Blog entry by Les Bell

Les Bell
by Les Bell - Tuesday, June 27, 2023, 10:52 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Chinese APT Targets Critical Infrastructure, OT

Researchers at managed security provider Crowdstrike have released on an incident involving a Chinese-nexus threat actor which they track as VANGUARD PANDA (also known as Volt Typhoon). The cyber-espionage group consistently targets Zoho ManageEngine ADSelfService Plus in order to obtain initial access, after which they deploy webshells and make use of living-off-the-land techniques to avoid leaving behind detectable artifacts which could be used as IOC's.

In this particular incident, Crowdstrike's Falcon Complete managed-detection-and-response was triggered by suspicious reconnaissance commands - such as listing processes, testing network connectivity, gathering user and group information, and using WMI to enumerate domain trust and DNS zones - executed under an Apache Tomcat web application server running ManageEngine ADSelfService Plus. The use of these commands indicated a familiarity with the target environment, as the commands were executed rapidly and used specific internal hostnames and passwords:

cmd /C "tasklist /svc"
cmd /C "ping -n 1 [redacted]"
cmd /C "ping -n 1 -a [redacted]"
cmd /C "net group "domain controllers" /dom"
cmd /C "net use \\[redacted]\admin$ REDACTED /u:[redacted]"
cmd /C "dir \\[redacted]\c$\Users"
cmd /C "wmic /node:[redacted] /user:[redacted] /password:"<removed>" process call create "cmd /c nltest /DOMAIN_TRUSTS >>C:\Users\[redacted]\AppData\Local\[redacted].tmp""
cmd /C "dir \\[redacted]\c$\users\[redacted]\AppData\Local\Temp\[redacted].tmp"
cmd /C "type \\[redacted]\c$\users\[redacted]\AppData\Local\Temp\[redacted].tmp"
cmd /C "wmic /node:[redacted] /user:[redacted] /password:"<removed>" process call create "cmd /c Dnscmd . /EnumZones >>C:\Users\[redacted]\AppData\Local\Temp\[redacted].tmp""
cmd /C "dir \\[redacted]\c$\users\[redacted]\AppData\Local\Temp\[redacted].tmp"
cmd /C "type \\[redacted]\c$\users\[redacted]\AppData\Local\Temp\[redacted].tmp"

At this point the Crowdstrike team quickly quarantined and triaged the host, notifying the impacted customer while analysing the Apache Tomcat access logs. This revealed multiple POST requests to the file /html/promotion/selfsdp.jspx which, upon analysis, turned out to be a webshell capable of running arbitrary commands by using the /C option of the classic Windows shell, cmd.exe and the ProcessBuilder class. It also attempted to masquerade as part of ManageEngine ADSelfService Plus, using that as its page title and adding legitimate links to help desk software. In fact, selfsdp.jspx will match the EncryptJSP YARA rule provided in a May CISA advisory on Volt Typhoon.

However, a lot of red flags remained: for example, the use of hostnames above indicated a lot of prior reconnaisance and enumeration and the inclusion of passwords indicated that admin accounts had already been compromised - likely before the Falcon Complete sensor had been installed. In fact, the selfsdp.jspx webshell had been written to disk almost six months before the Falcon sensor was installed, and examination of the Apache Tomcat logs correlated its installation with an HTTP POST request to /html/error.jsp - but that file no longer existed, indicating its deletion in an attempt to evade detection and analysis. A lot of related log entries had also vanished - on one day, the entire first 12 hours of the access log had gone.

To cut a long story short - Crowdstrike's blog article provides the full details - the threat actor eventually slipped up. .jsp and .jspx pages - Java Server Pages - contain scriptlets of Java code which are extracted to create .java Java source code files and then compiled into the corresponding .class bytecode files for execution. This is done by a component of Apache Tomcat - the Jasper 2 JSP engine - which places the .java and .class files in a separate directory structure, and while the intruder cleaned up the log files and other artifacts, they missed these.

One of them, ListName_jsp.java, in turn deployed a backdoored version of the tomcat-websocket.jar Apache Tomcat library incorporating a webshell. This was then timestamped to match the timestamp on the original tomcat-websocket.jar file so that it would appear not to have been replaced (although obviously a filesystem verification program would detect its changed digest value).

The Crowdstrike blog article makes fascinating reading and includes some recommendations for detection and mitigation of this attack, which is just one of many the firm has seen against US-based critical infrastructure.

CISA, People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection, cybersecurity advisory AA23-144a, 24 May 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a.

Falcon Complete Team, Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft, blog post, 22 June 2023. Available online at https://www.crowdstrike.com/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/.

Cozy Bear At It Again

In a series of tweets, Microsoft Threat Intelligence has reported a rise in credential attack activity by the Russian state-sponsored APT29, a.k.a. Cozy Bear and NOBELIUM, which the Redmondites track as Midnight Blizzard (I wish they would stick to bears and pandas - it makes life a lot easier!). The attacks target governments, IT service providers, NGO's, defense contractors and critical manufacturing, using a variety of password spray, brute force and token theft techniques, as well as session replay attacks using stolen session credentials likely acquired via illicit sale in dark web markets or Telegram channels.

In this campaign the threat actor is using residential proxy services to hide the real source of their attacks. Residential proxies are a low-cost or free proxies provided by a variety of service providers - I have even seen home users being invited to install proxy servers under the pretext that it will get them additional bandwidth (it won't) or in return for a small income. The problem is that the main purpose of such proxies is to disguise the source of online activities for a variety of dodgy or disreputable activities (which means that home users who naively install them are likely to see their IP addresses blacklisted), although they do have a few legitimate uses, especially in states which restrict their citizens' access to information.

APT29's use of residential proxies for a brief period before moving on also makes it harder for defenders to distinguish these attacks from legitimate traffic and block them.

Microsoft Threat Intelligence, "Microsoft has detected increased credential attack activity...", Twitter thread, 22 June 2023. Available online at https://twitter.com/MsftSecIntel/status/1671579358031486991.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: