Maintain Remote access without a C2

Mohan reddy
Redteam & Blueteam Series
6 min read · May 4, 2020

As malware writers attempt to make their malware more resilient to take-down attempts and detection, there are a number of trends that we can expect in the near future.

To understand this post, first look at how C2 works. After the malware is installed, it calls out to the C2 server and waits for its next command. It usually sends a beacon on a timer to let the server know it is still alive and to ask whether there is anything it should do. When the server is ready, it issues a command to execute on the infected host. Most current C2 frameworks assign a unique id to every implant/session, so that if the connection is interrupted the infrastructure can automatically re-establish it based on that id. C2 usually includes persistence as well.

Red Team: Attack vectors and Techniques

Maintaining remote access without a C2, through the interfaces the target already exposes, is attractive for red teamers: they create a backdoor account or reuse legitimate access instead of maintaining C2 infrastructure. Yes, this is what you are thinking of: persistence accounts, stolen authentication keys, and keeping the vulnerabilities you found undisclosed to the target so they stay usable. In other words, you come back in using methods your target supports rather than having your target connect back to you.

1. Stolen authentication tokens

Valid Accounts: Consider how many of the organization’s credentials have already been exposed and could be used in an account takeover.

Leverage stolen credentials to connect to servers and gather more credentials. Servers running applications such as Microsoft Exchange Client Access Servers (CAS), Exchange OWA, Microsoft SQL Server and Terminal Services (RDP) tend to hold many credentials in memory from recently authenticated users, or from services that often have Domain Admin rights.

Passwords, private keys, NTLM hashes (Pass the Hash) and Kerberos tickets (Pass the Ticket): once any of these is compromised, the attacker can use the account whenever they want, until the credential is rotated or the weakness patched.

Skeleton key: how convenient to access a machine without its credentials, or with credentials you create on the fly. That is possible with Skeleton Key.

Skeleton Key patches LSASS on a domain controller (it needs Domain Admin rights to do so) and installs a master password that works for any account in the domain, without affecting the existing users' own logins. The patch lives only in memory, so it does not survive a reboot of the DC.

Note: Skeleton Key only bypasses single-factor (password) authentication. If MFA is enforced you need to look for another method.
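One side effect of Skeleton Key is worth hunting for from the blue side: the patched LSASS only supports RC4-HMAC, so accounts that normally receive AES-encrypted Kerberos tickets start receiving RC4 ones (events 4768/4769 with TicketEncryptionType 0x17), and many accounts flip at the same time. The following is an added example, not code from the original post. The events are constructed, shaped like Windows security events exported as JSON, and the set of "AES-capable" accounts is inferred from previously observed tickets so that the script is self-contained; in production read msDS-SupportedEncryptionTypes from AD instead.

```python
"""Hunt for the Kerberos encryption downgrade that Skeleton Key causes.

Added example, not from the original post. SAMPLE_EVENTS is constructed in the
shape of Windows 4768/4769 events exported as JSON.
"""
from collections import defaultdict

AES_ETYPES = {"0x11", "0x12"}   # AES128 / AES256 -CTS-HMAC-SHA1-96
RC4_ETYPE = "0x17"              # RC4-HMAC

# Constructed sample: normal AES traffic, one legacy account that always used
# RC4, then three AES-capable accounts downgraded inside the same minute.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:10.0.0.21", "TimeCreated": "2020-05-04T08:01:00"},
    {"EventID": 4769, "TargetUserName": "bob", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:10.0.0.22", "TimeCreated": "2020-05-04T08:02:10"},
    {"EventID": 4768, "TargetUserName": "carol", "TicketEncryptionType": "0x11",
     "IpAddress": "::ffff:10.0.0.23", "TimeCreated": "2020-05-04T08:03:30"},
    {"EventID": 4768, "TargetUserName": "legacyapp", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.0.0.50", "TimeCreated": "2020-05-04T08:04:00"},
    {"EventID": 4768, "TargetUserName": "alice", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.0.0.21", "TimeCreated": "2020-05-04T13:30:05"},
    {"EventID": 4768, "TargetUserName": "bob", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.0.0.22", "TimeCreated": "2020-05-04T13:30:41"},
    {"EventID": 4769, "TargetUserName": "carol", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.0.0.23", "TimeCreated": "2020-05-04T13:30:58"},
]


def aes_capable_accounts(events):
    """Accounts seen receiving at least one AES ticket. Such an account has AES
    keys, so a later RC4 ticket is a downgrade: Skeleton Key, or a client or
    service that only speaks RC4 (that is what the allow-list below is for)."""
    return {e["TargetUserName"].lower() for e in events
            if e["EventID"] in (4768, 4769) and e["TicketEncryptionType"] in AES_ETYPES}


def find_downgrades(events, known_rc4_accounts=frozenset()):
    """(account, time, client ip) for every RC4 ticket issued to an AES-capable
    account that is not on the allow-list."""
    capable = aes_capable_accounts(events)
    return [(e["TargetUserName"].lower(), e["TimeCreated"], e["IpAddress"])
            for e in events
            if e["EventID"] in (4768, 4769)
            and e["TicketEncryptionType"] == RC4_ETYPE
            and e["TargetUserName"].lower() in capable
            and e["TargetUserName"].lower() not in known_rc4_accounts]


def downgrade_burst(hits, min_accounts=3):
    """A single legacy client downgrades one account; a patched DC downgrades
    everyone. Group hits by minute and return (minute, accounts) for the first
    minute in which at least `min_accounts` distinct accounts flipped, else None."""
    per_minute = defaultdict(set)
    for account, ts, _ip in hits:
        per_minute[ts[:16]].add(account)      # "YYYY-MM-DDTHH:MM"
    for minute in sorted(per_minute):
        if len(per_minute[minute]) >= min_accounts:
            return minute, per_minute[minute]
    return None


if __name__ == "__main__":
    hits = find_downgrades(SAMPLE_EVENTS)
    for hit in hits:
        print("RC4 ticket for AES-capable account:", hit)
    print("burst:", downgrade_burst(hits))
```

Legacy applications and old clients legitimately use RC4 for particular accounts, so baseline first and pass those accounts as known_rc4_accounts; the signal is the mass, simultaneous downgrade, not a single RC4 ticket.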

2. Common internet-facing interfaces

It is a common TTP for adversaries. Red teamers have developed a wide array of tools to continuously look for remote access points on the Internet. Services such as Censys.io and Shodan.io, designed to map assets on the Internet, can also be used to discover potentially vulnerable targets.

Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services.

Once a firm is targeted, it’s surprisingly easy to overcome the password protections in place. This is largely because there is only one factor to defeat: the password itself. In the absence of a multi-factor authentication mechanism such as a text, phone call, or randomly generated token, the hacker is free to guess a user’s password. With enough computing power, this is a process that can take only a few hours. Moreover, as a business adds more accounts over time, old unused accounts create an even larger surface to attack. Hackers also have access to billions of compromised credentials from past data breaches.

The recent Sophos XG Firewall SQL injection (CVE-2020-12271), exploited against internet-facing firewalls, is an example.

While I was performing an internal assessment, I came across an employee who had tried a one-month Azure AD trial account in which he opened ports 3389 and 22 to the internet and even configured weak passwords. Such RDP and SSH exposures give the adversary a foothold in the organisation, from which the attacker can use pivoting to extend the impact.

Attacks on services hosted on the internet (cloud computing): the hypervisor, also known as the Virtual Machine Monitor, is responsible for managing VMs in cloud computing.

When a hypervisor is compromised, an attacker can reach every virtual machine (VM) on that host, which can lead to a DoS across the host or even a collection of servers. I have seen ransomware attacks that compromised the hypervisor first and then affected all the virtual machines under it.

Dragonfly 2.0 and OilRig used VPNs and Outlook Web Access (OWA) to maintain access to victim networks.

FIN5 has used legitimate VPN, Citrix, or VNC credentials to maintain access to a victim environment.

Linux Rabbit attempts to gain access to the server via SSH.

Take Equifax as an example: the Equifax breach occurred through an unpatched web application running a version of the Apache Struts framework that was vulnerable to CVE-2017-5638.

Check for the following when assessing remote services:

  • Open ports: exposed ports that indicate services or assets available online, which may offer a route to compromising the network or are a significant risk simply by being exposed.
  • Misconfigurations: look for misconfigured databases, servers and devices with Shodan and Censys.
  • Exploited vulnerabilities: major vulnerabilities in the infrastructure that have active exploits in the wild and allow remote code execution.
  • Certificates: check for weak, expiring or expired certificates on the infrastructure.
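Two of those checks, done with the Python standard library only: which of a host's ports accept a TCP connection, and what the certificate on an exposed service tells you (expiry, self-signed issuer, wildcard names). This is an added example, not code from the original post. demo_scan() starts its own loopback listener so it runs offline, and SAMPLE_CERT is a constructed dict in the shape that ssl.SSLSocket.getpeercert() returns.

```python
"""Exposure checks for the list above: open ports and certificate findings.

Added example, not from the original post. Standard library only; the
scan demo listens on 127.0.0.1 itself and the certificate is constructed.
"""
import socket
import ssl


def scan_ports(host, ports, timeout=0.5):
    """Subset of `ports` that complete a TCP handshake on `host`."""
    found = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.add(port)
    return found


def _name(rdns):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) into a dict."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def check_cert(cert, now, min_days=30):
    """Findings for one certificate dict as returned by getpeercert().
    `now` is a unix timestamp so results are reproducible; pass time.time()
    in real use."""
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    subject, issuer = _name(cert.get("subject", ())), _name(cert.get("issuer", ()))
    dns_sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "days_left": days_left,
        "expired": days_left < 0,
        "expiring_soon": 0 <= days_left < min_days,
        "self_signed": bool(subject) and subject == issuer,
        "wildcard_san": any(s.startswith("*.") for s in dns_sans),
    }


# Constructed: a self-signed wildcard certificate on a VPN gateway, checked on
# 20 April 2020 with two weeks of validity left.
SAMPLE_NOW = ssl.cert_time_to_seconds("Apr 20 00:00:00 2020 GMT")
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": ((("commonName", "vpn.example.com"),),),
    "notBefore": "Apr 20 00:00:00 2019 GMT",
    "notAfter": "May 04 12:00:00 2020 GMT",
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.example.com")),
}


def demo_scan():
    """Open one loopback listener, free a second port, scan both, and return
    (open_port, closed_port, found) so the result can be checked."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    open_port, closed_port = listener.getsockname()[1], spare.getsockname()[1]
    spare.close()                     # nothing listens on closed_port any more
    try:
        found = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return open_port, closed_port, found


if __name__ == "__main__":
    print("scan:", demo_scan())
    print("cert:", check_cert(SAMPLE_CERT, SAMPLE_NOW))
```

Against a real host you would fetch the certificate with ssl.create_default_context().wrap_socket(...).getpeercert() and feed it to check_cert; remember that a scan of someone else's address space needs authorisation, which is why the demo only touches loopback.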

BLUE TEAM: Detective and Preventive Controls

For security teams, the sheer depth and breadth of what they need to defend may seem daunting. Fortunately, with the right tools, security teams can apply the same rules that keep their internal networks safe to their entire attack surface. Attack surface analysis is especially important when applications or services are internet-facing. Let's see how we can implement security measures for defending at various levels.

Endpoint level:

1. Enforce two-factor authentication on all external interfaces.

2. Limit Terminal Services, Citrix and VDE access to specific groups during specific hours.

3. Dedicated system: if a computer provides a service to the Internet, it must not be used by any individual to check email, browse the web or serve as a PC for other business reasons.

4. Security patches for the operating system, firmware, application or service must be evaluated and applied accordingly.

5. Many systems and applications come with default or built-in accounts that have passwords. Where possible, these default accounts shall be disabled and/or have their password changed.

6. Anti-virus programs must be deployed and kept up to date on systems; they defend against an attacker dropping and executing malware.

Network Level:

1. When developing Internet applications, follow industry best-practice guidelines, such as OWASP, and change management procedures.

2. Use authentication and authorization controls to protect access to non-public information. Examples include user name and password, smart cards and tokens, biometrics, etc.

3. Use secure protocols for administration, development or maintenance of the system. For example, use SSH instead of Telnet; use SFTP instead of FTP; use VPN when practical.

4. Configure firewall rules and network segmentation. Follow best practices for network firewall configuration to allow only necessary ports and traffic to enter and exit the network.

5. Implement NIDS/NIPS (network intrusion detection and prevention).

6. Implement canary networks, systems, applications and accounts.

7. Enable event logging of the operating system and application to a level adequate for incident response and security investigations. All log entries must include time and date. At a minimum, enable logging for login events, logout events and web page access events.
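The login-event logging in item 7 is what lets you catch the single-factor password guessing described in the red-team section above. Here is an added example, not code from the original post, that runs over failed logons from the two services most often left exposed: Windows (event 4625, for example RDP) and OpenSSH. It flags both one source hammering one account (brute force) and one source trying many accounts a few times each (a spray, which a per-account lockout threshold never sees). SAMPLE_LOG is constructed: the 4625 records use the real event field names exported as JSON lines, and the sshd lines follow the standard OpenSSH syslog format.

```python
"""Password-guessing detection over failed logon events.

Added example, not from the original post. SAMPLE_LOG is constructed.
"""
import json
import re
from collections import defaultdict

SSHD_FAIL = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

SAMPLE_LOG = """\
{"EventID": 4625, "TargetUserName": "alice", "IpAddress": "203.0.113.7", "LogonType": 10}
{"EventID": 4625, "TargetUserName": "bob", "IpAddress": "203.0.113.7", "LogonType": 10}
{"EventID": 4625, "TargetUserName": "carol", "IpAddress": "203.0.113.7", "LogonType": 10}
{"EventID": 4625, "TargetUserName": "dave", "IpAddress": "203.0.113.7", "LogonType": 10}
{"EventID": 4625, "TargetUserName": "erin", "IpAddress": "203.0.113.7", "LogonType": 10}
{"EventID": 4625, "TargetUserName": "frank", "IpAddress": "203.0.113.7", "LogonType": 10}
{"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.21", "LogonType": 2}
{"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.21", "LogonType": 2}
May  4 08:12:01 bastion sshd[2201]: Failed password for root from 198.51.100.9 port 51234 ssh2
May  4 08:12:03 bastion sshd[2201]: Failed password for root from 198.51.100.9 port 51234 ssh2
May  4 08:12:05 bastion sshd[2201]: Failed password for root from 198.51.100.9 port 51234 ssh2
May  4 08:12:09 bastion sshd[2204]: Failed password for root from 198.51.100.9 port 51236 ssh2
May  4 08:12:11 bastion sshd[2204]: Failed password for root from 198.51.100.9 port 51236 ssh2
May  4 08:12:14 bastion sshd[2204]: Failed password for root from 198.51.100.9 port 51236 ssh2
May  4 08:12:20 bastion sshd[2207]: Failed password for root from 198.51.100.9 port 51238 ssh2
May  4 08:12:22 bastion sshd[2207]: Failed password for root from 198.51.100.9 port 51238 ssh2
May  4 08:13:02 bastion sshd[2210]: Failed password for invalid user admin from 198.51.100.9 port 51240 ssh2
May  4 09:00:00 bastion sshd[2300]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2
"""


def failed_logon(line):
    """(source ip, account) for a failed logon line, else None.
    Successful logons (4624, 'Accepted ...') and anything unparsed are skipped."""
    line = line.strip()
    if line.startswith("{"):
        rec = json.loads(line)
        if rec.get("EventID") == 4625:
            return rec["IpAddress"], rec["TargetUserName"].lower()
        return None
    m = SSHD_FAIL.search(line)
    return (m["ip"], m["user"].lower()) if m else None


def detect(lines, spray_users=5, brute_attempts=5):
    """Aggregate failures per source and return both alert kinds:
    spray: ip -> sorted accounts tried, when at least `spray_users` distinct
    brute_force: (ip, account) -> attempts, when at least `brute_attempts`."""
    per_pair = defaultdict(int)          # (ip, account) -> failed attempts
    users_per_ip = defaultdict(set)      # ip -> accounts tried
    for line in lines:
        hit = failed_logon(line)
        if hit:
            per_pair[hit] += 1
            users_per_ip[hit[0]].add(hit[1])
    return {
        "spray": {ip: sorted(users) for ip, users in users_per_ip.items()
                  if len(users) >= spray_users},
        "brute_force": {pair: n for pair, n in per_pair.items()
                        if n >= brute_attempts},
    }


if __name__ == "__main__":
    for kind, alerts in detect(SAMPLE_LOG.splitlines()).items():
        for key, value in alerts.items():
            print(kind, key, value)
```

In a real deployment the counts should be kept per time window (say 10 minutes) rather than over the whole log, and an alert on an exposed RDP or SSH endpoint is a prompt to put it behind a VPN with MFA, not just to block the one source address.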

Process Level:

1. Preparation is the key to effective identification and response. Training end users at regular intervals and raising awareness of cyberattacks helps the organization defend against them.

2. Implement incident response procedures for handling security incidents, breaches and cyber threats.

3. Maintain Secure Configurations.

4. Train staff on the latest security threats and security tools.
