Presented By Charles Leaver And Written By Dr Al Hartmann
Part 3 in a 3 part series
Below are excerpts of Indicators of Compromise (IoCs) from the technical reports on the Anunak/Carbanak APT attacks, with comments on how each would be discovered by the Ziften continuous endpoint monitoring service. The Ziften system focuses on generic indicators of compromise that have held up over decades of hacker attacks and cyber security experience. Generic IoCs can be recognized on any operating system, including Linux, OS X and Windows. Specific indicators of compromise also exist that identify C2 infrastructure or particular instances of attack code, but these are short-lived and not typically reused in fresh attacks. There are billions of these artifacts in the security world, with thousands added every day. Generic IoCs are built into the Ziften security analytics for the supported operating systems, and the specific IoCs are supplied by the Ziften Knowledge Cloud from subscriptions to a variety of industry threat feeds and watch lists that aggregate them. Both have value and help to triangulate attack activity.
1. Exposed vulnerabilities
Excerpt: All observed cases used spear phishing emails with Microsoft Word 97–2003 (.doc) files attached or CPL files. The doc files exploit both Microsoft Office (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761).
Comment: Not strictly an IoC, but critical unpatched vulnerabilities are a major enabler for hackers and a strong warning sign that raises the risk rating (and the SIEM priority) for the endpoint, particularly if other indicators are also present. These vulnerabilities are symptoms of lax patch management and vulnerability lifecycle management, which leads to a weakened cyber defense posture.
2. Suspect Locations
Excerpt: Command and Control (C2) servers located in China have actually been determined in this project.
Comment: The geolocation of endpoint network contacts and scoring by location both add to the risk score that drives up the SIEM priority. There are valid reasons for contact with Chinese servers, and some organizations may have sites located in China, but this should be verified with spatial and temporal anomaly checks. IP address and domain information should be attached to the resulting SIEM alarm so that SOC triage can be performed rapidly.
3. New Binaries
Excerpt: Once the remote code execution vulnerability is successfully exploited, it installs Carbanak on the victim’s system.
Comment: Any new binary is always suspicious, but not all of them need to raise alarms. Image metadata should be examined for a pattern, for example a new app or a new version of an existing app from an existing vendor on the expected file path for that vendor. Hackers will attempt to spoof whitelisted apps, so signing data can be compared along with file size and file path to filter out the obvious cases.
4. Uncommon Or Sensitive Filepaths
Excerpt: Carbanak copies itself into “%system32%\com” with the name “svchost.exe” with the file attributes: system, hidden and read-only.
Comment: Any write into the System32 file path is suspicious because it is a sensitive system directory, so it is immediately subjected to anomaly checks. A classic anomaly would be svchost.exe, an essential system process image, in the unusual location of the com subdirectory.
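As an added example (not Ziften code, and not taken from the Carbanak reports), the following Python scorer combines the checks described under items 3 and 4: a well-known system image name appearing outside its expected directory, a write beneath a sensitive system path, unsigned or non-allow-listed signing data, hidden/system attributes, and a vendor binary landing off the vendor's usual path. The expected-directory table, the trusted-signer set, the score weights and the triage thresholds are all constructed assumptions for illustration.

```python
import ntpath
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed allow-list: system images that legitimately live only in these
# directories. A real deployment would derive this from a golden-image inventory.
EXPECTED_SYSTEM_IMAGE_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
}
# Directories where any new write deserves an anomaly check.
SENSITIVE_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Constructed set of signers the organization treats as trusted.
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}


@dataclass
class NewImage:
    """One newly observed executable image on an endpoint (constructed type)."""
    path: str
    signer: Optional[str]                 # None means unsigned
    attributes: Set[str] = field(default_factory=set)
    vendor_dir: Optional[str] = None      # where this vendor's software normally installs


def _under(directory: str, parent: str) -> bool:
    """True if `directory` is `parent` or a subdirectory of it (case-insensitive)."""
    directory, parent = directory.lower().rstrip("\\"), parent.lower().rstrip("\\")
    return directory == parent or directory.startswith(parent + "\\")


def score_new_image(img: NewImage) -> Tuple[int, List[str]]:
    """Return (risk score, reasons). Weights are constructed for the example."""
    score, reasons = 0, []
    directory, name = ntpath.split(img.path.lower())

    # Item 4: a core system image name in an unexpected location (svchost.exe in System32\com).
    expected = EXPECTED_SYSTEM_IMAGE_DIRS.get(name)
    if expected is not None and directory not in expected:
        score += 50
        reasons.append(f"system image {name} outside expected dirs: {directory}")

    # Item 4: any write beneath a sensitive system directory.
    if any(_under(directory, d) for d in SENSITIVE_DIRS):
        score += 20
        reasons.append(f"write under sensitive directory: {directory}")

    # Item 3: compare signing data; unsigned is worse than an unrecognized signer.
    if img.signer is None:
        score += 20
        reasons.append("unsigned image")
    elif img.signer not in TRUSTED_SIGNERS:
        score += 10
        reasons.append(f"signer not in trusted set: {img.signer}")

    # Hidden + system attributes on a fresh binary is a common concealment pattern.
    if {"hidden", "system"} <= {a.lower() for a in img.attributes}:
        score += 10
        reasons.append("hidden+system attributes")

    # Item 3: a new version from a known vendor should land on that vendor's usual path.
    if img.vendor_dir is not None and not _under(directory, img.vendor_dir):
        score += 10
        reasons.append(f"vendor image outside vendor path {img.vendor_dir}")

    return score, reasons


def triage_level(score: int) -> str:
    """Map a score to a SIEM priority (thresholds are constructed)."""
    if score >= 60:
        return "alert"
    if score >= 30:
        return "review"
    return "log"


if __name__ == "__main__":
    # Constructed observations modelled on the Carbanak description above.
    samples = [
        NewImage(r"C:\Windows\System32\com\svchost.exe", None, {"system", "hidden", "readonly"}),
        NewImage(r"C:\Windows\System32\svchost.exe", "Microsoft Windows"),
        NewImage(r"C:\Program Files\Acme\acme.exe", "Acme Corp", vendor_dir=r"C:\Program Files\Acme"),
    ]
    for s in samples:
        sc, why = score_new_image(s)
        print(f"{triage_level(sc):6} {sc:3} {s.path}  {why}")
```

The spoofed svchost.exe accumulates every weighted reason and lands at "alert", the genuine svchost.exe write only picks up the sensitive-directory weight, and the vendor binary on its own path barely registers; the point is that no single check decides, the combination does.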
5. New Autostarts Or Services
Excerpt: To guarantee that Carbanak has autorun privileges the malware produces a brand-new service.
Comment: Any new autostart or service is typical of malware and is always checked by the analytics. Anything of low prevalence would be suspicious. If checking the image hash against industry watchlists shows it to be unknown to the majority of antivirus engines, suspicion rises further.
6. Low Prevalence File In High Prevalence Directory
Excerpt: Carbanak creates a file with a random name and a .bin extension in %COMMON_APPDATA%\Mozilla where it stores commands to be carried out.
Comment: This is a classic example of “one of these things is not like the other” that is simple for the security analytics to check in a continuous monitoring environment. This IoC is totally generic: it has nothing to do with which filename or which directory is created. Although the technical security report lists it as a specific IoC, it is trivially generalized beyond Carbanak to future attacks.
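The prevalence check behind items 5 and 6 can be written as one generic rule over an endpoint inventory, as in this added Python example (not Ziften's analytics). Each record names an endpoint, an item kind (file or service), its location (a directory or the services registry hive) and its name; an item is an outlier when few endpoints carry it but most endpoints carry its location. The inventory, the item names and the thresholds are constructed.

```python
from collections import defaultdict
from typing import Iterable, List, Tuple

# (endpoint, kind, location, name). For a file the location is its directory;
# for a service it is the registry hive where services are registered.
Record = Tuple[str, str, str, str]


def prevalence(records: Iterable[Record]):
    """Fraction of all endpoints that carry each (kind, location) and each (kind, location, name)."""
    records = list(records)
    endpoints = {r[0] for r in records}
    loc_hosts, item_hosts = defaultdict(set), defaultdict(set)
    for ep, kind, loc, name in records:
        loc_hosts[(kind, loc)].add(ep)
        item_hosts[(kind, loc, name)].add(ep)
    n = len(endpoints)
    loc_prev = {k: len(v) / n for k, v in loc_hosts.items()}
    item_prev = {k: len(v) / n for k, v in item_hosts.items()}
    return loc_prev, item_prev


def find_outliers(records: Iterable[Record], loc_min: float = 0.8, item_max: float = 0.1) -> List[tuple]:
    """Items seen on few endpoints inside locations seen on most endpoints.

    The location threshold is what makes the rule generic: a rare file in a rare
    vendor directory is just an uncommon install, not 'one of these things is
    not like the other'.
    """
    loc_prev, item_prev = prevalence(records)
    out = []
    for (kind, loc, name), p in item_prev.items():
        if p <= item_max and loc_prev[(kind, loc)] >= loc_min:
            out.append((kind, loc, name, p))
    return sorted(out)


def build_sample_inventory(n_endpoints: int = 20) -> List[Record]:
    """Constructed inventory: every host carries the common items; one host carries extras."""
    recs: List[Record] = []
    for i in range(1, n_endpoints + 1):
        ep = f"ep{i:02d}"
        recs.append((ep, "file", r"%COMMON_APPDATA%\Mozilla", "extensions.json"))
        recs.append((ep, "service", r"HKLM\SYSTEM\CurrentControlSet\Services", "Dnscache"))
    # Only ep07 carries a random-named .bin in the shared Mozilla directory and a new
    # service (both names are constructed for the example, not real Carbanak artifacts).
    recs.append(("ep07", "file", r"%COMMON_APPDATA%\Mozilla", "kx9q2e.bin"))
    recs.append(("ep07", "service", r"HKLM\SYSTEM\CurrentControlSet\Services", "UpdSvcHelper"))
    # ep03 has a vendor app in a directory few hosts have: rare item in a rare location, not flagged.
    recs.append(("ep03", "file", r"C:\Program Files\Acme", "acme.exe"))
    return recs


if __name__ == "__main__":
    for kind, loc, name, p in find_outliers(build_sample_inventory()):
        print(f"{kind:8} {p:.2f}  {loc}\\{name}")
```

Run against the constructed 20-endpoint inventory, only the .bin file and the new service on ep07 are reported; the vendor binary on ep03 is equally rare but sits in a directory almost nobody has, so it falls outside the rule.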
7. Suspect Signer
Excerpt: In order to render the malware less suspicious, the latest Carbanak samples are digitally signed.
Comment: Any suspect signer will be treated as suspicious. In one case the signer provided an anonymous gmail e-mail address, which does not inspire confidence, and the threat rating rises for that image. In other cases no email address is provided at all. Signers can be quickly tallied and a Pareto analysis carried out to distinguish the more trusted from the less trusted signers. If a less trusted signer is found in a more sensitive directory, that is highly suspicious.
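The Pareto analysis of signers, with the two follow-on checks the comment describes (a free-mail address in the signer and a less trusted signer in a sensitive directory), as an added Python example that is not Ziften's code. The signer tally, the 80% head share, the free-mail pattern and the sensitive-directory list are constructed assumptions; the sample signer names and paths are constructed too.

```python
import re
from collections import Counter
from typing import List, Set, Tuple

# Constructed heuristic generalizing the gmail case in the comment above.
FREEMAIL = re.compile(r"@(gmail|yahoo|hotmail|outlook)\.com\b", re.IGNORECASE)
SENSITIVE_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

Image = Tuple[str, str]   # (image path, signer subject as shown in the certificate)


def pareto_signers(images: List[Image], head_share: float = 0.8) -> Tuple[Set[str], Counter]:
    """Rank signers by image count; the signers that together cover `head_share`
    of all images form the 'more trusted' head, the long tail is 'less trusted'."""
    counts = Counter(signer for _, signer in images)
    total = sum(counts.values())
    trusted: Set[str] = set()
    cumulative = 0
    for signer, c in counts.most_common():
        cumulative += c
        trusted.add(signer)
        if cumulative / total >= head_share:
            break
    return trusted, counts


def _in_sensitive_dir(path: str) -> bool:
    directory = path.lower().rsplit("\\", 1)[0]
    return any(directory == d or directory.startswith(d + "\\") for d in SENSITIVE_DIRS)


def vet_images(images: List[Image], trusted: Set[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (path, signer, reasons) for images whose signer deserves a closer look."""
    findings = []
    for path, signer in images:
        reasons = []
        if FREEMAIL.search(signer):
            reasons.append("free-mail address in signer")
        if signer not in trusted and _in_sensitive_dir(path):
            reasons.append("less-trusted signer in sensitive directory")
        if reasons:
            findings.append((path, signer, reasons))
    return findings


def build_sample_images() -> List[Image]:
    """Constructed fleet-wide signer tally: a big Microsoft head and a small tail."""
    imgs: List[Image] = []
    imgs += [(rf"C:\Windows\System32\sys{i}.dll", "Microsoft Windows") for i in range(60)]
    imgs += [(rf"C:\Program Files\Microsoft Office\off{i}.dll", "Microsoft Corporation") for i in range(20)]
    imgs += [(rf"C:\Program Files\Adobe\ad{i}.dll", "Adobe Systems") for i in range(10)]
    imgs += [(rf"C:\Program Files\Google\g{i}.dll", "Google LLC") for i in range(6)]
    imgs += [(rf"C:\Program Files\Acme\acme{i}.exe", "Acme Corp") for i in range(2)]
    # A tail signer landing in System32, and a free-mail signer doing the same (constructed).
    imgs.append((r"C:\Windows\System32\acmesvc.exe", "Acme Corp"))
    imgs.append((r"C:\Windows\System32\upd.exe", "Sample Dev <sampledev@gmail.com>"))
    return imgs


if __name__ == "__main__":
    trusted, counts = pareto_signers(build_sample_images())
    print("trusted head:", sorted(trusted))
    for path, signer, why in vet_images(build_sample_images(), trusted):
        print(path, "|", signer, "|", why)
```

On the constructed tally the two Microsoft signers cover 80% of images and form the trusted head; Acme's binaries under Program Files pass, while the Acme binary and the gmail-signed binary under System32 are both reported, the latter for two reasons.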
8. Remote Administration Tools
Excerpt: There appears to be a preference for the Ammyy Admin remote administration tool for remote control. It is believed that the attackers utilized this remote administration tool since it is typically whitelisted in the victims’ environments as a result of being used frequently by administrators.
Comment: Remote admin tools (RATs) always raise suspicion, even when whitelisted by the organization. Anomaly checks determine whether each new use of a remote admin tool fits the established temporal and spatial patterns. RATs are prone to abuse. Hackers will always prefer to use an organization's own RATs so that they can avoid detection, so these tools should not be given a free pass simply because they are whitelisted.
9. Remote Login Patterns
Excerpt: Logs for these tools show that they were accessed from 2 different IPs, probably used by the attackers, and located in Ukraine and France.
Comment: Always treat remote logins with suspicion, since all hackers are presumed to be remote. Remote logins are also common in insider attacks, as the insider does not wish to be identified with the system. Remote addresses and time pattern anomalies would be checked, and this should reveal low prevalence use (relative to peer systems) plus any suspect geography.
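The remote-login checks from items 2, 8 and 9 (suspect geography, off-hours timing, and source addresses that are rare relative to peer systems) run over a few constructed connection-log lines in this added Python example. It is not Ziften code and the line format is invented; Ammyy Admin's real log format is not reproduced here. The GeoIP table uses RFC 5737 documentation addresses with made-up country assignments, and the home-country set, business-hours window and peer threshold are constructed baselines.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed log format for a remote admin tool's connection log.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+) tool=(?P<tool>\S+)$"
)

# Constructed GeoIP lookup over documentation ranges (countries are assumed, not real).
GEO = {"198.51.100.": "US", "203.0.113.": "UA", "192.0.2.": "FR"}

# Constructed sample log: three business-hours logins from the admin jump address,
# two off-hours logins to one workstation from foreign addresses, one malformed line.
SAMPLE_LOG = """
2015-02-11 09:15:02 host=ws-001 user=itadmin src=198.51.100.10 tool=ammyy
2015-02-11 10:40:31 host=ws-002 user=itadmin src=198.51.100.10 tool=ammyy
2015-02-11 14:05:19 host=ws-003 user=itadmin src=198.51.100.10 tool=ammyy
2015-02-11 03:12:44 host=ws-042 user=itadmin src=203.0.113.7 tool=ammyy
2015-02-12 23:40:08 host=ws-042 user=itadmin src=192.0.2.9 tool=ammyy
this line is deliberately malformed
""".strip().splitlines()


def geolocate(ip: str) -> str:
    for prefix, country in GEO.items():
        if ip.startswith(prefix):
            return country
    return "??"   # unknown geography is itself worth a look


def parse(lines: List[str]) -> List[Dict]:
    """Parse well-formed lines; skip malformed ones rather than failing the batch."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        ev["country"] = geolocate(ev["src"])
        events.append(ev)
    return events


def detect(lines: List[str], home_countries=frozenset({"US"}),
           work_hours=range(8, 19), peer_min: int = 3) -> List[Dict]:
    """Flag logins that are geographically, temporally, or prevalence-wise anomalous."""
    events = parse(lines)
    # Peer prevalence: how many distinct hosts each source address has reached.
    hosts_by_src = defaultdict(set)
    for ev in events:
        hosts_by_src[ev["src"]].add(ev["host"])
    alerts = []
    for ev in events:
        reasons = []
        if ev["country"] not in home_countries:
            reasons.append(f"geo:{ev['country']}")
        if ev["ts"].hour not in work_hours:
            reasons.append(f"hour:{ev['ts'].hour:02d}")
        if len(hosts_by_src[ev["src"]]) < peer_min:
            reasons.append(f"rare-src:{len(hosts_by_src[ev['src']])}-hosts")
        if reasons:
            alerts.append({"host": ev["host"], "src": ev["src"], "tool": ev["tool"],
                           "when": ev["ts"].isoformat(), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["when"], a["host"], a["src"], a["tool"], a["reasons"])
```

The three jump-host logins carry no reasons at all, while the two logins to ws-042 trip every check; a SIEM alarm built from the alert dict already carries the address, geography and time that the comment on item 2 says SOC triage needs.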
10. Atypical IT Tools
Excerpt: We have actually also discovered traces of various tools utilized by the hackers inside the victim’s network to gain control of additional systems, such as Metasploit, PsExec or Mimikatz.
Comment: Being sensitive apps, IT tools must always be checked for anomalies, because many hackers subvert them for malicious purposes. Metasploit could legitimately be used by a penetration tester or vulnerability researcher, but such instances would be uncommon. This is a prime example where an unusual-observation report, vetted by security personnel, would lead to corrective action. It also highlights the problem that blanket whitelisting hinders the recognition of suspicious activity.