Blog

Threat Finds

Catching APT41 exploiting a zero-day vulnerability

Catching APT41 exploiting a zero-day vulnerabilityDefault blog imageDefault blog image
02
Apr 2020
02
Apr 2020

Executive summary

  • Darktrace detected several highly targeted attacks in early March, well before any associated signatures had become available. Two weeks later, the attacks were attributed to Chinese threat-actor APT41.
  • APT41 exploited the Zoho ManageEngine zero-day vulnerability CVE-2020-10189. Darktrace automatically detected and reported on the attack in its earliest stages, enabling customers to contain the threat before it could make an impact.
  • The intrusions described here were part of a wider campaign by APT41 aiming to gain initial access to as many companies as possible during the window of opportunity presented by CVE-2020-10189.
  • The reports generated by Darktrace highlighted and delineated every aspect of the incident in the form of a meaningful security narrative. Even a junior responder could have reviewed this output and acted on this zero-day APT attack in under 5 minutes.

Fighting APT41’s global attack

In early March, Darktrace detected several advanced attacks targeting customers in the US and Europe. A majority of these customers are in the legal sector. The attacks shared the same Techniques, Tools & Procedures (TTPs), targeting public-facing servers and exploiting recent high-impact vulnerabilities. Last week, FireEye attributed this suspicious activity to the Chinese cyber espionage group APT41.

This campaign used the Zoho ManageEngine zero-day vulnerability CVE-2020-10189 to get access to various companies, but little to no follow-up was detected after initial intrusion. This activity indicates a broad-brush campaign to get initial access to as many target companies as possible during the zero-day window of opportunity.

The malicious activity observed by Darktrace took place late on Sunday March 8, 2020 and in the morning of March 9, 2020 (UTC), broadly in line with office hours previously attributed to the Chinese cyber espionage group APT41.

The graphic below shows an exemplary timeline from one of the customers targeted by APT41. The attacks observed in other customer environments are identical.

Figure 1: A timeline of the attack

Technical analysis

The attack described here centered around the Zoho ManageEngine zero-day vulnerability CVE-2020-10189. Most of the attack appears to have been automated.

We observed the initial intrusion, several follow-up payload downloads, and command and control (C2) traffic. In all cases, the activity was contained before any later steps in the attack lifecycle, such as lateral movement or data exfiltration, were identified.

The below screenshot shows an overview of the key AI Analyst detections reported. Not only did it report on the SSL and HTTP C2 traffic, but it also reported on the payload downloads:

Figure 2: SSL C2 detection by Cyber AI Analyst

Figure 3: Payload detection by Cyber AI Analyst

Initial compromise

The initial compromise began with the successful exploitation of the Zoho ManageEngine zero-day vulnerability CVE-2020-10189. Following the initial intrusion, the Microsoft BITSAdmin command line tool was used to fetch and install a malicious Batch file, described below:

install.bat (MD5: 7966c2c546b71e800397a67f942858d0) from infrastructure 66.42.98[.]220 on port 12345.

Source: 10.60.50.XX
Destination: 66.42.98[.]220
Destination Port: 12345
Content Type: application/x-msdownload
Protocol: HTTP
Host: 66.42.98[.]220
URI: /test/install.bat
Method: GET
Status Code: 200

Figure 4: Outbound connection fetching batch file

Shortly after the initial compromise, the first stage Cobalt Strike Beacon LOADER was downloaded.

Figure 5: Detection of the Cobalt Strike Beacon LOADER

Command and Control traffic

Interestingly, TeamViewer activity and the download of Notepad++ was taking place at the same time as the C2 traffic was starting in some of the customer attacks. This indicates APT41 trying to use familiar tools instead of completely ‘Living off the Land’.

Storesyncsvc.dll was a Cobalt Strike Beacon implant (trial-version) which connected to exchange.dumb1[.]com. A successful DNS resolution to 74.82.201[.]8 was identified, which Darktrace discerned as a successful SSL connection to a hostname with Dynamic DNS properties.

Multiple connections to exchange.dumb1[.]com were identified as beaconing to a C2 center. This C2 traffic to the initial Cobalt Strike Beacon was leveraged to download a second stage payload.

Interestingly, TeamViewer activity and the download of Notepad++ was taking place at the same time as the C2 traffic was starting in some of the customer attacks. This indicates APT41 trying to use familiar tools instead of completely ‘Living off the Land’. There is at least high certainty that the use of these two tools can be attributed to this intrusion instead of regular business activity. Notepad++ was not normally used in the target customers’ environments, nor was TeamViewer – in fact, the use of both applications was 100% unusual for the targeted organizations.

Attack tools download

CertUtil.exe, a command line program installed as part of Certificate Services, was then leveraged to connect externally and download the second stage payload.

Figure 6: Darktrace detecting the usage of CertUtil

A few hours after this executable download, the infected device made an outbound HTTP connection requesting the URI /TzGG, which was identified as Meterpreter downloading further shellcode for the Cobalt Strike Beacon.

Figure 7: Detection associated with Meterpreter activity

No lateral movement or significant data exfiltration was observed.

How Cyber AI Analyst reported on the zero-day exploit

Darktrace not only detected this zero-day attack campaign, but Cyber AI Analyst also saved security teams valuable time by investigating disparate security events and generating a report that immediately put them in a position to take action.

The below screenshot shows the AI Analyst incidents reported in one infected environment, over the eight days covering the intrusion period. The first incident on the left represents the APT activity described here. The other five incidents are independent of the APT activity and not as severe.

Figure 8: The security incidents surfaced by AI Analyst

AI Analyst reported on six incidents in total over the eight-day period. Each AI Analyst incident includes a detailed timeline and summary of the incident, in a concise format that takes an average of two minutes to review. This means that with Cyber AI Analyst, even a non-technical person could have actioned a response to this sophisticated, zero-day incident in less than five minutes.

Conclusion

While very sophisticated in nature, APT41 sacrificed stealth for speed by targeting many companies at the same time. APT41 wanted to utilize the limited window of opportunity that the Zoho zero-day provided before IT staff starts patching.

Without public Indicators of Compromise (IoCs) or any open-source intelligence available, targeted attacks are incredibly difficult to detect. Moreover, even the best detections are useless if they cannot be actioned by a security analyst at an early stage. Too often this occurs because of an overwhelming volume of alerts, or simply because the skills barrier to triage and investigation is too high.

This appears to be a broad campaign by APT41 to gain initial access to many different companies and sectors. While very sophisticated in nature, APT41 sacrificed stealth for speed by targeting many companies at the same time. APT41 wanted to utilize the limited window of opportunity that the Zoho zero-day provided before IT staff starts patching.

Darktrace’s Cyber AI is specifically designed to detect the subtle signs of targeted, unknown attacks at an early stage, without relying on prior knowledge or IoCs. It achieves this by continuously learning the normal patterns of behavior for every user, device, and associated peer group from scratch, and ‘on the job’.

In the face of APT41’s recent zero-day attack campaign, the AI’s ability to (a) detect unknown threats with self-learning AI and (b) augment strained responders with AI-driven investigations and reporting proved crucial. Indeed, it ensured that the attacks were swiftly contained before escalating to the later stages of the attack lifecycle.

Indicators of Compromise

Selection of Darktrace model breaches:

  • Anomalous File / Script from Rare External
  • Anomalous File / EXE from Rare External Location
  • Compromise / SSL to DynDNS
  • Compliance / CertUtil External Connection
  • Anomalous Connection / CertUtil Requesting Non Certificate
  • Anomalous Connection / CertUtil to Rare Destination
  • Anomalous Connection / New User-Agent to IP Without Hostname
  • Device / Initial Breach Chain Compromise
  • Compromise / Slow Beaconing Activity To External Rare
  • Compromise / Beaconing Activity To External Rare
  • Anomalous File / Numeric Exe Download
  • Device / Large Number of Model Breaches
  • Anomalous Server Activity / Rare External from Server
  • Compromise / Sustained TCP Beaconing Activity To Rare Endpoint
  • Compliance / Remote Management Tool On Server

The below screenshot shows Darktrace model breaches occurring together during the compromise of one customer:

Figure 9: Darktrace model breaches occurring together

Network IoCs:

IoCComment66.42.98[.]220Initial compromise and payload downloads74.82.201[.]8DNS resolution for C2 domainexchange.dumb1[.]comMain C2 domain91.208.184[.]78Secondary Cobalt Strike C2

Host IoCs:

IoCCommentFilenameMD5 Hashinstall.bat7966c2c546b71e800397a67f942858d0storesyncsvc.dll5909983db4d9023e4098e56361c96a6f2.exe3e856162c36b532925c8226b4ed3481cTzGG659bd19b562059f3f0cc978e15624fd9

MITRE ATT&CK techniques observed

Initial AccessT1190 – Exploit Public-Facing ApplicationT1133 – External Remote ServicesExecutionT1064 — ScriptingPersistenceT1050 – New ServiceT1197 – BITS JobsPrivilege EscalationT1068 — Exploitation for Privilege EscalationDefense EvasionT1055 – Process InjectionT1197 – BITS JobsDiscoveryExfiltrationCommand and ControlT1043 – Commonly Used PortsT1071 – Standard Application Layer ProtocolT1132 – Data EncodingT1008 – Fallback Channels

Like this and want more?

Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Max Heinemeyer
Chief Product Officer

Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max oversees global threat hunting efforts, working with strategic customers to investigate and respond to cyber-threats. He works closely with the R&D team at Darktrace’s Cambridge UK headquarters, leading research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. When living in Germany, he was an active member of the Chaos Computer Club. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.
This Article
Catching APT41 exploiting a zero-day vulnerability
Share
Twitter logoLinkedIn logo

Related Articles

No items found.

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.