Blog
Threat Finds
APT41 によるゼロデイ脆弱性悪用の検知
エグゼクティブサマリー
- Darktrace は 3 月上旬にいくつかの高度に標的を絞った攻撃を検知しました。これらが発生したのは 関連するシグネチャが利用可能になるかなり前でした。2 週間後、これらの攻撃は中国の攻撃アクター、APT41 によるものであることがわかりました。
- APT41 は Zoho ManageEngine のゼロデイ脆弱性、CVE-2020-10189 を悪用しました。Darktrace はこれらの攻撃の最も早い段階で自動的に検知しレポートを生成したため、顧客は影響を受ける前に脅威を封じ込めることができました。
- 本稿で解説する侵入の事例は、CVE-2020-10189 により発生した侵入の機会を利用し、その期間中にできるだけ多数の企業に対して最初のアクセスを得ようとした APT41 による広範な作戦の一部で した。
- Darktrace が生成したレポートは、インシデントのあらゆる側面を意味のあるセキュリティ解説として明確に描き出していました。経験の浅い対応者であっても、この出力結果をレビューすることにより、このゼロデイ APT 攻撃に対して 5分以内に対処することができたはずです。
APT41 による世界規模の攻撃に対抗
3月上旬、Darktraceは米国とヨーロッパの顧客を標的としたいくつかの高度な攻撃を検知しました。これらの大 半は法律分野の顧客でした。攻撃の戦術、技術および手順(TTP:Techniques, Tools & Procedures)は 共通しており、外部公開サーバーを標的とし、影響の大きな脆弱性を悪用したものでした。先週、FireEyeは この疑わしいアクティビティを中国のサイバースパイ活動集団APT41に起因するものとしています。
この攻撃は Zoho ManageEngine のゼロデイ脆弱性であるCVE-2020-10189を使用してさまざまな企業へのアクセスを獲得しましたが 、最初の侵入以後フォローアップの動作はほとんどあるいはまったく検知されませんでした。このアクティビティは、ゼロデイ脆弱性が利用できる期間にできる限り、多数の標的企業に対して最初のアクセスを得ようとする、広範な作戦であったことを示しています。
Darktrace は 2020 年 3 月 8 日日曜日午前中(UTC)に悪意あるアクティビティを観測しましたが、これは以前中国のサイバースパイ活動集団 APT41 によるものとされた攻撃とほぼ活動時間が一致していました。
以下のグラフは、APT41に標的にされた顧客の1社で見られた攻撃のタイムライン例です。他の顧客の環境で観測された攻撃もこれと同様のタイムラインでした。
技術分析
ここで説明されている攻撃は、Zoho ManageEngineのゼロデイ脆弱性、CVE-2020-10189を狙ったものです。ほとんどの攻撃 は自動化されているものと思われました。
最初の侵入と、それに続くいくつかのペイロードダウンロード、そしてコマンド&コントロール(C2)トラフィックを観測しました。すべてのケースにおいて、これらのアクティビティはラテラルムーブメントやデータ持ち出しなど、攻撃ライフサイクル後期のステップが見られる前に封じ込められました。
以下のスクリーンショットはCyber AI Analystでレポートされた主な検知結果です。SSLおよびHTTPのC2トラ フィックに関するレポートだけでなく、ペイロードのダウンロードについてもレポートしています:
最初の侵入
最初の侵入は、Zoho ManageEngine のゼロデイ脆弱性、CVE-2020-10189 の悪用に成功したところから始まりました。侵入後、Microsoft BITSAdmin コマンドラインツールが使われ、以下の悪意あるバッチファイルが フェッチおよびインストールされました:
インフラストラクチャ 66.42.98[.]220 の 12345 ポートからの install.bat (MD5: 7966c2c546b71e800397a67f942858d0)
Source: 10.60.50.XX
Destination: 66.42.98[.]220
Destination Port: 12345
Content Type: application/x-msdownload
Protocol: HTTP
Host: 66.42.98[.]220
URI: /test/install.bat
Method: GET
Status Code: 200
図4: バッチファイルをフェッチする送信接続
最初の侵入後まもなく、第一段階のCobalt Strike Beacon LOADERがダウンロードされました。
コマンド&コントロールトラフィック
興味深いことに、TeamViewerのアクティビティとNotepad++のダウンロードは、いくつかの顧客攻撃でC2トラフィックが開始されるのと同時に行われていました。これは、APT41が完全に環境寄生型攻撃(Living off the Land)を実行するのではなく、使い慣れたツールを使用しようとしていることを示しています。
Storesyncsvc.dll は exchange.dumb1[.]com に接続する Cobalt Strike BEACON インプラント(トライアル版)です。74.82.201[.]8 に対する DNS 解決の成功が観測され、Darktrace はこれを Dynamic DNS プロパティを使ったホスト名への SSL 接続の成功と判別しました。
exchange.dumb1[.]com への複数回の接続は、C2センターへのビーコニングであると識別されました。最初のCobalt Strike BEACONへのこのC2トラフィックを使って、第二段階のペイロードがダウンロードされました。
興味深いことに、一部の顧客への攻撃ではC2トラフィックの開始と同じタイミングでTeamviewerアクティビティと Notepad++ のダウンロードも行われていました。これはAPT41が環境寄生型での攻撃ではなく、馴染みのあるツールを使おうとしていたことを示すものです。少なくとも、これら2つのツールが使用されたことは、通常のビジネス活動ではなく侵入によるものである可能性が高いということです。Notepad++は標的となった顧客の環境では 通常使われていませんでした。Teamviewer についても然りです。事実、これらのアプリケーションの使用はどち らも標的となった組織にとって100%通常とは異なるアクティビティでした。
攻撃ツールのダウンロード
その後、Certificate Servicesの一部としてインストールされるCertUtil.exeコマンドラインプログラムを利用して 外部への接続が行われ、第二段階のペイロードがダウンロードされました。
図6: DarktraceはCertUtilの使用を検知
この実行形式がダウンロードされた1-2時間後、感染したデバイスが送信HTTP接続を行いURI/TzGGを要求しました。これはMeterpreterがCobalt Strike Beaconのためにさらにシェルコードをダウンロードしているものと識別されました。
Cyber AI Analyst がゼロデイエクスプロイトをどのようにレポートしたか
Darktraceはゼロデイ攻撃作戦を検知しただけではなく、Cyber AI Analystにより個々のイベントを調査しレポ ートを生成したため、セキュリティチームは即座にアクションを取る準備ができ、貴重な時間を稼ぐことができまし た。
以下のスクリーンショットは、ある感染した環境において、侵入された8日間にわたってCyber AI Analystが検知 したインシデントのレポートです。左端に表示されている最初のインシデントは、本稿で解説しているAPTアクティ ビティです。他の5つのインシデントはAPTアクティビティとは関係のない、それほど深刻でないインシデントです。
Cyber AI Analystは8日間に合計6件のインシデントをレポートしました。Cyber AI Analystでレポートされた各インシデントに対しては、詳細なタイムラインとインシデントのサマリーが簡潔な形式でまとめられているため、平均2分程度でレビューすることが可能です。つまり、Cyber AI Analystを使用することにより、技術を専門としな い人であっても、このような洗練されたゼロデイインシデントに対して5分以内に対応策を実行することができたということです。
結論
公開されている侵害インジケータ(IoC: Indicators of Compromise)やオープンソースのインテリジェンスが存在しない場合、標的型攻撃はきわめて検知が困難になります。さらに、最高レベルの検知を行っても早期段階 でセキュリティアナリストによるアクションがとれなければ意味がありません。圧倒されるような大量のアラートが生成されてしまう、あるいはトリアージと調査を行うためのスキルの障壁が高すぎる、などの理由から、あまりにも多くのケースでこうした問題が発生しています。
今回の事例は、APT41が多数のさまざまな企業および業種に対して最初のアクセスを得ようとした広範な作戦とみられます。非常に高度な性質を持っていましたが、APT41は多数の企業を同時に標的とすることで、速度を優先してステルス性を犠牲にしたのです。APT41はZohoゼロデイがもたらした限られた好機を、ITスタッフがパ ッチの適用を開始する前に利用したかったのです。
DarktraceのCyber AIは、標的型の未知の攻撃を示すかすかな兆候を、過去の知識やIoCに頼ることなく早 い段階で検知できるよう特に設計されています。これは、あらゆるユーザー、デバイス、および関連するグループの通常の動作パターンを、ゼロから「オンザジョブ」で継続的に学習することにより実現されます。
APT41による最近のゼロデイ攻撃作戦に際して、(a) 自己学習AIにより未知の脅威を検知する能力、および (b) AIによる調査とレポートにより人手不足の対応チームを補強できることがきわめて重要であることが証明されました。事実、Cyber AIにより攻撃がライフサイクルの後段にエスカレートする前に、迅速に封じ込めることがで きました。
侵害インジケータ
Darktraceでのモデル違反の種類
- Anomalous File / Script from Rare External
- Anomalous File / EXE from Rare External Location
- Compromise / SSL to DynDNS
- Compliance / CertUtil External Connection
- Anomalous Connection / CertUtil Requesting Non Certificate
- Anomalous Connection / CertUtil to Rare Destination
- Anomalous Connection / New User-Agent to IP Without Hostname
- Device / Initial Breach Chain Compromise
- Compromise / Slow Beaconing Activity To External Rare
- Compromise / Beaconing Activity To External Rare
- Anomalous File / Numeric Exe Download
- Device / Large Number of Model Breaches
- Anomalous Server Activity / Rare External from Server
- Compromise / Sustained TCP Beaconing Activity To Rare Endpoint
- Compliance / Remote Management Tool On Server
以下のスクリーンショットは、ある顧客への侵入インシデント発生時に同時に発生していたDarktraceモデル違反を表示しています。
Like this and want more?
More in this series
Blog
Inside the SOC
ViperSoftX: How Darktrace Uncovered A Venomous Intrusion
Fighting Info-Stealing Malware
The escalating threat posed by information-stealing malware designed to harvest and steal the sensitive data of individuals and organizations alike has become a paramount concern for security teams across the threat landscape. In direct response to security teams improving their threat detection and prevention capabilities, threat actors are forced to continually adapt and advance their techniques, striving for greater sophistication to ensure they can achieve the malicious goals.
What is ViperSoftX?
ViperSoftX is an information stealer and Remote Access Trojan (RAT) malware known to steal privileged information such as cryptocurrency wallet addresses and password information stored in browsers and password managers. It is commonly distributed via the download of cracked software from multiple sources such as suspicious domains, torrent downloads, and key generators (keygens) from third-party sites.
ViperSoftX was first observed in the wild in 2020 [1] but more recently, new strains were identified in 2022 and 2023 utilizing more sophisticated detection evasion techniques, making it more difficult for security teams to identify and analyze. This includes using more advanced encryption methods alongside monthly changes to command-and-control servers (C2) [2], using dynamic-link library (DLL) sideloading for execution techiques, and subsequently loading a malicious browser extension upon infection which works as an independent info-stealer named VenomSoftX [3].
Between February and June 2023, Darktrace detected activity related to the VipersoftX and VenomSoftX information stealers on the networks of more than 100 customers across its fleet. Darktrace DETECT™ was able to successfully identify the anomalous network activity surrounding these emerging information stealer infections and bring them to the attention of the customers, while Darktrace RESPOND™, when enabled in autonomous response mode, was able to quickly intervene and shut down malicious downloads and data exfiltration attempts.
ViperSoftX Attack & Darktrace Coverage
In cases of ViperSoftX information stealer activity observed by Darktrace, the initial infection was caused through the download of malicious files from multimedia sites, endpoints of cracked software like Adobe Illustrator, and torrent sites. Endpoint users typically unknowingly download the malware from these endpoints with a sideloaded DLL, posing as legitimate software executables.
Darktrace detected multiple downloads from such multimedia sites and endpoints related to cracked software and BitTorrent, which were likely representative of the initial source of ViperSoftX infection. Darktrace DETECT models such as ‘Anomalous File / Anomalous Octet Stream (No User Agent)’ breached in response to this activity and were brought to the immediate attention of customer security teams. In instances where Darktrace RESPOND was configured in autonomous response mode, Darktrace was able to enforce a pattern of life on offending devices, preventing them from downloading malicious files. This ensures that devices are limited to conducting only their pre-established expected activit, minimizing disruption to the business whilst targetedly mitigating suspicious file downloads.
The downloads are then extracted, decrypted and begin to run on the device. The now compromised device will then proceed to make external connections to C2 servers to retrieve secondary PowerShell executable. Darktrace identified that infected devices using PowerShell user agents whilst making HTTP GET requests to domain generation algorithm (DGA) ViperSoftX domains represented new, and therefore unusual, activity in a large number of cases.
For example, Darktrace detected one customer device making an HTTP GET request to the endpoint ‘chatgigi2[.]com’, using the PowerShell user agent ‘Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2364’. This new activity triggered a number of DETECT models, including ‘Anomalous Connection / PowerShell to Rare External’ and ‘Device / New PowerShell User Agent’. Repeated connections to these endpoints also triggered C2 beaconing models including:
- Compromise / Agent Beacon (Short Period)
- Compromise / Agent Beacon (Medium Period)
- Compromise / Agent Beacon (Long Period)
- Compromise / Quick and Regular Windows HTTP Beaconing
- Compromise / SSL or HTTP Beacon
Although a large number of different DGA domains were detected, commonalities in URI formats were seen across affected customers which matched formats previously identified as ViperSoftX C2 communication by open-source intelligence (OSINT), and in other Darktrace investigations.
URI paths for example, were always of the format /api/, /api/v1/, /v2/, or /v3/, appearing to detail version number, as can be seen in Figure 1.
Before the secondary PowerShell executables are loaded, ViperSoftX takes a digital fingerprint of the infected machine to gather its configuration details, and exfiltrates them to the C2 server. These include the computer name, username, Operating System (OS), and ensures there are no anti-virus or montoring tools on the device. If no security tool are detected, ViperSoftX then downloads, decrypts and executes the PowerShell file.
Following the GET requests Darktrace observed numerous devices performing HTTP POST requests and beaconing connections to ViperSoftX endpoints with varying globally unique identifiers (GUIDs) within the URIs. These connections represented the exfiltration of device configuration details, such as “anti-virus detected”, “app used”, and “device name”. As seen on another customer’s deployment, this caused the model ‘Anomalous Connection / Multiple HTTP POSTs to Rare Hostname’ to breach, which was also detected by Cyber AI Analyst as seen in Figure 2.
The malicious PowerShell download then crawls the infected device’s systems and directories looking for any cryptocurrency wallet information and password managers, and exfiltrates harvest data to the C2 infrastructure. The C2 server then provides further browser extensions to Chromium browsers to be downloaded and act as a separate stand-alone information stealer, also known as VenomSoftX.
Similar to the initial download of ViperSoftX, these malicious extensions are disguised as legitimate browser extensions to evade the detection of security teams. VenomSoft X, in turn, searches through and attempts to gather sensitive data from password managers and crypto wallets stored in user browsers. Using this information, VenomSoftX is able to redirect crypocurrency transactions by intercepting and manipulating API requests between the sender and the intended recipient, directing the cryptocurrency to the attacker instead [3].
Following investigation into VipersoftX activity across the customer base, Darktrace notified all affected customers and opened Ask the Expert (ATE) tickets through which customer’s could directly contact the analyst team for support and guidance in the face on the information stealer infection.
攻撃は他のセキュリティスタックをどのようにすり抜けたか?
As previously mentioned, both the initial download of ViperSoftX and the subsequent download of the VenomX browser extension are disguised as legitimate software or browser downloads. This is a common technique employed by threat actors to infect target devices with malicious software, while going unnoticed by security teams traditional security measures. Furthermore, by masquerading as a legitimate piece of software endpoint users are more likely to trust and therefore download the malware, increasing the likelihood of threat actor’s successfully carrying out their objectives. Additionally, post-infection analysis of shellcode, the executable code used as the payload, is made significantly more difficult by VenomSoftX’s use of bytemapping. Bytemapping prevents the encryption of shellcodes without its corresponding byte map, meaning that the payloads cannot easily be decrypted and analysed by security researchers. [3]
ViperSoftX also takes numerous attempts to prevent their C2 infrastructure from being identified by blocking access to it on browsers, and using multiple DGA domains, thus renderring defunct traditional security measures that rely on threat intelligence and static lists of indicators of compromise (IoCs).
Fortunately for Darktrace customers, Darktrace’s anomaly-based approach to threat detection means that it was able to detect and alert customers to this suspicious activity that may have gone unnoticed by other security tools.
Insights/Conclusion
Faced with the challenge of increasingly competent and capable security teams, malicious actors are having to adopt more sophisticated techniques to successfully compromise target systems and achieve their nefarious goals.
ViperSoftX information stealer makes use of numerous tactics, techniques and procedures (TTPs) designed to fly under the radar and carry out their objectives without being detected. ViperSoftX does not rely on just one information stealing malware, but two with the subsequent injection of the VenomSoftX browser extension, adding an additional layer of sophistication to the informational stealing operation and increasing the potential yield of sensitive data. Furthermore, the use of evasion techniques like disguising malicious file downloads as legitimate software and frequently changing DGA domains means that ViperSoftX is well equipped to infiltrate target systems and exfiltrate confidential information without being detected.
However, the anomaly-based detection capabilities of Darktrace DETECT allows it to identify subtle changes in a device’s behavior, that could be indicative of an emerging compromise, and bring it to the customer’s security team. Darktrace RESPOND is then autonomously able to take action against suspicious activity and shut it down without latency, minimizing disruption to the business and preventing potentially significant financial losses.
Credit to: Zoe Tilsiter, Senior Cyber Analyst, Nathan Lorenzo, Cyber Analyst.
付録
参考文献
[1] https://www.fortinet.com/blog/threat-research/vipersoftx-new-javascript-threat
[2] https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html
[3] https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/
Darktrace DETECT Model Detections
· Anomalous File / Anomalous Octet Stream (No User Agent)
· Anomalous Connection / PowerShell to Rare External
· Anomalous Connection / Multiple HTTP POSTs to Rare Hostname
· Anomalous Connection / Lots of New Connections
· Anomalous Connection / Multiple Failed Connections to Rare Endpoint
· Anomalous Server Activity / Outgoing from Server
· Compromise / Large DNS Volume for Suspicious Domain
· Compromise / Quick and Regular Windows HTTP Beaconing
· Compromise / Beacon for 4 Days
· Compromise / Suspicious Beaconing Behaviour
· Compromise / Large Number of Suspicious Failed Connections
· Compromise / Large Number of Suspicious Successful Connections
· Compromise / POST and Beacon to Rare External
· Compromise / DGA Beacon
· Compromise / Agent Beacon (Long Period)
· Compromise / Agent Beacon (Medium Period)
· Compromise / Agent Beacon (Short Period)
· Compromise / Fast Beaconing to DGA
· Compromise / SSL or HTTP Beacon
· Compromise / Slow Beaconing Activity To External Rare
· Compromise / Beaconing Activity To External Rare
· Compromise / Excessive Posts to Root
· Compromise / Connections with Suspicious DNS
· Compromise / HTTP Beaconing to Rare Destination
· Compromise / High Volume of Connections with Beacon Score
· Compromise / Sustained SSL or HTTP Increase
· Device / New PowerShell User Agent
· Device / New User Agent and New IP
Darktrace RESPOND Model Detections
· Antigena / Network / External Threat / Antigena Suspicious File Block
· Antigena / Network / External Threat / Antigena File then New Outbound Block
· Antigena / Network / External Threat / Antigena Watched Domain Block
· Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block
· Antigena / Network / External Threat / Antigena Suspicious Activity Block
· Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block
· Antigena / Network / Insider Threat / Antigena Large Data Volume Outbound Block
· Antigena / Network / External Threat / Antigena Suspicious File Pattern of Life Block
· Antigena / Network / Significant Anomaly / Antigena Controlled and Model Breach
IoC一覧
Indicator - Type - Description
ahoravideo-blog[.]com - Hostname - ViperSoftX C2 endpoint
ahoravideo-blog[.]xyz - Hostname - ViperSoftX C2 endpoint
ahoravideo-cdn[.]com - Hostname - ViperSoftX C2 endpoint
ahoravideo-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint
ahoravideo-chat[.]com - Hostname - ViperSoftX C2 endpoint
ahoravideo-chat[.]xyz - Hostname - ViperSoftX C2 endpoint
ahoravideo-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint
ahoravideo-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint
ahoravideo-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint
apibilng[.]com - Hostname - ViperSoftX C2 endpoint
arrowlchat[.]com - Hostname - ViperSoftX C2 endpoint
bideo-blog[.]com - Hostname - ViperSoftX C2 endpoint
bideo-blog[.]xyz - Hostname - ViperSoftX C2 endpoint
bideo-cdn[.]com - Hostname - ViperSoftX C2 endpoint
bideo-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint
bideo-chat[.]com - Hostname - ViperSoftX C2 endpoint
bideo-chat[.]xyz - Hostname - ViperSoftX C2 endpoint
bideo-endpoint[.]com - Hostname - ViperSoftX C2 endpoint
bideo-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint
bideo-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint
chatgigi2[.]com - Hostname - ViperSoftX C2 endpoint
counter[.]wmail-service[.]com - Hostname - ViperSoftX C2 endpoint
fairu-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint
fairu-chat[.]xyz - Hostname - ViperSoftX C2 endpoint
fairu-endpoint[.]com - Hostname - ViperSoftX C2 endpoint
fairu-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint
fairu-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint
privatproxy-blog[.]com - Hostname - ViperSoftX C2 endpoint
privatproxy-blog[.]xyz - Hostname - ViperSoftX C2 endpoint
privatproxy-cdn[.]com - Hostname - ViperSoftX C2 endpoint
privatproxy-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint
privatproxy-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint
privatproxy-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint
privatproxy-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint
static-cdn-349[.]net - Hostname - ViperSoftX C2 endpoint
wmail-blog[.]com - Hostname - ViperSoftX C2 endpoint
wmail-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint
wmail-chat[.]com - Hostname - ViperSoftX C2 endpoint
wmail-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint
wmail-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2364 - User Agent -PowerShell User Agent
MITRE ATT&CK マッピング
Tactic - Technique - Notes
Command and Control - T1568.002 Dynamic Resolution: Domain Generation Algorithms
Command and Control - T1321 Data Encoding
Credential Access - T1555.005 Credentials from Password Stores: Password Managers
Defense Evasion - T1027 Obfuscated Files or Information
Execution - T1059.001 Command and Scripting Interpreter: PowerShell
Execution - T1204 User Execution T1204.002 Malicious File
Persistence - T1176 Browser Extensions - VenomSoftX specific
Persistence, Privilege Escalation, Defense Evasion - T1574.002 Hijack Execution Flow: DLL Side-Loading
Blog
Inside the SOC
Protecting Prospects: How Darktrace Detected an Account Hijack Within Days of Deployment
Cloud Migration Expanding the Attack Surface
Cloud migration is here to stay – accelerated by pandemic lockdowns, there has been an ongoing increase in the use of public cloud services, and Gartner has forecasted worldwide public cloud spending to grow around 20%, or by almost USD 600 billion [1], in 2023. With more and more organizations utilizing cloud services and moving their operations to the cloud, there has also been a corresponding shift in malicious activity targeting cloud-based software and services, including Microsoft 365, a prominent and oft-used Software-as-a-Service (SaaS).
With the adoption and implementation of more SaaS products, the overall attack surface of an organization increases – this gives malicious actors additional opportunities to exploit and compromise a network, necessitating proper controls to be in place. This increased attack surface can leave organization’s open to cyber risks like cloud misconfigurations, supply chain attacks and zero-day vulnerabilities [2]. In order to achieve full visibility over cloud activity and prevent SaaS compromise, it is paramount for security teams to deploy sophisticated security measures that are able to learn an organization’s SaaS environment and detect suspicious activity at the earliest stage.
Darktrace Immediately Detects Hijacked Account
In May 2023, Darktrace observed a chain of suspicious SaaS activity on the network of a customer who was about to begin their trial of Darktrace/Cloud™ and Darktrace/Email™. Despite being deployed on the network for less than a week, Darktrace DETECT™ recognized that the legitimate SaaS account, belonging to an executive at the organization, had been hijacked. Darktrace/Email was able to provide full visibility over inbound and outbound mail and identified that the compromised account was subsequently used to launch an internal spear-phishing campaign.
If Darktrace RESPOND™ were enabled in autonomous response mode at the time of this compromise, it would have been able to take swift preventative action to disrupt the account compromise and prevent the ensuing phishing attack.
Account Hijack Attack Overview
Unusual External Sources for SaaS Credentials
On May 9, 2023, Darktrace DETECT/Cloud detected the first in a series of anomalous activities performed by a Microsoft 365 user account that was indicative of compromise, namely a failed login from an external IP address located in Virginia.
Just a few minutes later, Darktrace observed the same user credential being used to successfully login from the same unusual IP address, with multi-factor authentication (MFA) requirements satisfied.
A few hours after this, the user credential was once again used to login from a different city in the state of Virginia, with MFA requirements successfully met again. Around the time of this activity, the SaaS user account was also observed previewing various business-related files hosted on Microsoft SharePoint, behavior that, taken in isolation, did not appear to be out of the ordinary and could have represented legitimate activity.
The following day, May 10, however, there were additional login attempts observed from two different states within the US, namely Texas and Florida. Darktrace understood that this activity was extremely suspicious, as it was highly improbable that the legitimate user would be able to travel over 2,500 miles in such a short period of time. Both login attempts were successful and passed MFA requirements, suggesting that the malicious actor was employing techniques to bypass MFA. Such MFA bypass techniques could include inserting malicious infrastructure between the user and the application and intercepting user credentials and tokens, or by compromising browser cookies to bypass authentication controls [3]. There have also been high-profile cases in the recent years of legitimate users mistakenly (and perhaps even instinctively) accepting MFA prompts on their token or mobile device, believing it to be a legitimate process despite not having performed the login themselves.
New Email Rule
On the evening of May 10, following the successful logins from multiple US states, Darktrace observed the Microsoft 365 user creating a new inbox rule, named “.’, in Microsoft Outlook from an IP located in Florida. Threat actors are often observed naming new email rules with single characters, likely to evade detection, but also for the sake of expediency so as to not expend any additional time creating meaningful labels.
In this case the newly created email rules included several suspicious properties, including ‘AlwaysDeleteOutlookRulesBlob’, ‘StopProcessingRules’ and “MoveToFolder”.
Firstly, ‘AlwaysDeleteOutlookRulesBlob’ suppresses or hides warning messages that typically appear if modifications to email rules are made [4]. In this case, it is likely the malicious actor was attempting to implement this property to obfuscate the creation of new email rules.
The ‘StopProcessingRules’ rule meant that any subsequent email rules created by the legitimate user would be overridden by the email rule created by the malicious actor [5]. Finally, the implementation of “MoveToFolder” would allow the malicious actor to automatically move all outgoing emails from the “Sent” folder to the “Deleted Items” folder, for example, further obfuscating their malicious activities [6]. The utilization of these email rule properties is frequently observed during account hijackings as it allows attackers to delete and/or forward key emails, delete evidence of exploitation and launch phishing campaigns [7].
In this incident, the new email rule would likely have enabled the malicious actor to evade the detection of traditional security measures and achieve greater persistence using the Microsoft 365 account.
Account Update
A few hours after the creation of the new email rule, Darktrace observed the threat actor successfully changing the Microsoft 365 user’s account password, this time from a new IP address in Texas. As a result of this action, the attacker would have locked out the legitimate user, effectively gaining full access over the SaaS account.
Phishing Emails
The compromised SaaS account was then observed sending a high volume of suspicious emails to both internal and external email addresses. Darktrace was able to identify that the emails attempting to impersonate the legitimate service DocuSign and contained a malicious link prompting users to click on the text “Review Document”. Upon clicking this link, users would be redirected to a site hosted on Adobe Express, namely hxxps://express.adobe[.]com/page/A9ZKVObdXhN4p/.
Adobe Express is a free service that allows users to create web pages which can be hosted and shared publicly; it is likely that the threat actor here leveraged the service to use in their phishing campaign. When clicked, such links could result in a device unwittingly downloading malware hosted on the site, or direct unsuspecting users to a spoofed login page attempting to harvest user credentials by imitating legitimate companies like Microsoft.
The malicious site hosted on Adobe Express was subsequently taken down by Adobe, possibly in response to user reports of maliciousness. Unfortunately though, platforms like this that offer free webhosting services can easily and repeatedly be abused by malicious actors. Simply by creating new pages hosted on different IP addresses, actors are able to continue to carry out such phishing attacks against unsuspecting users.
In addition to the suspicious SaaS and email activity that took place between May 9 and May 10, Darktrace/Email also detected the compromised account sending and receiving suspicious emails starting on May 4, just two days after Darktrace’s initial deployment on the customer’s environment. It is probable that the SaaS account was compromised around this time, or even prior to Darktrace’s deployment on May 2, likely via a phishing and credential harvesting campaign similar to the one detailed above.
Darktrace のカバレッジ
As the customer was soon to begin their trial period, Darktrace RESPOND was set in “human confirmation” mode, meaning that any preventative RESPOND actions required manual application by the customer’s security team.
If Darktrace RESPOND had been enabled in autonomous response mode during this incident, it would have taken swift mitigative action by logging the suspicious user out of the SaaS account and disabling the account for a defined period of time, in doing so disrupting the attack at the earliest possible stage and giving the customer the necessary time to perform remediation steps. As it was, however, these RESPOND actions were suggested to the customer’s security team for them to manually apply.
Nevertheless, with Darktrace DETECT/Cloud in place, visibility over the anomalous cloud-based activities was significantly increased, enabling the swift identification of the chain of suspicious activities involved in this compromise.
In this case, the prospective customer reached out to Darktrace directly through the Ask the Expert (ATE) service. Darktrace’s expert analyst team then conducted a timely and comprehensive investigation into the suspicious activity surrounding this SaaS compromise, and shared these findings with the customer’s security team.
結論
Ultimately, this example of SaaS account compromise highlights Darktrace’s unique ability to learn an organization’s digital environment and recognize activity that is deemed to be unexpected, within a matter of days.
Due to the lack of obvious or known indicators of compromise (IoCs) associated with the malicious activity in this incident, this account hijack would likely have gone unnoticed by traditional security tools that rely on a rules and signatures-based approach to threat detection. However, Darktrace’s Self-Learning AI enables it to detect the subtle deviations in a device’s behavior that could be indicative of an ongoing compromise.
Despite being newly deployed on a prospective customer’s network, Darktrace DETECT was able to identify unusual login attempts from geographically improbable locations, suspicious email rule updates, password changes, as well as the subsequent mounting of a phishing campaign, all before the customer’s trial of Darktrace had even begun.
When enabled in autonomous response mode, Darktrace RESPOND would be able to take swift preventative action against such activity as soon as it is detected, effectively shutting down the compromise and mitigating any subsequent phishing attacks.
With the full deployment of Darktrace’s suite of products, including Darktrace/Cloud and Darktrace/Email, customers can rest assured their critical data and systems are protected, even in the case of hybrid and multi-cloud environments.
Credit: Samuel Wee, Senior Analyst Consultant & Model Developer
付録
参考文献
[2] https://www.upguard.com/blog/saas-security-risks
[4] https://learn.microsoft.com/en-us/powershell/module/exchange/disable-inboxrule?view=exchange-ps
[7] https://blog.knowbe4.com/check-your-email-rules-for-maliciousness
Darktraceによるモデル検知
Darktrace DETECT/Cloud and RESPOND Models Breached:
SaaS / Access / Unusual External Source for SaaS Credential Use
SaaS / Unusual Activity / Multiple Unusual External Sources for SaaS Credential
Antigena / SaaS / Antigena Unusual Activity Block (RESPOND Model)
SaaS / Compliance / New Email Rule
Antigena / SaaS / Antigena Significant Compliance Activity Block
SaaS / Compromise / Unusual Login and New Email Rule (Enhanced Monitoring Model)
Antigena / SaaS / Antigena Suspicious SaaS Activity Block (RESPOND Model)
SaaS / Compromise / SaaS Anomaly Following Anomalous Login (Enhanced Monitoring Model)
SaaS / Compromise / Unusual Login and Account Update
Antigena / SaaS / Antigena Suspicious SaaS Activity Block (RESPOND Model)
IoC – Type – Description & Confidence
hxxps://express.adobe[.]com/page/A9ZKVObdXhN4p/ - Domain – Probable Phishing Page (Now Defunct)
37.19.221[.]142 – IP Address – Unusual Login Source
35.174.4[.]92 – IP Address – Unusual Login Source
MITRE ATT&CK マッピング
Tactic - Techniques
INITIAL ACCESS, PRIVILEGE ESCALATION, DEFENSE EVASION, PERSISTENCE
T1078.004 – Cloud Accounts
探索
T1538 – Cloud Service Dashboards
CREDENTIAL ACCESS
T1539 – Steal Web Session Cookie
RESOURCE DEVELOPMENT
T1586 – Compromise Accounts
PERSISTENCE
T1137.005 – Outlook Rules
