A Preamble on Link Analysis
Graphing relationships adds another level of context when looking at emerging exploit technologies. For instance, if a new exploit tool is connected with a development cluster that has produced other effective exploit technologies, the probability is high that this tool will also be effective. Following that train of thought, authors within a development cluster are typically also connected to other similar projects, and mapping those connections yields further insight. This became apparent when our sensors ingested the tool evilginx2 and we then proceeded to map the development cluster for that tool. It was because of this mapping (seeing the other projects the developers were working on) that we found an entire colony of exploit tools targeting 2-factor authentication 6 months before the FBI released an official Private Industry Notification warning about these technologies. “At the June 2019 Hack-in-the-Box conference in Amsterdam, cyber security experts demonstrated a pair of tools--Muraena and NecroBrowser--which worked in tandem to automate a phishing scheme against users of multi-factor authentication. The Muraena tool intercepts traffic between a user and a target website where they are requested to enter login credentials and a token code as usual. Once authenticated, NecroBrowser stores the data for the victims of this attack and hijacks the session cookie, allowing cyber actors to log into these private accounts, take them over, and change user passwords and recovery e-mail addresses while maintaining access as long as possible.” Lastly, we know that adversaries surveil the security community, looking for innovative ways to migrate their tradecraft and skirt modern defenses. By analyzing connections within the graph, the level of social influence exerted by a development cluster can be assessed and an exposure probability for an exploit tool can be determined.
Our analysis indicates that adversaries are more likely to migrate their tradecraft to new technologies where they already know and follow the authors in some capacity. To summarize this idea, exploit tools coming from development clusters with low social influence may still be quite effective but may lack the overall exposure to be widely adopted by adversaries.
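The reasoning in the two paragraphs above can be made concrete with a small graph model. The following is an added illustration written for this page, not the authors' sensor pipeline or scoring model. It builds a bipartite author/tool graph, finds development clusters as connected components, and for a newly ingested tool reports (a) how many of its cluster peers are already rated effective and (b) a normalized exposure score derived from the social reach of the cluster's authors. Edges the text states (byt3bl33d3r with SILENTTRINITY, CrackMap and Empire; evilginx2, Phish-Composer and Muraena in one cluster) are used as given; `author_a`, `author_b`, `author_c`, `lone-tool`, the follower counts and the effectiveness labels are constructed placeholders.

```python
"""Toy link analysis over an author/tool relationship graph (added example)."""
from collections import defaultdict, deque

# Constructed sample graph. Handles prefixed "author_" are placeholders, not real identities.
NODES = {
    "byt3bl33d3r": "author",
    "author_a": "author",      # placeholder co-developer linking Red-Baron into the cluster
    "author_b": "author",      # placeholder author for the 2FA-phishing cluster
    "author_c": "author",      # placeholder author of an isolated tool
    "SILENTTRINITY": "tool", "CrackMap": "tool", "Empire": "tool", "Red-Baron": "tool",
    "evilginx2": "tool", "Phish-Composer": "tool", "Muraena": "tool", "NecroBrowser": "tool",
    "lone-tool": "tool",       # placeholder: a tool with no connected cluster
}
EDGES = [
    ("byt3bl33d3r", "SILENTTRINITY"), ("byt3bl33d3r", "CrackMap"), ("byt3bl33d3r", "Empire"),
    ("author_a", "Red-Baron"), ("author_a", "SILENTTRINITY"),
    ("author_b", "evilginx2"), ("author_b", "Phish-Composer"),
    ("author_b", "Muraena"), ("author_b", "NecroBrowser"),
    ("author_c", "lone-tool"),
]
# Constructed analyst labels: tools already rated effective.
EFFECTIVE = {"SILENTTRINITY", "CrackMap", "Empire", "evilginx2", "Muraena"}
# Constructed social reach per author (e.g. follower counts); placeholder numbers.
FOLLOWERS = {"byt3bl33d3r": 9000, "author_a": 2500, "author_b": 4000, "author_c": 30}


def build_adjacency(edges):
    """Undirected adjacency sets from an edge list."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def connected_components(nodes, adj):
    """Breadth-first search; each component is one development cluster."""
    seen, components = set(), []
    for start in nodes:
        if start in seen:
            continue
        component, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            component.add(node)
            for neighbour in adj.get(node, ()):
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
        components.append(component)
    return components


def cluster_influence(cluster, node_kind, followers):
    """Social influence proxy: total reach of the authors in a cluster."""
    return sum(followers.get(n, 0) for n in cluster if node_kind[n] == "author")


def assess_tool(tool, nodes=NODES, edges=EDGES, effective=EFFECTIVE, followers=FOLLOWERS):
    """Score a tool by its cluster's track record and the cluster's relative exposure."""
    adj = build_adjacency(edges)
    components = connected_components(nodes, adj)
    cluster = next(c for c in components if tool in c)
    peers = [n for n in cluster if nodes[n] == "tool" and n != tool]
    effective_rate = sum(p in effective for p in peers) / len(peers) if peers else 0.0
    influence = cluster_influence(cluster, nodes, followers)
    max_influence = max(cluster_influence(c, nodes, followers) for c in components) or 1
    return {
        "cluster_size": len(cluster),
        "peer_tools": sorted(peers),
        "effective_rate": round(effective_rate, 2),   # prior that the new tool is effective
        "influence": influence,
        "exposure": round(influence / max_influence, 2),  # likelihood adversaries will notice it
    }


if __name__ == "__main__":
    for name in ("Red-Baron", "NecroBrowser", "lone-tool"):
        print(name, assess_tool(name))
```

In this model a tool such as the isolated `lone-tool` gets a low exposure score regardless of its own quality, which is exactly the distinction the text draws between a tool being effective and a tool being widely adopted.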
Continuing with the example development cluster above, additional mapping revealed a tool connected to the evilginx2 development cluster which automated the setup of these tools targeting 2FA. “Phish-Composer is a docker-compose project intended to spin up three docker images often used together for phishing. The individual components of this infra are GoPhish, Evilginx2, and Postfix.” While this automation framework leverages evilginx2 to phish 2FA, we felt another tool within the cluster was also of notable mention. “Muraena is an almost-transparent reverse proxy aimed at automating phishing and post-phishing activities.” Automation is of great value to adversaries because it lets them set up advanced initial-access tooling in a repeatable and secure fashion.
Red-Baron is part of a development cluster that has prolific exploit tool makers. One such maker goes by the alias byt3bl33d3r and has co-developed tools like SILENTTRINITY, CrackMap and Empire. “Red Baron is a set of modules and custom/third-party providers for Terraform which tries to automate creating resilient, disposable, secure and agile infrastructure for Red Teams. During Red Team assessments, infrastructure creation and management can be a huge time sink. This project tries to alleviate this by attempting to automate some (if not all) aspects by providing a set of modules and example configurations: testers can pick & choose the infrastructure to be created and configure it to their needs.” This tool can create complex infrastructure, such as redirector and command and control servers, across multiple cloud platforms.
“Redcloud is a powerful and user-friendly toolbox for deploying a fully featured Red Team Infrastructure using Docker. Harness the cloud's speed for your tools. Deploys in minutes. Use and manage it with its polished web interface. Ideal for your penetration tests, shooting ranges, red teaming and bug bounties! Self-host your attack infrastructure painlessly, deploy your very own live, scalable and resilient offensive infrastructure in a matter of minutes.” Similar to Red-Baron, this tool aims to deploy full-featured adversary infrastructure, but with its own polished interface.
It stands to reason that setting up adversary infrastructure in an automated fashion will become a standard. Considering the efficiency and operational security advantages, setting up infrastructure in a repeatable and secure manner can have huge benefits for adversaries. Using automation to stand up more complex components, such as redirector servers built on Apache mod_rewrite, could also remove the need for operators to fall back on default infrastructure deployments, which blue teams can locate easily.