Acalvio Threat Research Labs
Web servers are becoming one of the common entry vectors in breaches. In the last blog, I shared the details of a deception-based architecture to prevent breaches that use a web server as the entry vector. In this blog, we take the Zealot campaign as a case study to show the effectiveness of a deception-based architecture.
F5 Labs recently disclosed the Zealot campaign. It exploits a vulnerability in Apache Struts. Upon successful exploitation, the threat actor then uses the EternalBlue and EternalSynergy exploits to mine Monero in the internal network [1]. As per the investigation:
- Zealot collectively exploits servers vulnerable to:
  - CVE-2017-5638: Apache Struts Jakarta Multipart Parser attack.
  - CVE-2017-9822: DotNetNuke (DNN) content management system vulnerability.
- The attack leverages the EternalBlue and EternalSynergy exploits for lateral movement inside networks.
When the exploit is running on a Windows machine, it downloads the SMB exploit package zealot.zip and raven64.exe, which performs network enumeration [1]. For infection, as shown in Figure 1.0, Raven64.exe generates class B IPv4 private network addresses pseudo-randomly in a static manner.
Figure 1.0: memory page showing the generated IPv4 addresses.
TCP SYN packets are then sent to the SMB ports of these IP addresses. Raven64.exe invokes Zealot.py, which uses the EternalSynergy and EternalBlue exploits for lateral movement to the computers in the class B private network address range.
Figure 3.0: TCP SYN traffic to IPv4 addresses on SMB ports.
Further details of post-exploitation are discussed in the F5 Networks blog [1] and hence are not repeated here.
A distributed deception architecture involves projecting service deceptions such as SMB, SSH, etc. into the internal class B IPv4 private network address range. When these deceptions are accessed:
- Alerts are generated, which are validated by proprietary algorithms for the possibility of a breach [2].
- Or the threat is diverted to a high-engagement platform, where every stage of the breach is executed. The execution of each step of a multi-stage attack generates IoCs [3], which can then be used to validate the breach.
When raven64.exe sends TCP SYN packets to the class B IP addresses, as shown in Figure 3.0, it is detected by the distributed deception architecture (shown in Figure 4.0).
Figure 4.0: alert generated from the TCP SYN.
There is a very low probability that a web server will legitimately attempt to establish a connection to the deceptions projected in the internal network. Hence, a TCP SYN packet received from the web server instantly becomes an indicator of breach with a probability close to 100%.
A deception-centric architecture detects the second stage of the payload, and hence the detection becomes independent of the vulnerability exploited at the first stage. The first stage can use 0-days or known vulnerabilities. A deception-centric architecture raises an alert if the second or any subsequent phase touches the deceptions. Since the deception-centric architecture complements the existing inline monitoring and detection architecture, it is a recommended architecture to prevent breaches.
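The detection logic described above, as an added example written for this post (it is not Acalvio's product code or anything from the F5 write-up): a small analyser that runs over flow records and raises an alert for every initial TCP SYN that reaches a projected decoy, with high confidence when the source is a web server, and that flags sources which touch several distinct decoys, which is the pattern a pseudo-random sweep of the class B range produces. The decoy addresses, the web-server address, the 10.20.0.0/16 range and the flow-log line format are all constructed for this example.

```python
"""Alert on TCP SYN traffic that reaches projected SMB/SSH deceptions.

Added example, not Acalvio's or F5's code. All addresses, the decoy
inventory and the flow-log format below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: class B private range into which deceptions are projected.
DECOY_NET = ipaddress.ip_network("10.20.0.0/16")
# Constructed: addresses of the projected deceptions (nothing real lives here).
DECOY_HOSTS = {ipaddress.ip_address(a)
               for a in ("10.20.3.17", "10.20.44.9", "10.20.200.250")}
# Constructed: the internet-facing web server, i.e. the likely entry vector.
WEB_SERVERS = {ipaddress.ip_address("10.20.1.5")}
SMB_PORTS = {139, 445}

assert all(h in DECOY_NET for h in DECOY_HOSTS), "decoys must sit in the projected range"


@dataclass
class Alert:
    src: str
    dst: str
    dport: int
    confidence: str   # "high": web server touched a decoy; "medium": any other host


def parse_flow(line):
    """Parse one constructed flow record: '<ts> <src>:<sport> -> <dst>:<dport> <flags>'."""
    ts, src, _arrow, dst, flags = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dport), flags


def classify(src, dst, dport, flags):
    """Return an Alert if this record is an initial SYN to a decoy, else None."""
    if flags != "S":                 # only the first SYN; SYN-ACK replies are "SA"
        return None
    if dst not in DECOY_HOSTS:       # traffic to real hosts is not our concern here
        return None
    # A web server has no business opening connections to internal decoys,
    # so that case is close to a certain indicator of breach.
    confidence = "high" if src in WEB_SERVERS else "medium"
    return Alert(str(src), str(dst), dport, confidence)


def detect(lines):
    """Run every flow record through classify() and collect the alerts."""
    alerts = []
    for line in lines:
        _ts, src, dst, dport, flags = parse_flow(line)
        alert = classify(src, dst, dport, flags)
        if alert is not None:
            alerts.append(alert)
    return alerts


def sweep_sources(alerts, min_decoys=2):
    """Sources that touched at least min_decoys distinct decoys.

    One SYN to one decoy may be a misconfiguration; hitting several decoys
    scattered over the range is what a pseudo-random address sweep looks like.
    """
    seen = {}
    for a in alerts:
        seen.setdefault(a.src, set()).add(a.dst)
    return {src for src, dsts in seen.items() if len(dsts) >= min_decoys}


# Constructed flow records: a compromised web server sweeping SMB ports,
# one workstation touching a single decoy, and a decoy's SYN-ACK reply.
SAMPLE_FLOWS = [
    "2017-12-20T10:00:01 10.20.1.5:51234 -> 10.20.3.17:445 S",
    "2017-12-20T10:00:01 10.20.1.5:51235 -> 10.20.44.9:445 S",
    "2017-12-20T10:00:02 10.20.1.5:51236 -> 10.20.9.9:445 S",       # real host, no alert
    "2017-12-20T10:00:03 10.20.7.8:40000 -> 10.20.200.250:445 S",
    "2017-12-20T10:00:04 10.20.3.17:445 -> 10.20.1.5:51234 SA",     # reply, ignored
    "2017-12-20T10:00:05 10.20.7.8:40001 -> 10.20.200.250:22 S",
]

if __name__ == "__main__":
    found = detect(SAMPLE_FLOWS)
    for a in found:
        print(f"[{a.confidence}] {a.src} -> {a.dst}:{a.dport}")
    print("sweeping sources:", sweep_sources(found))
```

Real deployments would feed this from a flow collector or the decoy's own connection log rather than a string list, and the web-server set would come from the asset inventory; the classification rule itself is the point: any SYN to a decoy is worth an alert, and one from the web server is treated as a breach.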
IoCs:
- dcaa9e0cfeef2e0fd9360ddb72b19227
- b22bded796e83cd19335180083eabf07a681b913189b40a1615f5308d8bdd36c
References: