How Ziften Continuous Endpoint Monitoring Would Have Dealt With Indicators Of Compromise Carbanak 3 – Charles Leaver

Presented By Charles Leaver And Written By Dr Al Hartmann

Part 3 in a 3-part series

Below are excerpts of Indicators of Compromise (IoCs) from the technical reports on the Anunak/Carbanak APT attacks, with comments on how the Ziften continuous endpoint monitoring service would discover them. The Ziften system focuses on generic indicators of compromise that have held up over decades of hacker attacks and cyber security experience; such IoCs can be identified on any operating system, including Linux, OS X and Windows. Specific indicators of compromise also exist that identify C2 infrastructure or particular attack code instances, but these are short-lived and are not typically reused in fresh attacks; there are billions of such artifacts in the cyber security world, with thousands added each day. The generic IoCs are built into the Ziften security analytics for the supported operating systems, while the specific IoCs are drawn by the Ziften Knowledge Cloud from subscriptions to a number of industry threat feeds and watch lists that aggregate them. Both kinds have value and help in triangulating attack activity.

1. Exposed vulnerabilities

Excerpt: All observed cases utilized spear phishing emails with Microsoft Word 97–2003 (.doc) files attached or CPL files. The doc files exploit both Microsoft Office (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761).

Comment: Not strictly an IoC, but critical unpatched vulnerabilities are a major hacker entry point and a large red flag that raises the risk score (and the SIEM priority) for the endpoint, particularly if other indicators are also present. These vulnerabilities are signs of lax patch management and vulnerability lifecycle management, which results in a weakened cyber defense posture.

2. Geographies That Are Suspect

Excerpt: Command and Control (C2) servers situated in China have been determined in this campaign.

Comment: The geolocation of endpoint network touches and scoring by geography both contribute to the risk score that drives up the SIEM priority. There are valid reasons for contact with Chinese servers, and some companies have sites located in China, but such contact should be confirmed by spatial and temporal anomaly checking. IP address and domain information should be attached to the resulting SIEM alarm so that SOC triage can be conducted quickly.

3. Binaries That Are New

Excerpt: Once the remote code execution vulnerability is successfully exploited, it sets up Carbanak on the victim’s system.

Comment: Any new binary is suspicious, but not all of them need to raise alarms. The image metadata should be evaluated to see whether it fits a pattern, for example a new app or a new version of an existing app from an existing supplier on the usual file path for that vendor. Hackers will try to spoof whitelisted apps, so signing data can be compared along with file size, file path and so on to filter out the obvious cases.

4. Uncommon Or Delicate Filepaths

Excerpt: Carbanak copies itself into “%system32%\com” with the name “svchost.exe” and the file attributes: system, hidden and read-only.

Comment: Any write into the System32 file path is suspicious, as it is a sensitive system directory, so it is immediately subjected to anomaly checking. A classic anomaly would be svchost.exe, an essential system process image, in the unusual location of the com subdirectory.
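The path and attribute checks described in this section, as an added example that is not Ziften's code: it flags a well-known system image name outside its expected directory, an executable written into a sensitive system directory, and the hidden+system attribute combination on a new executable. The directory lists and the sample events are constructed for the example.

```python
# Added example (not Ziften's code): flag writes of well-known Windows system
# image names outside their expected directory, executables written into
# sensitive system directories, and hidden+system attributes on new executables.
# The directory lists are assumptions for the example, not a complete policy.
import ntpath

# Images that should only ever live in System32 (assumed list for the example).
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
}

# Directories where any new executable deserves review (assumed list).
SENSITIVE_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Attribute combination malware uses to keep a dropped file out of sight.
STEALTH_ATTRS = {"hidden", "system"}


def _in_sensitive_dir(directory):
    return any(directory == d or directory.startswith(d + "\\") for d in SENSITIVE_DIRS)


def check_file_event(event):
    """Return the list of reasons a file-write event is suspicious (empty if none).

    event: {"path": str, "attributes": [str, ...]} as an endpoint agent might report it.
    """
    path = ntpath.normpath(event["path"]).lower()
    directory, name = ntpath.split(path)
    attrs = {a.lower() for a in event.get("attributes", [])}
    reasons = []

    expected = EXPECTED_DIR.get(name)
    if expected is not None and directory != expected:
        reasons.append(f"system image {name} outside {expected}: found in {directory}")

    if name.endswith(".exe") and _in_sensitive_dir(directory):
        reasons.append(f"executable written into sensitive directory {directory}")

    if name.endswith(".exe") and STEALTH_ATTRS <= attrs:
        reasons.append("executable written with hidden+system attributes")

    return reasons


# Constructed sample events: the Carbanak drop described above, a routine
# servicing write of the real svchost.exe, and a user download.
SAMPLE_EVENTS = [
    {"path": r"C:\Windows\System32\com\svchost.exe",
     "attributes": ["system", "hidden", "readonly"]},
    {"path": r"C:\Windows\System32\svchost.exe", "attributes": ["archive"]},
    {"path": r"C:\Users\bob\Downloads\setup.exe", "attributes": ["archive"]},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["path"], "->", check_file_event(ev) or "no findings")
```

The second sample event (a legitimate svchost.exe update) still produces one finding, which is the intended behaviour: a System32 write is reviewed rather than blocked, and the number of reasons on an event is what raises its score.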

5. New Autostarts Or Services

Excerpt: To guarantee that Carbanak has autorun privileges the malware creates a brand-new service.

Comment: Any new autostart or service is common with malware and is always examined by the analytics. Anything of low prevalence would be suspect. If checking the image hash against industry watchlists shows it is unknown to the majority of antivirus engines, this raises suspicion further.

6. Low Prevalence File In High Prevalence Directory

Excerpt: Carbanak creates a file with a random name and a .bin extension in %COMMON_APPDATA%\Mozilla where it saves commands to be performed.

Comment: This is a classic example of “one of these things is not like the other” that is easy for the security analytics to check in a continuous monitoring environment. This IoC is completely generic: it has nothing to do with which filename or which folder is produced. Although the technical security report lists it as a specific IoC, it is trivially generalized beyond Carbanak to future attacks.
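The prevalence check behind sections 5 and 6, as an added example that is not Ziften's code: across a fleet inventory it computes, for every file, how many hosts carry that hash in that directory and how many hosts have the directory at all, then reports files that are rare inside directories that are common. The same scoring applies unchanged to service image paths from section 5. The inventory records are constructed.

```python
# Added example (not Ziften's code): fleet-wide prevalence scoring.  A file
# whose hash appears on very few hosts, inside a directory that almost every
# host has, is the "one of these things is not like the other" case.  The
# inventory records below are constructed for the example.
from collections import defaultdict
import ntpath

# (host, full path, content hash).  Hash values are labels, not real digests.
INVENTORY = []
for _i in range(1, 11):
    _host = f"ws{_i:02d}"
    INVENTORY.append((_host, r"C:\ProgramData\Mozilla\updates\updater.exe", "hash_updater"))
    INVENTORY.append((_host, r"C:\ProgramData\Mozilla\logs\updater.log", "hash_log"))
# One host carries a randomly named .bin next to the common files.
INVENTORY.append(("ws07", r"C:\ProgramData\Mozilla\k3x9a.bin", "hash_unknown_1"))
# One host has a rare file in a rare directory: rare, but not anomalous by this test.
INVENTORY.append(("ws03", r"C:\Users\alice\projects\build\tool.exe", "hash_tool"))


def ancestors(directory):
    """Yield the directory and every parent up to the drive root."""
    d = directory
    while True:
        yield d
        parent = ntpath.dirname(d)
        if parent == d:
            return
        d = parent


def file_prevalence(inventory):
    """Return (host count, hosts per directory, hosts per (dir, name, hash))."""
    hosts = {rec[0] for rec in inventory}
    dir_hosts = defaultdict(set)
    file_hosts = defaultdict(set)
    for host, path, digest in inventory:
        path = ntpath.normpath(path).lower()
        directory, name = ntpath.split(path)
        # A host "has" a directory if it has any file at or beneath it.
        for anc in ancestors(directory):
            dir_hosts[anc].add(host)
        file_hosts[(directory, name, digest)].add(host)
    return len(hosts), dir_hosts, file_hosts


def odd_ones_out(inventory, dir_min=0.8, file_max=0.1):
    """Files on at most file_max of hosts, in directories present on at least dir_min."""
    n, dir_hosts, file_hosts = file_prevalence(inventory)
    hits = []
    for (directory, name, digest), hs in file_hosts.items():
        dir_frac = len(dir_hosts[directory]) / n
        file_frac = len(hs) / n
        if dir_frac >= dir_min and file_frac <= file_max:
            hits.append({
                "path": ntpath.join(directory, name),
                "hash": digest,
                "hosts": sorted(hs),
                "dir_prevalence": dir_frac,
                "file_prevalence": file_frac,
            })
    return sorted(hits, key=lambda h: h["path"])


if __name__ == "__main__":
    for hit in odd_ones_out(INVENTORY):
        print(hit)
```

The thresholds are assumptions; in practice they are tuned per directory class, and the hash of each hit is what gets sent on to the watch-list lookup described in section 5.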

7. Suspect Signer

Excerpt: In order to render the malware less suspicious, the current Carbanak samples are digitally signed.

Comment: Any suspect signer will be treated as suspicious. In one case the signer supplied an anonymous gmail email address, which does not inspire confidence, and the risk score for this image will be elevated. In other cases no email address is supplied. Signers can be quickly listed and a Pareto analysis performed to separate the more trusted signers from the less trusted ones. If a less trusted signer is found in a more sensitive directory, this is very suspicious.
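The signer Pareto analysis described here, as an added example that is not Ziften's code: signers are ranked by how many images they sign across the fleet, the head of the distribution is treated as trusted, and images in sensitive directories signed by long-tail signers (or with a free-mail signer address) are reported. The image inventory, signer names, addresses and the free-mail domain list are constructed for the example.

```python
# Added example (not Ziften's code): Pareto analysis of code signers across a
# fleet, then flagging images in sensitive directories whose signer is in the
# long tail or uses a free-mail address.  The image inventory, signer names,
# addresses and domain list are constructed for the example.
from collections import Counter
import ntpath

SENSITIVE_DIRS = (r"c:\windows",)  # assumption: everything under c:\windows
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}  # assumption

# (path, signer common name or None if unsigned, signer email or None)
IMAGES = (
    [(rf"C:\Windows\System32\sys{i:02d}.dll", "Constructed OS Vendor", None) for i in range(24)]
    + [(rf"C:\Program Files\VendorA\a{i}.exe", "Vendor A Inc.", "release@vendora.example") for i in range(8)]
    + [(rf"C:\Program Files\VendorB\b{i}.exe", "Vendor B Ltd.", None) for i in range(4)]
    + [(r"C:\Windows\SysWOW64\helper.exe", "Vendor B Ltd.", None),
       (r"C:\Windows\System32\com\svchost.exe", "Ivan Example", "ivan.example.cert@gmail.com"),
       (r"C:\Users\bob\tool.exe", None, None)]
)


def signer_pareto(images):
    """Signers ranked by number of images signed, with cumulative share."""
    counts = Counter(signer for _, signer, _ in images if signer is not None)
    total = sum(counts.values())
    cum, table = 0, []
    for signer, n in counts.most_common():
        cum += n
        table.append((signer, n, cum / total))
    return table


def trusted_signers(images, cutoff=0.8):
    """The few signers that account for `cutoff` of all signed images."""
    trusted = set()
    for signer, _, cum_share in signer_pareto(images):
        trusted.add(signer)
        if cum_share >= cutoff:
            break
    return trusted


def signer_findings(images, cutoff=0.8):
    """Images in sensitive directories whose signer is missing, long-tail or free-mail."""
    trusted = trusted_signers(images, cutoff)
    findings = []
    for path, signer, email in images:
        directory = ntpath.dirname(ntpath.normpath(path)).lower()
        reasons = []
        if signer is None:
            reasons.append("unsigned")
        elif signer not in trusted:
            reasons.append(f"long-tail signer {signer!r}")
            if email is None:
                reasons.append("no signer email")
            elif email.rsplit("@", 1)[-1].lower() in FREEMAIL_DOMAINS:
                reasons.append(f"free-mail signer address {email}")
        sensitive = any(directory == d or directory.startswith(d + "\\") for d in SENSITIVE_DIRS)
        if reasons and sensitive:
            findings.append({"path": path, "signer": signer, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for signer, n, share in signer_pareto(IMAGES):
        print(f"{signer:24s} {n:3d}  cumulative {share:.2f}")
    for f in signer_findings(IMAGES):
        print(f)
```

The long-tail signer in Program Files and the unsigned file in a user profile are deliberately not reported: signer trust only becomes a finding when combined with a sensitive location, which is the pairing the comment above describes.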

8. Remote Administration Tools

Excerpt: There appears to be a preference for the Ammyy Admin remote administration tool for remote control; it is thought that the attackers used this remote administration tool because it is typically whitelisted in the victims’ environments as a result of being used frequently by administrators.

Comment: Remote admin tools (RATs) always raise suspicion, even if they are whitelisted by the company. Anomaly checking would take place to determine whether each new remote admin tool instance fits the temporal and spatial pattern. RATs are subject to abuse. Hackers will always prefer to use a company's own RATs so that they can avoid detection, so these should not be given a pass every time just because they are whitelisted.

9. Patterns Of Remote Login

Excerpt: Logs for these tools show that they were accessed from two dissimilar IPs, probably used by the attackers, and located in Ukraine and France.

Comment: Always suspect remote logins, since all hackers are presumed to be remote. They are also used heavily in insider attacks, as the insider does not want to be identified with the system. Remote addresses and time pattern anomalies would be inspected, and this should reveal low prevalence use (relative to peer systems) plus any suspect geography.
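The remote login scoring described in this section and the geography scoring of section 2, as an added example that is not Ziften's code: each login is scored against a per-host baseline of source countries and login hours, against how many peer hosts have ever seen the source country, and against a geography watch list. All login records, IP addresses and the watch list are constructed for the example.

```python
# Added example (not Ziften's code): score remote logins against a per-host
# baseline of source countries and login hours, prevalence of the source
# country across peer hosts, and a geography watch list.  Records, addresses
# and the watch list are constructed for the example.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WATCHLIST_COUNTRIES = {"CN", "RU", "UA"}  # assumption for the example

HOSTS = ("ws01", "ws02", "ws03", "jump01")


def build_sample_baseline():
    """Twenty days of constructed admin logins from one US address, 08:00-17:59."""
    records = []
    start = datetime(2015, 1, 5)
    for day in range(20):
        for i, host in enumerate(HOSTS):
            ts = start + timedelta(days=day, hours=8 + (day + i) % 10)
            records.append((host, "admin", "198.51.100.10", "US", ts.isoformat()))
    return records


def build_baseline(records):
    """Per-host counters of source countries and login hours."""
    countries = defaultdict(Counter)
    hours = defaultdict(Counter)
    for host, _user, _ip, country, ts in records:
        countries[host][country] += 1
        hours[host][datetime.fromisoformat(ts).hour] += 1
    return countries, hours


def score_login(record, baseline, peer_max=0.1):
    """Return (score, reasons) for one login record against the baseline."""
    countries, hours = baseline
    host, _user, ip, country, ts = record
    hour = datetime.fromisoformat(ts).hour
    seen_countries = countries.get(host, Counter())
    seen_hours = hours.get(host, Counter())
    score, reasons = 0, []
    if seen_countries[country] == 0:
        score += 3
        reasons.append(f"first login to {host} from {country} ({ip})")
    if country in WATCHLIST_COUNTRIES:
        score += 2
        reasons.append(f"{country} is on the geography watch list")
    if seen_hours[hour] == 0:
        score += 2
        reasons.append(f"hour {hour:02d} never seen for {host}")
    peers = [h for h in countries if h != host]
    with_country = sum(1 for h in peers if countries[h][country] > 0)
    if peers and with_country / len(peers) <= peer_max:
        score += 1
        reasons.append(f"{country} seen on {with_country} of {len(peers)} peer hosts")
    return score, reasons


def score_logins(records, baseline):
    """Score many records, highest first."""
    scored = [(rec, *score_login(rec, baseline)) for rec in records]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed new logins: two against the jump host from unfamiliar countries,
# one routine login that should score zero.
NEW_LOGINS = [
    ("jump01", "admin", "203.0.113.7", "FR", "2015-01-26T03:12:00"),
    ("jump01", "admin", "203.0.113.9", "UA", "2015-01-26T11:00:00"),
    ("ws02", "admin", "198.51.100.10", "US", "2015-01-26T10:00:00"),
]

if __name__ == "__main__":
    base = build_baseline(build_sample_baseline())
    for rec, score, reasons in score_logins(NEW_LOGINS, base):
        print(score, rec[0], rec[3], rec[4], reasons)
```

The weights are assumptions; the point is that geography, time and peer prevalence each contribute independently, so a login from a new country at an unusual hour outscores either signal on its own.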

10. Atypical IT Tools

Excerpt: We have actually likewise found traces of many different tools used by the hackers inside the victim's network to gain control of additional systems, such as Metasploit, PsExec or Mimikatz.

Comment: Being sensitive apps, IT tools must always be examined for anomalies, since many hackers subvert them for malicious purposes. It is possible that Metasploit could be used by a penetration tester or vulnerability researcher, but instances of this would be rare. This is a prime example where an unusual observation report for the vetting of security personnel would result in corrective action. It also highlights the problem that blanket whitelisting does not help in recognizing suspicious activity.