We got called into a client last week for an interesting issue. Someone had updated and patched their servers, and a day later all the workstations, including the 3rd-party software on those workstations. Nothing was broken per se; however, people were confused because some of that patching and updating resulted in lost configurations as well as some skin changes. Nothing significant, but those "cosmetic" changes are what got them asking, "Did you update this system?" "No I didn't, I thought you did..."
The client tried to figure out what they could on their own, and reluctantly called us. They weren't mad, but confused and a little troubled that someone may have a method to get into their network without being noticed. Granted, most networks are not looking for good, they are looking for bad. On the surface, an admin account logged into each server in question and ran a PowerShell script that would result in obtaining the latest Microsoft updates and applying them. The script was practically verbatim of this Microsoft Blog Script: How Can I Search For, Download, and Install an Update?
All of that is very interesting in and of itself, but to the client's main point: Is there someone with an easy way or backdoored entrance to their network? While we've ruled out typical malicious backdoors, they used a variety of Remote Desktop software, and one Remote Desktop product in particular has had a lot of attention the past week. The mitigations for that software were also implemented, but we do think that was the initial method the "vigilante admin", as we dubbed them, probably used to gain access. Shodan showed they were vulnerable to the attack, and we were able to find a popular VPN IP connecting to the host that was first patched and where the other patching activity appeared to stem from.
We have stepped up the monitoring for this client, and are altering how we will monitor our other clients for something similar. In this case, no harm no foul as far as lost revenue or disruption of services. However, even if the white knight was well intentioned, they could have broken or hurt more than they were helping. If anything further develops or IOCs are found, we'll share them here.
A few days ago in a tabletop exercise with a client, the subject was brought up of how cheap, available and open electronics and software have become. Anyone, just about anywhere, could make, purchase, or order tailored devices that do anything you'd want them to; for good or, in this case, for bad. For instance, you can go to a web forum for programmers and ask how to make your program log keystrokes, and often for free you'd get a quick answer or a link to an answer. Another example: the Pi Zero is tiny, very powerful and very cheap. It is an entire computer with connectivity and plenty of processing power, and only the size of two sticks of gum. Many ICs and chips have been created that do wondrous and amazing amounts of work in the most minuscule footprint. These devices are so small and so powerful that they are easily concealed or hidden and can carry out very complex tasks without being seen.
Our analysts have a propensity to look at most if not all items like technology and software from a dual-use perspective; what might seem like a great way to address one problem for good may be just as useful for bad. Facial recognition came up in this discussion. It would be a great use of that tech to authenticate someone entering a secure area. But what if they have a literal evil twin, an identical sibling who can also get into that area just based on their face? Employee credential sharing happens more than you think. Foreign consultants have been found abusing card access systems: one employee leaves and hands over their badge to another person. That person then enters the building and continues the work the last person was doing.
In this day and age you could be guilty by proximity: your phone is in the same area as where people are killed in separate incidents, or your phone was joined to a network near where something bad happened. Context is lost in most metadata, so it makes sense for the police to suspect you of the crimes; your phone was in the "right" place at the "right" time, so it may stand to reason to suspect you. Your Google Home or Alexa recorded you saying you want to hurt your boss, and if he or she ended up hurt, the police may subpoena the recordings of you saying you wished harm to your boss... the context may get lost and you become a prime suspect.
Again, this is where convenience and security are at odds. Laser beams modulated with voice commands and aimed at microphones do transfer enough signal to the mics to carry out the command. No voice print, PIN or other authentication is typically needed. This kind of thing sort of happened a few years ago when news stories would say the "OK Google" or "Alexa" wake phrases. The TV said the wake phrase, then a command, and the digital assistant carried out the command.
All of this is to say, look for us to drop some "adversarial" ideas and PoCs in this space soon :p
Ransomware typically holds your data within your computer(s), right where it was, just locked up inside some encryption. Now the criminals are getting wise that fewer and fewer companies are paying the ransom. So Plan B is: pay me (the bad guy) something to keep this same data out of the public eye, and away from usurpers or the competition. The bad guys have the decryption key (typically), so this just makes sense: if the victim was unable to stop the initial attack that led to the data being encrypted, maybe they won't detect the exfiltration of it either.
There are also groups breaking into companies and then selling that access to ransomers. That means the ransomers are out a little at first, but might have more access or more computers within the companies to hold for ransom and/or blackmail.
None of these are new ideas; in fact, it's a testament to the human predilection for doing good that none of this has happened sooner. Doomsday or worst-case scenarios are super easy to come up with, and any virus that spread well in the past could have done any of these same things that are just now being done.
What's next, you ask? Something similar to what's going on with phone apps that spy on you or steal your data: desktop software that does the same. The software will seem legit, and even have support and help available. Secretly, it will steal your data or store it in the cloud, and the company will then sell the backup data to your competitors, or that company will all of a sudden start holding your computers/data hostage. Trojans are one thing; this will be on another level. Software that passively monitors your computer for details: whom you correspond with in email, keywords you type in those emails, IMs or Slack postings. Real-life bad guys will get alerts on these keywords, and they will have access into your computer; they will find you bad-mouthing your CEO, or cheating on your spouse. Maybe they find you colluding with the competition, or someone signing off on risky behavior that, if made public, could affect stock prices... HR systems will be a great target for this type of blackmail, and could certainly be rife with data that a blackmailer would use. #ToldYaSo #TruDat
Got an interesting paste alert for: https://pastebin.com/XQuWZHU5
Had to make some changes (the URL), but the steps the macro takes do avoid detection in our testing. Not to say it's the stealthiest thing or anything; it uses a macro, but it does have a few new nuances that are interesting.
Very clever finding a character that is accepted as an "L" while not being a US-ASCII "L". Then renaming cmd.exe and certutil.exe to Chrome and Firefox will likely work as a bypass for a short time as well.
We found too that the paste hinted at another LOLBAS: it looks like Tanium is looking for a "/y" in the esentutl.exe rule, and has no rule for the "-y" argument! Now the en-dash and em-dash, while clever for certutil, we could not find many exes accepting them, but there are others that did. The en-dash really looks like a normal dash in the logs, but the em-dash does stand out more; still, that could certainly get past a junior analyst.
We'll be informing Tanium of this shortly. The rule as it stands:
process.command_line contains '/y' AND process.path ends with 'esentutl.exe'
Just use "esentutl.exe -y"; there are probably dozens of similar "bypasses" of HIDS since many binaries accept multiple argument separators.
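As an added defender-side illustration (not the post's or Tanium's code) of why a rule keyed on the literal "/y" is brittle, here is a small normaliser that folds the separator variants discussed above before matching, so one rule covers "/y", "-y" and the typographic dashes; the event field names and the sample command lines are constructed.

```python
import unicodedata

# Added example: normalise process command lines before applying a switch rule.
# The (process_path, command_line) event shape and all sample events are constructed.

# Typographic dashes that NFKC leaves untouched but some argument parsers accept.
DASH_LIKE = {"\u2010", "\u2011", "\u2012", "\u2013", "\u2014", "\u2015"}


def normalize_cmdline(cmd: str) -> str:
    """Return a lower-cased command line with lookalike separators folded to ASCII."""
    # NFKC folds compatibility forms (e.g. fullwidth letters or a fullwidth '/')
    # to ASCII; it does NOT fold true homoglyphs such as Cyrillic letters.
    cmd = unicodedata.normalize("NFKC", cmd)
    cmd = "".join("-" if ch in DASH_LIKE else ch for ch in cmd)
    return cmd.lower()


def has_switch(cmd: str, name: str) -> bool:
    """True if any whitespace-separated token is switch `name` with a '/' or '-' prefix."""
    wanted = {"/" + name, "-" + name}
    return any(tok in wanted for tok in normalize_cmdline(cmd).split())


def flags_esentutl_y(process_path: str, command_line: str) -> bool:
    """Normalised form of the rule quoted above: esentutl.exe run with /y or -y.
    The path test is kept as in that rule; a renamed binary still defeats it."""
    return process_path.lower().endswith("esentutl.exe") and has_switch(command_line, "y")


# Constructed sample telemetry: (process_path, command_line)
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\esentutl.exe", "esentutl.exe /y src.edb /d dst.edb"),
    (r"C:\Windows\System32\esentutl.exe", "esentutl.exe -y src.edb /d dst.edb"),
    (r"C:\Windows\System32\esentutl.exe", "esentutl.exe \u2013y src.edb /d dst.edb"),  # en-dash
    (r"C:\Windows\System32\esentutl.exe", "esentutl.exe \u2014y src.edb /d dst.edb"),  # em-dash
    (r"C:\Windows\System32\esentutl.exe", "esentutl.exe /p src.edb"),  # different switch
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe -y src.edb"),  # wrong path
]


def scan(events):
    """Return the indices of the events the normalised rule flags."""
    return [i for i, (path, cmd) in enumerate(events) if flags_esentutl_y(path, cmd)]


if __name__ == "__main__":
    print("flagged events:", scan(SAMPLE_EVENTS))  # [0, 1, 2, 3]
```

The original literal rule would only have matched the first event; the last two stay unflagged because the switch or the binary differs.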
During this year's DerbyCon (the final one :( ) we saw a guy with a carbon fiber derby! Very cool, very tough, and made with CF of course and "bar resin" as he called it (instead of polyester resin). He was also giving a talk about some devices his company made for a client engagement that used carbon fiber cloth materials. While we didn't attend the talk itself, we have watched it since and wow, really interesting work! We're still a little skeptical it's as easy as it was stated in the talk, but also kinda-sorta see how what he (they?) claimed in the talk could 100% work. Below is a picture of the CF derby, outfitted with sound-activated LEDs, a Bluetooth speaker (exciter?) and googly eyes, naturally ;)
Link to the talk: RFID sniffing under your nose and in your face