Stories from the SOC – RapperBot, Mirai Botnet – C2, CDIR Drop over SSH

Read Time:6 Minute, 7 Second

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers. 

Executive summary

Since mid-June 2022, AT&T Managed Extended Detection and Response (MXDR) Security Operations Center (SOC) observed an enormous number of attacks from Mirai botnet-C2 attempting to gain access to SSH servers instead of Telnet.

Due to the various tactics, techniques, and procedures (TTP) observed, this attack has been associated with RapperBot botnet (Mirai variants.) RapperBot’s goal is still undefined.

According to the analysis that was published by FortiGuard Labs, while the majority of Mirai variants can naturally brute force Telnet servers that use default or weak passwords, RapperBot in particular scans and attempts to brute force SSH servers that are designed to require password authentication.

A large part of the malware is executing an SSH 2.0 client which is able to connect and brute force any SSH server using Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR. A unique characteristic of brute forcing in RapperBot is the use of SSH-2.0-HELLOWORLD in order to identify itself to the targeted SSH server during the SSH Protocol Exchange phase.

One of the malicious Mirai botnet IP addresses had allowed network traffic with an asset in an organization over SSH port 22. After some data transferring, the session closed with the client-reset action. The MXDR SOC team quickly identified and recommended mitigation steps to prevent lateral movement and the attacker going further.

Investigation

Initial alarm review

Indicators of Compromise (IOC)

The alarm initiated with the multiple Open Threat Exchange (OTX)  pulses (Miraibotnet-C2- CDIR Drop List) and an OTX indicator of a known malicious IP. There was network traffic between the known malicious IP and a public IP of an internal asset in an organization. The network traffic was over SSH port 22, and the security system (firewall) action was a deny. The security system (firewall) deny action was evidence of the auto-mitigation. In this case, auto-mitigation means the attack is prevented by firewall rules and threat intelligence by denying the connection from malicious IP.

However, further analysis of the events showed that the traffic was allowed from the malicious IP to another internal asset. In addition to this, there were signs of data transfer from source IP with “sentbyte=1560, rcvdbyte=2773, sentpkt=15, rcvdpkt=13”

** Risk mitigation in Cybersecurity is the reduction of the overall risk/impact of cyber-attacks. Detection, prevention, and remediation are three components of risk mitigation in cybersecurity.

Expanded investigation

Events search

After checking events associated with the alarm, the team always checks the environmental security to see if the malware had further penetrated the environment or attempted any lateral movement.

The team searched events by pivoting on the indicator IP, filtering the past 90 days of events, and the security system (firewall) allowed action types. It was determined that there were a few connections from malicious IP to different internal assets with the client-rst, server-rst, timeout, and closed events.

Client-rst – Session reset by client, Server-rst – Session reset by server

These are usually session end reasons that show who is sending TCP (Transmission Control Protocol) reset and the session terminates – so this does not mean that a security system (firewall) is blocking the traffic. It means after a session is started between client-to-server, it is terminated by (client or server), depending on who sent the TCP reset. Session-end results can be found in traffic logs.

The team suspected that the system might be compromised because the session was reset from the client side (which is the adversary side.) It was then observed that the session was closed (terminated) with a large amount of packet transmissions.

Event deep dive

After further examination of the allowed connections, the malicious IP showed traffic with the customer security system (firewall) over SSH port 22. SSH port 22 uses a TCP connection. Therefore, before transferring data  it needs to establish a reliable connection with the 3-way handshakes.

In order to handshake the header (first two packets), TCP uses approximately 24 bytes and for normal transmission of packet about 20 bytes. Establishing a reliable connection with 3-way handshake needs just three packets to be transmitted. Establishing a connection: ~ 128-136 bytes.

Another observation is that the sent and received bytes with the packet size are indicators of data transferring due to the packets and bytes being bigger than normal packets and bytes of TCP 3-way handshake. This is believed to be an indication of a payload or compromised credentials.

Rapperbots work like an SSH brute-forcing campaign. After it has gained access on a device, it sends its architecture to the C2 server – the device’s IP, and the credentials used. Then the adversary tries to load the main payload binary on the compromised device via binary downloader or software like ftpget, wget, curl, or tftp, that is installed on the device.

Reviewing for additional indicators

At this point, the attacker tried to get “Initial Access (tactic)” into the network by using “Exploit Public Facing Application” technique based on the Mitre Att&ck Framework.

Exploit Public Facing Application is a technique which is used by adversaries to take advantage of vulnerabilities/weaknesses in a program or internet facing computer to gain Initial access to a network. In this case, even though there was evidence of data transfer, evidence of payload or lateral movement activity were not seen.

Response

Building the investigation

An investigation was created by following the incident response process. The investigation included identifying the incident, finding the root cause of the incident and Indicators of compromise. Then we made recommendations to the customer on mitigation/remediation steps. We communicated with the customer to ensure necessary actions are executed. Recommended mitigation steps were:

Blocking the malicious IP
Disabling SSH password authentication (if possible)
Changing passwords to stronger passwords for the device.

Incident response is an organizationed approach and process to manage cybersecurity breaches/incidents or cyberattacks. It includes multiple steps:

Identifying an incident/attack
Minimizing damage
Eradicating the root cause
Minimizing recovery cost and time
Learning lessons from the incident
Taking preventative action

According to the analysis that was published by FortiGuard Labs, Rapperbot developers improved their code to maintain persistence, which differentiates it from other Mirai variants. Even after rebooting infected assets or removing malware, intruders can continuously access infected assets via SSH. Therefore, rebooting the device or removing malware Is not a permanent mitigation option.

The Rapperbot’s primary threat is brute forcing the credentials of SSH. By disabling SSH password authentication (if possible), or changing passwords to stronger passwords for the device, the Rapperbot mitigation can easily be done.

Customer interaction

The customer wanted to be kept in the loop and informed if the attack continues.

Limitations and opportunities

Limitations

In this investigation, MXDR was unable able to see inside the transmitted packets. As a result of the lack of visibility into the network flows in the environment, MXDR has limited access to the customer environment. However, MXDR suspected the data transfer could include the main payload binary on the compromised device.

Read More

java-latest-openjdk-19.0.2.0.7-1.rolling.el8

Read Time:1 Minute, 7 Second

FEDORA-EPEL-2023-52e0512741

Packages in this update:

java-latest-openjdk-19.0.2.0.7-1.rolling.el8

Update description:

New in release OpenJDK 19.0.2 (2023-01-17)

CVEs Fixed

CVE-2023-21835
CVE-2023-21843

Security Fixes

* JDK-8286070: Improve UTF8 representation
* JDK-8286496: Improve Thread labels
* JDK-8287411: Enhance DTLS performance
* JDK-8288516: Enhance font creation
* JDK-8293554: Enhanced DH Key Exchanges
* JDK-8293598: Enhance InetAddress address handling
* JDK-8293717: Objective view of ObjectView
* JDK-8293734: Improve BMP image handling
* JDK-8293742: Better Banking of Sounds
* JDK-8295687: Better BMP bounds

Major Changes

JDK-8295687: Better BMP bounds

Loading a linked ICC profile within a BMP image is now disabled by default. To re-enable it, set the new system property sun.imageio.bmp.enabledLinkedProfiles to true. This new property replaces the old property, sun.imageio.plugins.bmp.disableLinkedProfiles.

JDK-8293742: Better Banking of Sounds

Previously, the SoundbankReader implementation, com.sun.media.sound.JARSoundbankReader, would download a JAR soundbank from a URL. This behaviour is now disabled by default. To re-enable it, set the new system property jdk.sound.jarsoundbank to true.

JDK-8287411: Enhance DTLS performance

The JDK now exchanges DTLS cookies for all handshakes, new and resumed. The previous behaviour can be re-enabled by setting the new system property jdk.tls.enableDtlsResumeCookie to false.

Read More

java-latest-openjdk-19.0.2.0.7-1.rolling.el9

Read Time:1 Minute, 7 Second

FEDORA-EPEL-2023-fc74dc491a

Packages in this update:

java-latest-openjdk-19.0.2.0.7-1.rolling.el9

Update description:

New in release OpenJDK 19.0.2 (2023-01-17)

CVEs Fixed

CVE-2023-21835
CVE-2023-21843

Security Fixes

* JDK-8286070: Improve UTF8 representation
* JDK-8286496: Improve Thread labels
* JDK-8287411: Enhance DTLS performance
* JDK-8288516: Enhance font creation
* JDK-8293554: Enhanced DH Key Exchanges
* JDK-8293598: Enhance InetAddress address handling
* JDK-8293717: Objective view of ObjectView
* JDK-8293734: Improve BMP image handling
* JDK-8293742: Better Banking of Sounds
* JDK-8295687: Better BMP bounds

Major Changes

JDK-8295687: Better BMP bounds

Loading a linked ICC profile within a BMP image is now disabled by default. To re-enable it, set the new system property sun.imageio.bmp.enabledLinkedProfiles to true. This new property replaces the old property, sun.imageio.plugins.bmp.disableLinkedProfiles.

JDK-8293742: Better Banking of Sounds

Previously, the SoundbankReader implementation, com.sun.media.sound.JARSoundbankReader, would download a JAR soundbank from a URL. This behaviour is now disabled by default. To re-enable it, set the new system property jdk.sound.jarsoundbank to true.

JDK-8287411: Enhance DTLS performance

The JDK now exchanges DTLS cookies for all handshakes, new and resumed. The previous behaviour can be re-enabled by setting the new system property jdk.tls.enableDtlsResumeCookie to false.

Read More

New UN cybercrime convention has a long way to go in a tight timeframe

Read Time:40 Second

Cybercrime is a growing scourge that transcends borders, spreading across the boundaries of virtually all the world’s nearly 200 nation-states. From ransomware attacks to rampant cryptocurrency theft, criminal exploitation of borderless digital systems threatens global economic security and the political welfare of all countries.

Now, the United Nations has a major initiative to develop a new and more inclusive approach to addressing cybercrime that would replace a two-decades-old international cybercrime convention. This revised global approach could spark new laws worldwide to battle cybercrime more effectively. However, concerns over the scope of the emerging international convention and its possible threats to free speech, privacy, and cybersecurity research, among other issues, have emerged following the recent release of early drafts of the new convention.

To read this article in full, please click here

Read More

Trovent Security Advisory 2203-01 / Micro Focus GroupWise transmits session ID in URL

Read Time:18 Second

Posted by Stefan Pietsch on Jan 30

# Trovent Security Advisory 2203-01 #
#####################################

Micro Focus GroupWise transmits session ID in URL
#################################################

Overview
########

Advisory ID: TRSA-2203-01
Advisory version: 1.0
Advisory status: Public
Advisory URL: https://trovent.io/security-advisory-2203-01
Affected product: Micro Focus GroupWise
Affected version: prior to 18.4.2
Vendor: Micro Focus, https://www.microfocus.com

Read More