I was recently asked to summarise and comment on the recent RSA investiagtion and published report into the the ‘shell crew’ attacks, so thought I’d share this;
The Shell Crew attacks investigated by RSA IR are a clear example of what is usually referred to APT (Advanced Persistent Threat) attacks. They were able to persist for considerable lengths of time in various enterprises, all the while covering their tracks, updating malware and backdoors. During the time they were inside the various enterprises their aim was to exfiltrate as much data and intellectual property as possible.
They used a variety of techniques from phishing and spear phishing (extremely targeted phishing) to web application framework attacks to gain entry, and once inside used many techniques including;
– Web shells
– Lateral movement, making use of RDP, psexec, open network connections and job scheduling via the at command.
– Code signing of backdoor malware so it installed without warnings
– Utilising SETHC RDP backdoor
– Proxy tools installed on servers to avoid corporate proxies
– Proxy away malwae that connected out using stolen credentials
– Falsifying time and date stamps on malicious files
Prior to the attacks there were length periods of reconnaissance of the businesses and their technical footprint.
Looking at the tools and techniques used it appears they predominantly attacked Windows based systems
The example detailed involved a hack of a web server running a vulnerable version of Adobe ColdFusion, where the vulnerability enabled directory traversal. This enabled them to access the password file for ColdFusion, download it and crack it (likely with rainbow tables). The next step was to download and install web shells, backdoor software and various password cracking and hashing tools onto the server.
Some take away points include;
- Details of the exploit were clearly captured in the web server logs – highlighting the need for proper log correlation and alerting.
- They logged into the web server with the Admin password within 10 minutes of stealing the hash – 2-factor authentication should be used for web accessible accounts where possible. If passwords must be used, a large salt must be added to the hashes.
- Once they were on this server they quickly moved to control / access many other servers on the compromised network.
- Various ‘entrenchment methods used to ensure their presence was hard to remove including;
- They used various web shells from simple one lines ones all the way to advanced ones with trojan like capabilities. Web shells are malicious files written in web scripting languages. They have some benefits over trojans such as being rarely detected by AV programs, run within the web server so blend with other traffic and hard to block, and no need to beacon home.
- Registering malicious DLLs so that the commands they run were interpreted by the malicious DLL making them harder to detect
- Modifying the System.Web.dll file (this is a core.net dll) enabling specifically crafted posts to the server that without a # at the start would just result in a 404 page
- Installation of custom variants of the ‘Trojan.Derusbi’ malware. This monitors all open TCP ports on the server for a specific simple, but pseudo random, handshake. When it sees one it responds with a handshake. The remote user can then control the trojan with various obfuscated commands. These include file traversal, starting / stopping processes, uploading / downloading files, time stomping (deleting or modifying time stamp related information on files – makes forensics more challenging), opening reverse shells, locating and decrypting passwords stored in browsers such as IE and Firefox.
- Sethc backdoor – replacing the setch exe with cmd or explorer, or making a registry change to the setch entry. If RDP is enabled, connecting, then pressing SHIFT 5 times will then bring up CMD, explorer, or the debugger.
- On top of this they also downloaded a lot of other malicious files and ‘secondary tools’ including many variants of the Derusbi trojan, notepad.exe (actually multi purpose malware including proxy capabilities, time stomping, user impersonation, Run As etc.), credential loggers etc.
- The attack appears to target Windows Server 2003, 2003r2 and XP variants. – ensure you are using current versions of operating systems, and that they remain fully patched
- Obfuscation of code for the various malware tools was heavily used. While it is often not complex to manually de-obfuscate the code, this technique helps malware avoid detection by automated tools and also means the code / scripts don’t look like they are code to the untrained eye if an admin or someone stumbles across them.
- Credential capture / logging was attempted in various ways on compromised machines in the estate including; Hash Dumping (grabbing hashes then likely using rainbow tables to crack them), Keystroke logging, MSGINA (MS Graphical Identification and Authentication – key part of MS logon process) man in the middle, and hooking into authentication functions.
Overall this is a good, in depth report that really highlights both how easily an adversary can gain access to the corporate network, and how entrenched they can become across many servers in the network once they have a foothold.
Up to date, patched systems, defence in depth, and first rate logging, correlation and alerting are key factors in prevention and quick detection of breaches.
Detection and response are becoming increasingly important in a world where you will be compromised.