I was recently asked to summarise and comment on the recent RSA investigation and published report into the ‘Shell Crew’ attacks, so thought I’d share this;
The Shell Crew attacks investigated by RSA IR are a clear example of what is usually referred to as an APT (Advanced Persistent Threat). The group persisted inside various enterprises for considerable lengths of time, all the while covering its tracks and updating its malware and backdoors. Throughout their time inside these enterprises, their aim was to exfiltrate as much data and intellectual property as possible.
They used a variety of techniques to gain entry, from phishing and spear phishing (highly targeted phishing) to attacks on web application frameworks, and once inside used many more, including;
– Web shells
– Lateral movement, making use of RDP, psexec, existing network connections and job scheduling via the at command
– Code signing of backdoor malware so that it installed without warnings
– The sethc.exe (Sticky Keys) RDP backdoor
– Proxy tools installed on servers to bypass corporate proxies
– Proxy-aware malware that connected out through the corporate proxy using stolen credentials
– Falsifying time and date stamps on malicious files (time stomping)
Prior to the attacks there were lengthy periods of reconnaissance of the businesses and their technical footprint.
Looking at the tools and techniques used, it appears they predominantly attacked Windows-based systems.
The example detailed in the report involved a web server running a vulnerable version of Adobe ColdFusion, where a directory traversal vulnerability allowed the attackers to read the ColdFusion administrator password file. They downloaded it and recovered the password from the stored hash (likely with rainbow tables, which only work because the hash was unsalted). The next step was to download and install web shells, backdoor software and various password cracking and hashing tools onto the server.
Some take away points include;
- Details of the exploit were clearly captured in the web server logs, highlighting the need for log collection, correlation and alerting that surfaces such requests as they happen rather than during the post-incident investigation.
- They logged into the web server with the admin password within 10 minutes of stealing the hash. Two-factor authentication should be used for web-accessible accounts wherever possible. If passwords must be used, the stored hashes must be salted with a unique random salt per password (which defeats precomputed rainbow tables) and computed with a deliberately slow algorithm such as PBKDF2, bcrypt or scrypt, so that each individual hash is expensive to brute force; a salt on its own does not make a weak password safe.
- Once they were on this server they quickly moved to control or access many other servers on the compromised network.
- Various ‘entrenchment’ methods were used to make their presence hard to remove, including;
  - A range of web shells, from simple one-line ones through to advanced ones with trojan-like capabilities. Web shells are malicious files written in the web server’s scripting language and served by the compromised server. They have some advantages over conventional trojans: they are rarely detected by AV, they run inside the web server so their traffic blends with legitimate HTTP and is hard to block, and they have no need to beacon home because the attacker connects in.
  - Registering malicious DLLs so that the commands they ran were handled by the malicious DLL, making them harder to detect.
  - Modifying System.Web.dll (a core .NET DLL) so that specially crafted POST requests to the server were handled by the backdoor; the same request without a # at the start would simply return a 404 page.
  - Installing custom variants of the ‘Trojan.Derusbi’ malware. This monitors all open TCP ports on the server for a specific simple, but pseudo-random, handshake, and when it sees one it responds with its own handshake. The remote user can then control the trojan with various obfuscated commands, including directory traversal, starting and stopping processes, uploading and downloading files, time stomping (deleting or modifying file timestamps, which makes forensics harder), opening reverse shells, and locating and decrypting passwords stored in browsers such as IE and Firefox.
  - The sethc backdoor: replacing sethc.exe (the Sticky Keys helper) with cmd.exe or explorer.exe, or registering a ‘debugger’ for sethc.exe in the registry. If RDP is enabled, connecting and pressing SHIFT five times at the logon screen brings up cmd, explorer or the debugger, running as SYSTEM and with no credentials required.
  - On top of this they downloaded many other malicious files and ‘secondary tools’, including further variants of the Derusbi trojan, a fake notepad.exe (actually multi-purpose malware with proxy capabilities, time stomping, user impersonation, Run As and so on), credential loggers, etc.
- The attack appears to target Windows Server 2003, 2003 R2 and XP variants. Ensure you are using current versions of operating systems and that they remain fully patched.
- Obfuscation of code was heavily used across the malware tools. While it is often not complex to de-obfuscate manually, the technique helps malware evade automated detection and means the scripts don’t look like code to the untrained eye if an admin stumbles across them.
- Credential capture and logging was attempted in various ways on compromised machines across the estate, including hash dumping (grabbing hashes, then likely cracking them with rainbow tables), keystroke logging, a MSGINA (Microsoft Graphical Identification and Authentication, a key part of the Windows logon process) man-in-the-middle, and hooking into authentication functions.
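The first two points above (the exploit requests were sitting in the web server logs, and the admin login followed within ten minutes) are exactly the kind of thing simple log analysis can surface. The following is an added example, not code from the RSA report or from this post: it parses combined-format access log lines, normalises the request target so that plain, URL-encoded and double-encoded traversal sequences all match, and then correlates a successful-looking admin login with an earlier traversal attempt from the same source address. The log lines, the IP addresses and the /admin/login.cfm path are all constructed for this example.

```python
"""Spot directory-traversal requests in web server logs and correlate them
with a later admin login from the same source.

Added example (not from the RSA report or the original post). The log lines
below are constructed for this example; the admin login path is assumed.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache/IIS "combined"-style line: client ip, timestamp, request, status, size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# ".." that starts a path segment or query value and is followed by a separator
TRAVERSAL_RE = re.compile(r"(?<![A-Za-z0-9.])\.\.(?:/|$)")
LOGIN_PATH = "/admin/login.cfm"  # assumed admin login endpoint for this example

# Constructed sample log: one benign hit, three traversal attempts (plain,
# URL-encoded, double-encoded) from a single external address, one benign
# admin login, and an admin login from the attacker nine minutes later.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2014:09:14:02 +0000] "GET /index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [12/Jan/2014:09:15:31 +0000] "GET /admin/login.cfm?lang=../../../../conf/passwords.properties%00en HTTP/1.1" 200 1422
203.0.113.7 - - [12/Jan/2014:09:15:48 +0000] "GET /admin/login.cfm?lang=..%2F..%2F..%2F..%2Fconf%2Fpasswords.properties%00en HTTP/1.1" 200 1422
203.0.113.7 - - [12/Jan/2014:09:16:10 +0000] "GET /admin/login.cfm?lang=%252e%252e%252f%252e%252e%252fconf%252fpasswords.properties HTTP/1.1" 200 1422
10.0.0.9 - - [12/Jan/2014:09:17:00 +0000] "POST /admin/login.cfm HTTP/1.1" 302 0
203.0.113.7 - - [12/Jan/2014:09:24:55 +0000] "POST /admin/login.cfm HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def normalise(target, rounds=3):
    """URL-decode repeatedly (bounded) to unwrap double encoding, then fold
    backslashes to forward slashes so one pattern covers both separators."""
    cur = target
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")


def find_traversal(log_text):
    """Return every request whose decoded target contains a traversal
    sequence and/or an embedded null byte, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = normalise(rec["target"])
        reasons = []
        if TRAVERSAL_RE.search(decoded):
            reasons.append("traversal")
        if "\x00" in decoded:
            reasons.append("null byte")
        if reasons:
            hits.append({"ip": rec["ip"], "time": rec["time"], "target": rec["target"],
                         "decoded": decoded, "reasons": reasons})
    return hits


def correlate_logins(log_text, window=timedelta(minutes=15)):
    """Flag a successful-looking admin login (POST to the login page answered
    with a redirect) from an address that sent a traversal request within
    the preceding window: two low-priority events that together are an alert."""
    first_traversal = {}
    for h in find_traversal(log_text):
        first_traversal.setdefault(h["ip"], h["time"])
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["status"] != 302:
            continue
        if rec["target"].split("?")[0] != LOGIN_PATH:
            continue
        t0 = first_traversal.get(rec["ip"])
        if t0 is not None and timedelta(0) <= rec["time"] - t0 <= window:
            alerts.append({"ip": rec["ip"], "traversal_at": t0,
                           "login_at": rec["time"], "delay": rec["time"] - t0})
    return alerts


if __name__ == "__main__":
    for h in find_traversal(SAMPLE_LOG):
        print(h["time"], h["ip"], h["reasons"], repr(h["decoded"]))
    for a in correlate_logins(SAMPLE_LOG):
        print("ALERT: admin login from", a["ip"], a["delay"], "after traversal attempt")
```

In practice this logic belongs in the SIEM or log pipeline rather than a script, but the two things that matter carry over: decode before matching (a single decode pass misses %252e), and join the two events on the source address, since neither a traversal attempt nor an admin login is remarkable on its own.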
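On the password point: the difference between a stolen unsalted SHA-1 hash and a properly stored one is the difference between an instant table lookup and a per-hash brute-force job. The following added example (mine, not the report's or this post's code) shows both sides: a precomputed hash-to-password table, standing in for a rainbow table, against unsalted SHA-1; then PBKDF2-HMAC-SHA256 with a random per-password salt, which makes the table useless and forces the attacker to redo the full computation for every guess against every stolen hash. The wordlist is constructed, and the storage format and the 600,000-iteration work factor are my choices.

```python
"""Unsalted SHA-1 versus salted PBKDF2: why the Shell Crew got the admin
password in minutes, and what would have made that expensive.

Added example, not from the RSA report or the original post. The wordlist
is a constructed stand-in for a precomputed (rainbow) table.
"""
import hashlib
import hmac
import os

WORDLIST = ["password", "Welcome1", "Summer2013!", "admin123", "ColdFusion"]
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP's current guidance)


def sha1_hex(password):
    """The weak scheme: one fast, unsalted hash of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_unsalted_table(words):
    """Hash -> plaintext, computed once and reusable against every unsalted
    SHA-1 hash ever stolen; this is the property rainbow tables exploit."""
    return {sha1_hex(w): w for w in words}


def crack_unsalted(sha1_hex_digest, table):
    """Cracking an unsalted hash is a single lookup; no hashing is done."""
    return table.get(sha1_hex_digest.lower())


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Store as algorithm$iterations$salt$hash so the parameters travel with
    the hash and can be raised later without a flag day."""
    if salt is None:
        salt = os.urandom(16)  # unique random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check itself does not leak anything."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: " + algo)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def dictionary_attack(stored, words):
    """What an attacker must do against a salted hash: redo the full PBKDF2
    computation for every guess, separately for every stolen hash. Returns
    the cracked password (or None) and the number of PBKDF2 runs spent."""
    for n, w in enumerate(words, 1):
        if verify_password(w, stored):
            return w, n
    return None, len(words)


if __name__ == "__main__":
    table = build_unsalted_table(WORDLIST)
    stolen = sha1_hex("Summer2013!")
    print("unsalted SHA-1 cracked by lookup:", crack_unsalted(stolen, table))
    h1, h2 = hash_password("Summer2013!"), hash_password("Summer2013!")
    print("same password, different salted hashes:", h1 != h2)
    print("table lookup against salted hash:", crack_unsalted(h1.split("$")[-1], table))
    print("dictionary attack on salted hash:", dictionary_attack(h1, WORDLIST))
```

The salt is stored in the clear beside the hash; that is fine, because its only job is to make precomputation impossible, not to be secret. The work factor is what protects a weak password from a dictionary run, which is why the salt alone is not enough, and why a password that is in the attacker's wordlist still falls, just more slowly.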
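Because web shells need neither a beacon nor a separate process, the place to look for them is the web root itself. The following is an added example, not from the report or this post: a small indicator scanner for the scripting languages web shells are written in, run over a set of constructed sample files (a benign ColdFusion page, a classic one-line ASP shell, a PHP shell that decodes its command from a POST parameter, and an ASP.NET page that passes request input to ProcessStartInfo). The rule set and the file contents are mine; the rules are heuristics, not signatures.

```python
"""Scan a web root for web shell indicators.

Added example, not from the RSA report or the original post. The rules are
heuristics for the scripting languages web shells are usually written in;
the sample files are constructed for this example.
"""
import os
import re

# (rule name, pattern). Each targets the "take input from the request, hand it
# to an interpreter or a process" shape that one-line and small shells share.
RULES = [
    ("asp-eval-request", re.compile(r"\b(?:eval|execute)\s*\(?\s*request\b", re.I)),
    ("aspx-process-start", re.compile(
        r"Request\.(?:Form|QueryString|Item|Params)\b[\s\S]{0,400}?Process(?:StartInfo|\.Start)", re.I)),
    ("jsp-runtime-exec", re.compile(r"Runtime\.getRuntime\(\)\s*\.exec\s*\(")),
    ("php-eval-input", re.compile(
        r"\b(?:eval|assert|system|passthru|shell_exec|popen)\s*\(\s*"
        r"(?:\$_(?:GET|POST|REQUEST|COOKIE)\b|base64_decode\s*\()", re.I)),
    ("cf-cfexecute", re.compile(r"<cfexecute\b", re.I)),
    ("long-base64-blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
]
WEB_EXTS = {".asp", ".aspx", ".ashx", ".asmx", ".jsp", ".jspx", ".php", ".cfm", ".cfc"}

# Constructed sample web root: one benign page, three shells, one non-script file.
SAMPLE_FILES = {
    "wwwroot/index.cfm": "<cfoutput>Welcome #session.user#</cfoutput>",
    "wwwroot/images/x.asp": '<%eval request("pass")%>',
    "wwwroot/help/h.php": "<?php @eval(base64_decode($_POST['z'])); ?>",
    "wwwroot/api/u.aspx": ('<%@ Page Language="C#" %><% var c = Request.Form["c"]; '
                           'var p = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + c); %>'),
    "wwwroot/static/logo.png": "binary content, skipped by the extension filter",
}


def scan_content(text):
    """Return [(rule name, matched excerpt)] for every rule that fires."""
    findings = []
    for name, rx in RULES:
        m = rx.search(text)
        if m:
            findings.append((name, m.group(0)[:60].replace("\n", " ")))
    return findings


def scan_files(files):
    """files: {path: text}. Returns {path: findings} for files with hits,
    considering only extensions the web server would execute."""
    report = {}
    for path, text in files.items():
        if os.path.splitext(path)[1].lower() not in WEB_EXTS:
            continue
        hits = scan_content(text)
        if hits:
            report[path] = hits
    return report


def scan_tree(root):
    """Walk a real web root; errors='replace' so odd encodings do not abort."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if os.path.splitext(n)[1].lower() in WEB_EXTS:
                p = os.path.join(dirpath, n)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    files[p] = fh.read()
    return scan_files(files)


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for rule, excerpt in hits:
            print(f"{path}: {rule}: {excerpt}")
```

Expect some legitimate hits (cfexecute and Runtime.exec have valid uses); the value comes from diffing the results against a known-good deployment and looking hard at any scripted file in an unexpected place such as an images directory. Given the time stomping described above, file timestamps are not a reliable way to decide what is new.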
Overall this is a good, in-depth report that really highlights both how easily an adversary can gain access to a corporate network and how entrenched they can become across many servers once they have a foothold.
Up-to-date, patched systems, defence in depth, and first-rate logging, correlation and alerting are key factors in preventing breaches and detecting them quickly.
Detection and response are becoming increasingly important in a world where you should assume you will be compromised.
K