the development cluster for that tool. It was because of this mapping (seeing the other projects the developers were working on) that we found an entire colony of exploit tools targeting 2-factor authentication 6 months before the FBI released an official Private Industry Notification warning about these technologies. “At the June 2019 Hack-in-the-Box conference in Amsterdam, cyber security experts demonstrated a pair of tools—Muraena and NecroBrowser—which worked in tandem to automate a phishing scheme against users of multi-factor authentication. The Muraena tool intercepts traffic between a user and a target website where they are requested to enter login credentials and a token code as usual. Once authenticated, NecroBrowser stores the data for the victims of this attack and hijacks the session cookie, allowing cyber actors to log into these private accounts, take them over, and change user passwords and recovery e-mail addresses while maintaining access as long as possible.” Lastly, we know that adversaries surveil the security community to look for innovative ways to migrate their tradecraft and skirt modern defenses. By analyzing connections within the graph, the level of social influence exerted by a development cluster can be assessed and an exposure probability for an exploit tool can be determined.
Our analysis indicates that adversaries are more likely to migrate their tradecraft to new technologies where they already know and follow the authors in some capacity. To summarize this idea, exploit tools coming from development clusters with low social influence may still be quite effective but may lack the overall exposure to be widely adopted by adversaries.
Continuing with the example development cluster above, additional mapping revealed a tool connected to the evilginx2 development cluster which automated the setup of these tools targeting 2FA. “Phish-Composer is a docker-compose project intended to spin up three docker images often used together for phishing. The individual components of this infra are GoPhish, Evilginx2, and Postfix.” While this automation framework leverages evilginx2 to phish 2FA, we felt another tool within the cluster was also worth mentioning. “Muraena is an almost-transparent reverse proxy aimed at automating phishing and post-phishing activities.” It will be of great value for adversaries to set up advanced initial access tooling in a repeatable and secure fashion using automation.
Red-Baron is part of a development cluster that has prolific exploit tool makers. One such maker goes by the alias byt3bl33d3r and has co-developed tools like SILENTTRINITY, CrackMap and Empire. “Red Baron is a set of modules and custom/third-party providers for Terraform which tries to automate creating resilient, disposable, secure and agile infrastructure for Red Teams. During Red Team assessments, infrastructure creation and management can be a huge time sink. This project tries to alleviate this by attempting to automate some (if not all) aspects by providing a set of modules and example configurations: testers can pick & choose the infrastructure to be created and configure it to their needs.” This tool can create complex infrastructure, such as redirector and command and control servers, across multiple cloud platforms.
“Redcloud is a powerful and user-friendly toolbox for deploying a fully featured Red Team Infrastructure using Docker. Harness the cloud's speed for your tools. Deploys in minutes. Use and manage it with its polished web interface. Ideal for your penetration tests, shooting ranges, red teaming and bug bounties! Self-host your attack infrastructure painlessly, deploy your very own live, scalable and resilient offensive infrastructure in a matter of minutes.” Similar to Red-Baron, this tool aims at deploying full-featured adversary infrastructure but with its own polished interface.
It stands to reason that setting up adversary infrastructure in an automated fashion will become a standard. Considering the efficiency and operational security advantages, setting up infrastructure in a repeatable and secure manner can have huge benefits for adversaries. Using automation to set up more complex components such as redirector servers (Apache mod_rewrite) could stop operators from falling back on default infrastructure deployments that are easily located by blue teamers.
Over the past few years, Cobalt Strike has become an industry standard for professional red teamers, state-sponsored actors and cyber criminals alike. Cobalt Strike is defined as “a commercial, full-featured, penetration testing tool which bills itself as ‘adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.’” Cobalt Strike has been leveraged by advanced persistent threat groups like APT19, APT29, APT32, FIN7 and Cobalt Group to facilitate various campaign objectives. In order to try and keep this powerful tool out of the hands of malicious actors, Strategic Cyber LLC (creators of Cobalt Strike) imposes export controls and monitors for illicit usage. Despite software licensing for Cobalt Strike being strictly controlled, adversaries crack trial versions of the software and disseminate them across various channels frequented by the criminal underworld. Some of these cracked versions are sold and some are distributed for free, but a free version most likely means you are sharing your experience with someone else via a backdoor.
Fingerprinting Cobalt Strike Servers
Researchers at Fox-IT and Recorded Future started utilizing fingerprints unique to Cobalt Strike team servers to find adversary C2 infrastructure in the wild. On June 18, 2019, Recorded Future published a report detailing the features they employed to fingerprint team servers and expounded on their effectiveness. The methods used to fingerprint Cobalt Strike servers were to look for default security certificates, to check whether the DNS server would respond to any DNS request, to look for port 50050 usage and a unique 404 response, and, for versions prior to 3.13, to look for a null space in the HTTP response that identified the team servers. This proved quite effective, as many operators seemed to run on default configurations even after these security publications: “The continued identification of Cobalt Strike servers using an outdated version of the framework (via the null space in the HTTP header) and the default configurations may indicate that a large population of Cobalt Strike servers are cracked or stolen versions. It may also be an instance of operators not reading security publications, but the answer may be more simple than that — most targets are not likely searching for Cobalt Strike servers, and the payloads remain effective, so why change their behavior?” In response to these advances in breaching adversary operational security, “Cobalt Strike operators were encouraged by Strategic Cyber LLC in their February study to make use of an Apache or Nginx web server as a “redirector” to proxy their traffic; this precludes simple detections of Cobalt Strike servers by removing the anomalous HTTP responses, default security certificates, and other such identifiers from the equation”.
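A defender-side check for the HTTP traits listed above (the pre-3.13 null space at the end of the status line, the distinctive 404 reply on an unknown path, and the default port 50050), written as an added example rather than code from the original post or from either research team. The response samples are constructed, and the assumption that the distinctive 404 is a text/plain reply with an empty body is mine, not the page’s; the third sample shows why a redirector in front of the team server removes these signals.

```python
def http_indicators(raw, port=None):
    """Return the indicator names matched by one raw HTTP response (bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    hits = []
    # Team servers before 3.13 ended the status line with an extra space
    # (the "null space" that the report keyed on).
    if status != status.rstrip():
        hits.append("status-line-trailing-space")
    # Default 404 for an unknown path: text/plain with no body (assumed default).
    parts = status.split()
    if (len(parts) >= 2 and parts[1] == b"404" and body == b""
            and headers.get(b"content-type") == b"text/plain"):
        hits.append("bare-404")
    # The default team server management port; a weak signal on its own.
    if port == 50050:
        hits.append("default-port-50050")
    return hits


# Constructed responses, not captures from any real server.
OLD_DEFAULT = (b"HTTP/1.1 404 Not Found \r\nContent-Type: text/plain\r\n"
               b"Date: Tue, 18 Jun 2019 12:00:00 GMT\r\nContent-Length: 0\r\n\r\n")
# Same server after the 3.13 fix: the trailing space is gone, the 404 stays.
PATCHED_DEFAULT = OLD_DEFAULT.replace(b"Not Found \r\n", b"Not Found\r\n")
# Same server behind an nginx redirector: the reply is the proxy's, not the team server's.
BEHIND_REDIRECTOR = (b"HTTP/1.1 404 Not Found\r\nServer: nginx\r\n"
                     b"Content-Type: text/html\r\nContent-Length: 35\r\n\r\n"
                     b"<html><body>Not Found</body></html>")


def score(raw, port=None):
    """Count matched indicators; more hits means a stronger case for follow-up."""
    return len(http_indicators(raw, port))
```

Each indicator on its own is circumstantial, so a hunt should combine the score with the certificate and DNS checks the report also describes before treating a host as a team server.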
In its closing thoughts, the report stated “Obstacles other than intentional tradecraft may prevent the patching of Cobalt Strike servers, including lack of knowledge of the update due to a language barrier, operational comfort with currently installed versions, or other modifications that prevent the installation of the update.” But things are never so neat in reality.
Increased Cobalt Strike Momentum
Starting in mid-summer 2019, our intelligence sensors started ingesting significantly more material related to Cobalt Strike, emanating from the Chinese security community. Our investigations led us to an actor presumed to be Chinese (Mrxn) who was creating and disseminating cracked versions of exploit software on his/her personal blog. One post in particular caught our eye, entitled “CobaltStrike3.14破解 / English: CobaltStrike3.14 crack”, published one day after Recorded Future released the report mentioned above.
In that blog post, we see the actor Mrxn discussing the operational security problems with Cobalt Strike versions prior to 3.13, confessing to cracking and distributing a cracked version of Cobalt Strike 3.14, briefly explaining which files to alter to crack the software, and providing links to cracked and trial versions of Cobalt Strike.
Our sensors continued to ingest material related to Cobalt Strike, this time finding aggregations of red team resources being translated into Chinese. These vast lists contained detailed information on a wealth of adversary topics, but it was the in-depth explanation of red team infrastructure that made us realize that a language barrier was actually no barrier at all. In a code repository entitled “RedTeam-BCS” we found a detailed explanation of Cobalt Strike infrastructure tactics. Under the heading “基础设施架构设计部署 - Infrastructure architecture design and deployment” we saw detailed teachings on how a redirector server functions and how it is used operationally.
A key theory on which we based our backend cyber intelligence tooling was “tradecraft migration”. We define “tradecraft migration” as an adversary’s willingness to shift their TTPs (Tactics, Techniques and Procedures) to skirt innovation in cyber defenses while expending the least amount of resources to do so. In practice, adversaries just need to employ a good cyber intelligence program to accomplish this, leveraging and building on innovation that is already taking place within the security community. We see security researcher content consistently shared and discussed on criminally controlled communication assets. The above scenario is an excellent representation of tradecraft migration for these reasons:
Our analysis indicates that more advanced forms of adversary infrastructure obfuscation such as leveraging redirectors, domain fronting or utilizing legitimate web services will become a standard in adversary tradecraft, if it’s not already. Defenders should not presume a language barrier is any kind of obstacle preventing adversaries from learning and deploying advanced infrastructure obfuscation tactics. As we indicated above, that is clearly not the case. Using tradecraft such as redirector servers to obscure Cobalt Strike infrastructure makes blue team detection strategies significantly less effective – especially when redirectors are paired with proper domain categorization and HTTPS. Knowing adversarial capabilities in near real-time is a powerful tool for defenders and must be utilized to come up with new, innovative detection methods for things like Cobalt Strike team servers.